From e90a8c8f444f1c917f7ccabeb84b7d157412458f Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Thu, 27 Jul 2023 12:02:31 +0100 Subject: [PATCH 001/379] fix iam_access_analyzer_query --- .../aws/iam_access_analyzer_not_enabled/query.rego | 5 ++++- .../aws/iam_access_analyzer_not_enabled/test/negative2.yaml | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.yaml diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego index 18e106e026b..ed295d5fd47 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego @@ -6,7 +6,10 @@ import data.generic.common as common_lib extensions := {".json", ".yaml"} CxPolicy[result] { - count({i | resources := input.document[i].Resources; resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0 + + resources := input.document[i].Resources; + count(resources) > 0 + count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0 result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.yaml b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.yaml new file mode 100644 index 00000000000..2e9dc48f325 --- /dev/null +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.yaml @@ -0,0 +1,4 @@ +# Random yaml file +--- +my_var: provider:a +service: foo \ No newline at end of file From 7b0637382dd872b83eb21156cf8cbe92122ac9f8 Mon Sep 17 00:00:00 2001 
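Review bot: The comprehension `count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0` reuses the already-bound document index `i` as its head, which works but reads as if it iterated documents; `count([r | r := resources[_]; r.Type == "AWS::AccessAnalyzer::Analyzer"]) == 0` (or a small `has_analyzer(resources)` helper negated with `not`) states the intent directly. As far as the hunk shows, the check also moves from "no analyzer in any scanned document" to "no analyzer in this document", so a stack that declares its analyzer in a separate template would now be reported for every other file in the scan — if that is intended, the query metadata should say so. The trailing `;` after `input.document[i].Resources;` and the empty added line look like leftovers from the edit. The CxPolicy body continues beyond the hunk.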
From: pereiramarco011 Date: Thu, 3 Aug 2023 16:06:23 +0100 Subject: [PATCH 002/379] add tests --- .../test/negative2.json | 43 +++++++++++++++++++ .../test/{negative2.yaml => negative3.yaml} | 0 .../test/negative4.json | 4 ++ .../test/positive2.json | 16 +++++++ .../test/positive_expected_result.json | 6 +++ 5 files changed, 69 insertions(+) create mode 100644 assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.json rename assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/{negative2.yaml => negative3.yaml} (100%) create mode 100644 assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json create mode 100644 assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive2.json diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.json new file mode 100644 index 00000000000..8ca799f2dab --- /dev/null +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.json @@ -0,0 +1,43 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "Analyzer": { + "Type": "AWS::AccessAnalyzer::Analyzer", + "Properties": { + "AnalyzerName": "MyAccountAnalyzer", + "Type": "ACCOUNT", + "Tags": [ + { + "Key": "Kind", + "Value": "Dev" + } + ], + "ArchiveRules": [ + { + "RuleName": "ArchiveTrustedAccountAccess", + "Filter": [ + { + "Property": "principal.AWS", + "Eq": [ + "123456789012" + ] + } + ] + }, + { + "RuleName": "ArchivePublicS3BucketsAccess", + "Filter": [ + { + "Property": "resource", + "Contains": [ + "arn:aws:s3:::docs-bucket", + "arn:aws:s3:::clients-bucket" + ] + } + ] + } + ] + } + } + } + } \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.yaml b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative3.yaml similarity index 100% rename from assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.yaml rename to assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative3.yaml diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json new file mode 100644 index 00000000000..3d026892986 --- /dev/null +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json @@ -0,0 +1,4 @@ +{ + "my_var": "provider:a", + "service": "foo" + } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive2.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive2.json new file mode 100644 index 00000000000..ab84c0e7708 --- /dev/null +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive2.json @@ -0,0 +1,16 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template 2", + "Resources": { + "myuseeer": { + "Type": "AWS::IAM::Group", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + } + } + } + \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 37e668d597d..c0896937034 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json 
@@ -4,5 +4,11 @@ "severity": "LOW", "line": 3, "fileName": "positive1.yaml" + }, + { + "queryName": "IAM Access Analyzer Not Enabled", + "severity": "LOW", + "line": 4, + "fileName": "positive2.json" } ] From f03d3fe5769ff91ea3d8de78472738b9ad002401 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Mon, 7 Aug 2023 11:45:55 +0100 Subject: [PATCH 003/379] remove bad test file --- .../aws/iam_access_analyzer_not_enabled/test/negative4.json | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json deleted file mode 100644 index 3d026892986..00000000000 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative4.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "my_var": "provider:a", - "service": "foo" - } \ No newline at end of file From 76228e1931fc3e672f182639fc14d2266dd7f889 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Mon, 7 Aug 2023 13:53:17 +0100 Subject: [PATCH 004/379] feat(engine): experimental features queries scan --- docs/commands.md | 4 ++ docs/dockerhub.md | 4 ++ e2e/fixtures/assets/scan_help | 4 ++ internal/console/assets/scan-flags.json | 7 +++ internal/console/flags/scan_flags.go | 63 +++++++++++++------------ 5 files changed, 51 insertions(+), 31 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index 4d9a2aca48e..aa95e00e124 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -67,6 +67,10 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' + --experimental-features strings includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature + can be provided multiple times or as a comma separated string + example: 'databricks,nifcloud' + possible values: 'databricks, nifcloud' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index 05c6031d0fd..bc00114e0a7 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -104,6 +104,10 @@ Flags: --exclude-severities strings exclude results by providing the severity of a result can be provided multiple times or as a comma separated string example: 'info,low' + --experimental-features strings includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature + can be provided multiple times or as a comma separated string + example: 'databricks,nifcloud' + possible values: 'databricks, nifcloud' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 44a266fcb54..0545aa92b73 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -28,6 +28,10 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags + --experimental-features strings includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature + can be provided multiple times or as a comma separated string + example: 'databricks,nifcloud' + possible values: 'databricks, nifcloud' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 34aa8ae0ff9..3f66f363798 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -59,6 +59,13 @@ "defaultValue": "false", "usage": "include bill of materials (BoM) in results output" }, + "experimental-features": { + "flagType": "multiStr", + "shorthandFlag": "", + "defaultValue": null, + "usage": "includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature\n${sliceInstructions}\nexample: 'databricks,nifcloud'", + "validation": "sliceFlagsShouldNotStartWithFlags,validateMultiStrEnum" + }, "fail-on": { "flagType": "multiStr", "shorthandFlag": "", diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go index d994d9f3bea..b18649422d0 100644 --- a/internal/console/flags/scan_flags.go +++ b/internal/console/flags/scan_flags.go 
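Review bot: The `usage` string of the new `experimental-features` entry misspells "reviewed" as "reviwed", and the same text is repeated in docs/commands.md, docs/dockerhub.md and e2e/fixtures/assets/scan_help in this commit. The docs hunks also show a "possible values: 'databricks, nifcloud'" line that is not part of this `usage` string; presumably `validateMultiStrEnum` appends it at runtime, but that is worth confirming so the generated help and the e2e fixture stay identical.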
@@ -2,35 +2,36 @@ package flags // Flags constants for scan const ( - BomFlag = "bom" - CloudProviderFlag = "cloud-provider" - ConfigFlag = "config" - DisableFullDescFlag = "disable-full-descriptions" - ExcludeCategoriesFlag = "exclude-categories" - ExcludePathsFlag = "exclude-paths" - ExcludeQueriesFlag = "exclude-queries" - ExcludeResultsFlag = "exclude-results" - ExcludeSeveritiesFlag = "exclude-severities" - IncludeQueriesFlag = "include-queries" - InputDataFlag = "input-data" - FailOnFlag = "fail-on" - IgnoreOnExitFlag = "ignore-on-exit" - MinimalUIFlag = "minimal-ui" - NoProgressFlag = "no-progress" - OutputNameFlag = "output-name" - OutputPathFlag = "output-path" - PathFlag = "path" - PayloadPathFlag = "payload-path" - PreviewLinesFlag = "preview-lines" - QueriesPath = "queries-path" - LibrariesPath = "libraries-path" - ReportFormatsFlag = "report-formats" - TypeFlag = "type" - ExcludeTypeFlag = "exclude-type" - TerraformVarsPathFlag = "terraform-vars-path" - QueryExecTimeoutFlag = "timeout" - LineInfoPayloadFlag = "payload-lines" - DisableSecretsFlag = "disable-secrets" - SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec - ExcludeGitIgnore = "exclude-gitignore" + BomFlag = "bom" + CloudProviderFlag = "cloud-provider" + ConfigFlag = "config" + DisableFullDescFlag = "disable-full-descriptions" + ExcludeCategoriesFlag = "exclude-categories" + ExcludePathsFlag = "exclude-paths" + ExcludeQueriesFlag = "exclude-queries" + ExcludeResultsFlag = "exclude-results" + ExcludeSeveritiesFlag = "exclude-severities" + ExperimentalFeaturesFlag = "experimental-features" + IncludeQueriesFlag = "include-queries" + InputDataFlag = "input-data" + FailOnFlag = "fail-on" + IgnoreOnExitFlag = "ignore-on-exit" + MinimalUIFlag = "minimal-ui" + NoProgressFlag = "no-progress" + OutputNameFlag = "output-name" + OutputPathFlag = "output-path" + PathFlag = "path" + PayloadPathFlag = "payload-path" + PreviewLinesFlag = "preview-lines" + QueriesPath = "queries-path" + 
LibrariesPath = "libraries-path" + ReportFormatsFlag = "report-formats" + TypeFlag = "type" + ExcludeTypeFlag = "exclude-type" + TerraformVarsPathFlag = "terraform-vars-path" + QueryExecTimeoutFlag = "timeout" + LineInfoPayloadFlag = "payload-lines" + DisableSecretsFlag = "disable-secrets" + SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec + ExcludeGitIgnore = "exclude-gitignore" ) From b4bd5a7efc318aea55d00dc6bbcac03a6095a661 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 11 Aug 2023 17:05:50 +0100 Subject: [PATCH 005/379] fix(query): terraform alb_is_not_integrated_with_waf --- .../aws/alb_is_not_integrated_with_waf/query.rego | 9 +++++++-- .../test/{negative.tf => negative1.tf} | 0 .../alb_is_not_integrated_with_waf/test/negative2.tf | 12 ++++++++++++ .../test/{positive.tf => positive1.tf} | 0 .../alb_is_not_integrated_with_waf/test/positive2.tf | 12 ++++++++++++ .../test/positive_expected_result.json | 9 ++++++++- 6 files changed, 39 insertions(+), 3 deletions(-) rename assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/{negative.tf => negative1.tf} (100%) create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf rename assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/{positive.tf => positive1.tf} (100%) create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego index 3f0098d019d..5775781d861 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego 
@@ -2,11 +2,16 @@ package Cx import data.generic.terraform as tf_lib +waf := { + "aws_wafv2_web_acl_association", + "aws_wafregional_web_acl_association", +} + CxPolicy[result] { lb := {"aws_alb", "aws_lb"} resource := input.document[i].resource[lb[idx]][name] not is_internal_alb(resource) - not associated_waf(name) + count({x | x := associated_waf(name); x == false}) == 2 result := { "documentId": input.document[i].id, @@ -24,7 +29,7 @@ is_internal_alb(resource) { } associated_waf(name) { - waf := input.document[_].resource.aws_wafregional_web_acl_association[waf_name] + waf := input.document[_].resource.waf[_][waf_name] attribute := waf.resource_arn attribute_split := split(attribute, ".") options := {"${aws_alb", "${aws_lb"} diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative.tf rename to assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative1.tf diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf new file mode 100644 index 00000000000..363bcdeada9 --- /dev/null +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf @@ -0,0 +1,12 @@ +resource "aws_lb" "alb" { + name = "test-lb-tf" + internal = false + load_balancer_type = "application" + security_groups = [aws_security_group.lb_sg.id] + subnets = [for subnet in aws_subnet.public : subnet.id] +} + +resource "aws_wafv2_web_acl_association" "alb_waf_association" { + resource_arn = aws_lb.alb.arn + web_acl_arn = aws_wafv2_web_acl.example.arn +} \ No newline at end of file 
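Review bot: `input.document[_].resource.waf[_][waf_name]` in `associated_waf` looks up a resource type literally named `waf` rather than the members of the `waf` set declared at the top of the file; the dynamic lookup is `input.document[_].resource[waf[_]][waf_name]`, and the local `waf :=` on the same line also shadows that set. In CxPolicy, `count({x | x := associated_waf(name); x == false}) == 2` can never hold because `associated_waf` is a boolean rule that is either true or undefined, so the policy would stop reporting any ALB at all; `not associated_waf(name)` is the direct form. Patch 007 of this series reworks both lines. The `associated_waf` body continues outside the hunk.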
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive.tf rename to assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive1.tf diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf new file mode 100644 index 00000000000..60f8ea2fc87 --- /dev/null +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf @@ -0,0 +1,12 @@ +resource "aws_lb" "alb" { + name = "test-lb-tf" + internal = false + load_balancer_type = "application" + security_groups = [aws_security_group.lb_sg.id] + subnets = [for subnet in aws_subnet.public : subnet.id] +} + +resource "aws_wafv2_web_acl_association" "alb_waf_association" { + resource_arn = aws_lb.alba.arn + web_acl_arn = aws_wafv2_web_acl.example.arn +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index c447e1598d4..412dc085a1f 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive1.tf" + }, + { + "queryName": "ALB Is Not Integrated With WAF", + "severity": "MEDIUM", + "line": 1, + "filename": "positive2.tf" } ] From da6768ee1fbf136d5525f86d46ceb60b31b566c2 Mon Sep 17 00:00:00 2001 
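Review bot: positive_expected_result.json now uses the key `filename`, whereas the cloudFormation expected-result file changed earlier in this series (iam_access_analyzer_not_enabled) uses `fileName`; if the test harness matches on `fileName`, the per-file assertions added here are silently ignored and a finding in the wrong fixture would still pass. The same spelling appears in patch 006 for unpinned_package_version_in_pip_install. Unless the harness is known to accept both, use `"fileName": "positive1.tf"` and `"fileName": "positive2.tf"`.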
From: cx-henriqueAlvelos Date: Fri, 11 Aug 2023 17:59:36 +0100 Subject: [PATCH 006/379] fix(query): dockerfile unpinned_package_version_in_pip_install --- .../query.rego | 11 ++++++++--- .../{negative.dockerfile => negative1.dockerfile} | 0 .../test/negative2.dockerfile | 9 +++++++++ .../test/negative3.dockerfile | 9 +++++++++ .../{positive.dockerfile => positive1.dockerfile} | 0 .../test/positive_expected_result.json | 12 ++++++++---- 6 files changed, 34 insertions(+), 7 deletions(-) rename assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/{negative.dockerfile => negative1.dockerfile} (100%) create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile rename assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/{positive.dockerfile => positive1.dockerfile} (100%) diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego index f2cb65d48a5..bbb12fc672b 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego @@ -2,6 +2,8 @@ package Cx import data.generic.dockerfile as dockerLib +flags = ["-r", "-c"] + CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "run" 
@@ -12,11 +14,14 @@ CxPolicy[result] { yum := regex.find_n("pip(3)? (-(-)?[a-zA-Z]+ *)*install", commands, -1) yum != null - packages = dockerLib.getPackages(commands, yum) - length := count(packages) + packages = getPackages(commands, yum) + refactorPackages = [ x | x := packages[_]; x != ""] + length := count(refactorPackages) + + count({x | x := packages[_]; x != flags[_]}) == length some j - analyzePackages(j, packages[j], packages, length) + analyzePackages(j, refactorPackages[j], packages, length) result := { "documentId": input.document[i].id, diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative1.dockerfile similarity index 100% rename from assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative.dockerfile rename to assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative1.dockerfile diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile new file mode 100644 index 00000000000..9cccff38e1a --- /dev/null +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile @@ -0,0 +1,9 @@ +FROM alpine:3.4 +RUN apk add --update py-pip=7.1.2-r0 +RUN pip3 install -r pip_requirements.txt +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile new file mode 100644 index 00000000000..45b7b963e50 --- /dev/null 
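Review bot: `analyzePackages(j, refactorPackages[j], packages, length)` indexes the filtered `refactorPackages` with `j` but still passes the unfiltered `packages` together with `length`, which now counts only the non-empty entries; once an empty string has been dropped the two arrays no longer line up, so any index arithmetic inside `analyzePackages` (its body is outside this hunk) is relative to the wrong array — pass `refactorPackages` as the third argument as well. `getPackages(commands, yum)` is also unqualified here while the removed line called `dockerLib.getPackages` (patch 008 restores it). `count({x | x := packages[_]; x != flags[_]}) == length` compares a deduplicated set against a list length, so a command that repeats a package name, or the empty entries still present in `packages`, makes the rule silently undefined; patch 011 replaces this line.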
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile @@ -0,0 +1,9 @@ +FROM alpine:3.4 +RUN apk add --update py-pip=7.1.2-r0 +RUN pip3 install -c constraints.txt +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] \ No newline at end of file diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive1.dockerfile similarity index 100% rename from assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive.dockerfile rename to assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive1.dockerfile diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json index ab2bb5198d3..4ffe50570bf 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json @@ -2,21 +2,25 @@ { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive1.dockerfile" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive1.dockerfile" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive1.dockerfile" }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive1.dockerfile" } ] 
From c32ff360bc9bf0f5e71d7b9c59243c5b0ade0869 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 11 Aug 2023 18:22:01 +0100 Subject: [PATCH 007/379] fix count --- .../aws/alb_is_not_integrated_with_waf/query.rego | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego index 5775781d861..3a9cb23ac43 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego @@ -2,17 +2,17 @@ package Cx import data.generic.terraform as tf_lib -waf := { +waf_resources := [ "aws_wafv2_web_acl_association", "aws_wafregional_web_acl_association", -} +] CxPolicy[result] { lb := {"aws_alb", "aws_lb"} resource := input.document[i].resource[lb[idx]][name] not is_internal_alb(resource) - count({x | x := associated_waf(name); x == false}) == 2 - + count({x | x := associated_waf(name)}) == 0 + result := { "documentId": input.document[i].id, "resourceType": lb[idx], @@ -29,7 +29,7 @@ is_internal_alb(resource) { } associated_waf(name) { - waf := input.document[_].resource.waf[_][waf_name] + waf := input.document[_].resource[waf_resources[_]][waf_name] attribute := waf.resource_arn attribute_split := split(attribute, ".") options := {"${aws_alb", "${aws_lb"} From a0a14b5145a8bb8a091039e7aec00a7ba3412bb2 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 11 Aug 2023 18:25:24 +0100 Subject: [PATCH 008/379] fix getPackages --- .../unpinned_package_version_in_pip_install/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego index bbb12fc672b..6de3331d518 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego 
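Review bot: `count({x | x := associated_waf(name)}) == 0` is a roundabout spelling of `not associated_waf(name)`, which the pre-005 version of this line used and which reads as the intended "no association found"; since `associated_waf` is either true or undefined, the set is either `{true}` or empty and the count adds nothing. The rewritten lookup `input.document[_].resource[waf_resources[_]][waf_name]` is the correct dynamic form over both association types. The rest of `associated_waf` lies outside the hunk.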
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { yum := regex.find_n("pip(3)? (-(-)?[a-zA-Z]+ *)*install", commands, -1) yum != null - packages = getPackages(commands, yum) + packages = dockerLib.getPackages(commands, yum) refactorPackages = [ x | x := packages[_]; x != ""] length := count(refactorPackages) From 46dc062f0b81ceb8541f7b93001c803c31ee11e0 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 12 Aug 2023 08:57:24 +0100 Subject: [PATCH 009/379] fixed counter and args --- .../unpinned_package_version_in_pip_install/query.rego | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego index 6de3331d518..96738e52487 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { refactorPackages = [ x | x := packages[_]; x != ""] length := count(refactorPackages) - count({x | x := packages[_]; x != flags[_]}) == length + count({x | x := refactorPackages[_]; x != flags[_]}) == length some j analyzePackages(j, refactorPackages[j], packages, length) @@ -62,10 +62,10 @@ isPip(command) { contains(command[j], "install") } -analyzePackages(j, currentPackage, packages, length) { +analyzePackages(j, currentPackage, _, length) { j == length - 1 regex.match("^[a-zA-Z]", currentPackage) == true - not dockerLib.withVersion(currentPackage) + not withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { From 5e7e34334bea4201d73bf2575e2c2a3441055129 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Sat, 12 Aug 2023 08:58:43 +0100 Subject: [PATCH 010/379] fixed function --- .../unpinned_package_version_in_pip_install/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego index 96738e52487..1a211dd6cb8 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego @@ -65,7 +65,7 @@ isPip(command) { analyzePackages(j, currentPackage, _, length) { j == length - 1 regex.match("^[a-zA-Z]", currentPackage) == true - not withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { From bbfd0fcef75fcafc767d8cb20effa394e90eec1b Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 12 Aug 2023 09:52:36 +0100 Subject: [PATCH 011/379] fixed count --- .../unpinned_package_version_in_pip_install/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego index 1a211dd6cb8..268199179fb 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { refactorPackages = [ x | x := packages[_]; x != ""] length := count(refactorPackages) - count({x | x := refactorPackages[_]; x != flags[_]}) == length + count({x | x := refactorPackages[_]; x == flags[_]}) == 0 some j analyzePackages(j, refactorPackages[j], packages, length) From 017149cffa64f6e0da52d38d9cc2fccbbb39f680 Mon Sep 17 00:00:00 2001 
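Review bot: `count({x | x := refactorPackages[_]; x == flags[_]}) == 0` makes the rule undefined for the whole RUN command as soon as any argument is `-r` or `-c`, so a line such as `pip install -r requirements.txt flask` is no longer checked for the unpinned `flask`, while the long forms `--requirement`/`--constraint` are not in `flags` at all and those commands are still analyzed with the file name treated as a package. A narrower approach is to drop the flag and the argument that follows it from `refactorPackages` and keep analyzing the remaining entries; that is a larger rewrite of the filtering in this rule, and `analyzePackages` (outside the hunk) would need to receive the same filtered array. `flags` is declared at the top of the file, outside this hunk.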
From: gabriel-cx
Date: Thu, 17 Aug 2023 16:03:13 +0100
Subject: [PATCH 012/379] update
---
 internal/console/scan.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/console/scan.go b/internal/console/scan.go
index df5ed692f7b..327f5236565 100644
--- a/internal/console/scan.go
+++ b/internal/console/scan.go
@@ -116,6 +116,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
 ExcludeQueries: flags.GetMultiStrFlag(flags.ExcludeQueriesFlag),
 ExcludeResults: flags.GetMultiStrFlag(flags.ExcludeResultsFlag),
 ExcludeSeverities: flags.GetMultiStrFlag(flags.ExcludeSeveritiesFlag),
+ ExperimentalFeatures flags.GetMultiStrFlag(flags.ExperimentalFeatures),
 IncludeQueries: flags.GetMultiStrFlag(flags.IncludeQueriesFlag),
 InputData: flags.GetStrFlag(flags.InputDataFlag),
 OutputName: flags.GetStrFlag(flags.OutputNameFlag),
From 4bed123546e0120cd16c5a14fa3c49e2bf248d56 Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Fri, 25 Aug 2023 13:55:56 +0100
Subject: [PATCH 013/379] add experimental-queries flag and logic
---
 assets/utils/experimental-queries.json | 4 +
 docs/commands.md | 8 +-
 docs/dockerhub.md | 8 +-
 e2e/fixtures/assets/scan_help | 8 +-
 internal/console/assets/scan-flags.json | 4 +-
 internal/console/flags/scan_flags.go | 64 +++++++-------
 internal/console/scan.go | 2 +-
 pkg/engine/inspector_test.go | 4 +-
 pkg/engine/source/filesystem.go | 52 +++++++++---
 pkg/engine/source/filesystem_test.go | 107 ++++++++++++++----------
 pkg/engine/source/source.go | 9 +-
 pkg/remediation/scan.go | 3 +-
 pkg/scan/client.go | 1 +
 pkg/scan/scan.go | 12 +--
 pkg/scanner/scanner_test.go | 2 +-
 15 files changed, 173 insertions(+), 115 deletions(-)
 create mode 100644 assets/utils/experimental-queries.json
diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json
new file mode 100644
index 00000000000..2c7dba6e10e
--- /dev/null
+++ b/assets/utils/experimental-queries.json
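Review bot: `ExperimentalFeatures flags.GetMultiStrFlag(flags.ExperimentalFeatures),` is missing the `:` between the field name and its value, and `flags.ExperimentalFeatures` is not a constant this series declares — patch 004 added `ExperimentalFeaturesFlag` — so the file does not compile as written. The line should read `ExperimentalFeatures: flags.GetMultiStrFlag(flags.ExperimentalFeaturesFlag),`, assuming the parameters struct already has an `ExperimentalFeatures` field (not visible here). Patch 013 later renames the flag to experimental-queries, so whichever constant survives should be used consistently across scan_flags.go and scan.go. `getScanParameters` begins and ends outside the hunk.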
@@ -0,0 +1,4 @@ +[ + "terraform/nifcloud", + "terraform/databricks" +] \ No newline at end of file diff --git a/docs/commands.md b/docs/commands.md index aa95e00e124..fb0de28a2e1 100644 --- a/docs/commands.md +++ b/docs/commands.md @@ -67,10 +67,10 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' - --experimental-features strings includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature - can be provided multiple times or as a comma separated string - example: 'databricks,nifcloud' - possible values: 'databricks, nifcloud' + --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) + example: 'terraform/databricks' + possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index bc00114e0a7..0a7ed12ffaf 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md 
@@ -104,10 +104,10 @@ Flags: --exclude-severities strings exclude results by providing the severity of a result can be provided multiple times or as a comma separated string example: 'info,low' - --experimental-features strings includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature - can be provided multiple times or as a comma separated string - example: 'databricks,nifcloud' - possible values: 'databricks, nifcloud' + --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) + example: 'terraform/databricks' + possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 0545aa92b73..c9646b61bbc 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -28,10 +28,10 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags - --experimental-features strings includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature - can be provided multiple times or as a comma separated string - example: 'databricks,nifcloud' - possible values: 'databricks, nifcloud' + --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) + example: 'terraform/databricks' + possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 3f66f363798..0f2ebb76466 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json 
@@ -59,11 +59,11 @@ "defaultValue": "false", "usage": "include bill of materials (BoM) in results output" }, - "experimental-features": { + "experimental-queries": { "flagType": "multiStr", "shorthandFlag": "", "defaultValue": null, - "usage": "includes queries from experimental features (features not yet fully reviwed) by providing the name of a feature\n${sliceInstructions}\nexample: 'databricks,nifcloud'", + "usage": "includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder\nexample: 'terraform/databricks'", "validation": "sliceFlagsShouldNotStartWithFlags,validateMultiStrEnum" }, "fail-on": { diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go index b18649422d0..c2d2288aca8 100644 --- a/internal/console/flags/scan_flags.go +++ b/internal/console/flags/scan_flags.go 
@@ -2,36 +2,36 @@ package flags // Flags constants for scan const ( - BomFlag = "bom" - CloudProviderFlag = "cloud-provider" - ConfigFlag = "config" - DisableFullDescFlag = "disable-full-descriptions" - ExcludeCategoriesFlag = "exclude-categories" - ExcludePathsFlag = "exclude-paths" - ExcludeQueriesFlag = "exclude-queries" - ExcludeResultsFlag = "exclude-results" - ExcludeSeveritiesFlag = "exclude-severities" - ExperimentalFeaturesFlag = "experimental-features" - IncludeQueriesFlag = "include-queries" - InputDataFlag = "input-data" - FailOnFlag = "fail-on" - IgnoreOnExitFlag = "ignore-on-exit" - MinimalUIFlag = "minimal-ui" - NoProgressFlag = "no-progress" - OutputNameFlag = "output-name" - OutputPathFlag = "output-path" - PathFlag = "path" - PayloadPathFlag = "payload-path" - PreviewLinesFlag = "preview-lines" - QueriesPath = "queries-path" - LibrariesPath = "libraries-path" - ReportFormatsFlag = "report-formats" - TypeFlag = "type" - ExcludeTypeFlag = "exclude-type" - TerraformVarsPathFlag = "terraform-vars-path" - QueryExecTimeoutFlag = "timeout" - LineInfoPayloadFlag = "payload-lines" - DisableSecretsFlag = "disable-secrets" - SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec - ExcludeGitIgnore = "exclude-gitignore" + BomFlag = "bom" + CloudProviderFlag = "cloud-provider" + ConfigFlag = "config" + DisableFullDescFlag = "disable-full-descriptions" + ExcludeCategoriesFlag = "exclude-categories" + ExcludePathsFlag = "exclude-paths" + ExcludeQueriesFlag = "exclude-queries" + ExcludeResultsFlag = "exclude-results" + ExcludeSeveritiesFlag = "exclude-severities" + ExperimentalQueriesFlag = "experimental-queries" + IncludeQueriesFlag = "include-queries" + InputDataFlag = "input-data" + FailOnFlag = "fail-on" + IgnoreOnExitFlag = "ignore-on-exit" + MinimalUIFlag = "minimal-ui" + NoProgressFlag = "no-progress" + OutputNameFlag = "output-name" + OutputPathFlag = "output-path" + PathFlag = "path" + PayloadPathFlag = "payload-path" + PreviewLinesFlag = 
"preview-lines" + QueriesPath = "queries-path" + LibrariesPath = "libraries-path" + ReportFormatsFlag = "report-formats" + TypeFlag = "type" + ExcludeTypeFlag = "exclude-type" + TerraformVarsPathFlag = "terraform-vars-path" + QueryExecTimeoutFlag = "timeout" + LineInfoPayloadFlag = "payload-lines" + DisableSecretsFlag = "disable-secrets" + SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec + ExcludeGitIgnore = "exclude-gitignore" ) diff --git a/internal/console/scan.go b/internal/console/scan.go index 327f5236565..52524ae3b48 100644 --- a/internal/console/scan.go +++ b/internal/console/scan.go @@ -116,7 +116,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool ExcludeQueries: flags.GetMultiStrFlag(flags.ExcludeQueriesFlag), ExcludeResults: flags.GetMultiStrFlag(flags.ExcludeResultsFlag), ExcludeSeverities: flags.GetMultiStrFlag(flags.ExcludeSeveritiesFlag), - ExperimentalFeatures flags.GetMultiStrFlag(flags.ExperimentalFeatures), + ExperimentalQueries: flags.GetMultiStrFlag(flags.ExperimentalQueriesFlag), IncludeQueries: flags.GetMultiStrFlag(flags.IncludeQueriesFlag), InputData: flags.GetStrFlag(flags.InputDataFlag), OutputName: flags.GetStrFlag(flags.OutputNameFlag), diff --git a/pkg/engine/inspector_test.go b/pkg/engine/inspector_test.go index cf52684ff0b..4e5b584d95b 100644 --- a/pkg/engine/inspector_test.go +++ b/pkg/engine/inspector_test.go 
@@ -678,7 +678,7 @@ func TestShouldSkipFile(t *testing.T) { } func newInspectorInstance(t *testing.T, queryPath []string) *Inspector { - querySource := source.NewFilesystemSource(queryPath, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries")) + querySource := source.NewFilesystemSource(queryPath, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), filepath.FromSlash("./assets/utils/experimental-queries.json")) var vb = func(ctx *QueryContext, tracker Tracker, v interface{}, detector *detector.DetectLine) (*model.Vulnerability, error) { return &model.Vulnerability{}, nil @@ -701,7 +701,7 @@ type mockSource struct { } func (m *mockSource) GetQueries(queryFilter *source.QueryInspectorParameters) ([]model.QueryMetadata, error) { - sources := source.NewFilesystemSource(m.Source, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries")) + sources := source.NewFilesystemSource(m.Source, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), filepath.FromSlash("./assets/utils/experimental-queries.json")) return sources.GetQueries(queryFilter) } diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index a8796dc4e80..b041edb2347 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -3,6 +3,7 @@ package source import ( "encoding/json" "fmt" + "io/ioutil" "os" "path" "path/filepath" @@ -21,10 +22,11 @@ import ( // Source is the path to the queries // Types are the types given by the flag --type for query selection mechanism type FilesystemSource struct { - Source []string - Types []string - CloudProviders []string - Library string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalFeatures string } const ( 
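Review bot: The new `FilesystemSource` field is named `ExperimentalFeatures` but holds the path of the experimental-queries JSON file, while the same commit renames everything else from "features" to "queries" (`ExperimentalQueriesFlag`, `QueryInspectorParameters.ExperimentalQueries`); `ExperimentalQueriesPath string` would say what it is. The doc comment above the struct describes `Source` and `Types` only; add `// ExperimentalQueriesPath is the path to the JSON list of query folders that are loaded only when requested through --experimental-queries`. The same naming carries into the `experimentalFeaturesPath` parameter of `NewFilesystemSource` in the following hunk.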
@@ -43,7 +45,7 @@ const ( ) // NewFilesystemSource initializes a NewFilesystemSource with source to queries and types of queries to load -func NewFilesystemSource(source, types, cloudProviders []string, libraryPath string) *FilesystemSource { +func NewFilesystemSource(source, types, cloudProviders []string, libraryPath string, experimentalFeaturesPath string) *FilesystemSource { log.Debug().Msg("source.NewFilesystemSource()") if len(types) == 0 { @@ -59,10 +61,11 @@ func NewFilesystemSource(source, types, cloudProviders []string, libraryPath str } return &FilesystemSource{ - Source: source, - Types: types, - CloudProviders: cloudProviders, - Library: filepath.FromSlash(libraryPath), + Source: source, + Types: types, + CloudProviders: cloudProviders, + Library: filepath.FromSlash(libraryPath), + ExperimentalFeatures: experimentalFeaturesPath, } } @@ -242,8 +245,25 @@ func checkQueryExclude(metadata map[string]interface{}, queryParameters *QueryIn // QueryMetadata struct func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) ([]model.QueryMetadata, error) { queryDirs := make([]string, 0) + queries := make([]model.QueryMetadata, 0, len(queryDirs)) + experimentalQueriesPaths := make([]string, 0) var err error + if s.ExperimentalFeatures != "" { + + experimentalQueriesFile, err := os.Open(s.ExperimentalFeatures) + if err != nil { + return queries, nil + } + + defer experimentalQueriesFile.Close() + + byteValue, _ := ioutil.ReadAll(experimentalQueriesFile) + + json.Unmarshal(byteValue, &experimentalQueriesPaths) + + } + for _, source := range s.Source { err = filepath.Walk(source, func(p string, f os.FileInfo, err error) error { 
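Review bot: When `os.Open(s.ExperimentalFeatures)` fails, the new block does `return queries, nil`, handing the caller an empty query list with no error, so a missing or unreadable experimental-queries.json turns every scan into a clean no-op; the errors from `ioutil.ReadAll` and `json.Unmarshal` are discarded as well, so a malformed file silently yields an empty list. The `err :=` on that line also shadows the `var err error` declared just above it, and `io/ioutil` is deprecated in favour of `io`/`os` since Go 1.16, which the `os.ReadFile` call in filesystem_test.go shows is already available to this module. Reading the file with `os.ReadFile` and returning both errors keeps the scan fail-closed; if ignoring an absent list is intended, log it at warning level rather than returning a nil error with no queries. GetQueries continues outside the hunk.
```go
	queryDirs := make([]string, 0)
	queries := make([]model.QueryMetadata, 0)
	experimentalQueriesPaths := make([]string, 0)
	var err error

	if s.ExperimentalFeatures != "" {
		raw, readErr := os.ReadFile(s.ExperimentalFeatures)
		if readErr != nil {
			return nil, fmt.Errorf("reading experimental queries list %q: %w", s.ExperimentalFeatures, readErr)
		}
		if unmarshalErr := json.Unmarshal(raw, &experimentalQueriesPaths); unmarshalErr != nil {
			return nil, fmt.Errorf("parsing experimental queries list %q: %w", s.ExperimentalFeatures, unmarshalErr)
		}
	}
	// … unchanged: filepath.Walk over s.Source …
```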
@@ -255,7 +275,18 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) return nil } - queryDirs = append(queryDirs, filepath.Dir(p)) + //if in experimental feature flag and not in json + querypathDir := filepath.Dir(p) + //in json + inJson := false + for _, queryPath := range experimentalQueriesPaths { + if strings.Contains(querypathDir, queryPath) { + inJson = true + } + } + if true || !inJson { + queryDirs = append(queryDirs, querypathDir) + } return nil }) if err != nil { @@ -263,7 +294,6 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) } } - queries := make([]model.QueryMetadata, 0, len(queryDirs)) for _, queryDir := range queryDirs { query, errRQ := ReadQuery(queryDir) if errRQ != nil { diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go index ea33f4ef36e..0f041f0b005 100644 --- a/pkg/engine/source/filesystem_test.go +++ b/pkg/engine/source/filesystem_test.go @@ -23,10 +23,11 @@ func BenchmarkFilesystemSource_GetQueries(b *testing.B) { b.Fatal(err) } type fields struct { - Source []string - Types []string - CloudProviders []string - Library string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalFeatures string } tests := []struct { name string 
@@ -35,16 +36,17 @@ func BenchmarkFilesystemSource_GetQueries(b *testing.B) { { name: "testing_all_paths", fields: fields{ - Source: []string{"./assets/queries/"}, - Types: []string{""}, - CloudProviders: []string{""}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/"}, + Types: []string{""}, + CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, }, } for _, tt := range tests { b.Run(tt.name, func(b *testing.B) { - s := NewFilesystemSource(tt.fields.Source, tt.fields.Types, tt.fields.CloudProviders, tt.fields.Library) + s := NewFilesystemSource(tt.fields.Source, tt.fields.Types, tt.fields.CloudProviders, tt.fields.Library, tt.fields.ExperimentalFeatures) for n := 0; n < b.N; n++ { filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ByIDs: []string{}}, @@ -67,10 +69,11 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint contentByte, err := os.ReadFile(filepath.FromSlash("./test/fixtures/get_queries_test/content_get_queries.rego")) require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalFeatures string } tests := []struct { name string @@ -86,6 +89,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint fields: fields{ Source: []string{source}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, excludeCategory: []string{}, excludeSeverities: []string{}, 
@@ -159,7 +163,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ByIDs: []string{}}, ExcludeQueries: ExcludeQueries{ByIDs: tt.excludeIDs, ByCategories: tt.excludeCategory, BySeverities: tt.excludeSeverities}, @@ -189,10 +193,11 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalFeatures string } tests := []struct { name string @@ -204,7 +209,9 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { { name: "get_queries_with_include_result_1", fields: fields{ - Source: []string{source}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", + Source: []string{source}, Types: []string{""}, CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, includeIDs: []string{"57b9893d-33b1-4419-bcea-b828fb87e318"}, want: []model.QueryMetadata{ @@ -248,7 +255,7 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ ByIDs: tt.includeIDs, 
@@ -281,8 +288,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint t.Fatal(err) } type fields struct { - Source []string - Library string + Source []string + Library string + ExperimentalFeatures string } type args struct { platform string @@ -297,8 +305,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_terraform", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "terraform", @@ -309,8 +318,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_common", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "common", @@ -321,8 +331,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_cloudformation", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "cloudFormation", @@ -333,8 +344,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_ansible", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "ansible", 
@@ -345,8 +357,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_dockerfile", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "dockerfile", @@ -357,8 +370,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_k8s", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "k8s", @@ -369,8 +383,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_unknown", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, args: args{ platform: "unknown", @@ -381,7 +396,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) got, err := s.GetQueryLibrary(tt.args.platform) if (err != nil) != tt.wantErr { 
@@ -405,10 +420,11 @@ func TestFilesystemSource_GetQueries(t *testing.T) { require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalFeatures string } tests := []struct { name string @@ -419,7 +435,9 @@ func TestFilesystemSource_GetQueries(t *testing.T) { { name: "get_queries_1", fields: fields{ - Source: []string{source, source}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", + Source: []string{source, source}, Types: []string{""}, CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, want: []model.QueryMetadata{ { @@ -460,7 +478,8 @@ func TestFilesystemSource_GetQueries(t *testing.T) { { name: "get_queries_error", fields: fields{ - Source: []string{"../no-path"}, + Source: []string{"../no-path"}, + ExperimentalFeatures: "./assets/utils/experimental-queries.json", }, want: nil, wantErr: true, @@ -468,7 +487,7 @@ func TestFilesystemSource_GetQueries(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ ByIDs: []string{}}, diff --git a/pkg/engine/source/source.go b/pkg/engine/source/source.go index 3374a203aa8..2b70137ffc9 100644 --- a/pkg/engine/source/source.go +++ b/pkg/engine/source/source.go 
@@ -13,10 +13,11 @@ import ( // QueryInspectorParameters is a struct that represents the optionn to select queries to be executed type QueryInspectorParameters struct { - IncludeQueries IncludeQueries - ExcludeQueries ExcludeQueries - InputDataPath string - BomQueries bool + IncludeQueries IncludeQueries + ExcludeQueries ExcludeQueries + ExperimentalQueries []string + InputDataPath string + BomQueries bool } // ExcludeQueries is a struct that represents the option to exclude queries by ids or by categories diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index 84b91aba97d..9b0fefaeee0 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -208,7 +208,8 @@ func initScan(queryID string) (*engine.Inspector, error) { c.ScanParams.QueriesPath, c.ScanParams.Platform, c.ScanParams.CloudProvider, - c.ScanParams.LibrariesPath) + c.ScanParams.LibrariesPath, + "./assets/utils/experimental-queries.json") includeQueries := source.IncludeQueries{ ByIDs: []string{queryID}, diff --git a/pkg/scan/client.go b/pkg/scan/client.go index b2065b571be..55b07a72cb9 100644 --- a/pkg/scan/client.go +++ b/pkg/scan/client.go @@ -21,6 +21,7 @@ type Parameters struct { ExcludeQueries []string ExcludeResults []string ExcludeSeverities []string + ExperimentalQueries []string IncludeQueries []string InputData string OutputName string diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 6a3ff3dde7a..92b56831988 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -58,7 +58,8 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { c.ScanParams.QueriesPath, c.ScanParams.Platform, c.ScanParams.CloudProvider, - c.ScanParams.LibrariesPath) + c.ScanParams.LibrariesPath, + "./assets/utils/experimental-queries.json") queryFilter := c.createQueryFilter() 
@@ -198,10 +199,11 @@ func (c *Client) createQueryFilter() *source.QueryInspectorParameters { } queryFilter := source.QueryInspectorParameters{ - IncludeQueries: includeQueries, - ExcludeQueries: excludeQueries, - InputDataPath: c.ScanParams.InputData, - BomQueries: c.ScanParams.BillOfMaterials, + IncludeQueries: includeQueries, + ExcludeQueries: excludeQueries, + ExperimentalQueries: c.ScanParams.ExperimentalQueries, + InputDataPath: c.ScanParams.InputData, + BomQueries: c.ScanParams.BillOfMaterials, } return &queryFilter diff --git a/pkg/scanner/scanner_test.go b/pkg/scanner/scanner_test.go index 24463b1206f..d479778e2cf 100644 --- a/pkg/scanner/scanner_test.go +++ b/pkg/scanner/scanner_test.go @@ -97,7 +97,7 @@ func createServices(types, cloudProviders []string) (serviceSlice, *storage.Memo } t := &tracker.CITracker{} - querySource := source.NewFilesystemSource(sourcePath, types, cloudProviders, filepath.FromSlash("../../assets/libraries")) + querySource := source.NewFilesystemSource(sourcePath, types, cloudProviders, filepath.FromSlash("../../assets/libraries"), filepath.FromSlash("../../assets/utils/experimental-queries.json")) inspector, err := engine.NewInspector(context.Background(), querySource, engine.DefaultVulnerabilityBuilder, From 596df8a6f065faef3e7beb7bd7ee22c90d45f8d6 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Fri, 25 Aug 2023 16:46:03 +0100 Subject: [PATCH 014/379] fix path error --- assets/utils/experimental-queries.json | 2 -- internal/console/assets/scan-flags.json | 2 +- pkg/engine/source/filesystem.go | 33 +++++++++++++++++++------ pkg/remediation/scan.go | 3 ++- pkg/scan/scan.go | 3 ++- 5 files changed, 31 insertions(+), 12 deletions(-) diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json index 2c7dba6e10e..32960f8ced3 100644 --- a/assets/utils/experimental-queries.json +++ b/assets/utils/experimental-queries.json 
@@ -1,4 +1,2 @@
 [
- "terraform/nifcloud",
- "terraform/databricks"
 ]
\ No newline at end of file
diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json
index 0f2ebb76466..6d574e80b86 100644
--- a/internal/console/assets/scan-flags.json
+++ b/internal/console/assets/scan-flags.json
@@ -64,7 +64,7 @@
 "shorthandFlag": "",
 "defaultValue": null,
 "usage": "includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder\nexample: 'terraform/databricks'",
- "validation": "sliceFlagsShouldNotStartWithFlags,validateMultiStrEnum"
+ "validation": "validateMultiStr"
 },
 "fail-on": {
 "flagType": "multiStr",
diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
index b041edb2347..7fdbe719021 100644
--- a/pkg/engine/source/filesystem.go
+++ b/pkg/engine/source/filesystem.go
@@ -275,16 +275,35 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) return nil } - //if in experimental feature flag and not in json querypathDir := filepath.Dir(p) - //in json - inJson := false - for _, queryPath := range experimentalQueriesPaths { - if strings.Contains(querypathDir, queryPath) { - inJson = true + absQueriesPath, err := filepath.Abs("./assets/queries") + if err == nil { + var cleanPlatformCloudProviderDir string + cleanPlatformCloudProviderDir, err = filepath.Rel(absQueriesPath, querypathDir) + if err == nil { + cleanPlatformCloudProviderDir = filepath.ToSlash(cleanPlatformCloudProviderDir) + inExperimentalQueriesJSON := false + for _, queryPath := range experimentalQueriesPaths { + if strings.Contains(querypathDir, queryPath) { + inExperimentalQueriesJSON = true + break + } + } + + inExperimentalQueriesFlag := false + for _, experimentalFlag := range queryParameters.ExperimentalQueries { + if strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag) { + inExperimentalQueriesFlag = true + break + } + } + + if inExperimentalQueriesFlag || !inExperimentalQueriesJSON { + queryDirs = append(queryDirs, querypathDir) + } } } - if true || !inJson { + if err != nil { queryDirs = append(queryDirs, querypathDir) } return nil diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index 9b0fefaeee0..a64a27c22ca 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "errors" + "path/filepath" "time" "github.com/Checkmarx/kics/pkg/engine" @@ -209,7 +210,7 @@ func initScan(queryID string) (*engine.Inspector, error) { c.ScanParams.Platform, c.ScanParams.CloudProvider, c.ScanParams.LibrariesPath, - "./assets/utils/experimental-queries.json") + filepath.FromSlash("./assets/utils/experimental-queries.json")) includeQueries := source.IncludeQueries{ ByIDs: []string{queryID}, 
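Review bot: The membership test against the JSON list still uses `strings.Contains(querypathDir, queryPath)` on the raw OS path even though the slash-normalised, queries-root-relative `cleanPlatformCloudProviderDir` is computed right above it: on Windows `terraform/databricks` never matches a backslash-separated path, so listed experimental queries are loaded regardless of the flag, and on any OS a substring match also fires when an ancestor directory happens to contain that text. Use the same form as the flag check, `if strings.HasPrefix(cleanPlatformCloudProviderDir, queryPath) {`. Separately, `filepath.Abs("./assets/queries")` is hard-coded and resolved against the working directory rather than the `source` root being walked, and it is recomputed for every file; when `--queries-path` points elsewhere, `filepath.Rel` yields a `../`-prefixed path that no flag value can match, so on a Unix path those experimental queries cannot be enabled at all — compute the root once from `source` before the callback. The `if err != nil` fallback at the bottom appends the directory unconditionally, so any Abs/Rel error also fails open. GetQueries starts and ends outside the hunk.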
diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 92b56831988..d8821a802b7 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -4,6 +4,7 @@ package scan import ( "context" "os" + "path/filepath" "github.com/Checkmarx/kics/assets" "github.com/Checkmarx/kics/pkg/engine" @@ -59,7 +60,7 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { c.ScanParams.Platform, c.ScanParams.CloudProvider, c.ScanParams.LibrariesPath, - "./assets/utils/experimental-queries.json") + filepath.FromSlash("./assets/utils/experimental-queries.json")) queryFilter := c.createQueryFilter() From 7f0e1104e93c61bb1b002055ffc84ccbecb9a90e Mon Sep 17 00:00:00 2001 From: Tom Knobel Date: Sun, 27 Aug 2023 11:55:33 +0300 Subject: [PATCH 015/379] feat(CLI): add new flag --max-file-size to controle the max file size allwed to scan --- e2e/fixtures/assets/scan_help | 1 + internal/console/assets/scan-flags.json | 6 + internal/console/flags/scan_flags.go | 2 + internal/console/scan.go | 1 + pkg/kics/service.go | 4 +- pkg/kics/sink.go | 2 +- pkg/scan/client.go | 1 + pkg/scan/scan.go | 1 + tools/go.sum | 1563 +++++++++++++++++++++++ 9 files changed, 1578 insertions(+), 3 deletions(-) create mode 100644 tools/go.sum diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 44a266fcb54..6fcaa40693c 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -41,6 +41,7 @@ Flags: example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' --input-data string path to query input data files -b, --libraries-path string path to directory with libraries (default "./assets/libraries") + --max-file-size int max file size that allowed to scan in MB (default 5) --minimal-ui simplified version of CLI output --no-progress hides the progress bar --output-name string name used on report creations (default "results") 
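Review bot: `filepath.FromSlash("./assets/utils/experimental-queries.json")` only fixes the separator; the path is still resolved against the process working directory, whereas the neighbouring `QueriesPath` and `LibrariesPath` arguments come from `c.ScanParams`. Run from any other directory, or through pkg/scan as a library, the file is not found, and with GetQueries currently treating an open failure as "no queries" the scan silently changes what it executes; the same literal is duplicated in pkg/remediation/scan.go in the previous hunk. Add an `ExperimentalQueriesPath string` to `scan.Parameters` that the flag layer defaults, or derive it from `c.ScanParams.QueriesPath`, and pass that here. initScan starts and ends outside the hunk.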
diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 34aa8ae0ff9..777cb72b37b 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -195,5 +195,11 @@ "shorthandFlag": "", "defaultValue": "false", "usage": "disables the exclusion of paths specified within .gitignore file" + }, + "max-file-size": { + "flagType": "int", + "shorthandFlag": "", + "defaultValue": "5", + "usage": "max file size that allowed to scan in MB" } } diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go index d994d9f3bea..f4a1f3c380a 100644 --- a/internal/console/flags/scan_flags.go +++ b/internal/console/flags/scan_flags.go @@ -33,4 +33,6 @@ const ( DisableSecretsFlag = "disable-secrets" SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec ExcludeGitIgnore = "exclude-gitignore" + MaxFileSizeFlag = "max-file-size" // orca-specifics + ) diff --git a/internal/console/scan.go b/internal/console/scan.go index df5ed692f7b..746147597f8 100644 --- a/internal/console/scan.go +++ b/internal/console/scan.go @@ -138,6 +138,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool ChangedDefaultQueryPath: changedDefaultQueryPath, BillOfMaterials: flags.GetBoolFlag(flags.BomFlag), ExcludeGitIgnore: flags.GetBoolFlag(flags.ExcludeGitIgnore), + MaxFileSizeFlag: flags.GetIntFlag(flags.MaxFileSizeFlag), } return &scanParams diff --git a/pkg/kics/service.go b/pkg/kics/service.go index e2ba6feb1c4..b04e8819ccf 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go @@ -58,6 +58,7 @@ type Service struct { Tracker Tracker Resolver *resolver.Resolver files model.FileMetadatas + MaxFileSize int } // PrepareSources will prepare the sources to be scanned 
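Review bot: The new `max-file-size` entry in scan-flags.json carries no `validation` key, so `0` or a negative value is accepted and flows through `Parameters.MaxFileSizeFlag` into `Service.MaxFileSize` and on to `getContent` (next hunks) with nothing in between enforcing a positive limit; the removed `maxSizeMB := 5` was the only floor. Since the cap exists, per the comment above getContent, to prevent resource exhaustion, add a validation entry if the flag layer has an int validator, or guard inside getContent with `if maxSizeMB <= 0 { maxSizeMB = 5 }` so that callers of pkg/scan that never set the field keep the old default. In scan_flags.go the constant is followed by an unexplained `// orca-specifics` comment and a stray blank line before `)`; either explain the comment or drop it. getContent's body is outside the hunk, so how it currently treats a non-positive limit cannot be confirmed here.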
@@ -130,8 +131,7 @@ type Content struct { getContent will read the passed file 1MB at a time to prevent resource exhaustion and return its content */ -func getContent(rc io.Reader, data []byte) (*Content, error) { - maxSizeMB := 5 // Max size of file in MBs +func getContent(rc io.Reader, data []byte, maxSizeMB int) (*Content, error) { var content []byte countLines := 0 diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go index a1acf322b32..bc65651fdd2 100644 --- a/pkg/kics/sink.go +++ b/pkg/kics/sink.go @@ -30,7 +30,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reade s.Tracker.TrackFileFound() log.Debug().Msgf("Starting to process file %s", filename) - c, err := getContent(rc, data) + c, err := getContent(rc, data, s.MaxFileSize) *c.Content = resolveCRLFFile(*c.Content) content := c.Content diff --git a/pkg/scan/client.go b/pkg/scan/client.go index b2065b571be..b146fe8a505 100644 --- a/pkg/scan/client.go +++ b/pkg/scan/client.go @@ -43,6 +43,7 @@ type Parameters struct { ScanID string BillOfMaterials bool ExcludeGitIgnore bool + MaxFileSizeFlag int } // Client represents a scan client diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index bb376ad9aee..b4e1ca5982e 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -256,6 +256,7 @@ func (c *Client) createService( SecretsInspector: secretsInspector, Tracker: t, Resolver: combinedResolver, + MaxFileSize: c.ScanParams.MaxFileSizeFlag, }, ) } diff --git a/tools/go.sum b/tools/go.sum new file mode 100644 index 00000000000..cefa8e614e6 --- /dev/null +++ b/tools/go.sum 
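Review bot: The doc comment above `getContent` still reads "will read the passed file 1MB at a time to prevent resource exhaustion" and says nothing about the new `maxSizeMB` parameter, which now decides when a file is rejected; extend it with `maxSizeMB is the largest file, in MB, that will be read in full` (worded to match what the body actually does, which is outside the hunk). On naming, `Parameters.MaxFileSizeFlag` is the only field in that struct suffixed with `Flag` (compare `BillOfMaterials`, `ExcludeGitIgnore`) while the `Service` field is `MaxFileSize`; `MaxFileSize int` on both keeps them consistent. In sink.go, `c, err := getContent(rc, data, s.MaxFileSize)` is followed directly by `*c.Content = resolveCRLFFile(*c.Content)`; unless the collapsed blank line hides an `err` check, an over-limit file dereferences whatever getContent returns on error, so that is worth confirming.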
@@ -0,0 +1,1563 @@ +4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo= +bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= +bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= 
+cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.82.0/go.mod h1:vlKccHJGuFBFufnAnuB08dfEH9Y3H7dzDzRECFdC2TA= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= +cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= +cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.88.0/go.mod h1:dnKwfYbP9hQhefiUvpbcAyoGSHUrOxR20JVElLiUvEY= +cloud.google.com/go v0.89.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.92.2/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.92.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.94.0/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= +cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= +cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= +cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= +cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= 
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= +cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= +cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/firestore v1.5.0/go.mod h1:c4nNYR1qdq7eaZ+jSc5fonrQN2k3M7sWATcYTiakjEo= +cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY= +cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/kms v0.1.0/go.mod h1:8Qp8PCAypHg4FdmlyW1QRAv09BGQ9Uzh7JnmIZxPk+c= +cloud.google.com/go/monitoring v0.1.0/go.mod h1:Hpm3XfzJv+UTiXzCG5Ffp0wijzHTC7Cv4eR7o3x/fEE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= +cloud.google.com/go/pubsub v1.16.0/go.mod h1:6A8EfoWZ/lUvCWStKGwAWauJZSiuV0Mkmu6WilK/TxQ= +cloud.google.com/go/secretmanager v0.1.0/go.mod h1:3nGKHvnzDUVit7U0S9KAKJ4aOsO1xtwRG+7ey5LK1bM= +cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod 
h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= +cloud.google.com/go/storage v1.16.1/go.mod h1:LaNorbty3ehnU3rEjXSNV/NRgQA0O8Y+uh6bPe5UOk4= +cloud.google.com/go/trace v0.1.0/go.mod h1:wxEwsoeRVPbeSkt7ZC9nWCgmoKQRAoySN7XHW2AmI7g= +code.gitea.io/gitea-vet v0.2.1/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE= +code.gitea.io/sdk/gitea v0.15.1/go.mod h1:klY2LVI3s3NChzIk/MzMn7G1FHrfU7qd63iSMVoHRBA= +contrib.go.opencensus.io/exporter/aws v0.0.0-20200617204711-c478e41e60e9/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= +contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= +contrib.go.opencensus.io/exporter/stackdriver v0.13.8/go.mod h1:huNtlWx75MwO7qMs0KrMxPZXzNNWebav1Sq/pm02JdQ= +contrib.go.opencensus.io/integrations/ocsql v0.1.7/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/AlekSi/pointer v1.2.0/go.mod h1:gZGfd3dpW4vEc/UlyfKKi1roIqcCgwOIvb0tSNSBle0= +github.com/Antonboom/errname v0.1.6/go.mod h1:7lz79JAnuoMNDAWE9MeeIr1/c/VpSUWatBv2FH9NYpI= +github.com/Antonboom/nilnil v0.1.1/go.mod h1:L1jBqoWM7AOeTD+tSquifKSesRHs4ZdaxvZR+xdJEaI= +github.com/Azure/azure-amqp-common-go/v3 v3.1.0/go.mod h1:PBIGdzcO1teYoufTKMcGibdKaYZv4avS+O6LNIp8bq0= +github.com/Azure/azure-amqp-common-go/v3 v3.1.1/go.mod h1:YsDaPfaO9Ub2XeSKdIy2DfwuiQlHQCauHJwSqtrkECI= +github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k= +github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod 
h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v57.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-service-bus-go v0.10.16/go.mod h1:MlkLwGGf1ewcx5jZadn0gUEty+tTg0RaElr6bPf+QhI= +github.com/Azure/azure-storage-blob-go v0.14.0/go.mod h1:SMqIBi+SuiQH32bvyjngEewEeXoPfKMgWlBDaYf6fck= +github.com/Azure/go-amqp v0.13.0/go.mod h1:qj+o8xPCz9tMSbQ83Vp8boHahuRDl5mkNHyt1xlxUTs= +github.com/Azure/go-amqp v0.13.11/go.mod h1:D5ZrjQqB1dyp1A+G73xeL/kNn7D5qHJIIsNNps7YNmk= +github.com/Azure/go-amqp v0.13.12/go.mod h1:D5ZrjQqB1dyp1A+G73xeL/kNn7D5qHJIIsNNps7YNmk= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.3/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= +github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest v0.11.20/go.mod h1:o3tqFY+QR40VOlk+pV4d77mORO64jOXSgEnPQgLK6JY= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk= +github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.15/go.mod h1:tGMin8I49Yij6AQ+rvV+Xa/zwxYQB5hmsd6DkfAx2+A= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.8/go.mod h1:kxyKZTSfKh8OVFWPAgOgQ/frrJgeYQJPyR5fLFmXko4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod 
h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.3/go.mod h1:yAQ2b6eP/CmLPnmLvxtT1ALIY3OR1oFcCqVBi8vHiTc= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= +github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/DisgoOrg/disgohook v1.4.4/go.mod h1:l7r9dZgfkA3KiV+ErxqweKaknnskmzZO+SRTNHvJTUU= +github.com/DisgoOrg/log v1.1.0/go.mod h1:Qihgz6fax3JCfuO7vxVavL0LyHS0sUdQ9OmykQ2fiQs= +github.com/DisgoOrg/restclient v1.2.8/go.mod h1:2pc/htya/5kjxvWNYya98sb8B4mexobxmWvhTiWPt94= +github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= +github.com/GaijinEntertainment/go-exhaustruct/v2 v2.1.0/go.mod h1:LGOGuvEgCfCQsy3JF2tRmpGDpzA53iZfyGEWSPwQ6/4= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.24.0/go.mod 
h1:3tx938GhY4FC+E1KT/jNjDw7Z5qxAEtIiERJ2sXjnII= +github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= +github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= +github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= +github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/OpenPeeDeeP/depguard v1.1.0/go.mod h1:JtAMzWkmFEzDPyAd+W0NHl1lvpQKTvT9jnRVsohBKpc= +github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= +github.com/ProtonMail/go-crypto v0.0.0-20210512092938-c05353c2d58c/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= +github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= +github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= +github.com/alecthomas/jsonschema v0.0.0-20211209230136-e2b41affa5c1/go.mod h1:/n6+1/DWPltRLWL/VKyUxg6tzsl5kHUCcraimt4vr60= +github.com/alecthomas/template 
v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= +github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= +github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= +github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= +github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA= +github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo= +github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE= +github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod 
h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/ashanbrown/forbidigo v1.3.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI= +github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI= +github.com/atc0005/go-teams-notify/v2 v2.6.1/go.mod h1:xo6GejLDHn3tWBA181F8LrllIL0xC1uRsRxq7YNXaaY= +github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= +github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go v1.40.34/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go-v2 v1.9.0/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4= +github.com/aws/aws-sdk-go-v2/config v1.7.0/go.mod h1:w9+nMZ7soXCe5nT46Ri354SNhXDQ6v+V5wqDjnZE+GY= +github.com/aws/aws-sdk-go-v2/credentials v1.4.0/go.mod h1:dgGR+Qq7Wjcd4AOAW5Rf5Tnv3+x7ed6kETXyS9WCuAY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.5.0/go.mod h1:CpNzHK9VEFUCknu50kkB8z58AH2B5DvPP7ea1LHve/Y= +github.com/aws/aws-sdk-go-v2/internal/ini v1.2.2/go.mod h1:BQV0agm+JEhqR+2RT5e1XTFIDcAAV0eW6z2trp+iduw= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.0/go.mod h1:R1KK+vY8AfalhG1AOu5e35pOD2SdoPKQCFLTvnxiohk= +github.com/aws/aws-sdk-go-v2/service/kms v1.5.0/go.mod h1:w7JuP9Oq1IKMFQPkNe3V6s9rOssXzOVEMNEqK1L1bao= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.6.0/go.mod 
h1:B+7C5UKdVq1ylkI/A6O8wcurFtaux0R1njePNPtKwoA= +github.com/aws/aws-sdk-go-v2/service/ssm v1.10.0/go.mod h1:4dXS5YNqI3SNbetQ7X7vfsMlX6ZnboJA2dulBwJx7+g= +github.com/aws/aws-sdk-go-v2/service/sso v1.4.0/go.mod h1:+1fpWnL96DL23aXPpMGbsmKe8jLTEfbjuQoA4WS1VaA= +github.com/aws/aws-sdk-go-v2/service/sts v1.7.0/go.mod h1:0qcSMCyASQPN2sk/1KQLQ2Fh6yq8wm0HSDAimPhzCoM= +github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= +github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= +github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI= +github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= +github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k= +github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= +github.com/breml/bidichk v0.2.3/go.mod h1:8u2C6DnAy0g2cEq+k/A2+tr9O1s+vHGxWn0LTc70T2A= +github.com/breml/errchkjson v0.3.0/go.mod h1:9Cogkyv9gcT8HREpzi3TiqBxCqDzo8awa92zSDFcofU= +github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc= +github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw= +github.com/caarlos0/env/v6 v6.9.2/go.mod 
h1:hvp/ryKXKipEkcuYjs9mI4bBCg+UI0Yhgm5Zu0ddvwc= +github.com/caarlos0/go-reddit/v3 v3.0.1/go.mod h1:QlwgmG5SAqxMeQvg/A2dD1x9cIZCO56BMnMdjXLoisI= +github.com/caarlos0/go-shellwords v1.0.12/go.mod h1:bYeeX1GrTLPl5cAMYEzdm272qdsQAZiaHgeF0KTk1Gw= +github.com/caarlos0/testfs v0.4.4/go.mod h1:bRN55zgG4XCUVVHZCeU+/Tz1Q6AxEJOEJTliBy+1DMk= +github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc= +github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= +github.com/chavacava/garif v0.0.0-20220316182200-5cad0b5181d4/go.mod h1:W8EnPSQ8Nv4fUjc/v1/8tHFqhuOJXnRub0dTfuAQktU= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/pkg 
v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/daixiang0/gci v0.3.3/go.mod h1:1Xr2bxnQbDxCqqulUOv8qpGqkgRw9RSCGGjEC2LjF8o= +github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/denis-tingaikin/go-header v0.4.3/go.mod h1:0wOCWuN71D5qIgE2nz9KrKmuYBAC2Mra5RassOIQ2/c= +github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= +github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= +github.com/dghubble/go-twitter v0.0.0-20211115160449-93a8679adecb/go.mod h1:qhZBgV9e4WyB1JNjHpcXVkUe3knWUwYuAPB1hITdm50= +github.com/dghubble/oauth1 v0.7.1/go.mod h1:0eEzON0UY/OLACQrmnjgJjmvCGXzjBCsZqL1kWDXtF0= +github.com/dghubble/sling v1.4.0/go.mod h1:0r40aNsU9EdDUVBNhfCstAtFgutjgJGYbO1oNzkMoM8= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= 
+github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/esimonov/ifshort v1.0.4/go.mod h1:Pe8zjlRrJ80+q2CxHLfEOfTwxCZ4O+MuhcHcfgNWTk0= +github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod 
h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= +github.com/firefart/nonamedreturns v1.0.1/go.mod h1:D3dpIBojGGNh5UfElmwPu73SwDCm+VKhHYqwlNOk2uQ= +github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= +github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= +github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= +github.com/fzipp/gocyclo v0.5.1/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= +github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= +github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= +github.com/go-critic/go-critic v0.6.3/go.mod h1:c6b3ZP1MQ7o6lPR7Rv3lEf7pYQUmAcx8ABHgdZCQt/k= +github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= +github.com/go-git/go-billy/v5 v5.0.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= +github.com/go-git/go-billy/v5 v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= 
+github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= +github.com/go-git/go-git-fixtures/v4 v4.0.2-0.20200613231340-f56387b50c12/go.mod h1:m+ICp2rF3jDhFgEZ/8yziagdT1C+ZpZcrJjappBCDSw= +github.com/go-git/go-git-fixtures/v4 v4.2.1/go.mod h1:K8zd3kDUAykwTdDCr+I0per6Y6vMiRR/nnVTBtavnB0= +github.com/go-git/go-git/v5 v5.2.0/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= +github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= +github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= +github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= +github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= +github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= +github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= 
+github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible/go.mod h1:qf9acutJ8cwBUhm1bqgz6Bei9/C/c93FPDljKWwsOgM= +github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= +github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= +github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= +github.com/go-toolsmith/astequal v1.0.1/go.mod h1:4oGA3EZXTVItV/ipGiOx7NWkY5veFfcsOJVS2YxltLw= +github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= +github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= +github.com/go-toolsmith/pkgload v1.0.2-0.20220101231613-e814995d17c5/go.mod h1:3NAwwmD4uY/yggRxoEjk/S00MIV3A+H7rrE3i87eYxM= +github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8= +github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= +github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo= +github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= 
+github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod 
h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4= +github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= +github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe/go.mod h1:gjqyPShc/m8pEMpk0a3SeagVb0kaqvhscv+i9jI5ZhQ= +github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= +github.com/golangci/golangci-lint v1.46.2/go.mod h1:3DkdHnxn9eoTTrpT2gB0TEv8KSziuoqe9FitgQLHvAY= +github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg= +github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca/go.mod h1:tvlJhZqDe4LMs4ZHD0oMUlt9G2LWuDGoisJTBzLMV9o= +github.com/golangci/misspell v0.3.5/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA= +github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2/go.mod h1:LK+zW4MpyytAWQRz0M4xnzEk50lSvqDQKfx304apFkY= +github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= +github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= +github.com/google/go-cmp v0.2.0/go.mod 
h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-github/v44 v44.1.0/go.mod h1:iWn00mWcP6PRWHhXm0zuFJ8wbEjE5AGO5D5HXYM4zgw= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/go-replayers/grpcreplay v1.1.0/go.mod h1:qzAvJ8/wi57zq7gWqaE6AwLM6miiXUQwP1S+I9icmhk= +github.com/google/go-replayers/httpreplay v1.0.0/go.mod h1:LJhKoTwS5Wy5Ld/peq8dFFG5OfJyHEz7ft+DsTUv25M= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod 
h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210506205249-923b5ab0fc1a/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof 
v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210715191844-86eeefc3e471/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/rpmpack v0.0.0-20220314092521-38642b5e571e/go.mod h1:83rLnx5vhPyN/mDzBYJWtiPf+9xnSVQynTpqZWe7OnY= +github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= +github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= +github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/wire v0.5.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= +github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= +github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= +github.com/googleapis/gax-go/v2 v2.3.0/go.mod 
h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= +github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= +github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= +github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8/go.mod h1:Qcp2HIAYhR7mNUVSIxZww3Guk4it82ghYcEXIAk+QT0= +github.com/goreleaser/chglog v0.1.2/go.mod h1:tTZsFuSZK4epDXfjMkxzcGbrIOXprf0JFp47BjIr3B8= +github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU= +github.com/goreleaser/goreleaser v1.9.1/go.mod h1:LaST+VTzBrTMUxfWABpziqv3NDZ/xgbI4nO7ZzKxlYA= +github.com/goreleaser/nfpm/v2 v2.15.1/go.mod h1:fpR40o+Wq6aeE5xoSZY3E23r06aLntuYIr2zBCJ1x1o= +github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= +github.com/gostaticanalysis/analysisutil v0.0.3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= +github.com/gostaticanalysis/analysisutil v0.1.0/go.mod h1:dMhHRU9KTiDcuLGdy87/2gTR8WruwYZrKdRq9m1O6uw= +github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc= 
+github.com/gostaticanalysis/comment v1.3.0/go.mod h1:xMicKDx7XRXYdVwY9f9wQpDJVnqWxw9wCauCMKp+IBI= +github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado= +github.com/gostaticanalysis/comment v1.4.2/go.mod h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM= +github.com/gostaticanalysis/forcetypeassert v0.1.0/go.mod h1:qZEedyP/sY1lTGV1uJ3VhWZ2mqag3IkWsDHVbplHXak= +github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A= +github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/consul/sdk v0.8.0/go.mod 
h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-retryablehttp v0.6.8/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
+github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= +github.com/hashicorp/serf v0.9.7/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= +github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= +github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= +github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/iancoleman/orderedmap v0.0.0-20190318233801-ac98e3ecb4b0/go.mod 
h1:N0Wam8K1arqPXNWjMo21EXnBPOPp36vB07FNRdD2geA= +github.com/iancoleman/orderedmap v0.2.0/go.mod h1:N0Wam8K1arqPXNWjMo21EXnBPOPp36vB07FNRdD2geA= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= +github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= +github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= +github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= +github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= +github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= +github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/juju/ratelimit v1.0.1/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/julz/importas v0.1.0/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0= +github.com/k0kubun/colorstring 
v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= +github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kevinburke/ssh_config v1.1.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod 
h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kulti/thelper v0.6.2/go.mod h1:DsqKShOvP40epevkFrvIwkCMNYxMeTNjdWL4dqWHZ6I= +github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfRPOV/oFhWN85Mjb4= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= +github.com/ldez/gomoddirectives v0.2.3/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= +github.com/ldez/tagliatelle v0.3.1/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= +github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= +github.com/leonklingele/grouper v1.1.0/go.mod h1:uk3I3uDfi9B6PeUjsCKi6ndcf63Uy7snXgR4yDYQVDY= +github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= +github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/magiconair/properties v1.8.6/go.mod 
h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU= +github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= +github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= +github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= +github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= 
+github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc= +github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg= +github.com/mgechev/revive v1.2.1/go.mod h1:+Ro3wqY4vakcYNtkBWdZC7dBg1xSB6sp054wWwmeFm0= +github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= +github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= +github.com/moricho/tparallel v0.2.1/go.mod 
h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k= +github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8= +github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s= +github.com/muesli/mango v0.1.0/go.mod h1:5XFpbC8jY5UUv89YQciiXNlbi+iJgt29VDC5xbzrLL4= +github.com/muesli/mango-cobra v1.1.0/go.mod h1:lotV+49eKrAV0tTw/ONhLsiyKwM5uW5QP2OkYw4xlNc= +github.com/muesli/mango-pflag v0.1.0/go.mod h1:YEQomTxaCUp8PrbhFh10UfbhbQrM/xJ4i2PB8VTLLW0= +github.com/muesli/roff v0.1.0/go.mod h1:pjAHQM9hdUUwm/krAfrLGgJkXJ+YuhtsfZ42kieB2Ig= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo= +github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc= +github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= +github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nishanths/exhaustive v0.7.11/go.mod h1:gX+MP7DWMKJmNa1HfMozK+u04hQd3na9i0hyqf3/dOI= +github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ= +github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/oklog/ulid v1.3.1/go.mod 
h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= +github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= +github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= +github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= +github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= +github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= 
+github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= +github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml/v2 v2.0.0-beta.8/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= +github.com/pelletier/go-toml/v2 v2.0.0/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= +github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/polyfloyd/go-errorlint v1.0.0/go.mod h1:KZy4xxPJyy88/gldCe5OdW6OQRtNO3EZE7hXzmnebgA= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/posener/complete v1.2.3/go.mod 
h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= +github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= +github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= +github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod 
h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= +github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= +github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= +github.com/quasilyte/go-ruleguard v0.3.1-0.20210203134552-1b5a410e1cc8/go.mod h1:KsAh3x0e7Fkpgs+Q9pNLS5XpFSvYCEVl5gP9Pp1xp30= +github.com/quasilyte/go-ruleguard v0.3.16-0.20220213074421-6aa060fab41a/go.mod h1:VMX+OnnSw4LicdiEGtRSD/1X8kW7GuEscjYNr4cOIT4= +github.com/quasilyte/go-ruleguard/dsl v0.3.0/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= +github.com/quasilyte/go-ruleguard/dsl v0.3.16/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= +github.com/quasilyte/go-ruleguard/rules v0.0.0-20201231183845-9e62ed36efe1/go.mod h1:7JTjp89EGyU1d6XfBiXihJNG37wB2VRkd125Q1u7Plc= +github.com/quasilyte/go-ruleguard/rules v0.0.0-20211022131956-028d6511ab71/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50= +github.com/quasilyte/gogrep v0.0.0-20220120141003-628d8b3623b5/go.mod h1:wSEyW6O61xRV6zb6My3HxrQ5/8ke7NE2OayqCHa3xRM= +github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= +github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ= 
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryancurrah/gomodguard v1.2.3/go.mod h1:rYbA/4Tg5c54mV1sv4sQTP5WOPBcoLtnBZ7/TEhXAbg= +github.com/ryanrolds/sqlclosecheck v0.3.0/go.mod h1:1gREqxyTGR3lVtpngyFo3hZAgk0KCtEdgEkHwDbigdA= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sagikazarmark/crypt v0.5.0/go.mod h1:l+nzl7KWh51rpzp2h7t4MZWyiEWdhNpOAnclKvg+mdA= +github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/securego/gosec/v2 v2.11.0/go.mod h1:SX8bptShuG8reGC0XS09+a4H2BoWSJi+fscA+Pulbpo= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= +github.com/shurcooL/go 
v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= +github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sivchari/containedctx v1.0.2/go.mod h1:PwZOeqm4/DLoJOqMSIJs3aKqXRX4YO+uXww087KZ7Bw= +github.com/sivchari/tenv v1.5.0/go.mod h1:64yStXKSOxDfX47NlhVwND4dHwfZDdbp2Lyl018Icvg= +github.com/slack-go/slack v0.10.3/go.mod h1:hlGi5oXA+Gt+yWTPP0plCdRKmjsDxecdHxYQdlMQKOw= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM= +github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= +github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= +github.com/spaolacci/murmur3 
v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.4.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/afero v1.8.2/go.mod h1:CtAatgMJh6bJEIs48Ay/FOnkljP3WeGUG0MC1RfAqwo= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= +github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/spf13/viper v1.11.0/go.mod h1:djo0X/bA5+tYVoCn+C7cAYJGcVn/qYLFTG8gdUsX7Zk= +github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= +github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8LHsN9N74I+PhRquPsxpL0I= +github.com/stretchr/objx v0.1.0/go.mod 
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.3.1-0.20190311161405-34c6fa2dc709/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= +github.com/tdakkota/asciicheck v0.1.1/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= +github.com/technoweenie/multipartstreamer v1.0.1/go.mod h1:jNVxdtShOxzAsukZwTSw6MDx5eUJoiEBsSvzDU9uzog= +github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= +github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= +github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= +github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144/go.mod 
h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk= +github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0= +github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk= +github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj52Uc= +github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0= +github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao= +github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tomarrell/wrapcheck/v2 v2.6.1/go.mod h1:Eo+Opt6pyMW1b6cNllOcDSSoHO0aTJ+iF6BfCUbHltA= +github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= +github.com/tommy-muehle/go-mnd/v2 v2.5.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= +github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= +github.com/ultraware/whitespace v0.0.5/go.mod 
h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/uudashr/gocognit v1.0.5/go.mod h1:wgYz0mitoKOTysqxTDMOUXg+Jb5SvtihkfmugIZYpEA= +github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= +github.com/xanzy/go-gitlab v0.65.0/go.mod h1:F0QEXwmqiBUxCgJm8fE9S+1veX4XC9Z4cfaAbqwk4YM= +github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= +github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0= +github.com/xanzy/ssh-agent v0.3.1/go.mod h1:QIE4lCeL7nkC25x+yA3LBIYfwCc1TFziCtG7cBAac6w= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yagipy/maintidx v1.0.0/go.mod h1:0qNf/I/CCZXSMhsRsrEPDZ+DkekpKLXAJfsTACwgXLk= +github.com/yeya24/promlinter v0.2.0/go.mod h1:u54lkmBOZrpEbQQ6gox2zWKKLKu2SGe+2KOiextY+IA= +github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= +github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= +github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +gitlab.com/bosi/decorder v0.2.1/go.mod h1:6C/nhLSbF6qZbYD8bRmISBwc6vcWdNsiIBkRvjJFrH0= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= +go.etcd.io/etcd/api/v3 v3.5.2/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= +go.etcd.io/etcd/client/pkg/v3 v3.5.2/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/v2 v2.305.2/go.mod h1:2D7ZejHVMIfog1221iLSYlQRzrtECw3kz4I4VAQm3qI= +go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= +go.opencensus.io v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.22.6/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= +go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= +go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +gocloud.dev v0.24.0/go.mod h1:uA+als++iBX5ShuG4upQo/3Zoz49iIPlYUWHV5mM8w8= +golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto 
v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto 
v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= +golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image 
v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod 
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net 
v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 
v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210126194326-f9ce19ea3013/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/sync 
v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200828194041-157a740278f4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210223095934-7937bea0104d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211213223007-03aa0b5f6827/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys 
v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time 
v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190307163923-6a08e3108db3/go.mod h1:25r3+/G6/xytQM8iWZKq3Hn0kr0rgFKPUNVEL/dr3z4= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190321232350-e250d351ecad/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools 
v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190916130336-e45ffcd953cc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117220505-0cba7a3a9ee9/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools 
v0.0.0-20200325010219-a49f79bcc224/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200414032229-332987a829c3/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200422022333-3d57cf2e726e/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200622203043-20e05c1c8ffa/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200624225443-88f3c62a19ff/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200625211823-6506e20df31f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools 
v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200812195022-5ae4c3c160a0/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200831203904-5a2aa26beb65/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201001104356-43ebab892c4c/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201230224404-63754364767c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod 
h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= +golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= +golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= +golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= +golang.org/x/tools v0.1.9-0.20211228192929-ee1ca4ffc4da/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= +golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= +golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/tools v0.1.11-0.20220316014157-77aa08bb151a/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api 
v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.37.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.46.0/go.mod h1:ceL4oozhkAiTID8XMmJBsIxID/9wMXJVVFXPg4ylg3I= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/api v0.48.0/go.mod 
h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= +google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= +google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.52.0/go.mod h1:Him/adpjt0sxtkWViy0b6xyKW/SD71CwdJ7HqJo7SrU= +google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= +google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= +google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= +google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= +google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= +google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= +google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= +google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= +google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 
+google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20181107211654-5fc9ac540362/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod 
h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto 
v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210429181445-86c259c2b4ab/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= 
+google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210517163617-5e0236093d7a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210721163202-f1cecdd8b78a/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= +google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210825212027-de86158e7fda/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod 
h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= +google.golang.org/genproto 
v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod 
h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= 
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/mail.v2 v2.3.1/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw= +gopkg.in/resty.v1 
v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod 
h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.3.1/go.mod h1:vlRD9XErLMGT+mDuofSr0mMMquscM/1nQqtRSsh6m70= +mvdan.cc/gofumpt v0.3.1/go.mod h1:w3ymliuxvzVx8DAutBnVyDqYb1Niy/yCJt/lk821YCE= +mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= +mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= +mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5/go.mod h1:b8RRCBm0eeiWR8cfN88xeq2G5SG3VKGO+5UPWi5FSOY= +nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= From d6c7e2a0bf8bbb4ca3912965d460e11a5ca3ec02 Mon Sep 17 00:00:00 2001 
From: pereiramarco011 Date: Mon, 28 Aug 2023 11:45:23 +0100 Subject: [PATCH 016/379] add-unit tests --- pkg/engine/source/filesystem.go | 37 +-- pkg/engine/source/filesystem_test.go | 225 ++++++++++++------ .../experimental.yaml | 30 +++ .../experimental/test/metadata.json | 12 + .../experimental/test/query.rego | 42 ++++ .../tested/tested_query/metadata.json | 12 + .../tested/tested_query/query.rego | 42 ++++ .../utils/experimental-queries.json | 3 + 8 files changed, 316 insertions(+), 87 deletions(-) create mode 100644 test/fixtures/test_experimental_queries/experimental_queries_feature/experimental.yaml create mode 100644 test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json create mode 100644 test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/query.rego create mode 100644 test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json create mode 100644 test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/query.rego create mode 100644 test/fixtures/test_experimental_queries/utils/experimental-queries.json diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index 7fdbe719021..d3af332c281 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -22,11 +22,11 @@ import ( // Source is the path to the queries // Types are the types given by the flag --type for query selection mechanism type FilesystemSource struct { - Source []string - Types []string - CloudProviders []string - Library string - ExperimentalFeatures string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalQueries string } const ( 
@@ -45,7 +45,7 @@ const ( ) // NewFilesystemSource initializes a NewFilesystemSource with source to queries and types of queries to load -func NewFilesystemSource(source, types, cloudProviders []string, libraryPath string, experimentalFeaturesPath string) *FilesystemSource { +func NewFilesystemSource(source, types, cloudProviders []string, libraryPath string, experimentalQueriesPath string) *FilesystemSource { log.Debug().Msg("source.NewFilesystemSource()") if len(types) == 0 { @@ -61,11 +61,11 @@ func NewFilesystemSource(source, types, cloudProviders []string, libraryPath str } return &FilesystemSource{ - Source: source, - Types: types, - CloudProviders: cloudProviders, - Library: filepath.FromSlash(libraryPath), - ExperimentalFeatures: experimentalFeaturesPath, + Source: source, + Types: types, + CloudProviders: cloudProviders, + Library: filepath.FromSlash(libraryPath), + ExperimentalQueries: experimentalQueriesPath, } } @@ -249,9 +249,9 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) experimentalQueriesPaths := make([]string, 0) var err error - if s.ExperimentalFeatures != "" { + if s.ExperimentalQueries != "" { - experimentalQueriesFile, err := os.Open(s.ExperimentalFeatures) + experimentalQueriesFile, err := os.Open(s.ExperimentalQueries) if err != nil { return queries, nil } 
@@ -276,14 +276,16 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) } querypathDir := filepath.Dir(p) - absQueriesPath, err := filepath.Abs("./assets/queries") - if err == nil { + absQueryPathDir, err1 := filepath.Abs(querypathDir) + absQueriesPath, err2 := filepath.Abs(source) + if err1 == nil && err2 == nil { var cleanPlatformCloudProviderDir string - cleanPlatformCloudProviderDir, err = filepath.Rel(absQueriesPath, querypathDir) + cleanPlatformCloudProviderDir, err = filepath.Rel(absQueriesPath, absQueryPathDir) if err == nil { - cleanPlatformCloudProviderDir = filepath.ToSlash(cleanPlatformCloudProviderDir) + cleanPlatformCloudProviderDir = filepath.FromSlash(cleanPlatformCloudProviderDir) inExperimentalQueriesJSON := false for _, queryPath := range experimentalQueriesPaths { + queryPath := filepath.FromSlash(queryPath) if strings.Contains(querypathDir, queryPath) { inExperimentalQueriesJSON = true break @@ -292,6 +294,7 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) inExperimentalQueriesFlag := false for _, experimentalFlag := range queryParameters.ExperimentalQueries { + experimentalFlag := filepath.FromSlash(experimentalFlag) if strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag) { inExperimentalQueriesFlag = true break diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go index 0f041f0b005..12869b212d6 100644 --- a/pkg/engine/source/filesystem_test.go +++ b/pkg/engine/source/filesystem_test.go @@ -14,7 +14,8 @@ import ( ) const ( - source = "./test/fixtures/all_auth_users_get_read_access" + source_get_queries = "./test/fixtures/all_auth_users_get_read_access" + source_get_queries_experimental = "./test/fixtures/test_experimental_queries/experimental_queries_queries" ) // BenchmarkFilesystemSource_GetQueries benchmarks getQueries to see improvements 
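Review bot: The experimental-queries membership test on the `strings.Contains(querypathDir, queryPath)` line is a substring match against the raw, un-normalized directory, so a JSON entry like `terraform/aws/foo` also tags `terraform/aws/foo_bar/...` (or any deeper directory that merely contains that string) as experimental, and the outcome shifts with how `source` was supplied (relative vs absolute) even though the hunk computes the normalized `cleanPlatformCloudProviderDir` right above for exactly this purpose. If the logic that follows skips JSON-listed queries when the flag is absent, a misclassified query is a security check silently dropped with no signal to the user. I'd compare the cleaned relative path with a separator-aware prefix test instead: `if cleanPlatformCloudProviderDir == queryPath || strings.HasPrefix(cleanPlatformCloudProviderDir, queryPath+string(filepath.Separator)) {`; the `strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag)` check in the next hunk has the same missing path-boundary. `filepath.FromSlash` applied to the result of `filepath.Rel` is a no-op, since Rel already returns native separators, so that replacement line can simply be dropped. GetQueries begins and ends outside this hunk.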
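Review bot: The new constants `source_get_queries` and `source_get_queries_experimental` use snake_case, which Go's naming convention and the usual linters (golint/revive var-naming) reject; `sourceGetQueries` and `sourceGetQueriesExperimental` would match the rest of the file. `source_get_queries_experimental` is declared here but none of the visible hunks reference it, so unless a hunk outside this view uses it the constant is dead in this commit. A one-line comment above the block, e.g. `// fixture roots used by the GetQueries tests (plain and experimental query trees)`, would tell a reader what each path is for.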
@@ -23,11 +24,11 @@ func BenchmarkFilesystemSource_GetQueries(b *testing.B) { b.Fatal(err) } type fields struct { - Source []string - Types []string - CloudProviders []string - Library string - ExperimentalFeatures string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalQueries string } tests := []struct { name string @@ -36,17 +37,17 @@ func BenchmarkFilesystemSource_GetQueries(b *testing.B) { { name: "testing_all_paths", fields: fields{ - Source: []string{"./assets/queries/"}, - Types: []string{""}, - CloudProviders: []string{""}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/"}, + Types: []string{""}, + CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, }, } for _, tt := range tests { b.Run(tt.name, func(b *testing.B) { - s := NewFilesystemSource(tt.fields.Source, tt.fields.Types, tt.fields.CloudProviders, tt.fields.Library, tt.fields.ExperimentalFeatures) + s := NewFilesystemSource(tt.fields.Source, tt.fields.Types, tt.fields.CloudProviders, tt.fields.Library, tt.fields.ExperimentalQueries) for n := 0; n < b.N; n++ { filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ByIDs: []string{}}, @@ -69,11 +70,11 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint contentByte, err := os.ReadFile(filepath.FromSlash("./test/fixtures/get_queries_test/content_get_queries.rego")) require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string - ExperimentalFeatures string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalQueries string } tests := []struct { name string 
@@ -87,9 +88,9 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint { name: "get_queries_with_exclude_result_1", fields: fields{ - Source: []string{source}, Types: []string{""}, + Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, excludeCategory: []string{}, excludeSeverities: []string{}, @@ -117,7 +118,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint { name: "get_queries_with_exclude_no_result_1", fields: fields{ - Source: []string{source}, Types: []string{""}, + Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", }, excludeCategory: []string{}, @@ -139,7 +140,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint { name: "get_queries_with_exclude_category_no_result", fields: fields{ - Source: []string{source}, Types: []string{""}, + Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", }, excludeCategory: []string{"Access Control"}, @@ -151,7 +152,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint { name: "get_queries_with_exclude_severity_no_result", fields: fields{ - Source: []string{source}, Types: []string{""}, + Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", }, excludeCategory: []string{}, 
@@ -163,7 +164,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalQueries) filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ByIDs: []string{}}, ExcludeQueries: ExcludeQueries{ByIDs: tt.excludeIDs, ByCategories: tt.excludeCategory, BySeverities: tt.excludeSeverities}, @@ -193,11 +194,11 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string - ExperimentalFeatures string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalQueries string } tests := []struct { name string @@ -209,9 +210,9 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { { name: "get_queries_with_include_result_1", fields: fields{ - Source: []string{source}, Types: []string{""}, CloudProviders: []string{""}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, includeIDs: []string{"57b9893d-33b1-4419-bcea-b828fb87e318"}, want: []model.QueryMetadata{ 
@@ -237,7 +238,7 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { { name: "get_queries_with_include_no_result_1", fields: fields{ - Source: []string{source}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", + Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", }, includeIDs: []string{"57b9893d-33b1-4419-bcea-xxxxxxx"}, want: []model.QueryMetadata{}, @@ -255,7 +256,7 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalQueries) filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ ByIDs: tt.includeIDs, @@ -288,9 +289,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint t.Fatal(err) } type fields struct { - Source []string - Library string - ExperimentalFeatures string + Source []string + Library string + ExperimentalQueries string } type args struct { platform string @@ -305,9 +306,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_terraform", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "terraform", 
@@ -318,9 +319,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_common", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "common", @@ -331,9 +332,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_cloudformation", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "cloudFormation", @@ -344,9 +345,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_ansible", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "ansible", @@ -357,9 +358,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_dockerfile", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "dockerfile", 
@@ -370,9 +371,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_k8s", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "k8s", @@ -383,9 +384,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_unknown", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", }, args: args{ platform: "unknown", @@ -396,7 +397,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalQueries) got, err := s.GetQueryLibrary(tt.args.platform) if (err != nil) != tt.wantErr { 
@@ -418,13 +419,16 @@ func TestFilesystemSource_GetQueries(t *testing.T) { contentByte, err := os.ReadFile(filepath.FromSlash("./test/fixtures/get_queries_test/content_get_queries.rego")) require.NoError(t, err) + contentByteExperimental, err := os.ReadFile(filepath.FromSlash("./test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/query.rego")) + require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string - ExperimentalFeatures string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalQueries string + ExperimentalQueriesFlag []string } tests := []struct { name string @@ -435,9 +439,10 @@ func TestFilesystemSource_GetQueries(t *testing.T) { { name: "get_queries_1", fields: fields{ - Source: []string{source, source}, Types: []string{""}, CloudProviders: []string{""}, - Library: "./assets/libraries", - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{source_get_queries, source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueriesFlag: []string{}, }, want: []model.QueryMetadata{ { 
@@ -478,16 +483,95 @@ func TestFilesystemSource_GetQueries(t *testing.T) { { name: "get_queries_error", fields: fields{ - Source: []string{"../no-path"}, - ExperimentalFeatures: "./assets/utils/experimental-queries.json", + Source: []string{"../no-path"}, + ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueriesFlag: []string{}, }, want: nil, wantErr: true, }, + { + name: "get_queries_experimental_no_flag", + fields: fields{ + Source: []string{source_get_queries_experimental}, Types: []string{""}, CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalQueries: "./test/fixtures/test_experimental_queries/utils/experimental-queries.json", + ExperimentalQueriesFlag: []string{"tested"}, + }, + want: []model.QueryMetadata{ + { + Query: "tested_query", + Content: string(contentByteExperimental), + InputData: "{}", + Metadata: map[string]interface{}{ + "category": "Insecure Configurations", + "descriptionText": "SSL Client Certificate should be enabled", + "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e34", + "queryName": "API Gateway Without SSL Certificate", + "severity": model.SeverityMedium, + "platform": "Ansible", + "cloudProvider": "aws", + "descriptionID": "82608f36", + }, + Platform: "ansible", + Aggregation: 1, + }, + }, + wantErr: false, + }, + { + name: "get_queries_experimental_with_flag", + fields: fields{ + Source: []string{source_get_queries_experimental}, Types: []string{""}, CloudProviders: []string{""}, + Library: "./assets/libraries", + ExperimentalQueries: "./test/fixtures/test_experimental_queries/utils/experimental-queries.json", + ExperimentalQueriesFlag: []string{"experimental"}, + }, + want: []model.QueryMetadata{ + { + Query: "test", + Content: string(contentByteExperimental), + InputData: "{}", + Metadata: map[string]interface{}{ + "category": "Insecure Configurations", + "descriptionText": "SSL Client 
Certificate should be enabled", + "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e33", + "queryName": "API Gateway Without SSL Certificate", + "severity": model.SeverityMedium, + "platform": "Ansible", + "cloudProvider": "aws", + "descriptionID": "82608f36", + }, + Platform: "ansible", + Aggregation: 1, + }, + { + Query: "tested_query", + Content: string(contentByteExperimental), + InputData: "{}", + Metadata: map[string]interface{}{ + "category": "Insecure Configurations", + "descriptionText": "SSL Client Certificate should be enabled", + "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e34", + "queryName": "API Gateway Without SSL Certificate", + "severity": model.SeverityMedium, + "platform": "Ansible", + "cloudProvider": "aws", + "descriptionID": "82608f36", + }, + Platform: "ansible", + Aggregation: 1, + }, + }, + wantErr: false, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalFeatures) + s := NewFilesystemSource(tt.fields.Source, []string{""}, []string{""}, tt.fields.Library, tt.fields.ExperimentalQueries) filter := QueryInspectorParameters{ IncludeQueries: IncludeQueries{ ByIDs: []string{}}, @@ -495,7 +579,8 @@ func TestFilesystemSource_GetQueries(t *testing.T) { ByIDs: []string{}, ByCategories: []string{}, }, - InputDataPath: "", + ExperimentalQueries: tt.fields.ExperimentalQueriesFlag, + InputDataPath: "", } got, err := s.GetQueries(&filter) if (err != nil) != tt.wantErr { diff --git a/test/fixtures/test_experimental_queries/experimental_queries_feature/experimental.yaml b/test/fixtures/test_experimental_queries/experimental_queries_feature/experimental.yaml new file mode 100644 index 00000000000..7845aa3e0a9 --- /dev/null 
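Review bot: The expected `Content` of the `tested_query` case is `string(contentByteExperimental)`, which is read from `experimental/test/query.rego`, so the assertion only holds while the two fixture files stay byte-identical (both are added with blob id 6919afe4476 in this patch); read `tested/tested_query/query.rego` into its own variable and compare against that. The case named `get_queries_experimental_no_flag` sets `ExperimentalQueriesFlag: []string{"tested"}`, so no case covers the default of an empty flag list excluding `experimental/test`; rename it (e.g. `get_queries_experimental_other_flag`) and add a case with `ExperimentalQueriesFlag: []string{}` that expects only `tested_query`. The enclosing test function starts outside the hunk.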
+++ b/test/fixtures/test_experimental_queries/experimental_queries_feature/experimental.yaml @@ -0,0 +1,30 @@ +- name: update API + aws_api_gateway: + api_id: 'abc123321cba' + state: present + swagger_file: my_api.yml + validate_certs: no +- name: update API v1 + aws_api_gateway: + api_id: 'abc123321cba' + state: present + swagger_file: my_api.yml +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: EDGE + state: present + validate_certs: no +- name: Setup AWS API Gateway setup on AWS and deploy API definition v1 + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: EDGE + state: present \ No newline at end of file diff --git a/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json b/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json new file mode 100644 index 00000000000..44f7883c443 --- /dev/null +++ b/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json @@ -0,0 +1,12 @@ +{ + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e33", + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "category": "Insecure Configurations", + "descriptionText": "SSL Client Certificate should be enabled", + "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", + "platform": "Ansible", + "descriptionID": "82608f36", + "cloudProvider": "aws" + } + \ No newline at end of file 
diff --git a/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/query.rego b/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/query.rego new file mode 100644 index 00000000000..6919afe4476 --- /dev/null +++ b/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/query.rego @@ -0,0 +1,42 @@ +package Cx + +import data.generic.ansible as ansLib +import data.generic.common as common_lib + +modules := {"community.aws.aws_api_gateway", "aws_api_gateway"} + +CxPolicy[result] { + task := ansLib.tasks[id][t] + api_gateway := task[modules[m]] + ansLib.checkState(api_gateway) + + not common_lib.valid_key(api_gateway, "validate_certs") + + result := { + "documentId": id, + "resourceType": modules[m], + "resourceName": task.name, + "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]), + "issueType": "MissingAttribute", + "keyExpectedValue": "aws_api_gateway.validate_certs should be set", + "keyActualValue": "aws_api_gateway.validate_certs is undefined", + } +} + +CxPolicy[result] { + task := ansLib.tasks[id][t] + api_gateway := task[modules[m]] + ansLib.checkState(api_gateway) + + not ansLib.isAnsibleTrue(api_gateway.validate_certs) + + result := { + "documentId": id, + "resourceType": modules[m], + "resourceName": task.name, + "searchKey": sprintf("name={{%s}}.{{%s}}.validate_certs", [task.name, modules[m]]), + "issueType": "IncorrectValue", + "keyExpectedValue": "aws_api_gateway.validate_certs should be set to yes", + "keyActualValue": "aws_api_gateway.validate_certs is not set to yes", + } +} diff --git a/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json b/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json new file mode 100644 index 00000000000..96b8f4bcc79 --- /dev/null 
+++ b/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json @@ -0,0 +1,12 @@ +{ + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e34", + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "category": "Insecure Configurations", + "descriptionText": "SSL Client Certificate should be enabled", + "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", + "platform": "Ansible", + "descriptionID": "82608f36", + "cloudProvider": "aws" + } + \ No newline at end of file diff --git a/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/query.rego b/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/query.rego new file mode 100644 index 00000000000..6919afe4476 --- /dev/null +++ b/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/query.rego 
@@ -0,0 +1,42 @@ +package Cx + +import data.generic.ansible as ansLib +import data.generic.common as common_lib + +modules := {"community.aws.aws_api_gateway", "aws_api_gateway"} + +CxPolicy[result] { + task := ansLib.tasks[id][t] + api_gateway := task[modules[m]] + ansLib.checkState(api_gateway) + + not common_lib.valid_key(api_gateway, "validate_certs") + + result := { + "documentId": id, + "resourceType": modules[m], + "resourceName": task.name, + "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]), + "issueType": "MissingAttribute", + "keyExpectedValue": "aws_api_gateway.validate_certs should be set", + "keyActualValue": "aws_api_gateway.validate_certs is undefined", + } +} + +CxPolicy[result] { + task := ansLib.tasks[id][t] + api_gateway := task[modules[m]] + ansLib.checkState(api_gateway) + + not ansLib.isAnsibleTrue(api_gateway.validate_certs) + + result := { + "documentId": id, + "resourceType": modules[m], + "resourceName": task.name, + "searchKey": sprintf("name={{%s}}.{{%s}}.validate_certs", [task.name, modules[m]]), + "issueType": "IncorrectValue", + "keyExpectedValue": "aws_api_gateway.validate_certs should be set to yes", + "keyActualValue": "aws_api_gateway.validate_certs is not set to yes", + } +} diff --git a/test/fixtures/test_experimental_queries/utils/experimental-queries.json b/test/fixtures/test_experimental_queries/utils/experimental-queries.json new file mode 100644 index 00000000000..234d13ae0a8 --- /dev/null +++ b/test/fixtures/test_experimental_queries/utils/experimental-queries.json @@ -0,0 +1,3 @@ +[ + "experimental/test" +] \ No newline at end of file From 724ad3538ad7164317f6ff40052442350f05e9dd Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 29 Aug 2023 09:07:37 +0100 Subject: [PATCH 017/379] first upgrade --- go.mod | 4 ++-- go.sum | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 7401a032b9f..94aba7d5a57 100644 --- a/go.mod +++ b/go.mod 
@@ -176,7 +176,7 @@ require (
 	github.com/tdewolff/parse/v2 v2.6.5 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
-	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xlab/treeprint v1.1.0 // indirect
@@ -220,7 +220,7 @@ require (
 )
 
 replace (
-	github.com/containerd/containerd => github.com/containerd/containerd v1.6.12
+	github.com/containerd/containerd => github.com/containerd/containerd v1.6.18
 	github.com/docker/cli => github.com/docker/cli v20.10.12+incompatible
 	github.com/moby/buildkit => github.com/moby/buildkit v0.10.4
 	github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
diff --git a/go.sum b/go.sum
index bb84d940d38..1dd9b57aec9 100644
--- a/go.sum
+++ b/go.sum
@@ -208,7 +208,7 @@ github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBa
 github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc=
 github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
-github.com/Microsoft/hcsshim v0.9.5 h1:AbV+VPfTrIVffukazHcpxmz/sRiE6YaMDzHWR9BXZHo=
+github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -291,9 +291,9 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4=
-github.com/containerd/containerd v1.6.12 h1:kJ9b3mOFKf8yqo05Ob+tMoxvt1pbVWhnB0re9Y+k+8c=
-github.com/containerd/containerd v1.6.12/go.mod h1:K4Bw7gjgh4TnkmQY+py/PYQGp4e7xgnHAeg87VeWb3A=
+github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA=
+github.com/containerd/containerd v1.6.18 h1:qZbsLvmyu+Vlty0/Ex5xc0z2YtKpIsb5n45mAMI+2Ns=
+github.com/containerd/containerd v1.6.18/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw=
 github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY=
 github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
@@ -947,8 +947,9 @@ github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
-github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=

From c68c12f21b96c2e5bade617c9682422e8aa88dc6 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 29 Aug 2023 09:48:46 +0100
Subject: [PATCH 018/379] removed unused

---
 go.mod | 1 -
 1 file changed, 1 deletion(-)

diff --git a/go.mod b/go.mod
index 94aba7d5a57..6c9c993b1b1 100644
--- a/go.mod
+++ b/go.mod
@@ -225,5 +225,4 @@ replace (
 	github.com/moby/buildkit => github.com/moby/buildkit v0.10.4
 	github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
 	github.com/spf13/afero => github.com/spf13/afero v1.2.2
-	gopkg.in/jarcoal/httpmock.v1 => github.com/jarcoal/httpmock v1.0.5
 )

From ef3bf8701a9414515f0f667113e65fa4313cf732 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 29 Aug 2023 11:09:40 +0100
Subject: [PATCH 019/379] simple packages

---
 go.mod | 8 ++++----
 go.sum | 15 ++++++++------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/go.mod b/go.mod
index 6c9c993b1b1..706b3506a4f 100644
--- a/go.mod
+++ b/go.mod
@@ -16,8 +16,8 @@ require (
 	github.com/gocarina/gocsv v0.0.0-20220310154401-d4df709ca055
 	github.com/golang/mock v1.6.0
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
-	github.com/google/uuid v1.3.0
-	github.com/gookit/color v1.5.3
+	github.com/google/uuid v1.3.1
+	github.com/gookit/color v1.5.4
 	github.com/hashicorp/go-getter v1.7.1
 	github.com/hashicorp/hcl v1.0.0
 	github.com/hashicorp/hcl/v2 v2.16.2
@@ -34,7 +34,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	github.com/tdewolff/minify/v2 v2.12.5
 	github.com/tidwall/gjson v1.14.4
 	github.com/xeipuuv/gojsonschema v1.2.0
@@ -187,7 +187,7 @@ require (
 	golang.org/x/crypto v0.7.0 // indirect
 	golang.org/x/oauth2 v0.4.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/term v0.6.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
diff --git a/go.sum b/go.sum
index 1dd9b57aec9..b8f5b329baf 100644
--- a/go.sum
+++ b/go.sum
@@ -522,8 +522,9 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
@@ -541,8 +542,8 @@ github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMd
 github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
 github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
 github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
-github.com/gookit/color v1.5.3 h1:twfIhZs4QLCtimkP7MOxlF3A0U/5cDPseRT9M/+2SCE=
-github.com/gookit/color v1.5.3/go.mod h1:NUzwzeehUfl7GIb36pqId+UGmRfQcU/WiiyTTeNjHtE=
+github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
+github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
@@ -926,8 +927,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
@@ -1259,8 +1260,8 @@ golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

From 49139b67352de262aad9857388a28a50c128263f Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Fri, 1 Sep 2023 12:46:32 +0100
Subject: [PATCH 020/379] fix lint

---
 pkg/engine/source/filesystem.go | 97 +++++++++++++++++++++------------
 1 file changed, 61 insertions(+), 36 deletions(-)

diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
index d3af332c281..a479765af24 100644
--- a/pkg/engine/source/filesystem.go
+++ b/pkg/engine/source/filesystem.go
@@ -3,7 +3,7 @@ package source
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path"
 	"path/filepath"
@@ -45,7 +45,7 @@ const (
 )
 
 // NewFilesystemSource initializes a NewFilesystemSource with source to queries and types of queries to load
-func NewFilesystemSource(source, types, cloudProviders []string, libraryPath string, experimentalQueriesPath string) *FilesystemSource {
+func NewFilesystemSource(source, types, cloudProviders []string, libraryPath, experimentalQueriesPath string) *FilesystemSource {
 	log.Debug().Msg("source.NewFilesystemSource()")
 
 	if len(types) == 0 {
@@ -244,28 +244,42 @@ func checkQueryExclude(metadata map[string]interface{}, queryParameters *QueryIn // GetQueries walks a given filesource path returns all queries found in an array of // QueryMetadata struct func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) ([]model.QueryMetadata, error) { - queryDirs := make([]string, 0) - queries := make([]model.QueryMetadata, 0, len(queryDirs)) experimentalQueriesPaths := make([]string, 0) - var err error if s.ExperimentalQueries != "" { - experimentalQueriesFile, err := os.Open(s.ExperimentalQueries) if err != nil { - return queries, nil + return nil, err } defer experimentalQueriesFile.Close() - byteValue, _ := ioutil.ReadAll(experimentalQueriesFile) + byteValue, err := io.ReadAll(experimentalQueriesFile) + if err != nil { + return nil, err + } - json.Unmarshal(byteValue, &experimentalQueriesPaths) + err = json.Unmarshal(byteValue, &experimentalQueriesPaths) + if err != nil { + return nil, err + } + } + queryDirs, err := s.iterateSources(experimentalQueriesPaths, queryParameters) + if err != nil { + return nil, err } + queries := s.iterateQueryDirs(queryDirs, queryParameters) + + return queries, nil +} + +func (s *FilesystemSource) iterateSources(experimentalQueriesPaths []string, queryParameters *QueryInspectorParameters) ([]string, error) { + queryDirs := make([]string, 0) + for _, source := range s.Source { - err = filepath.Walk(source, + err := filepath.Walk(source, func(p string, f os.FileInfo, err error) error { if err != nil { return err 
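Review bot: `return nil, err` after `os.Open(s.ExperimentalQueries)` turns a configured-but-missing or unreadable experimental-queries file into a hard failure of `GetQueries`, where the removed `return queries, nil` tolerated it and loaded every query; that is a behaviour change carried by a commit titled "fix lint" and should be stated in the commit message or in a comment above the `if`, e.g. `// a configured experimental-queries file that cannot be read is an error: it decides which queries are gated off`. Propagating the `io.ReadAll` and `json.Unmarshal` errors instead of discarding them is the right direction for a file that controls gating. `iterateSources` continues past the end of the hunk.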
@@ -281,32 +295,11 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters)
 				if err1 == nil && err2 == nil {
 					var cleanPlatformCloudProviderDir string
 					cleanPlatformCloudProviderDir, err = filepath.Rel(absQueriesPath, absQueryPathDir)
-					if err == nil {
-						cleanPlatformCloudProviderDir = filepath.FromSlash(cleanPlatformCloudProviderDir)
-						inExperimentalQueriesJSON := false
-						for _, queryPath := range experimentalQueriesPaths {
-							queryPath := filepath.FromSlash(queryPath)
-							if strings.Contains(querypathDir, queryPath) {
-								inExperimentalQueriesJSON = true
-								break
-							}
-						}
-
-						inExperimentalQueriesFlag := false
-						for _, experimentalFlag := range queryParameters.ExperimentalQueries {
-							experimentalFlag := filepath.FromSlash(experimentalFlag)
-							if strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag) {
-								inExperimentalQueriesFlag = true
-								break
-							}
-						}
-
-						if inExperimentalQueriesFlag || !inExperimentalQueriesJSON {
-							queryDirs = append(queryDirs, querypathDir)
-						}
+					if err == nil && isExperimental(querypathDir, cleanPlatformCloudProviderDir, experimentalQueriesPaths, queryParameters) {
+						queryDirs = append(queryDirs, querypathDir)
 					}
 				}
-				if err != nil {
+				if err != nil || err1 != nil || err2 != nil {
 					queryDirs = append(queryDirs, querypathDir)
 				}
 				return nil
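Review bot: The widened `if err != nil || err1 != nil || err2 != nil` appends `querypathDir` whenever `filepath.Abs` or `filepath.Rel` fails, so a path-resolution error now loads the directory without `isExperimental` ever being consulted; the removed `if err != nil` did this only for the `Rel` error, and an `Abs` failure previously left the directory out. A gate that fails open on an error is the wrong default for a filter whose purpose is to keep unflagged experimental queries out of a scan; skip the directory with a logged warning, e.g. `log.Warn().Msgf("skipping %s: cannot resolve query path", querypathDir); return nil`, or return the error. The walk callback starts and ends outside the hunk.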
@@ -316,6 +309,39 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters)
 		}
 	}
 
+	return queryDirs, nil
+}
+
+func isExperimental(
+	querypathDir, cleanPlatformCloudProviderDir string,
+	experimentalQueriesPaths []string,
+	queryParameters *QueryInspectorParameters) bool {
+	cleanPlatformCloudProviderDir = filepath.FromSlash(cleanPlatformCloudProviderDir)
+	inExperimentalQueriesJSON := false
+	for _, queryPath := range experimentalQueriesPaths {
+		queryPath = filepath.FromSlash(queryPath)
+		if strings.Contains(querypathDir, queryPath) {
+			inExperimentalQueriesJSON = true
+			break
+		}
+	}
+
+	inExperimentalQueriesFlag := false
+	for _, experimentalFlag := range queryParameters.ExperimentalQueries {
+		experimentalFlag = filepath.FromSlash(experimentalFlag)
+		if strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag) {
+			inExperimentalQueriesFlag = true
+			break
+		}
+	}
+
+	return inExperimentalQueriesFlag || !inExperimentalQueriesJSON
+}
+
+// iterateQueryDirs iterates all query directories and reads the respective queries
+func (s *FilesystemSource) iterateQueryDirs(queryDirs []string, queryParameters *QueryInspectorParameters) []model.QueryMetadata {
+	queries := make([]model.QueryMetadata, 0, len(queryDirs))
+
 	for _, queryDir := range queryDirs {
 		query, errRQ := ReadQuery(queryDir)
 		if errRQ != nil {
@@ -365,8 +391,7 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters)
 			queries = append(queries, query)
 		}
 	}
-
-	return queries, err
+	return queries
 }
 
 // validateMetadata prevents panics when KICS queries metadata fields are missing

From 80449c919dfa9127384df0ebf207b9675699d3a5 Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Fri, 1 Sep 2023 15:27:18 +0100
Subject: [PATCH 021/379] add copy experimental-queries file

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 24c2c56a957..8eb0f822e93 100644
--- a/Dockerfile
+++ b/Dockerfile
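Review bot: `isExperimental` returns true when the directory should be loaded — listed under an enabled entry of `queryParameters.ExperimentalQueries`, or absent from the experimental-queries file — not when the query is experimental, so the name reads backwards at its call site and the function carries no doc comment; rename it (e.g. `shouldLoadQueryDir`) or add `// isExperimental reports whether querypathDir is to be loaded: enabled by an entry in queryParameters.ExperimentalQueries, or not gated by the experimental-queries file at all`. Both matches are also unanchored: `strings.Contains(querypathDir, queryPath)` and `strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag)` compare raw substrings, so an entry `tested` also enables a sibling directory such as `testedfoo/` (constructed example); anchor on a path-component boundary, e.g. `cleanPlatformCloudProviderDir == experimentalFlag || strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag+string(filepath.Separator))`. `iterateSources`, whose end is in this hunk, lacks the doc comment that `iterateQueryDirs` gets.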
@@ -67,6 +67,7 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0. COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ +COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/ WORKDIR /app/bin From fa9752295930eb88e4f40a7f2e95b23bd8a2ac42 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Fri, 1 Sep 2023 17:34:47 +0100 Subject: [PATCH 022/379] fix experimental-queries path --- internal/console/helpers/helpers.go | 24 ++++++++++++++++++++++++ pkg/remediation/scan.go | 8 +++++++- pkg/scan/scan.go | 9 ++++++++- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/internal/console/helpers/helpers.go b/internal/console/helpers/helpers.go index f44fcc9c53d..44792d8934c 100644 --- a/internal/console/helpers/helpers.go +++ b/internal/console/helpers/helpers.go 
@@ -153,6 +153,30 @@ func GetDefaultQueryPath(queriesPath string) (string, error) { return queriesDirectory, nil } +// GetDefaultExperimentalPath - returns the default Experimental path +func GetDefaultExperimentalPath(experimentalQueriesPath string) (string, error) { + log.Debug().Msg("helpers.GetDefaultExperimentalPath()") + executableDirPath := GetExecutableDirectory() + experimentalQueriesFile := filepath.Join(executableDirPath, experimentalQueriesPath) + if _, err := os.Stat(experimentalQueriesFile); os.IsNotExist(err) { + currentWorkDir, err := os.Getwd() + if err != nil { + return "", err + } + idx := strings.Index(currentWorkDir, "kics") + if idx != -1 { + currentWorkDir = currentWorkDir[:strings.LastIndex(currentWorkDir, "kics")] + "kics" + } + experimentalQueriesFile = filepath.Join(currentWorkDir, experimentalQueriesPath) + if _, err := os.Stat(experimentalQueriesFile); os.IsNotExist(err) { + return "", err + } + } + + log.Debug().Msgf("Experimental Queries found in %s", experimentalQueriesFile) + return experimentalQueriesFile, nil +} + // ListReportFormats return a slice with all supported report formats func ListReportFormats() []string { supportedFormats := make([]string, 0, len(reportGenerators)) diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index a64a27c22ca..48f53e57c92 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -14,6 +14,7 @@ import ( "github.com/open-policy-agent/opa/topdown" "github.com/Checkmarx/kics/internal/console/flags" + consoleHelpers "github.com/Checkmarx/kics/internal/console/helpers" "github.com/Checkmarx/kics/internal/tracker" "github.com/Checkmarx/kics/pkg/engine/source" "github.com/Checkmarx/kics/pkg/parser" 
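Review bot: Both `os.Stat` checks in `GetDefaultExperimentalPath` only react to `os.IsNotExist(err)`, so any other Stat failure (permission denied, a non-directory path component) falls through, logs "Experimental Queries found in …" and returns a path the caller cannot open; testing `err != nil` on both — `if _, err := os.Stat(experimentalQueriesFile); err != nil {` — and returning that error is simpler and more accurate. The working-directory rewrite tests with `strings.Index` but cuts with `strings.LastIndex`, and "kics" is matched anywhere in the path, so a directory such as `/home/alice/kicsdata/job` (constructed example) is truncated to `/home/alice/kics`; if this mirrors the existing `GetDefaultQueryPath` just above, both should share one helper so the edge cases are fixed once. The inner `currentWorkDir, err := os.Getwd()` also shadows the `err` from the enclosing `if`, which is legal but makes the two error paths easy to confuse.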
@@ -199,7 +200,12 @@ func initScan(queryID string) (*engine.Inspector, error) { } _, err := c.GetQueryPath() + if err != nil { + log.Err(err) + return &engine.Inspector{}, err + } + experimentalQueries, err := consoleHelpers.GetDefaultExperimentalPath(filepath.FromSlash("./assets/utils/experimental-queries.json")) if err != nil { log.Err(err) return &engine.Inspector{}, err @@ -210,7 +216,7 @@ func initScan(queryID string) (*engine.Inspector, error) { c.ScanParams.Platform, c.ScanParams.CloudProvider, c.ScanParams.LibrariesPath, - filepath.FromSlash("./assets/utils/experimental-queries.json")) + experimentalQueries) includeQueries := source.IncludeQueries{ ByIDs: []string{queryID}, diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index cd6f2e95030..8c9f76f38c2 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -7,6 +7,7 @@ import ( "path/filepath" "github.com/Checkmarx/kics/assets" + consoleHelpers "github.com/Checkmarx/kics/internal/console/helpers" "github.com/Checkmarx/kics/pkg/engine" "github.com/Checkmarx/kics/pkg/engine/provider" "github.com/Checkmarx/kics/pkg/engine/secrets" @@ -57,12 +58,18 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { return nil, nil } + experimentalQueries, err := consoleHelpers.GetDefaultExperimentalPath(filepath.FromSlash("./assets/utils/experimental-queries.json")) + if err != nil { + log.Err(err) + return nil, err + } + querySource := source.NewFilesystemSource( c.ScanParams.QueriesPath, c.ScanParams.Platform, c.ScanParams.CloudProvider, c.ScanParams.LibrariesPath, - filepath.FromSlash("./assets/utils/experimental-queries.json")) + experimentalQueries) queryFilter := c.createQueryFilter() From 4b3ff11bd112ca12e17b19e38f5a9dbe8e6a93a3 Mon Sep 17 00:00:00 2001 
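Review bot: `log.Err(err)` in the new error branches of `initScan` (here and in the matching `pkg/scan/scan.go` hunk below) builds a log event but never emits it — if `log` is zerolog, as the `log.Debug().Msg(...)` calls in the helpers hunk suggest, nothing is written until `.Msg()` or `.Send()` is called — so a missing experimental-queries file aborts the scan with no log line saying why; `log.Err(err).Msg("unable to locate experimental-queries file")` fixes that, and the pre-existing `log.Err(err)` lines right after have the same problem. The literal `./assets/utils/experimental-queries.json` is now duplicated in both callers; exporting it as a constant next to `GetDefaultExperimentalPath` keeps them from drifting. `initScan` in both files starts before and ends after the hunk.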
From: cx-henriqueAlvelos Date: Sat, 2 Sep 2023 11:32:34 +0100 Subject: [PATCH 023/379] feat(query): Unpinned Package Version --- assets/libraries/ansible.rego | 30 ++++ .../unpinned_package_version/metadata.json | 12 ++ .../unpinned_package_version/query.rego | 44 +++++ .../test/negative1.yaml | 150 +++++++++++++++++ .../test/positive1.yaml | 149 +++++++++++++++++ .../test/positive_expected_result.json | 158 ++++++++++++++++++ 6 files changed, 543 insertions(+) create mode 100644 assets/queries/ansible/general/unpinned_package_version/metadata.json create mode 100644 assets/queries/ansible/general/unpinned_package_version/query.rego create mode 100644 assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml create mode 100644 assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml create mode 100644 assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json diff --git a/assets/libraries/ansible.rego b/assets/libraries/ansible.rego index 2e0103a4c6f..e85498b5427 100644 --- a/assets/libraries/ansible.rego +++ b/assets/libraries/ansible.rego 
@@ -147,3 +147,33 @@ isEntireNetwork(cidr) {
 cidrs = {"0.0.0.0/0", "::/0"}
 cidr == cidrs[j]
 }
+
+installer_modules := {
+ "community.general.apk",
+ "ansible.builtin.apt",
+ "ansible.builtin.apt",
+ "community.general.bundler",
+ "ansible.builtin.dnf",
+ "community.general.easy_install",
+ "community.general.gem",
+ "community.general.homebrew",
+ "community.general.jenkins_plugin",
+ "community.general.npm",
+ "community.general.openbsd_pkg",
+ "ansible.builtin.package",
+ "ansible.builtin.package",
+ "community.general.pear",
+ "community.general.pacman",
+ "ansible.builtin.pip",
+ "community.general.pkg5",
+ "community.general.pkgutil",
+ "community.general.pkgutil",
+ "community.general.portage",
+ "community.general.slackpkg",
+ "community.general.sorcery",
+ "community.general.swdepot",
+ "win_chocolatey",
+ "community.general.yarn",
+ "ansible.builtin.yum",
+ "community.general.zypper",
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/unpinned_package_version/metadata.json b/assets/queries/ansible/general/unpinned_package_version/metadata.json
new file mode 100644
index 00000000000..ff87c4e7fe4
--- /dev/null
+++ b/assets/queries/ansible/general/unpinned_package_version/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8",
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "category": "Supply-Chain",
+ "descriptionText": "Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/package-latest/",
+ "platform": "Ansible",
+ "descriptionID": "43e877b3",
+ "cloudProvider": "common"
+ }
+ 
\ No newline at end of file
diff --git a/assets/queries/ansible/general/unpinned_package_version/query.rego b/assets/queries/ansible/general/unpinned_package_version/query.rego
new file mode 100644
index 00000000000..5ef48669239
--- /dev/null
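Review bot: `installer_modules` lists `"ansible.builtin.apt"`, `"ansible.builtin.package"` and `"community.general.pkgutil"` twice each. As a set the duplicates simply collapse, but the same entries survive the conversion to a list in the later `update to list` and `added installer modules` hunks, where each duplicate index makes the consuming rule (`task[ansLib.installer_modules[m]]` in the unpinned-package query) evaluate the same module a second time. Dropping the repeats and adding a one-line comment naming the consumer — `# package-manager modules checked by the Unpinned Package Version query` — would keep the list maintainable.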
+++ b/assets/queries/ansible/general/unpinned_package_version/query.rego
@@ -0,0 +1,44 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][_]
+ package_installer := task[ansLib.installer_modules[m]]
+ ansLib.checkState(package_installer)
+
+ not common_lib.valid_key(package_installer, "version")
+ not common_lib.valid_key(package_installer, "update_only")
+ package_installer.state == "latest"
+
+ result := {
+ "documentId": id,
+ "resourceType": ansLib.installer_modules[m],
+ "resourceName": task.name,
+ "searchKey": sprintf("name={{%s}}.{{%s}}.state", [task.name, ansLib.installer_modules[m]]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'",
+ "keyActualValue": "State's task is set to 'latest'",
+ }
+}
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][_]
+ package_installer := task[ansLib.installer_modules[m]]
+ ansLib.checkState(package_installer)
+
+ not common_lib.valid_key(package_installer, "version")
+ package_installer.update_only == false
+ package_installer.state == "latest"
+
+ result := {
+ "documentId": id,
+ "resourceType": ansLib.installer_modules[m],
+ "resourceName": task.name,
+ "searchKey": sprintf("name={{%s}}.{{%s}}.state", [task.name, ansLib.installer_modules[m]]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'",
+ "keyActualValue": "State's task is set to 'latest'",
+ }
+}
diff --git a/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml b/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml
new file mode 100644
index 00000000000..c6425ea05af
--- /dev/null
+++ b/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml
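Review bot: The two `CxPolicy` rules are identical except for how `update_only` is read (`not common_lib.valid_key(package_installer, "update_only")` versus `package_installer.update_only == false`) and duplicate the whole result object; a single rule with `object.get(package_installer, "update_only", false) == false` covers both cases. `"resourceName": task.name` and the `searchKey` also make the rule undefined for a task without a `name`, so an unnamed `state: latest` task is never reported — if that is the convention for this query family, a comment saying so would help; otherwise `object.get(task, "name", "")` is needed. The `version` exclusion is applied to every module although only some of them appear to take a `version` argument (`ansible.builtin.pip` in negative1.yaml does), which is worth a comment so the blanket check is not read as a bug.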
@@ -0,0 +1,150 @@
+---
+- name: Example playbook
+ hosts: localhost
+ tasks:
+ - name: Install Ansible
+ ansible.builtin.yum:
+ name: ansible-2.12.7.0
+ state: present
+
+ - name: Install Ansible-lint
+ ansible.builtin.pip:
+ name: ansible-lint
+ state: present
+ version: 5.4.0
+
+ - name: Update Ansible with update_only to true
+ ansible.builtin.yum:
+ name: sudo
+ state: latest
+ update_only: true
+
+ - name: Install nmap
+ community.general.zypper:
+ name: nmap
+ state: present
+
+ - name: Install package without using cache
+ community.general.apk:
+ name: foo
+ state: present
+ no_cache: true
+
+ - name: Install apache httpd
+ ansible.builtin.apt:
+ name: apache2
+ state: present
+
+ - name: Update Gemfile in another directory
+ community.general.bundler:
+ state: present
+ chdir: ~/rails_project
+
+ - name: Install a modularity appstream with defined profile
+ ansible.builtin.dnf:
+ name: '@postgresql/client'
+ state: present
+
+ - name: Install rake
+ community.general.gem:
+ name: rake
+ state: present
+
+ - name: Install formula foo with 'brew' from cask
+ community.general.homebrew:
+ name: homebrew/cask/foo
+ state: present
+
+ - name: Install Green Balls plugin
+ community.general.jenkins_plugin:
+ name: greenballs
+ version: present
+ state: present
+ url: http://host_jenkins:8080
+ username: user_jenkins
+ password: userpass_jenkins
+ register: result
+
+ - name: Install packages based on package.json
+ community.general.npm:
+ path: /app/location
+ state: present
+
+ - name: Install nmap
+ community.general.openbsd_pkg:
+ name: nmap
+ state: present
+
+ - name: Install ntpdate
+ ansible.builtin.package:
+ name: ntpdate
+ state: present
+
+ - name: Install package bar from file
+ community.general.pacman:
+ name: ~/bar-1.0-1-any.pkg.tar.xz
+ state: present
+
+ - name: Install package bar from file
+ community.general.pacman:
+ name: ~/bar-1.0-1-any.pkg.tar.xz
+ state: present
+
+ - name: Install finger daemon
+ community.general.pkg5:
+ name: service/network/finger
+ state: present
+
+ - name: Install several packages
+ community.general.pkgutil:
+ name:
+ - CSWsudo
+ - CSWtop
+ state: present
+
+ - name: Install package foo
+ community.general.portage:
+ package: foo
+ state: present
+
+ - name: Make sure that it is the most updated package
+ community.general.slackpkg:
+ name: foo
+ state: present
+
+ - name: Make sure spell foo is installed
+ community.general.sorcery:
+ spell: foo
+ state: present
+
+ - name: Install package unzip
+ community.general.swdepot:
+ name: unzip
+ state: present
+ depot: 'repository:/path'
+
+ - name: Install multiple packages
+ win_chocolatey:
+ name:
+ - procexp
+ - putty
+ - windirstat
+ state: present
+
+ - name: Install "imagemin" node.js package globally.
+ community.general.yarn:
+ name: imagemin
+ global: true
+
+ - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
+ ansible.builtin.yum:
+ name:
+ - nginx
+ - postgresql
+ - postgresql-server
+ state: present
+
+ - name: Install local rpm file
+ community.general.zypper:
+ name: /tmp/fancy-software.rpm
+ state: present
\ No newline at end of file
diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml b/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml
new file mode 100644
index 00000000000..6b05abf809a
--- /dev/null
+++ b/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml
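Review bot: The `community.general.jenkins_plugin` case in negative1.yaml uses `version: present`, which is not a version string; it satisfies the query's `valid_key(package_installer, "version")` exclusion but documents a playbook nobody would write, so the fixture does not really show the pinned form. A realistic pinned value such as `version: "1.15"` (constructed example) keeps the test meaningful, and the `community.general.pacman` task appears twice with identical content, so one copy can go.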
@@ -0,0 +1,149 @@
+---
+- name: Example playbook
+ hosts: localhost
+ tasks:
+ - name: Install Ansible
+ ansible.builtin.yum:
+ name: ansible
+ state: latest
+
+ - name: Install Ansible-lint
+ ansible.builtin.pip:
+ name: ansible-lint
+ state: latest
+
+ - name: Install some-package
+ ansible.builtin.package:
+ name: some-package
+ state: latest
+
+ - name: Install Ansible with update_only to false
+ ansible.builtin.yum:
+ name: sudo
+ state: latest
+ update_only: false
+
+ - name: Install nmap
+ community.general.zypper:
+ name: nmap
+ state: latest
+
+ - name: Install package without using cache
+ community.general.apk:
+ name: foo
+ state: latest
+ no_cache: true
+
+ - name: Install apache httpd
+ ansible.builtin.apt:
+ name: apache2
+ state: latest
+
+ - name: Update Gemfile in another directory
+ community.general.bundler:
+ state: latest
+ chdir: ~/rails_project
+
+ - name: Install a modularity appstream with defined profile
+ ansible.builtin.dnf:
+ name: '@postgresql/client'
+ state: latest
+
+ - name: Install rake
+ community.general.gem:
+ name: rake
+ state: latest
+
+ - name: Install formula foo with 'brew' from cask
+ community.general.homebrew:
+ name: homebrew/cask/foo
+ state: latest
+
+ - name: Install Green Balls plugin
+ community.general.jenkins_plugin:
+ name: greenballs
+ state: latest
+ url: http://host_jenkins:8080
+ username: user_jenkins
+ password: userpass_jenkins
+ register: result
+
+ - name: Install packages based on package.json
+ community.general.npm:
+ path: /app/location
+ state: latest
+
+ - name: Install nmap
+ community.general.openbsd_pkg:
+ name: nmap
+ state: latest
+
+ - name: Install ntpdate
+ ansible.builtin.package:
+ name: ntpdate
+ state: latest
+
+ - name: Install package bar from file
+ community.general.pacman:
+ name: ~/bar-1.0-1-any.pkg.tar.xz
+ state: latest
+
+ - name: Install finger daemon
+ community.general.pkg5:
+ name: service/network/finger
+ state: latest
+
+ - name: Install several packages
+ community.general.pkgutil:
+ name:
+ - CSWsudo
+ - CSWtop
+ state: latest
+
+ - name: Install package foo
+ community.general.portage:
+ package: foo
+ state: latest
+
+ - name: Make sure that it is the most updated package
+ community.general.slackpkg:
+ name: foo
+ state: latest
+
+ - name: Make sure spell foo is installed
+ community.general.sorcery:
+ spell: foo
+ state: latest
+
+ - name: Install package unzip
+ community.general.swdepot:
+ name: unzip
+ state: latest
+ depot: 'repository:/path'
+
+ - name: Install multiple packages
+ win_chocolatey:
+ name:
+ - procexp
+ - putty
+ - windirstat
+ state: latest
+
+ - name: Install "imagemin" node.js package globally.
+ community.general.yarn:
+ name: imagemin
+ global: true
+ state: latest
+
+ - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
+ ansible.builtin.yum:
+ name:
+ - nginx
+ - postgresql
+ - postgresql-server
+ state: latest
+
+ - name: Install local rpm file
+ community.general.zypper:
+ name: /tmp/fancy-software.rpm
+ state: latest
\ No newline at end of file
diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json
new file mode 100644
index 00000000000..f67cb49ccc2
--- /dev/null
+++ b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json
@@ -0,0 +1,158 @@
+[
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 8
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 13
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 18
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 23
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 29
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 34
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 40
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 44
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 50
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 55
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 60
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 65
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 74
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 79
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 84
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 89
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 94
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 101
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 106
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 111
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 116
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 121
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 130
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 136
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 144
+ },
+ {
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "filename": "positive1.yaml",
+ "line": 149
+ }
+]
\ No newline at end of file
From 051aa0b9d251709632df5e82b0021e8d7bbcfd3d Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 2 Sep 2023 11:33:42 +0100 Subject: [PATCH 024/379] update to list --- assets/libraries/ansible.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/libraries/ansible.rego b/assets/libraries/ansible.rego
index e85498b5427..a74a7d4a0e5 100644
--- a/assets/libraries/ansible.rego
+++ b/assets/libraries/ansible.rego
@@ -148,7 +148,7 @@ isEntireNetwork(cidr) {
 cidr == cidrs[j]
 }
-installer_modules := {
+installer_modules := [
 "community.general.apk",
 "ansible.builtin.apt",
 "ansible.builtin.apt",
@@ -176,4 +176,4 @@ installer_modules := {
 "community.general.yarn",
 "ansible.builtin.yum",
 "community.general.zypper",
-}
\ No newline at end of file
+]
\ No newline at end of file
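Review bot: This expected-result file names the source file under the key `"filename"`, while the `positive_expected_result.json` added for risky_file_permissions later in this series uses `"file"`; at most one spelling can be what the test harness compares, so one of the two fixtures is either not checked on that field or fails. Both should use whichever key the existing expected-result files in the repository already use.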
From 0f42894ddaa862858923e5239877e741f13fbacf Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 2 Sep 2023 11:59:59 +0100 Subject: [PATCH 025/379] added installer modules --- assets/libraries/ansible.rego | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/assets/libraries/ansible.rego b/assets/libraries/ansible.rego index a74a7d4a0e5..fd3735cd532 100644 --- a/assets/libraries/ansible.rego +++ b/assets/libraries/ansible.rego 
@@ -149,31 +149,11 @@ isEntireNetwork(cidr) { } installer_modules := [ - "community.general.apk", - "ansible.builtin.apt", - "ansible.builtin.apt", - "community.general.bundler", - "ansible.builtin.dnf", - "community.general.easy_install", - "community.general.gem", - "community.general.homebrew", - "community.general.jenkins_plugin", - "community.general.npm", - "community.general.openbsd_pkg", - "ansible.builtin.package", - "ansible.builtin.package", - "community.general.pear", - "community.general.pacman", - "ansible.builtin.pip", - "community.general.pkg5", - "community.general.pkgutil", - "community.general.pkgutil", - "community.general.portage", - "community.general.slackpkg", - "community.general.sorcery", - "community.general.swdepot", - "win_chocolatey", - "community.general.yarn", - "ansible.builtin.yum", - "community.general.zypper", + "community.general.apk", "ansible.builtin.apt", "ansible.builtin.apt", "community.general.bundler", "ansible.builtin.dnf", "community.general.easy_install", + "community.general.gem", "community.general.homebrew", "community.general.jenkins_plugin", "community.general.npm", "community.general.openbsd_pkg", + "ansible.builtin.package", "ansible.builtin.package", "community.general.pear", "community.general.pacman", "ansible.builtin.pip", "community.general.pkg5", + "community.general.pkgutil", "community.general.pkgutil", "community.general.portage", "community.general.slackpkg", "community.general.sorcery", + "community.general.swdepot", "win_chocolatey", "community.general.yarn", "ansible.builtin.yum", "community.general.zypper", "apk", "apt", "bower", "bundler", + "dnf", "easy_install", "gem", "homebrew", "jenkins_plugin", "npm", "openbsd_package", "openbsd_pkg", "package", "pacman", "pear", "pip", "pkg5", "pkgutil", + "portage", "slackpkg", "sorcery", "swdepot", "win_chocolatey", "yarn", "yum", "zypper", ] \ No newline at end of file From 2950b4e6e14317f1ecbc7c0ba6b9f8ce6bc2b6a0 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Sat, 2 Sep 2023 18:23:12 +0100 Subject: [PATCH 026/379] feat(query): ansible playbooks risky file permissions --- .../risky_file_permissions/metadata.json | 11 +++ .../general/risky_file_permissions/query.rego | 88 +++++++++++++++++++ .../test/negative1.yaml | 83 +++++++++++++++++ .../test/positive1.yaml | 88 +++++++++++++++++++ .../test/positive_expected_result.json | 68 ++++++++++++++ 5 files changed, 338 insertions(+) create mode 100644 assets/queries/ansible/general/risky_file_permissions/metadata.json create mode 100644 assets/queries/ansible/general/risky_file_permissions/query.rego create mode 100644 assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml create mode 100644 assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml create mode 100644 assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json diff --git a/assets/queries/ansible/general/risky_file_permissions/metadata.json b/assets/queries/ansible/general/risky_file_permissions/metadata.json new file mode 100644 index 00000000000..02a5dd64ab3 --- /dev/null +++ b/assets/queries/ansible/general/risky_file_permissions/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "88841d5c-d22d-4b7e-a6a0-89ca50e44b9f", + "queryName": "Risky File Permissions", + "severity": "INFO", + "category": "Supply-Chain", + "descriptionText": "Some modules could end up creating new files on disk with permissions that might be too open, or unpredictable", + "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/risky-file-permissions/", + "platform": "Ansible", + "descriptionID": "1f0e1485", + "cloudProvider": "common" + } \ No newline at end of file diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego new file mode 100644 index 00000000000..8d3812241be --- /dev/null 
+++ b/assets/queries/ansible/general/risky_file_permissions/query.rego 
@@ -0,0 +1,88 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][e]
+ action := task[m]
+ action.mode == "preserve"
+
+ modules_with_preserve := ["copy", "template"]
+ count([x | x := modules_with_preserve[mp]; x == m]) == 0
+
+ result := {
+ "documentId": id,
+ "resourceType": m,
+ "resourceName": task.name,
+ "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("%s does not allow setting 'preserve' value for mode key", [m]),
+ "keyActualValue": sprintf("Mode key of %s is set to 'preserve'", [m]),
+ }
+}
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][_]
+ modules := [
+ "archive", "community.general.archive", "assemble", "ansible.builtin.assemble", "copy", "ansible.builtin.copy", "file", "ansible.builtin.file",
+ "get_url", "ansible.builtin.get_url", "ansible.builtin.replace", "template", "ansible.builtin.template",
+ ]
+ action := task[modules[m]]
+
+ state := object.get(action, "state", "none")
+ state != "absent"
+ state != "link"
+
+ not common_lib.valid_key(action, "recurse")
+ not file_module(action, modules[m])
+
+ not common_lib.valid_key(action, "mode")
+
+ result := {
+ "documentId": id,
+ "resourceType": modules[m],
+ "resourceName": task.name,
+ "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "All the permissions set about creating files/directories",
+ "keyActualValue": "There are some permissions missing and might create directory/file",
+ }
+}
+
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][_]
+ not common_lib.valid_key(task, "mode")
+
+ modules := {
+ "blockinfile": false,
+ "ansible.builtin.blockinfile": false,
+ "htpasswd": true,
+ "community.general.htpasswd": true,
+ "ini_file": true,
+ "community.general.ini_file": true,
+ "lineinfile": false,
+ "ansible.builtin.lineinfile": false,
+ }
+
+ bool := modules[m]
+ action := task[m]
+ object.get(action, "create", bool) == true
+
+ result := {
+ "documentId": id,
+ "resourceType": modules[m],
+ "resourceName": task.name,
+ "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [modules[m], bool]),
+ "keyActualValue": "%s 'create' key is set to 'true' or 'mode' key is not defined",
+ }
+}
+
+file_module(action, module_name){
+ module_name == "file"
+ object.get(action, "state", "file") == "file"
+}
diff --git a/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml b/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml
new file mode 100644
index 00000000000..3113671f282
--- /dev/null
+++ b/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml
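Review bot: `file_module` matches only the short name `"file"` and `modules_with_preserve` only `"copy"`/`"template"`, so fully-qualified tasks are treated differently from short ones: `ansible.builtin.file` with no `state` (the SUCCESS_DEFAULT_STATE case in negative1.yaml) is not excluded by the second rule and is reported for a missing `mode`, and `ansible.builtin.copy` with `mode: preserve` is reported by the first; listing both forms — `file_modules := {"file", "ansible.builtin.file"}` with `file_modules[module_name]`, and likewise for copy/template — fixes it. The second rule's `modules` list also contains `"ansible.builtin.replace"`, which the SUCCESS_REPLACE negative case exercises without `mode`, so that rule would report it too. In the third rule `"resourceType": modules[m]` resolves to the boolean default (`true`/`false`) rather than the module name, and `not common_lib.valid_key(task, "mode")` inspects the task instead of `action`, where module arguments live, so the rule fires even when `mode` is set (INI_PRESERVE is then matched by two rules while the expected results list line 5 once). All of this is hedged on the later `fix query and metadata` commit, whose query.rego hunk is not shown here.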
@@ -0,0 +1,83 @@
+---
+- name: SUCCESS_PERMISSIONS_PRESENT
+ hosts: all
+ tasks:
+ - name: Permissions not missing and numeric
+ ansible.builtin.file:
+ path: foo
+ mode: "0600"
+
+---
+- name: SUCCESS_PERMISSIONS_PRESENT_GET_URL
+ hosts: all
+ tasks:
+ - name: Permissions not missing and numeric
+ ansible.builtin.get_url:
+ url: http://foo
+ dest: foo
+ mode: "0600"
+
+---
+- name: SUCCESS_ABSENT_STATE
+ hosts: all
+ tasks:
+ - name: Permissions missing while state is absent is fine
+ ansible.builtin.file:
+ path: foo
+ state: absent
+
+---
+- name: SUCCESS_DEFAULT_STATE
+ hosts: all
+ tasks:
+ - name: Permissions missing while state is file (default) is fine
+ ansible.builtin.file:
+ path: foo
+
+---
+- name: SUCCESS_LINK_STATE
+ hosts: all
+ tasks:
+ - name: Permissions missing while state is link is fine
+ ansible.builtin.file:
+ path: foo2
+ src: foo
+ state: link
+
+---
+- name: SUCCESS_CREATE_FALSE
+ hosts: all
+ tasks:
+ - name: File edit when create is false
+ ansible.builtin.lineinfile:
+ path: foo
+ create: false
+ line: some content here
+
+---
+- name: SUCCESS_REPLACE
+ hosts: all
+ tasks:
+ - name: Replace should not require mode
+ ansible.builtin.replace:
+ path: foo
+ regexp: foo
+
+---
+- name: SUCCESS_RECURSE
+ hosts: all
+ tasks:
+ - name: File with recursive does not require mode
+ ansible.builtin.file:
+ state: directory
+ recurse: true
+ path: foo
+ - name: Permissions not missing and numeric (fqcn)
+ ansible.builtin.file:
+ path: bar
+ mode: "755"
+ - name: File edit when create is false (fqcn)
+ ansible.builtin.lineinfile:
+ path: foo
+ create: false
+ line: some content here
\ No newline at end of file
diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml b/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml
new file mode 100644
index 00000000000..3ed8a1b73f8
--- /dev/null
+++ b/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml
@@ -0,0 +1,88 @@
+---
+- name: INI_PRESERVE
+ tasks:
+ - name: Ini_file
+ community.general.ini_file:
+ path: foo
+ create: true
+ mode: preserve
+ section: bar
+
+---
+- name: INI_PERMISSION
+ tasks:
+ - name: Permissions needed
+ community.general.ini_file:
+ path: foo
+ create: true
+ section: bar
+
+---
+- name: PRESERVE_MODE
+ tasks:
+ - name: not preserve value
+ ansible.builtin.file:
+ path: foo
+ mode: preserve
+
+---
+- name: MISSING_PERMISSIONS_TOUCH
+ tasks:
+ - name: Permissions missing
+ file:
+ path: foo
+ state: touch
+ - name: Permissions missing 2x
+ ansible.builtin.file:
+ path: foo
+ state: touch
+
+---
+- name: MISSING_PERMISSIONS_DIRECTORY
+ tasks:
+ - name: Permissions missing 3x
+ file:
+ path: foo
+ state: directory
+ - name: create is true
+ ansible.builtin.lineinfile:
+ path: foo
+ create: true
+ line: some content here
+
+---
+- name: MISSING_PERMISSIONS_GET_URL
+ tasks:
+ - name: Permissions missing 4x
+ get_url:
+ url: http://foo
+ dest: foo
+
+---
+- name: LINEINFILE_CREATE
+ tasks:
+ - name: create is true 2x
+ ansible.builtin.lineinfile:
+ path: foo
+ create: true
+ line: some content here
+
+---
+- name: REPLACE_PRESERVE
+ tasks:
+ - name: not preserve mode 2x
+ replace:
+ path: foo
+ mode: preserve
+ regexp: foo
+
+---
+- name: NOT_PERMISSION
+ tasks:
+ - name: Not Permissions
+ file:
+ path: foo
+ owner: root
+ group: root
+ state: directory
+ 
\ No newline at end of file
diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json
new file mode 100644
index 00000000000..49dbde13893
--- /dev/null
+++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json
@@ -0,0 +1,68 @@
+[
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 5
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 15
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 24
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 32
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 36
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 44
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 48
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 57
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 65
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 74
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "file": "positive1.yaml",
+ "line": 83
+ }
+]
\ No newline at end of file
From 40509e1c8f0b7bc58d6b9fbb8114d90195e47f5b Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 2 Sep 2023 18:23:52 +0100 Subject: [PATCH 027/379] fix key actual value --- .../queries/ansible/general/risky_file_permissions/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego
index 8d3812241be..bb0cb857ff2 100644
--- a/assets/queries/ansible/general/risky_file_permissions/query.rego
+++ b/assets/queries/ansible/general/risky_file_permissions/query.rego
@@ -77,8 +77,8 @@ CxPolicy[result] {
 "resourceName": task.name,
 "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [modules[m], bool]),
- "keyActualValue": "%s 'create' key is set to 'true' or 'mode' key is not defined",
+ "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [modules[m]]),
+ "keyActualValue": sprintf("%s 'create' key is set to 'true' or 'mode' key is not defined", [modules[m]]),
 }
 }
From 1141fc5bb74918a2f3a754871e43f220893b3a24 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 2 Sep 2023 18:26:51 +0100
Subject: [PATCH 028/379] fix key actual and expected value
---
 .../ansible/general/risky_file_permissions/query.rego | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego
index bb0cb857ff2..72dc6c7385f 100644
--- a/assets/queries/ansible/general/risky_file_permissions/query.rego
+++ b/assets/queries/ansible/general/risky_file_permissions/query.rego
@@ -46,8 +46,8 @@ CxPolicy[result] {
 "resourceName": task.name,
 "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "All the permissions set about creating files/directories",
- "keyActualValue": "There are some permissions missing and might create directory/file",
+ "keyExpectedValue": sprintf("All the permissions set in %s about creating files/directories", [m]),
+ "keyActualValue": sprintf("There are some permissions missing in %s and might create directory/file", [m]),
 }
 }
@@ -77,8 +77,8 @@ CxPolicy[result] {
 "resourceName": task.name,
 "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [modules[m]]),
- "keyActualValue": sprintf("%s 'create' key is set to 'true' or 'mode' key is not defined", [modules[m]]),
+ "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [m]),
+ "keyActualValue": sprintf("%s 'create' key is set to 'true' or 'mode' key is not defined", [m]),
 }
 }
From 32c12900d34994671bef04f17e91aef001307de5 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 2 Sep 2023 18:28:32 +0100
Subject: [PATCH 029/379] fix query and metadata
---
 .../ansible/general/risky_file_permissions/metadata.json | 2 +-
 .../ansible/general/risky_file_permissions/query.rego | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/assets/queries/ansible/general/risky_file_permissions/metadata.json b/assets/queries/ansible/general/risky_file_permissions/metadata.json
index 02a5dd64ab3..bc5741d4e0f 100644
--- a/assets/queries/ansible/general/risky_file_permissions/metadata.json
+++ b/assets/queries/ansible/general/risky_file_permissions/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Risky File Permissions",
 "severity": "INFO",
 "category": "Supply-Chain",
- "descriptionText": "Some modules could end up creating new files on disk with permissions that might be too open, or unpredictable",
+ "descriptionText": "Some modules could end up creating new files on disk with permissions that might be too open or unpredictable",
 "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/risky-file-permissions/",
 "platform": "Ansible",
 "descriptionID": "1f0e1485",
diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego
index 72dc6c7385f..c44d437835e 100644
--- a/assets/queries/ansible/general/risky_file_permissions/query.rego
+++ b/assets/queries/ansible/general/risky_file_permissions/query.rego
@@ -18,8 +18,8 @@ CxPolicy[result] {
 "resourceName": task.name,
 "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s does not allow setting 'preserve' value for mode key", [m]),
- "keyActualValue": sprintf("Mode key of %s is set to 'preserve'", [m]),
+ "keyExpectedValue": sprintf("%s does not allow setting 'preserve' value for 'mode' key", [m]),
+ "keyActualValue": sprintf("'Mode' key of %s is set to 'preserve'", [m]),
 }
 }
@@ -46,8 +46,8 @@ CxPolicy[result] {
 "resourceName": task.name,
 "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("All the permissions set in %s about creating files/directories", [m]),
- "keyActualValue": sprintf("There are some permissions missing in %s and might create directory/file", [m]),
+ "keyExpectedValue": sprintf("All the permissions set in %s about creating files/directories", [modules[m]]),
+ "keyActualValue": sprintf("There are some permissions missing in %s and might create directory/file", [modules[m]]),
 }
 }
From 5b63d6fa779cdb59a19d9a0a4e7b262eae45db56 Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Mon, 4 Sep 2023 09:38:33 +0100
Subject: [PATCH 030/379] fix lint
---
 internal/console/helpers/helpers.go | 43 ++++++++++++++---------------
 1 file changed, 20 insertions(+), 23 deletions(-)
diff --git a/internal/console/helpers/helpers.go b/internal/console/helpers/helpers.go
index 44792d8934c..96942ff9189 100644
--- a/internal/console/helpers/helpers.go
+++ b/internal/console/helpers/helpers.go
@@ -132,33 +132,31 @@ func GetExecutableDirectory() string {
 
 // GetDefaultQueryPath - returns the default query path
 func GetDefaultQueryPath(queriesPath string) (string, error) {
 log.Debug().Msg("helpers.GetDefaultQueryPath()")
- executableDirPath := GetExecutableDirectory()
- queriesDirectory := filepath.Join(executableDirPath, queriesPath)
- if _, err := os.Stat(queriesDirectory); os.IsNotExist(err) {
- currentWorkDir, err := os.Getwd()
- if err != nil {
- return "", err
- }
- idx := strings.Index(currentWorkDir, "kics")
- if idx != -1 {
- currentWorkDir = currentWorkDir[:strings.LastIndex(currentWorkDir, "kics")] + "kics"
- }
- queriesDirectory = filepath.Join(currentWorkDir, queriesPath)
- if _, err := os.Stat(queriesDirectory); os.IsNotExist(err) {
- return "", err
- }
+ queriesDirectory, err := GetFullPath(queriesPath)
+ if err != nil {
+ return "", err
 }
- log.Debug().Msgf("Queries found in %s", queriesDirectory)
 return queriesDirectory, nil
 }
 
-// GetDefaultExperimentalPath - returns the default Experimental path
+// GetDefaultExperimentalPath returns the default Experimental path
 func GetDefaultExperimentalPath(experimentalQueriesPath string) (string, error) {
 log.Debug().Msg("helpers.GetDefaultExperimentalPath()")
+ experimentalQueriesFile, err := GetFullPath(experimentalQueriesPath)
+ if err != nil {
+ return "", err
+ }
+
+ log.Debug().Msgf("Experimental Queries found in %s", experimentalQueriesFile)
+ return experimentalQueriesFile, nil
+}
+
+// GetFulPath returns the full path of a partial path used for queries or experimental queries json path
+func GetFullPath(partialPath string) (string, error) {
 executableDirPath := GetExecutableDirectory()
- experimentalQueriesFile := filepath.Join(executableDirPath, experimentalQueriesPath)
- if _, err := os.Stat(experimentalQueriesFile); os.IsNotExist(err) {
+ fullPath := filepath.Join(executableDirPath, partialPath)
+ if _, err := os.Stat(fullPath); os.IsNotExist(err) {
 currentWorkDir, err := os.Getwd()
 if err != nil {
 return "", err
@@ -167,14 +165,13 @@ func GetDefaultExperimentalPath(experimentalQueriesPath string) (string, error)
 if idx != -1 {
 currentWorkDir = currentWorkDir[:strings.LastIndex(currentWorkDir, "kics")] + "kics"
 }
- experimentalQueriesFile = filepath.Join(currentWorkDir, experimentalQueriesPath)
- if _, err := os.Stat(experimentalQueriesFile); os.IsNotExist(err) {
+ fullPath = filepath.Join(currentWorkDir, partialPath)
+ if _, err := os.Stat(fullPath); os.IsNotExist(err) {
 return "", err
 }
 }
 
- log.Debug().Msgf("Experimental Queries found in %s", experimentalQueriesFile)
- return experimentalQueriesFile, nil
+ return fullPath, nil
 }
 
 // ListReportFormats return a slice with all supported report formats
From ce75a8829bef2eeaaa30bd242a2a5ddb9108625c Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Mon, 4 Sep 2023 09:39:00 +0100
Subject: [PATCH 031/379] fix e2e help tests
---
 internal/console/assets/scan-flags.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json
index 6d574e80b86..6618fcde422 100644
--- a/internal/console/assets/scan-flags.json
+++ b/internal/console/assets/scan-flags.json
@@ -63,7 +63,7 @@
 "flagType": "multiStr",
 "shorthandFlag": "",
 "defaultValue": null,
- "usage": "includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder\nexample: 'terraform/databricks'",
+ "usage": "includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma separated string, (platform:cloudProvider or platform)\nexample: 'terraform/databricks'\npossible values found in: '/assets/utils/experimental-queries.json'",
 "validation": "validateMultiStr"
 },
 "fail-on": {
From 6aaf49dc9a13a5784c69ef9f4bc98bc3b9e169a9 Mon Sep 17 00:00:00 2001
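Review bot: In `GetFullPath` both `if _, err := os.Stat(fullPath); os.IsNotExist(err)` checks treat every error other than "does not exist" — a permission-denied on the executable's directory, for example — as "the path exists", so the function hands back a path it could not stat and the caller only fails later with a less useful message; add `if _, err := os.Stat(fullPath); err != nil && !os.IsNotExist(err) { return "", err }` ahead of each fallback so that only a genuine absence triggers it. The cwd fallback still locates the repository root by searching the working directory for the substring `kics` (`strings.Index` to test, `strings.LastIndex` to cut), which also matches unrelated directories such as `/home/kicsuser`; that is pre-existing, but now that it lives in a shared helper a comment like `// Fallback for source checkouts: cut cwd at the last "kics" path segment; assumes no other segment contains "kics"` would record the assumption. Minor: the doc comment says `GetFulPath`, and `GetDefaultQueryPath` lost its "Queries found in %s" debug line while the experimental variant kept its own.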
From: pereiramarco011 Date: Mon, 4 Sep 2023 11:12:03 +0100 Subject: [PATCH 032/379] fix scan help --- e2e/fixtures/assets/scan_help | 120 +++++++++++++++++----------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index c9646b61bbc..6e6c04eb0a4 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -2,66 +2,66 @@ Usage: kics scan [flags] Flags: - -m, --bom include bill of materials (BoM) in results output - --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) - --config string path to configuration file - --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions - --disable-secrets disable secrets scanning - --exclude-categories strings exclude categories by providing its name - cannot be provided with query inclusion flags - can be provided multiple times or as a comma separated string - example: 'Access control,Best practices' - --exclude-gitignore disables the exclusion of paths specified within .gitignore file - -e, --exclude-paths strings exclude paths from scan - supports glob and can be provided multiple times or as a quoted comma separated string - example: './shouldNotScan/*,somefile.txt' - --exclude-queries strings exclude queries by providing the query ID - cannot be provided with query inclusion flags - can be provided multiple times or as a comma separated string - example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' - -x, --exclude-results strings exclude results by providing the similarity ID of a result - can be provided multiple times or as a comma separated string - example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...' 
- --exclude-severities strings exclude results by providing the severity of a result - can be provided multiple times or as a comma separated string - example: 'info,low' - --exclude-type strings case insensitive list of platform types not to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) - cannot be provided with type inclusion flags - --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) - example: 'terraform/databricks' - possible values found in: '/assets/utils/experimental-queries.json' - --fail-on strings which kind of results should return an exit code different from 0 - accepts: high, medium, low and info - example: "high,low" (default [high,medium,low,info]) - -h, --help help for scan - --ignore-on-exit string defines which kind of non-zero exits code should be ignored - accepts: all, results, errors, none - example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none") - -i, --include-queries strings include queries by providing the query ID - cannot be provided with query exclusion flags - can be provided multiple times or as a comma separated string - example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' - --input-data string path to query input data files - -b, --libraries-path string path to directory with libraries (default "./assets/libraries") - --minimal-ui simplified version of CLI output - --no-progress hides the progress bar - --output-name string name used on report creations (default "results") - -o, --output-path string directory path to store reports - -p, --path strings paths or directories to scan - example: "./somepath,somefile.txt" 
- --payload-lines adds line information inside the payload when printing the payload file - -d, --payload-path string path to store internal representation JSON file - --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) - -q, --queries-path strings paths to directory with queries (default [./assets/queries]) - --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - -r, --secrets-regexes-path string path to secrets regex rules configuration file - --terraform-vars-path string path where terraform variables are present - --timeout int number of seconds the query has to execute before being canceled (default 60) - -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) - cannot be provided with type exclusion flags + -m, --bom include bill of materials (BoM) in results output + --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) + --config string path to configuration file + --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions + --disable-secrets disable secrets scanning + --exclude-categories strings exclude categories by providing its name + cannot be provided with query inclusion flags + can be provided multiple times or as a comma separated string + example: 'Access control,Best practices' + --exclude-gitignore disables the exclusion of paths specified within .gitignore file + -e, --exclude-paths strings exclude paths from scan + supports glob and can be provided multiple times or as a quoted comma separated string + example: './shouldNotScan/*,somefile.txt' + --exclude-queries strings exclude queries by 
providing the query ID + cannot be provided with query inclusion flags + can be provided multiple times or as a comma separated string + example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' + -x, --exclude-results strings exclude results by providing the similarity ID of a result + can be provided multiple times or as a comma separated string + example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...' + --exclude-severities strings exclude results by providing the severity of a result + can be provided multiple times or as a comma separated string + example: 'info,low' + --exclude-type strings case insensitive list of platform types not to scan + (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + cannot be provided with type inclusion flags + --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) + example: 'terraform/databricks' + possible values found in: '/assets/utils/experimental-queries.json' + --fail-on strings which kind of results should return an exit code different from 0 + accepts: high, medium, low and info + example: "high,low" (default [high,medium,low,info]) + -h, --help help for scan + --ignore-on-exit string defines which kind of non-zero exits code should be ignored + accepts: all, results, errors, none + example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none") + -i, --include-queries strings include queries by providing the query ID + cannot be provided with query exclusion flags + can be provided multiple times or as a comma separated string + example: 
'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' + --input-data string path to query input data files + -b, --libraries-path string path to directory with libraries (default "./assets/libraries") + --minimal-ui simplified version of CLI output + --no-progress hides the progress bar + --output-name string name used on report creations (default "results") + -o, --output-path string directory path to store reports + -p, --path strings paths or directories to scan + example: "./somepath,somefile.txt" + --payload-lines adds line information inside the payload when printing the payload file + -d, --payload-path string path to store internal representation JSON file + --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) + -q, --queries-path strings paths to directory with queries (default [./assets/queries]) + --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) + -r, --secrets-regexes-path string path to secrets regex rules configuration file + --terraform-vars-path string path where terraform variables are present + --timeout int number of seconds the query has to execute before being canceled (default 60) + -t, --type strings case insensitive list of platform types to scan + (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + cannot be provided with type exclusion flags Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) From b16e6b1f17476825d68985c6cc8303a241cc2f32 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Tue, 5 Sep 2023 09:44:19 +0100 Subject: [PATCH 033/379] feat(query): ansible playbooks privilege escalation using become plugin --- .../metadata.json | 12 +++++ .../query.rego | 48 +++++++++++++++++++ .../test/negative1.yaml | 12 +++++ .../test/positive1.yaml | 29 +++++++++++ .../test/positive_expected_result.json | 0 5 files changed, 101 insertions(+) create mode 100644 assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json create mode 100644 assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego create mode 100644 assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml create mode 100644 assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml create mode 100644 assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json new file mode 100644 index 00000000000..cbac0c986ef --- /dev/null +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json @@ -0,0 +1,12 @@ +{ + "id": "0e75052f-cc02-41b8-ac39-a78017527e95", + "queryName": "Privilege escalation using become plugin", + "severity": "HIGH", + "category": "Insecure Defaults", + "descriptionText": "In order to perform an action as a different user with the become_user, you must define become and set to 'true'", + "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code", + "platform": "Ansible", + "descriptionID": "11502e38", + "cloudProvider": "common" + } + \ No newline at end of file 
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego
new file mode 100644
index 00000000000..52ec6d5cd56
--- /dev/null
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego
@@ -0,0 +1,48 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as commonLib
+
+CxPolicy[result] {
+ become_exists := object.get(input.document[i].playbooks[_], "become", false)
+ become_exists == false
+
+ task := ansLib.tasks[id][t]
+ input.document[i].id == id
+
+ commonLib.valid_key(task, "become_user")
+
+ b_exists := object.get(task, "become", false)
+ b_exists == false
+
+ result := {
+ "documentId": id,
+ "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]),
+ "keyActualValue": "'become' is not set",
+ }
+}
+
+CxPolicy[result] {
+ commonLib.valid_key(input.document[i].playbooks[j], "become_user")
+
+ tasks := ansLib.tasks[id]
+
+ count([x | x := check_become(tasks, id); x == true]) == 0
+
+ result := {
+ "documentId": id,
+ "searchKey": sprintf("become_user={{%s}}", [input.document[i].playbooks[j].become_user]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'become' should be defined and set to 'true'",
+ "keyActualValue": "'become' is not set",
+ }
+}
+
+check_become(tasks, id){
+ input.document[i].id == id
+ task := tasks[i]
+ not commonLib.valid_key(task, "become_user")
+ object.get(task, "become", false) == false
+}
\ No newline at end of file
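Review bot: `check_become` uses the document index as the task index: `input.document[i].id == id` binds `i`, so `task := tasks[i]` only examines the task whose position equals the document's position in the scan, and whether a play-level `become_user` is reported therefore depends on scan order rather than on the play's tasks. Iterate the tasks on their own — `check_become(tasks, id) { task := tasks[_]; not commonLib.valid_key(task, "become_user"); object.get(task, "become", false) == false }` — and drop the `input.document[i]` line, since `id` already selected the task set. Note the helper's predicate is also the reverse of what the finding claims: it holds for a task with neither `become_user` nor `become`, so any plain task in the play suppresses the play-level finding (this is what makes the negative fixture pass, where `become_user: postgres` on the play is never paired with `become: true`). If the intent is ansible-lint's partial-become, the play-level rule should look for `become: true` on the play or on every task instead; `ansLib.tasks` is defined outside this hunk, so please confirm how it groups tasks per play.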
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml new file mode 100644 index 00000000000..ad8b404ad61 --- /dev/null +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + become_user: postgres + tasks: + - name: Accepts a become from a lower scope + ansible.builtin.command: whoami + become: false + changed_when: false + + - name: Accepts a become from higher scope + ansible.builtin.command: whoamyou + changed_when: false \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml new file mode 100644 index 00000000000..dda250a3b1b --- /dev/null +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml @@ -0,0 +1,29 @@ +--- +- hosts: localhost + name: Use of become_user without become play + become_user: root + + tasks: + - name: Simple hello + ansible.builtin.debug: + msg: hello + +--- +- hosts: localhost + tasks: + - name: Use of become_user without become task + ansible.builtin.command: whoami + become_user: postgres + changed_when: false + +--- +- hosts: localhost + tasks: + - name: A block with become and become_user on different tasks + block: + - name: Sample become + become: true + ansible.builtin.command: whoami + - name: Sample become_user + become_user: postgres + ansible.builtin.command: whoami \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json new file mode 100644 index 00000000000..e69de29bb2d 
From a64d4d976bae88e62a4370443781b8cf09feb009 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 5 Sep 2023 09:46:59 +0100 Subject: [PATCH 034/379] updated positive expected result --- .../test/positive_expected_result.json | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index e69de29bb2d..605720e57be 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -0,0 +1,20 @@ +[ + { + "queryName": "Privilege escalation using become plugin", + "severity": "HIGH", + "line": 4, + "fileName": "positive1.yaml" + }, + { + "queryName": "Privilege escalation using become plugin", + "severity": "HIGH", + "line": 16, + "fileName": "positive1.yaml" + }, + { + "queryName": "Privilege escalation using become plugin", + "severity": "HIGH", + "line": 28, + "fileName": "positive1.yaml" + } +] \ No newline at end of file From 52ea2dcb07d1c4ca958279ef721f8c9007419337 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 5 Sep 2023 09:49:10 +0100 Subject: [PATCH 035/379] updated tests --- .../test/negative1.yaml | 4 ++-- .../test/positive1.yaml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml index ad8b404ad61..ad3e2a027a7 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml 
@@ -2,11 +2,11 @@ - hosts: localhost become_user: postgres tasks: - - name: Accepts a become from a lower scope + - name: become from a lower scope ansible.builtin.command: whoami become: false changed_when: false - - name: Accepts a become from higher scope + - name: become from higher scope ansible.builtin.command: whoamyou changed_when: false \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml index dda250a3b1b..4ac7d16dd62 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml @@ -1,6 +1,6 @@ --- - hosts: localhost - name: Use of become_user without become play + name: become_user without become become_user: root tasks: @@ -11,7 +11,7 @@ --- - hosts: localhost tasks: - - name: Use of become_user without become task + - name: become_user without become task ansible.builtin.command: whoami become_user: postgres changed_when: false @@ -19,11 +19,11 @@ --- - hosts: localhost tasks: - - name: A block with become and become_user on different tasks + - name: become and become_user on different tasks block: - name: Sample become become: true - ansible.builtin.command: whoami + ansible.builtin.command: ls . - name: Sample become_user become_user: postgres - ansible.builtin.command: whoami \ No newline at end of file + ansible.builtin.command: ls . \ No newline at end of file From d442a8530a8451f76806ec7f8033da74a32fa9bc Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Tue, 5 Sep 2023 13:12:47 +0100 Subject: [PATCH 036/379] feat(query): ansible config logging_of_sensitive_data --- .../logging_of_sensitive_data/metadata.json | 12 ++++++ .../logging_of_sensitive_data/query.rego | 31 +++++++++++++++ .../test/negative1.cfg | 39 +++++++++++++++++++ .../test/positive1.cfg | 38 ++++++++++++++++++ .../test/positive2.cfg | 39 +++++++++++++++++++ .../test/positive_expected_result.json | 14 +++++++ 6 files changed, 173 insertions(+) create mode 100644 assets/queries/ansible/config/logging_of_sensitive_data/metadata.json create mode 100644 assets/queries/ansible/config/logging_of_sensitive_data/query.rego create mode 100644 assets/queries/ansible/config/logging_of_sensitive_data/test/negative1.cfg create mode 100644 assets/queries/ansible/config/logging_of_sensitive_data/test/positive1.cfg create mode 100644 assets/queries/ansible/config/logging_of_sensitive_data/test/positive2.cfg create mode 100644 assets/queries/ansible/config/logging_of_sensitive_data/test/positive_expected_result.json diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json new file mode 100644 index 00000000000..fe847bcd393 --- /dev/null +++ b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json @@ -0,0 +1,12 @@ +{ + "id": "c6473dae-8477-4119-88b7-b909b435ce7b", + "queryName": "Logging of sensitive data", + "severity": "LOW", + "category": "Best Practices", + "descriptionText": "To keep sensitive values out of your logs, mark tasks that expose them defining no_log and set to True", + "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log", + "platform": "Ansible", + "descriptionID": "0eca35f3", + "cloudProvider": "common" + } + \ No newline at end of file 
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/query.rego b/assets/queries/ansible/config/logging_of_sensitive_data/query.rego
new file mode 100644
index 00000000000..84075dd7842
--- /dev/null
+++ b/assets/queries/ansible/config/logging_of_sensitive_data/query.rego
@@ -0,0 +1,31 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+ defaultsGroup := input.document[i].groups.defaults
+
+ not common_lib.valid_key(defaultsGroup, "no_log")
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": "defaults",
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "no_log should be defined and set to 'true'",
+ "keyActualValue": "no_log is not defined",
+ }
+}
+
+CxPolicy[result] {
+ defaultsGroup := input.document[i].groups.defaults
+
+ defaultsGroup.no_log == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": "defaults.no_log",
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "no_log should be set to 'true'",
+ "keyActualValue": "no_log is set to 'false'",
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/test/negative1.cfg b/assets/queries/ansible/config/logging_of_sensitive_data/test/negative1.cfg
new file mode 100644
index 00000000000..2874734b518
--- /dev/null
+++ b/assets/queries/ansible/config/logging_of_sensitive_data/test/negative1.cfg
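Review bot: The first rule reports a missing key as `"issueType": "IncorrectValue"`, whereas the become-plugin query added two commits earlier uses `"MissingAttribute"` for the same situation; for consistency the absent-`no_log` rule should read `"issueType": "MissingAttribute",`. The second rule only matches a boolean `false`, so unless the INI parser normalises values, Ansible's other accepted boolean spellings (`no_log=no`, `no_log=0`, `no_log=off`) would pass silently — either lower-case and compare the value as a string as well, or confirm the parser's behaviour with a positive fixture that uses one of those spellings. Finally, `[defaults] no_log` is the global DEFAULT_NO_LOG switch, while the metadata's descriptionText and descriptionUrl talk about marking individual tasks; a comment above the first rule such as `# Enforces DEFAULT_NO_LOG in ansible.cfg [defaults]; per-task no_log is not covered here` would make the query's actual scope clear.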
@@ -0,0 +1,39 @@ +[defaults] +action_warnings=True +cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www +cow_selection=default +force_color=False +nocolor=False +nocows=False +any_errors_fatal=False +become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become +fact_caching=memory +fact_caching_prefix=ansible_facts +fact_caching_timeout=86400 +collections_on_ansible_version_mismatch=warning +collections_path=~/.ansible/collections:/usr/share/ansible/collections +collections_scan_sys_path=True +command_warnings=False +action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action +allow_unsafe_lookups=False +ask_pass=False +ask_vault_pass=False +cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache +callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback +cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf +connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection +debug=False +executable=/bin/sh +filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter +force_handlers=False +forks=5 +gathering=implicit +gather_subset=all +lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup +ansible_managed=Ansible managed +module_compression=ZIP_DEFLATED +module_name=command +library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules +module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils +netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf +no_log=True \ No newline at end of file 
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/test/positive1.cfg b/assets/queries/ansible/config/logging_of_sensitive_data/test/positive1.cfg new file mode 100644 index 00000000000..934d15d0827 --- /dev/null +++ b/assets/queries/ansible/config/logging_of_sensitive_data/test/positive1.cfg 
@@ -0,0 +1,38 @@ +[defaults] +action_warnings=True +cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www +cow_selection=default +force_color=False +nocolor=False +nocows=False +any_errors_fatal=False +become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become +fact_caching=memory +fact_caching_prefix=ansible_facts +fact_caching_timeout=86400 +collections_on_ansible_version_mismatch=warning +collections_path=~/.ansible/collections:/usr/share/ansible/collections +collections_scan_sys_path=True +command_warnings=False +action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action +allow_unsafe_lookups=False +ask_pass=False +ask_vault_pass=False +cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache +callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback +cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf +connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection +debug=False +executable=/bin/sh +filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter +force_handlers=False +forks=5 +gathering=implicit +gather_subset=all +lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup +ansible_managed=Ansible managed +module_compression=ZIP_DEFLATED +module_name=command +library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules +module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils +netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf \ No newline at end of file 
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/test/positive2.cfg b/assets/queries/ansible/config/logging_of_sensitive_data/test/positive2.cfg new file mode 100644 index 00000000000..03ff93a236b --- /dev/null +++ b/assets/queries/ansible/config/logging_of_sensitive_data/test/positive2.cfg 
@@ -0,0 +1,39 @@ +[defaults] +action_warnings=True +cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www +cow_selection=default +force_color=False +nocolor=False +nocows=False +any_errors_fatal=False +become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become +fact_caching=memory +fact_caching_prefix=ansible_facts +fact_caching_timeout=86400 +collections_on_ansible_version_mismatch=warning +collections_path=~/.ansible/collections:/usr/share/ansible/collections +collections_scan_sys_path=True +command_warnings=False +action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action +allow_unsafe_lookups=False +ask_pass=False +ask_vault_pass=False +cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache +callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback +cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf +connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection +debug=False +executable=/bin/sh +filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter +force_handlers=False +forks=5 +gathering=implicit +gather_subset=all +lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup +ansible_managed=Ansible managed +module_compression=ZIP_DEFLATED +module_name=command +library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules +module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils +netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf +no_log=False \ No newline at end of file 
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/config/logging_of_sensitive_data/test/positive_expected_result.json new file mode 100644
index 00000000000..9a8b6096b93
--- /dev/null
+++ b/assets/queries/ansible/config/logging_of_sensitive_data/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "Logging of Sensitive Data",
+ "severity": "LOW",
+ "filename": "positive1.cfg",
+ "line": 1
+ },
+ {
+ "queryName": "Logging of Sensitive Data",
+ "severity": "LOW",
+ "filename": "positive2.cfg",
+ "line": 39
+ }
+]
From 5a4dfc2d98c79303c2bb74a3cadc651e671db715 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 5 Sep 2023 16:07:19 +0100 Subject: [PATCH 037/379] feat(query): ansible playbooks Logging of Sensitive Data
--- .../logging_of_sensitive_data/metadata.json | 12 ++++++ .../logging_of_sensitive_data/query.rego | 42 +++++++++++++++++++ .../test/negative1.yaml | 14 +++++++ .../test/positive1.yaml | 14 +++++++ .../test/positive_expected_result.json | 8 ++++ 5 files changed, 90 insertions(+) create mode 100644 assets/queries/ansible/general/logging_of_sensitive_data/metadata.json create mode 100644 assets/queries/ansible/general/logging_of_sensitive_data/query.rego create mode 100644 assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml create mode 100644 assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml create mode 100644 assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json new file mode 100644
index 00000000000..626bcb571ec
--- /dev/null
+++ b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
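Review bot: The expected result uses `"queryName": "Logging of Sensitive Data"` while the metadata.json added earlier in this patch declares `"queryName": "Logging of sensitive data"`; the test harness compares these strings, so one side has to change, and Title Case is what the other queries in this series use. The entries also spell the key `"filename"` whereas the sibling expected-result files use `"fileName"`; if the loader does not recognise the lowercase key the file-name check may be silently skipped. Proposed: `"fileName": "positive1.cfg"` and `"fileName": "positive2.cfg"`, with the metadata queryName title-cased to match.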
@@ -0,0 +1,12 @@
+{
+ "id": "59029ddf-e651-412b-ae7b-ff6d403184bc",
+ "queryName": "Logging of Sensitive Data",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "In order to perform an action as a different user with the become_user, you must define become and set to 'true'",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-log-password/",
+ "platform": "Ansible",
+ "descriptionID": "a700e724",
+ "cloudProvider": "common"
+ }
+ 
\ No newline at end of file
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego new file mode 100644
index 00000000000..445f34f0095
--- /dev/null
+++ b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego
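Review bot: The `descriptionText` of this metadata is copied from the become-plugin query — it talks about `become` and `become_user`, which has nothing to do with no_log — so the finding would tell users to fix the wrong thing. Suggested text: `"descriptionText": "Tasks that handle secrets, such as ansible.builtin.user with a password, should set no_log: true so the value is not printed in task output or written to logs"`. The descriptionUrl (ansible-lint no-log-password) is the right reference and can stay.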
@@ -0,0 +1,42 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as commonLib
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][t]
+
+ not commonLib.valid_key(task, "no_log")
+
+ action := task["ansible.builtin.user"]
+ commonLib.valid_key(action, "password")
+
+ result := {
+ "documentId": id,
+ "resourceName": task.name,
+ "resourceType": "ansible.builtin.user",
+ "searchKey": sprintf("name={{%s}}.password={{%s}}", [task.name, action.password]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data",
+ "keyActualValue": "'no_log' is set to false",
+ }
+}
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][t]
+
+ task.no_log == false
+
+ action := task["ansible.builtin.user"]
+ commonLib.valid_key(action, "password")
+
+ result := {
+ "documentId": id,
+ "resourceName": task.name,
+ "resourceType": "ansible.builtin.user",
+ "searchKey": sprintf("name={{%s}}.no_log", [task.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data",
+ "keyActualValue": "'no_log' is not defined",
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml b/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml new file mode 100644
index 00000000000..f14f414eeca
--- /dev/null
+++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml
@@ -0,0 +1,14 @@
+---
+- name: Example playbook
+ hosts: localhost
+ tasks:
+ - name: Do not log user passwords
+ ansible.builtin.user:
+ name: john_doe
+ comment: John Doe
+ uid: 1040
+ group: admin
+ password: "{{ item }}"
+ with_items:
+ - wow
+ no_log: true # <- Sets the no_log attribute to a non-false value.
\ No newline at end of file
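Review bot: The first rule's `searchKey` is formatted with `action.password`, so the finding itself carries the password value (or its Jinja expression) into the scan report — exactly the data this query exists to keep out of logs; build the key without the value: `"searchKey": sprintf("name={{%s}}.password", [task.name]),`. The two `keyActualValue` strings are also swapped: the rule that fires when `no_log` is absent says `'no_log' is set to false`, and the rule that fires on `task.no_log == false` says `'no_log' is not defined`. Both rules only look up the FQCN key `task["ansible.builtin.user"]`, so a task written with the short module name `user` is never checked; iterating a small set such as `{"user", "ansible.builtin.user"}` the way the relative-path query in this series does would close that gap.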
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml new file mode 100644 index 00000000000..3c788a80c2a --- /dev/null +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml @@ -0,0 +1,14 @@ +--- +- name: Example playbook + hosts: localhost + tasks: + - name: Log user passwords + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + password: "{{ item }}" + with_items: + - wow + no_log: false # <- Sets the no_log attribute to false. \ No newline at end of file diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json new file mode 100644 index 00000000000..ff77a3d7654 --- /dev/null +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 14, + "fileName": "positive1.yaml" + } +] \ No newline at end of file From 3fc880810e9acf4572f1c3c683151bc0c937a193 Mon Sep 17 00:00:00 2001 
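Review bot: The only positive fixture sets `no_log: false`, so the rule that fires when `no_log` is absent has no test at all and a regression in it would go unnoticed. Add a second task to positive1.yaml with the same `ansible.builtin.user` block (name, password) but no `no_log` key, and a matching entry in positive_expected_result.json at the line its searchKey resolves to.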
From: Millena Santos Date: Wed, 6 Sep 2023 15:23:10 +0100 Subject: [PATCH 038/379] created unsecure commands query and added tests
--- .../github/unsecured_commands/metadata.json | 12 +++++++ .../cicd/github/unsecured_commands/query.rego | 22 +++++++++++++ .../unsecured_commands/test/negative.yaml | 16 +++++++++ .../unsecured_commands/test/positive1.yaml | 33 +++++++++++++++++++ .../test/positive_expected_result.json | 8 +++++ 5 files changed, 91 insertions(+) create mode 100644 assets/queries/cicd/github/unsecured_commands/metadata.json create mode 100644 assets/queries/cicd/github/unsecured_commands/query.rego create mode 100644 assets/queries/cicd/github/unsecured_commands/test/negative.yaml create mode 100644 assets/queries/cicd/github/unsecured_commands/test/positive1.yaml create mode 100644 assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json
diff --git a/assets/queries/cicd/github/unsecured_commands/metadata.json b/assets/queries/cicd/github/unsecured_commands/metadata.json new file mode 100644
index 00000000000..34ec8fc2a21
--- /dev/null
+++ b/assets/queries/cicd/github/unsecured_commands/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453",
+ "queryName": "Unsecured Commands",
+ "severity": "MEDIUM",
+ "category": "Insecured Configurations",
+ "descriptionText": "There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.",
+ "descriptionUrl": "https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-the-events-related-to-incoming-prs",
+ "platform": "CICD",
+ "descriptionID": "44751f79",
+ "cloudProvider": "common"
+ }
+ 
\ No newline at end of file
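Review bot: `"category": "Insecured Configurations"` introduces a category string that the rest of KICS does not use — the existing bucket is `Insecure Configurations` — so if categories are validated or used for grouping in reports this finding would land in a bucket of its own; change it to `"category": "Insecure Configurations"`. The descriptionUrl points at a third-party cheat sheet; GitHub's own deprecation notice for the set-env/add-path workflow commands (github.blog changelog, 1 Oct 2020) is the primary source for why the variable is dangerous and would be the better reference.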
diff --git a/assets/queries/cicd/github/unsecured_commands/query.rego b/assets/queries/cicd/github/unsecured_commands/query.rego new file mode 100644
index 00000000000..c9ab888c96e
--- /dev/null
+++ b/assets/queries/cicd/github/unsecured_commands/query.rego
@@ -0,0 +1,22 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ env := input.document[i].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"]
+ env == true
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("env={{%s}}", [env]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
+ "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
+ "searchLine": common_lib.build_search_line(["env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[])
+ }
+}
+
+
+
diff --git a/assets/queries/cicd/github/unsecured_commands/test/negative.yaml b/assets/queries/cicd/github/unsecured_commands/test/negative.yaml new file mode 100644
index 00000000000..447d8067397
--- /dev/null
+++ b/assets/queries/cicd/github/unsecured_commands/test/negative.yaml
@@ -0,0 +1,16 @@
+name: test-positive
+on:
+ pull_request:
+ types: [opened, synchronize, edited, reopened]
+ branches:
+ - master
+jobs:
+ test-positive:
+ runs-on: ubuntu-latest
+ steps:
+ - name: PR comment
+ uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
+ with:
+ comment_tag: title_check
+ mode: recreate
+ create_if_not_exists: true
\ No newline at end of file
diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive1.yaml b/assets/queries/cicd/github/unsecured_commands/test/positive1.yaml new file mode 100644
index 00000000000..0e03175161f
--- /dev/null
+++ b/assets/queries/cicd/github/unsecured_commands/test/positive1.yaml
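Review bot: `env == true` only matches an unquoted YAML boolean, but the runner reads workflow env values as strings, so a workflow that writes `ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"` enables the deprecated commands just the same and is not flagged. A two-clause helper covers both spellings: `unsecure_enabled(v) { v == true }` and `unsecure_enabled(v) { is_string(v); lower(v) == "true" }`, with the rule calling `unsecure_enabled(env)` in place of the direct comparison. Separately, the negative fixture in the same hunk is named `test-positive` at both the workflow and the job level, which reads as a copy-paste slip and will confuse anyone grepping the fixtures.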
@@ -0,0 +1,33 @@ +name: Vulnerable workflow + +on: + pull_request_target + +env: + # 1. Enable unsecure commands + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + ENVIRONMENT_NAME: prod + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + # 2. Print github context + - run: | + print("""${{ toJSON(github) }}""") + shell: python + - name: Create new PR deployment + uses: actions/github-script@v5 + with: + # 3. Create deployment + script: | + return await github.rest.repos.createDeployment({ + ...context.repo, + ref: context.payload.pull_request.head.sha, + auto_merge: false, + required_contexts: [], + environment: "${{ env.ENVIRONMENT_NAME }}", + transient_environment: false, + production_environment: false, + }); + github-token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json new file mode 100644 index 00000000000..6c218941db0 --- /dev/null +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive1.yaml" + } +] From 6f0367b9d217fd5ac1a5ab625ccd820d857bc264 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Wed, 6 Sep 2023 15:47:11 +0100 Subject: [PATCH 039/379] added other possible cases --- .../cicd/github/unsecured_commands/query.rego | 35 ++++++++++++++++++- .../unsecured_commands/test/positive2.yaml | 31 ++++++++++++++++ .../unsecured_commands/test/positive3.yaml | 30 ++++++++++++++++ .../test/positive_expected_result.json | 12 +++++++ 4 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 assets/queries/cicd/github/unsecured_commands/test/positive2.yaml create mode 100644 assets/queries/cicd/github/unsecured_commands/test/positive3.yaml 
diff --git a/assets/queries/cicd/github/unsecured_commands/query.rego b/assets/queries/cicd/github/unsecured_commands/query.rego
index c9ab888c96e..a3295b5e8ec 100644
--- a/assets/queries/cicd/github/unsecured_commands/query.rego
+++ b/assets/queries/cicd/github/unsecured_commands/query.rego
@@ -10,7 +10,7 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("env={{%s}}", [env]),
+ "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
 "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
@@ -18,5 +18,38 @@ CxPolicy[result] {
 }
 }
+CxPolicy[result] {
+
+ env := input.document[i].jobs[j].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"]
+ env == true
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
+ "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ env := input.document[i].jobs[j].steps[k].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"]
+ env == true
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
+ "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[])
+ }
+}
+
+
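Review bot: The two added rules reuse the workflow-level `searchKey`, `env.actions_allow_unsecure_commands={{true}}`, so a job- or step-scoped finding is indistinguishable from a top-level one by key and, if KICS identifies results by searchKey, may collapse with it; put the scope in the key, `"searchKey": sprintf("jobs.%v.env.actions_allow_unsecure_commands={{%v}}", [j, env]),` for the job rule and `"searchKey": sprintf("jobs.%v.steps.%v.env.actions_allow_unsecure_commands={{%v}}", [j, k, env]),` for the step rule (`%v` so an integer step index and a string job id both format). The three rule bodies now differ only in the path walked, which is a maintenance hazard: the strict `env == true` comparison, which misses a quoted `"true"` value that the runner treats identically, is now repeated three times and any fix has to be applied in each. A one-line comment on each rule stating which scope it covers (workflow, job, step) would also make the duplication intentional rather than accidental to the next reader.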
diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive2.yaml b/assets/queries/cicd/github/unsecured_commands/test/positive2.yaml new file mode 100644 index 00000000000..2d355ced832 --- /dev/null +++ b/assets/queries/cicd/github/unsecured_commands/test/positive2.yaml @@ -0,0 +1,31 @@ +name: Vulnerable workflow + +on: + pull_request_target + + +jobs: + deploy: + runs-on: ubuntu-latest + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + steps: + # 2. Print github context + - run: | + print("""${{ toJSON(github) }}""") + shell: python + - name: Create new PR deployment + uses: actions/github-script@v5 + with: + # 3. Create deployment + script: | + return await github.rest.repos.createDeployment({ + ...context.repo, + ref: context.payload.pull_request.head.sha, + auto_merge: false, + required_contexts: [], + environment: "${{ env.ENVIRONMENT_NAME }}", + transient_environment: false, + production_environment: false, + }); + github-token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive3.yaml b/assets/queries/cicd/github/unsecured_commands/test/positive3.yaml new file mode 100644 index 00000000000..d2df83f7756 --- /dev/null +++ b/assets/queries/cicd/github/unsecured_commands/test/positive3.yaml 
@@ -0,0 +1,30 @@ +name: Vulnerable workflow + +on: + pull_request_target + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + # 2. Print github context + - run: | + print("""${{ toJSON(github) }}""") + shell: python + - name: Create new PR deployment + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + uses: actions/github-script@v5 + with: + # 3. Create deployment + script: | + return await github.rest.repos.createDeployment({ + ...context.repo, + ref: context.payload.pull_request.head.sha, + auto_merge: false, + required_contexts: [], + environment: "${{ env.ENVIRONMENT_NAME }}", + transient_environment: false, + production_environment: false, + }); + github-token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json index 6c218941db0..cf333643e72 100644 --- a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json @@ -4,5 +4,17 @@ "severity": "MEDIUM", "line": 8, "fileName": "positive1.yaml" + }, + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml" + }, + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive3.yaml" } ] From 0efcc56203d29fdb05bf96c51a01b358d3fda497 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 16:11:50 +0100 Subject: [PATCH 040/379] feat(query): ansible playbook no relative paths --- .../general/no_relative_paths/metadata.json | 11 +++++++ .../general/no_relative_paths/query.rego | 33 +++++++++++++++++++ .../no_relative_paths/test/negative1.yml | 14 ++++++++ .../no_relative_paths/test/positive1.yml | 14 ++++++++ .../test/positive_expected_result.json | 14 ++++++++ 5 files changed, 86 insertions(+) create mode 100644 assets/queries/ansible/general/no_relative_paths/metadata.json create mode 100644 assets/queries/ansible/general/no_relative_paths/query.rego create mode 100644 assets/queries/ansible/general/no_relative_paths/test/negative1.yml create mode 100644 assets/queries/ansible/general/no_relative_paths/test/positive1.yml create mode 100644 assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json diff --git a/assets/queries/ansible/general/no_relative_paths/metadata.json b/assets/queries/ansible/general/no_relative_paths/metadata.json new file mode 100644 index 00000000000..5e8f1b48444 --- /dev/null +++ b/assets/queries/ansible/general/no_relative_paths/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "8d22ae91-6ac1-459f-95be-d37bd373f244", + "queryName": "No Relative Paths", + "severity": "LOW", + "category": "Best Practices", + "descriptionText": "Using relative paths can lead to unexpected behavior, as the path is resolved relative to the current working directory, which can change.", + "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/", + "platform": "Ansible", + "descriptionID": "84ea91c8", + "cloudProvider": "common" +} diff --git a/assets/queries/ansible/general/no_relative_paths/query.rego b/assets/queries/ansible/general/no_relative_paths/query.rego new file mode 100644 index 00000000000..3b3f4454b9c --- /dev/null +++ b/assets/queries/ansible/general/no_relative_paths/query.rego 
@@ -0,0 +1,33 @@
+package Cx
+
+import data.generic.ansible as ansLib
+
+module_to_folder = {
+ "copy": "files",
+ "win_copy": "files",
+ "template": "templates",
+ "win_template": "win_templates",
+ "ansible.builtin.template": "templates",
+ "ansible.builtin.copy": "files",
+}
+
+CxPolicy[result] {
+ task := ansLib.tasks[id][t]
+ folder := module_to_folder[m]
+ copyOrTemplate := task[m]
+ ansLib.checkState(copyOrTemplate)
+
+ relative_path := sprintf("../%s", [folder])
+ contains(copyOrTemplate.src, relative_path)
+
+ result := {
+ "documentId": id,
+ "resourceType": m,
+ "resourceName": task.name,
+ "searchKey": sprintf("name={{%s}}.{{%s}}.src", [task.name, m]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'%s' src should not be a relative path", [m]),
+ "keyActualValue": sprintf("'%s' src is a relative path", [m]),
+ }
+}
+
diff --git a/assets/queries/ansible/general/no_relative_paths/test/negative1.yml b/assets/queries/ansible/general/no_relative_paths/test/negative1.yml new file mode 100644
index 00000000000..8df9513955b
--- /dev/null
+++ b/assets/queries/ansible/general/no_relative_paths/test/negative1.yml
@@ -0,0 +1,14 @@
+---
+- name: Negative Example
+ hosts: localhost
+ tasks:
+ - name: One
+ ansible.builtin.copy:
+ content:
+ dest: /etc/mine.conf
+ mode: "0644"
+ - name: Two
+ ansible.builtin.copy:
+ src: /home/example/files/foo.conf
+ dest: /etc/foo.conf
+ mode: "0644"
\ No newline at end of file
diff --git a/assets/queries/ansible/general/no_relative_paths/test/positive1.yml b/assets/queries/ansible/general/no_relative_paths/test/positive1.yml new file mode 100644
index 00000000000..f7cc9a26e99
--- /dev/null
+++ b/assets/queries/ansible/general/no_relative_paths/test/positive1.yml
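Review bot: `module_to_folder` carries both the short and the FQCN names for copy/template but only the short names for the Windows modules, so `ansible.windows.win_copy` and `ansible.windows.win_template` tasks are silently skipped while their builtin counterparts are checked; add `"ansible.windows.win_copy": "files",` and `"ansible.windows.win_template": "win_templates",` to the map. The map also deserves a comment saying where the folder names come from, since `win_templates` looks like a typo to anyone who has not read the referenced ansible-lint rule, e.g. `# module -> role sub-folder a "../<folder>" src points at (mirrors ansible-lint no-relative-paths)`. Note that `contains(copyOrTemplate.src, relative_path)` matches `../files` anywhere in the string, so a src such as `"{{ base }}/../files/x"` is reported too; that is presumably intended, but worth stating in a comment so it is not "fixed" into a `startswith` later.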
@@ -0,0 +1,14 @@ +--- +- name: Positive Example + hosts: localhost + tasks: + - name: One + ansible.builtin.template: + src: ../templates/foo.j2 + dest: /etc/file.conf + mode: "0644" + - name: Two + ansible.builtin.copy: + src: ../files/foo.conf + dest: /etc/foo.conf + mode: "0644" \ No newline at end of file diff --git a/assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json b/assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json new file mode 100644 index 00000000000..54f5ba28e6a --- /dev/null +++ b/assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "No Relative Paths", + "severity": "LOW", + "line": 7, + "fileName": "positive1.yml" + }, + { + "queryName": "No Relative Paths", + "severity": "LOW", + "line": 12, + "fileName": "positive1.yml" + } +] From 20946290237fa0b4efa1bc6a1e48f4b29f448996 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 16:14:36 +0100 Subject: [PATCH 041/379] changed query --- .../metadata.json | 2 +- .../query.rego | 0 .../test/negative1.yml | 0 .../test/positive1.yml | 0 .../test/positive_expected_result.json | 4 ++-- 5 files changed, 3 insertions(+), 3 deletions(-) rename assets/queries/ansible/general/{no_relative_paths => insecure_relative_path_resolution}/metadata.json (89%) rename assets/queries/ansible/general/{no_relative_paths => insecure_relative_path_resolution}/query.rego (100%) rename assets/queries/ansible/general/{no_relative_paths => insecure_relative_path_resolution}/test/negative1.yml (100%) rename assets/queries/ansible/general/{no_relative_paths => insecure_relative_path_resolution}/test/positive1.yml (100%) rename assets/queries/ansible/general/{no_relative_paths => insecure_relative_path_resolution}/test/positive_expected_result.json (58%) 
diff --git a/assets/queries/ansible/general/no_relative_paths/metadata.json b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json similarity index 89% rename from assets/queries/ansible/general/no_relative_paths/metadata.json rename to assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json index 5e8f1b48444..4814f76a6d1 100644 --- a/assets/queries/ansible/general/no_relative_paths/metadata.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json @@ -1,6 +1,6 @@ { "id": "8d22ae91-6ac1-459f-95be-d37bd373f244", - "queryName": "No Relative Paths", + "queryName": "Insecure Relative Path Resolution", "severity": "LOW", "category": "Best Practices", "descriptionText": "Using relative paths can lead to unexpected behavior, as the path is resolved relative to the current working directory, which can change.", diff --git a/assets/queries/ansible/general/no_relative_paths/query.rego b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego similarity index 100% rename from assets/queries/ansible/general/no_relative_paths/query.rego rename to assets/queries/ansible/general/insecure_relative_path_resolution/query.rego diff --git a/assets/queries/ansible/general/no_relative_paths/test/negative1.yml b/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yml similarity index 100% rename from assets/queries/ansible/general/no_relative_paths/test/negative1.yml rename to assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yml diff --git a/assets/queries/ansible/general/no_relative_paths/test/positive1.yml b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yml similarity index 100% rename from assets/queries/ansible/general/no_relative_paths/test/positive1.yml rename to assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yml 
diff --git a/assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json similarity index 58% rename from assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json rename to assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index 54f5ba28e6a..dfc540890b6 100644 --- a/assets/queries/ansible/general/no_relative_paths/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json @@ -1,12 +1,12 @@ [ { - "queryName": "No Relative Paths", + "queryName": "Insecure Relative Path Resolution", "severity": "LOW", "line": 7, "fileName": "positive1.yml" }, { - "queryName": "No Relative Paths", + "queryName": "Insecure Relative Path Resolution", "severity": "LOW", "line": 12, "fileName": "positive1.yml" From f58ec563d8e6abda2638af029ef302dc65399c79 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 16:46:55 +0100 Subject: [PATCH 042/379] changed result --- .../general/insecure_relative_path_resolution/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego index 3b3f4454b9c..f23c65a7ec7 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego 
@@ -26,8 +26,8 @@ CxPolicy[result] { "resourceName": task.name, "searchKey": sprintf("name={{%s}}.{{%s}}.src", [task.name, m]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'%s' src should not be a relative path", [m]), - "keyActualValue": sprintf("'%s' src is a relative path", [m]), + "keyExpectedValue": sprintf("'%s'.src should not be a relative path", [m]), + "keyActualValue": sprintf("'%s'.src is a relative path", [m]), } } From db11ced71e4d6cad6678218cca91ebcd6f471925 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 17:54:02 +0100 Subject: [PATCH 043/379] changed severity --- .../privilege_escalation_using_become_plugin/metadata.json | 4 ++-- .../test/positive_expected_result.json | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json index cbac0c986ef..873f9af7518 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json @@ -1,8 +1,8 @@ { "id": "0e75052f-cc02-41b8-ac39-a78017527e95", "queryName": "Privilege escalation using become plugin", - "severity": "HIGH", - "category": "Insecure Defaults", + "severity": "MEDIUM", + "category": "Access Control", "descriptionText": "In order to perform an action as a different user with the become_user, you must define become and set to 'true'", "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code", "platform": "Ansible", diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 605720e57be..e823c7320bf 100644 
--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -1,19 +1,19 @@ [ { "queryName": "Privilege escalation using become plugin", - "severity": "HIGH", + "severity": "MEDIUM", "line": 4, "fileName": "positive1.yaml" }, { "queryName": "Privilege escalation using become plugin", - "severity": "HIGH", + "severity": "MEDIUM", "line": 16, "fileName": "positive1.yaml" }, { "queryName": "Privilege escalation using become plugin", - "severity": "HIGH", + "severity": "MEDIUM", "line": 28, "fileName": "positive1.yaml" } From 42f3cd3818ee6a329ac83e9131021ca0105f5063 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 18:48:07 +0100 Subject: [PATCH 044/379] changed result and metadata --- .../privilege_escalation_using_become_plugin/metadata.json | 2 +- .../privilege_escalation_using_become_plugin/query.rego | 4 ++-- .../test/positive_expected_result.json | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json index 873f9af7518..2e49431a507 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json @@ -1,6 +1,6 @@ { "id": "0e75052f-cc02-41b8-ac39-a78017527e95", - "queryName": "Privilege escalation using become plugin", + "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "In order to perform an action as a different user with the become_user, you must define become and set to 'true'", 
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego index 52ec6d5cd56..3924fdb8160 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego @@ -20,7 +20,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]), - "keyActualValue": "'become' is not set", + "keyActualValue": "'become' is not defined", } } @@ -36,7 +36,7 @@ CxPolicy[result] { "searchKey": sprintf("become_user={{%s}}", [input.document[i].playbooks[j].become_user]), "issueType": "MissingAttribute", "keyExpectedValue": "'become' should be defined and set to 'true'", - "keyActualValue": "'become' is not set", + "keyActualValue": "'become' is not defined", } } diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index e823c7320bf..20b42c3dfeb 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json 
@@ -1,18 +1,18 @@ [ { - "queryName": "Privilege escalation using become plugin", + "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", "line": 4, "fileName": "positive1.yaml" }, { - "queryName": "Privilege escalation using become plugin", + "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", "line": 16, "fileName": "positive1.yaml" }, { - "queryName": "Privilege escalation using become plugin", + "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", "line": 28, "fileName": "positive1.yaml" From 95b12615422177f3dd1762d44f21eda4e949e77c Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 18:49:29 +0100 Subject: [PATCH 045/379] changed tests --- .../general/logging_of_sensitive_data/test/negative1.yaml | 6 +++--- .../general/logging_of_sensitive_data/test/positive1.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml b/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml index f14f414eeca..1f276e0019b 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml @@ -1,8 +1,8 @@ --- -- name: Example playbook +- name: Negative playbook hosts: localhost tasks: - - name: Do not log user passwords + - name: foo ansible.builtin.user: name: john_doe comment: John Doe @@ -11,4 +11,4 @@ password: "{{ item }}" with_items: - wow - no_log: true # <- Sets the no_log attribute to a non-false value. \ No newline at end of file + no_log: true \ No newline at end of file diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml index 3c788a80c2a..f02582d1be4 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml 
+++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml @@ -1,8 +1,8 @@ --- -- name: Example playbook +- name: Positive Playbook hosts: localhost tasks: - - name: Log user passwords + - name: bar ansible.builtin.user: name: john_doe comment: John Doe @@ -11,4 +11,4 @@ password: "{{ item }}" with_items: - wow - no_log: false # <- Sets the no_log attribute to false. \ No newline at end of file + no_log: false \ No newline at end of file From fb021952cac3905684e9bcaf8a8570ebe1db99f2 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 18:51:57 +0100 Subject: [PATCH 046/379] fix metadata and query --- .../general/insecure_relative_path_resolution/metadata.json | 2 +- .../general/insecure_relative_path_resolution/query.rego | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json index 4814f76a6d1..f517f45b9b0 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json @@ -3,7 +3,7 @@ "queryName": "Insecure Relative Path Resolution", "severity": "LOW", "category": "Best Practices", - "descriptionText": "Using relative paths can lead to unexpected behavior, as the path is resolved relative to the current working directory, which can change.", + "descriptionText": "Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.", "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/", "platform": "Ansible", "descriptionID": "84ea91c8", 
diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego index f23c65a7ec7..b48eb837a10 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego @@ -26,8 +26,8 @@ CxPolicy[result] { "resourceName": task.name, "searchKey": sprintf("name={{%s}}.{{%s}}.src", [task.name, m]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'%s'.src should not be a relative path", [m]), - "keyActualValue": sprintf("'%s'.src is a relative path", [m]), + "keyExpectedValue": sprintf("%s.src should not be a relative path", [m]), + "keyActualValue": sprintf("%s.src is a relative path", [m]), } } From 43e627e2bbb640b9a8e1ccd88bf00c0232d9f4fb Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 6 Sep 2023 19:36:08 +0100 Subject: [PATCH 047/379] changed issue type --- .../queries/ansible/general/risky_file_permissions/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego index c44d437835e..1bae4c84aa0 100644 --- a/assets/queries/ansible/general/risky_file_permissions/query.rego +++ b/assets/queries/ansible/general/risky_file_permissions/query.rego @@ -45,7 +45,7 @@ CxPolicy[result] { "resourceType": modules[m], "resourceName": task.name, "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]), - "issueType": "IncorrectValue", + "issueType": "MissingAttribute", "keyExpectedValue": sprintf("All the permissions set in %s about creating files/directories", [modules[m]]), "keyActualValue": sprintf("There are some permissions missing in %s and might create directory/file", [modules[m]]), } From fc65f81dc9c633652b5c5c72d4a62b7f39cdf726 Mon Sep 17 00:00:00 2001 
From: Millena Santos Date: Thu, 7 Sep 2023 15:49:34 +0100 Subject: [PATCH 048/379] created query and added tests --- .../github/run_block_injection/metadata.json | 11 ++ .../github/run_block_injection/query.rego | 177 ++++++++++++++++++ .../run_block_injection/test/negative.yaml | 29 +++ .../run_block_injection/test/negative2.yaml | 15 ++ .../run_block_injection/test/negative3.yaml | 14 ++ .../run_block_injection/test/negative4.yaml | 14 ++ .../run_block_injection/test/negative5.yaml | 14 ++ .../run_block_injection/test/negative6.yaml | 14 ++ .../run_block_injection/test/negative7.yaml | 14 ++ .../run_block_injection/test/positive1.yaml | 39 ++++ .../run_block_injection/test/positive2.yaml | 14 ++ .../run_block_injection/test/positive3.yaml | 14 ++ .../run_block_injection/test/positive4.yaml | 14 ++ .../run_block_injection/test/positive5.yaml | 14 ++ .../run_block_injection/test/positive6.yaml | 14 ++ .../run_block_injection/test/positive7.yaml | 14 ++ .../test/positive_expected_result.json | 44 +++++ 17 files changed, 469 insertions(+) create mode 100644 assets/queries/cicd/github/run_block_injection/metadata.json create mode 100644 assets/queries/cicd/github/run_block_injection/query.rego create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative2.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative3.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative4.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative5.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative6.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/negative7.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive1.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive2.yaml create mode 
100644 assets/queries/cicd/github/run_block_injection/test/positive3.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive4.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive5.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive6.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive7.yaml create mode 100644 assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json
diff --git a/assets/queries/cicd/github/run_block_injection/metadata.json b/assets/queries/cicd/github/run_block_injection/metadata.json
new file mode 100644
index 00000000000..c2716ad0a84
--- /dev/null
+++ b/assets/queries/cicd/github/run_block_injection/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+ "queryName": "Run Block Injection",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+ "descriptionUrl": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+ "platform": "CICD",
+ "descriptionID": "02044a75",
+ "cloudProvider": "common"
+}
diff --git a/assets/queries/cicd/github/run_block_injection/query.rego b/assets/queries/cicd/github/run_block_injection/query.rego
new file mode 100644
index 00000000000..2f608666c5e
--- /dev/null
+++ b/assets/queries/cicd/github/run_block_injection/query.rego
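Review bot: The `descriptionText` explains which event fields are unlikely to be attacker-controlled but never says what the query actually flags, so a user reading the finding learns what is safe and not why their `run:` line was reported. A closing sentence along the lines of `Other fields, such as a pull request or issue title and body, a comment body or the head branch name, are chosen by the user who triggered the workflow; interpolating them directly into a run block allows command injection on the runner, so they should be passed to the step through an environment variable instead.` would state both the risk and the fix. The `metadata.json` for `script_block_injection` added later in this series (the `@@ -0,0 +1,11 @@` hunk near the end of the page) carries the identical text and would benefit from the same change.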
@@ -0,0 +1,177 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ input.document[i].on["pull_request_target"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.head_ref",
+ "github.event.pull_request.body",
+ "github.event.pull_request.head.label",
+ "github.event.pull_request.head.ref",
+ "github.event.pull_request.head.repo.default_branch",
+ "github.event.pull_request.head.repo.description",
+ "github.event.pull_request.head.repo.homepage",
+ "github.event.pull_request.title"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["issues"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.issue.body",
+ "github.event.issue.title"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["issue_comment"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.comment.body",
+ "github.event.issue.body",
+ "github.event.issue.title"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["discussion"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.discussion.body",
+ "github.event.discussion.title"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["discussion_comment"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.comment.body",
+ "github.event.discussion.body",
+ "github.event.discussion.title"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["workflow_run"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.workflow.path",
+ "github.event.workflow_run.head_branch",
+ "github.event.workflow_run.head_commit.author.email",
+ "github.event.workflow_run.head_commit.author.name",
+ "github.event.workflow_run.head_commit.message",
+ "github.event.workflow_run.head_repository.description"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["author"]
+ run := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.*.authors.name",
+ "github.*.authors.email"
+ ]
+
+ containsPattern(run, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("run={{%s}}", [run]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Run block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[])
+ }
+}
+
+
+
+containsPattern(str, patterns) {
+ pattern := patterns[_]
+ regex.match(pattern, str)
+}
+
diff --git a/assets/queries/cicd/github/run_block_injection/test/negative.yaml b/assets/queries/cicd/github/run_block_injection/test/negative.yaml
new file mode 100644
index 00000000000..5f9d4a2dfd5
--- /dev/null
+++ b/assets/queries/cicd/github/run_block_injection/test/negative.yaml
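Review bot: The trigger test `input.document[i].on["pull_request_target"]`, repeated in the other six rules of this file, only succeeds when `on:` is written as a mapping, so workflows that use the `on: pull_request_target` or `on: [issues, issue_comment]` forms are never examined and produce false negatives. Since the seven rules differ only in the event name and the pattern list, a single rule driven by an event-to-patterns object plus a small `triggered_by(doc, event)` helper with one body per `on:` syntax covers all three forms without duplicating the result object seven times; a sketch is below. The patterns are handed to `regex.match` unescaped, so every `.` acts as a wildcard; escaping them (`github\\.event\\.issue\\.body`) keeps the match literal. Finally, I am not aware of an `author` workflow event or a `github.event.authors.*` context in GitHub Actions — the author fields the referenced article lists as untrusted are, as far as I recall, `github.event.commits.*.author.*` and `github.event.head_commit.author.*` on `push` — so the last rule and positive6.yaml/negative6.yaml deserve a second look.
```rego
# … unchanged: package Cx / import of common_lib …

# event name -> context expressions chosen by the user who triggered the workflow
event_patterns := {
	"pull_request_target": [
		"github\\.head_ref",
		"github\\.event\\.pull_request\\.body",
		# … unchanged: remaining pull_request_target entries, dots escaped …
	],
	"issues": ["github\\.event\\.issue\\.body", "github\\.event\\.issue\\.title"],
	# … unchanged: issue_comment, discussion, discussion_comment, workflow_run lists …
}

# `on:` may be a mapping keyed by event, a list of event names, or a single event name
triggered_by(doc, event) {
	doc.on[event]
}

triggered_by(doc, event) {
	doc.on[_] == event
}

triggered_by(doc, event) {
	doc.on == event
}

CxPolicy[result] {
	patterns := event_patterns[event]
	triggered_by(input.document[i], event)
	run := input.document[i].jobs[j].steps[k].run
	containsPattern(run, patterns)

	result := {
		# … unchanged: documentId / searchKey / issueType / key*Value / searchLine …
	}
}

# … unchanged: containsPattern …
```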
@@ -0,0 +1,29 @@ +name: check-go-coverage + +on: + pull_request_target: + branches: [master] + +jobs: + coverage: + name: Check Go coverage + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set up Go 1.20.x + uses: actions/setup-go@v4 + with: + go-version: 1.20.x + - name: Run test metrics script + id: testcov + run: | + make test-coverage-report | tee test-results + echo "coverage=$(cat test-results | grep "Total coverage: " test-results | cut -d ":" -f 2 | bc)" >> $GITHUB_ENV + - name: Checks if Go coverage is at least 80% + if: env.coverage < 80 + run: | + echo "Go coverage is lower than 80%: ${{ env.coverage }}%" + exit 1 \ No newline at end of file diff --git a/assets/queries/cicd/github/run_block_injection/test/negative2.yaml b/assets/queries/cicd/github/run_block_injection/test/negative2.yaml new file mode 100644 index 00000000000..c954704a14f --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/negative2.yaml @@ -0,0 +1,15 @@ +name: Issue Workflow + +on: + issues: + types: + - opened + +jobs: + process_issue: + runs-on: ubuntu-latest + steps: + - name: Greet the New Issue + run: | + # Echo a simple sentence + echo "Hello, a new issue has been opened!" diff --git a/assets/queries/cicd/github/run_block_injection/test/negative3.yaml b/assets/queries/cicd/github/run_block_injection/test/negative3.yaml new file mode 100644 index 00000000000..499acd8c7ba --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/negative3.yaml @@ -0,0 +1,14 @@ +name: Discussion Workflow + +on: + discussion: + types: + - created + +jobs: + process_discussion: + runs-on: ubuntu-latest + steps: + - name: Greet the New Discussion + run: | + echo "Hello, a new discussion has been created!" 
diff --git a/assets/queries/cicd/github/run_block_injection/test/negative4.yaml b/assets/queries/cicd/github/run_block_injection/test/negative4.yaml new file mode 100644 index 00000000000..dd99cdf9131 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/negative4.yaml @@ -0,0 +1,14 @@ +name: Issue Comment Workflow + +on: + issue_comment: + types: + - created + +jobs: + process_issue_comment: + runs-on: ubuntu-latest + steps: + - name: Greet the New Issue Comment + run: | + echo "Hello, a new issue comment has been created!" diff --git a/assets/queries/cicd/github/run_block_injection/test/negative5.yaml b/assets/queries/cicd/github/run_block_injection/test/negative5.yaml new file mode 100644 index 00000000000..1fc2f915b03 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/negative5.yaml @@ -0,0 +1,14 @@ +name: Discussion Comment Workflow + +on: + discussion_comment: + types: + - created + +jobs: + process_discussion_comment: + runs-on: ubuntu-latest + steps: + - name: Greet the New Discussion Comment + run: | + echo "Hello, a new discussion comment has been created!" diff --git a/assets/queries/cicd/github/run_block_injection/test/negative6.yaml b/assets/queries/cicd/github/run_block_injection/test/negative6.yaml new file mode 100644 index 00000000000..bcb86ef0aa1 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/negative6.yaml @@ -0,0 +1,14 @@ +name: Author Workflow + +on: + author: + types: + - created + +jobs: + process_author: + runs-on: ubuntu-latest + steps: + - name: Greet the New Author + run: | + echo "Hello, a new author has been created!" diff --git a/assets/queries/cicd/github/run_block_injection/test/negative7.yaml b/assets/queries/cicd/github/run_block_injection/test/negative7.yaml new file mode 100644 index 00000000000..57af861e9b0 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/negative7.yaml 
@@ -0,0 +1,14 @@ +name: Workflow Run Workflow + +on: + workflow_run: + workflows: + - "Your Workflow Name" # Replace with the name of your specific workflow + +jobs: + process_workflow_run: + runs-on: ubuntu-latest + steps: + - name: Greet the New Workflow Run + run: | + echo "Hello, a new workflow run has started for 'Your Workflow Name'!" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive1.yaml b/assets/queries/cicd/github/run_block_injection/test/positive1.yaml new file mode 100644 index 00000000000..6ee6d54c544 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive1.yaml @@ -0,0 +1,39 @@ +name: Web Page To Markdown +on: + issues: + types: [opened] +jobs: + WebPageToMarkdown: + runs-on: ubuntu-latest + steps: + - name: Does the issue need to be converted to markdown + run: | + if [ "${{ github.event.issue.body }}" ]; then + if [[ "${{ github.event.issue.title }}" =~ ^\[Auto\]* ]]; then + : + else + echo "This issue does not need to generate a markdown file." 1>&2 + exit 1; + fi; + else + echo "The description of the issue is empty." 1>&2 + exit 1; + fi; + shell: bash + - name: Checkout + uses: actions/checkout@v3 + with: + ref: ${{ github.head_ref }} + - name: Crawl pages and generate Markdown files + uses: freeCodeCamp-China/article-webpage-to-markdown-action@v0.1.8 + with: + newsLink: '${{ github.event.issue.Body }}' + markDownFilePath: './chinese/articles/' + githubToken: ${{ github.token }} + - name: Git Auto Commit + uses: stefanzweifel/git-auto-commit-action@v4.9.2 + with: + commit_message: '${{ github.event.issue.title }}' + file_pattern: chinese/articles/*.md + commit_user_name: PageToMarkdown Bot + commit_user_email: PageToMarkdown-bot@freeCodeCamp.org \ No newline at end of file diff --git a/assets/queries/cicd/github/run_block_injection/test/positive2.yaml b/assets/queries/cicd/github/run_block_injection/test/positive2.yaml new file mode 100644 index 00000000000..a2905bf2cdf --- /dev/null 
+++ b/assets/queries/cicd/github/run_block_injection/test/positive2.yaml @@ -0,0 +1,14 @@ +name: Pull Request Workflow + +on: + pull_request_target: + types: + - opened + +jobs: + process_pull_request: + runs-on: ubuntu-latest + steps: + - name: Echo Pull Request Body + run: | + echo "Pull Request Body: ${{ github.event.pull_request.body }}" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive3.yaml b/assets/queries/cicd/github/run_block_injection/test/positive3.yaml new file mode 100644 index 00000000000..a0fd8865e47 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive3.yaml @@ -0,0 +1,14 @@ +name: Issue Comment Workflow + +on: + issue_comment: + types: + - created + +jobs: + process_issue_comment: + runs-on: ubuntu-latest + steps: + - name: Echo Issue Comment Body + run: | + echo "Issue Comment Body: ${{ github.event.comment.body }}" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive4.yaml b/assets/queries/cicd/github/run_block_injection/test/positive4.yaml new file mode 100644 index 00000000000..7552ddffc8b --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive4.yaml @@ -0,0 +1,14 @@ +name: Discussion Workflow + +on: + discussion: + types: + - created + +jobs: + process_discussion: + runs-on: ubuntu-latest + steps: + - name: Echo Discussion Title + run: | + echo "Discussion Title: ${{ github.event.discussion.title }}" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive5.yaml b/assets/queries/cicd/github/run_block_injection/test/positive5.yaml new file mode 100644 index 00000000000..39beeb868a1 --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive5.yaml 
@@ -0,0 +1,14 @@ +name: Discussion Comment Workflow + +on: + discussion_comment: + types: + - created + +jobs: + process_discussion_comment: + runs-on: ubuntu-latest + steps: + - name: Echo Discussion Comment Body + run: | + echo "Discussion Comment Body: ${{ github.event.comment.body }}" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive6.yaml b/assets/queries/cicd/github/run_block_injection/test/positive6.yaml new file mode 100644 index 00000000000..ec3c8e5c96b --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive6.yaml @@ -0,0 +1,14 @@ +name: Author Workflow + +on: + author: + types: + - created + +jobs: + process_author: + runs-on: ubuntu-latest + steps: + - name: Echo Author's Username + run: | + echo "Author's Name: ${{ github.event.authors.name }}" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive7.yaml b/assets/queries/cicd/github/run_block_injection/test/positive7.yaml new file mode 100644 index 00000000000..f86dd89b24e --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive7.yaml @@ -0,0 +1,14 @@ +name: Workflow Run Workflow + +on: + workflow_run: + workflows: + - "Your Workflow Name" # Replace with the name of your specific workflow + +jobs: + process_workflow_run: + runs-on: ubuntu-latest + steps: + - name: Echo Workflow Run Name + run: | + echo "Workflow Run Path: ${{ github.event.workflow.path }}" diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json new file mode 100644 index 00000000000..46b392e679b --- /dev/null +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json 
@@ -0,0 +1,44 @@ +[ + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 11, + "fileName": "positive1.yaml" + }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 14, + "fileName": "positive2.yaml" + }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 14, + "fileName": "positive3.yaml" + }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 14, + "fileName": "positive4.yaml" + }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 14, + "fileName": "positive5.yaml" + }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 14, + "fileName": "positive6.yaml" + }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 14, + "fileName": "positive7.yaml" + } +] From 40cb9e8fad79083f9ff3aa0848ed6a7d99772fc0 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 8 Sep 2023 15:28:45 +0100 Subject: [PATCH 049/379] creating query --- .../script_block_injection/metadata.json | 11 ++ .../github/script_block_injection/query.rego | 182 ++++++++++++++++++ .../test/positive1.yaml | 29 +++ .../test/positive_expected_result.json | 8 + 4 files changed, 230 insertions(+) create mode 100644 assets/queries/cicd/github/script_block_injection/metadata.json create mode 100644 assets/queries/cicd/github/script_block_injection/query.rego create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive1.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json diff --git a/assets/queries/cicd/github/script_block_injection/metadata.json b/assets/queries/cicd/github/script_block_injection/metadata.json new file mode 100644 index 00000000000..43c8838d142 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/metadata.json 
@@ -0,0 +1,11 @@ +{ + "id": "62ff6823-927a-427f-acf9-f1ea2932d616", + "queryName": "Script Block Injection", + "severity": "HIGH", + "category": "Insecure Configurations", + "descriptionText": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.", + "descriptionUrl": "https://securitylab.github.com/research/github-actions-untrusted-input/", + "platform": "CICD", + "descriptionID": "63e215f4", + "cloudProvider": "common" +} \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego new file mode 100644 index 00000000000..a83ddecf9db --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/query.rego 
@@ -0,0 +1,182 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ input.document[i].on["pull_request_target"]
+
+ uses := input.document[i].jobs[j].steps[k].uses
+
+ startswith(uses,"actions/github-scripts")
+
+ script := input.document[i].jobs[j].steps[k].with["script"]
+
+ patterns := [
+ "github.head_ref",
+ "github.event.pull_request.body",
+ "github.event.pull_request.head.label",
+ "github.event.pull_request.head.ref",
+ "github.event.pull_request.head.repo.default_branch",
+ "github.event.pull_request.head.repo.description",
+ "github.event.pull_request.head.repo.homepage",
+ "github.event.pull_request.title"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["issues"]
+ script := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.issue.body",
+ "github.event.issue.title"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["issue_comment"]
+ script := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.comment.body",
+ "github.event.issue.body",
+ "github.event.issue.title"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["discussion"]
+ script := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.discussion.body",
+ "github.event.discussion.title"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["discussion_comment"]
+ script := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.comment.body",
+ "github.event.discussion.body",
+ "github.event.discussion.title"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["workflow_run"]
+ script := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.event.workflow.path",
+ "github.event.workflow_run.head_branch",
+ "github.event.workflow_run.head_commit.author.email",
+ "github.event.workflow_run.head_commit.author.name",
+ "github.event.workflow_run.head_commit.message",
+ "github.event.workflow_run.head_repository.description"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[])
+ }
+}
+
+CxPolicy[result] {
+
+ input.document[i].on["author"]
+ script := input.document[i].jobs[j].steps[k].run
+
+ patterns := [
+ "github.*.authors.name",
+ "github.*.authors.email"
+ ]
+
+ containsPattern(script, patterns)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("script={{%s}}", [script]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
+ "keyActualValue": "Script block contains dangerous input controlled by user.",
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[])
+ }
+}
+
+
+
+containsPattern(str, patterns) {
+ pattern := patterns[_]
+ regex.match(pattern, str)
+}
+
diff --git a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml
new file mode 100644
index 00000000000..69e715e8464
--- /dev/null
+++ b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml
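Review bot: The prefix test in the first rule, `startswith(uses,"actions/github-scripts")`, can never match the real action name `actions/github-script` (no trailing s) — the commit's own fixture uses `actions/github-script@latest` and fails it — so the pull_request_target rule is dead; change it to `startswith(uses, "actions/github-script")`. In the six rules that read `steps[k].run`, the searchLine path ends in `"script"` although the value inspected lives under `run`, so the reported line points at a key that does not exist; use `["jobs", j, "steps", k, "run"]` there. `containsPattern` hands the pattern strings to `regex.match`, so the unescaped dots are wildcards and the match is unanchored, which is harmless for these names but deserves a comment such as `# patterns are regexes: dots match any character`. An `on` given as a list or a plain string (positive1.yaml writes it as a list) does not satisfy `input.document[i].on["pull_request_target"]`, which presumably needs handling if such workflows are meant to be covered. I am not aware of an `author` workflow trigger, so the last rule likely never fires; please confirm it against the GitHub events reference.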
@@ -0,0 +1,29 @@ +name: test-script-run + +on: +- pull_request_target: + types: + - opened + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json new file mode 100644 index 00000000000..69a8665bd8e --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 20, + "fileName": "positive1.yaml" + } +] From ce6b57c37974d8475724a0f574b29145774cd2dd Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 12:00:43 +0100 Subject: [PATCH 050/379] fixed description --- .../ansible/config/logging_of_sensitive_data/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json index fe847bcd393..81356007fa3 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json +++ b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json 
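Review bot: positive1.yaml does not exercise the rule it is meant to trigger: the step's `uses: actions/github-script@latest` does not start with the query's `actions/github-scripts` prefix, `on` is written as a YAML list so `on["pull_request_target"]` is undefined, and `github.event.issue.title` is not in the pull_request_target pattern list, so the expected finding at line 20 presumably does not come from this rule as written. A fixture that matches the rule would declare `on:` as a map with a `pull_request_target:` key and interpolate one listed field such as `github.event.pull_request.title`. A negative fixture with the same step reading that field through an `env:` variable instead of `${{ }}` expansion would also pin the intended safe pattern.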
@@ -3,7 +3,7 @@ "queryName": "Logging of sensitive data", "severity": "LOW", "category": "Best Practices", - "descriptionText": "To keep sensitive values out of your logs, mark tasks that expose them defining no_log and set to True", + "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True", "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log", "platform": "Ansible", "descriptionID": "0eca35f3", From e8b378bb4e08264155a3c3021c2d87970570059d Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 12:04:04 +0100 Subject: [PATCH 051/379] fixed metadata --- .../privilege_escalation_using_become_plugin/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json index 2e49431a507..a2654f1389a 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json @@ -3,7 +3,7 @@ "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", "category": "Access Control", - "descriptionText": "In order to perform an action as a different user with the become_user, you must define become and set to 'true'", + "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'", "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code", "platform": "Ansible", "descriptionID": "11502e38", From bc126254621c7a33c864d2002f8eec9337dfa96a Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 12:06:22 +0100 Subject: [PATCH 052/379] fixed metadata --- .../ansible/general/logging_of_sensitive_data/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json index 626bcb571ec..cdba736fa5c 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json @@ -3,7 +3,7 @@ "queryName": "Logging of Sensitive Data", "severity": "LOW", "category": "Best Practices", - "descriptionText": "In order to perform an action as a different user with the become_user, you must define become and set to 'true'", + "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True", "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-log-password/", "platform": "Ansible", "descriptionID": "a700e724", From 84443164644cbfc0c7af9d148b8976ae65b73600 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 13:17:54 +0100 Subject: [PATCH 053/379] fix(query): changed versionNotExplicit condition --- .../dockerfile/image_version_not_explicit/query.rego | 12 ++++++------ .../{negative.dockerfile => negative1.dockerfile} | 0 .../test/negative2.dockerfile | 8 ++++++++ .../{positive.dockerfile => positive1.dockerfile} | 0 .../test/positive2.dockerfile | 8 ++++++++ .../test/positive_expected_result.json | 7 +++++++ 6 files changed, 29 insertions(+), 6 deletions(-) rename assets/queries/dockerfile/image_version_not_explicit/test/{negative.dockerfile => negative1.dockerfile} (100%) create mode 100644 assets/queries/dockerfile/image_version_not_explicit/test/negative2.dockerfile rename assets/queries/dockerfile/image_version_not_explicit/test/{positive.dockerfile => positive1.dockerfile} (100%) create mode 100644 assets/queries/dockerfile/image_version_not_explicit/test/positive2.dockerfile diff --git a/assets/queries/dockerfile/image_version_not_explicit/query.rego b/assets/queries/dockerfile/image_version_not_explicit/query.rego index 4d5f3bf7f27..670e124ee41 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/query.rego +++ b/assets/queries/dockerfile/image_version_not_explicit/query.rego @@ -43,16 +43,16 @@ versionNotExplicit(cmd) { count(cmd) > 1 not contains(cmd[0], ":") + count([x | x := input.document[i].command[name][_]; build_name_exists(x, cmd[0])]) == 0 +} - resource := input.document[i].command[name][_] +build_name_exists(resource, build_name){ not resource.Value[0] == "scratch" resource.Cmd == "from" count(resource.Value) > 1 - resource.Value[1] == "as" - - resource.Value[2] == cmd[0] + lower(resource.Value[1]) == "as" - not contains(resource.Value[0], ":") -} + resource.Value[2] == build_name +} \ No newline at end of file 
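Review bot: In the comprehension added to `versionNotExplicit`, `i` and `name` are fresh variables inside the function body, so `input.document[i].command[name][_]` iterates every document in the scan rather than the Dockerfile the `cmd` belongs to; an alias declared in any other scanned Dockerfile would satisfy `build_name_exists` and suppress the finding, which presumably is not intended. The inline form this replaces had the same scoping, so the issue is carried over rather than introduced, and fixing it means passing the document index from the caller, e.g. `versionNotExplicit(cmd, doc)` with `input.document[doc].command[name][_]`; the head of `versionNotExplicit` and its call sites are outside the hunk. `build_name_exists` would also benefit from a header comment: `# build_name_exists(resource, build_name): resource is a non-scratch FROM whose alias (AS, case-insensitive) equals build_name`.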
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/negative.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/negative1.dockerfile similarity index 100% rename from assets/queries/dockerfile/image_version_not_explicit/test/negative.dockerfile rename to assets/queries/dockerfile/image_version_not_explicit/test/negative1.dockerfile diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/negative2.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/negative2.dockerfile new file mode 100644 index 00000000000..1da90378154 --- /dev/null +++ b/assets/queries/dockerfile/image_version_not_explicit/test/negative2.dockerfile @@ -0,0 +1,8 @@ +FROM ubuntu:22.04 AS test +RUN echo "hello" + +FROM test AS build +RUN echo "build" + +FROM build AS final +RUN echo "final" \ No newline at end of file diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/positive1.dockerfile similarity index 100% rename from assets/queries/dockerfile/image_version_not_explicit/test/positive.dockerfile rename to assets/queries/dockerfile/image_version_not_explicit/test/positive1.dockerfile diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive2.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/positive2.dockerfile new file mode 100644 index 00000000000..6fc18a10a04 --- /dev/null +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive2.dockerfile @@ -0,0 +1,8 @@ +FROM ubuntu:22.04 AS test +RUN echo "hello" + +FROM test AS build +RUN echo "build" + +FROM construction AS final +RUN echo "final" \ No newline at end of file diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index e4e93fee282..37f34812dbf 100644 
--- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Image Version Not Explicit", "severity": "MEDIUM", + "fileName": "negative1.dockerfile", "line": 1 + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "fileName": "negative2.dockerfile", + "line": 7 } ] From 3bd38a40227b454d8a2b9aff358114ef8206caf4 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 14:45:51 +0100 Subject: [PATCH 054/379] fix expected results --- .../test/positive_expected_result.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index 37f34812dbf..cd389735b38 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json @@ -2,13 +2,13 @@ { "queryName": "Image Version Not Explicit", "severity": "MEDIUM", - "fileName": "negative1.dockerfile", + "fileName": "positive1.dockerfile", "line": 1 }, { "queryName": "Image Version Not Explicit", "severity": "MEDIUM", - "fileName": "negative2.dockerfile", + "fileName": "positive2.dockerfile", "line": 7 } ] From dafc93eaeb3a382fa53d16ab99948f97050b5293 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 17:18:24 +0100 Subject: [PATCH 055/379] fix(query): deprecated network not set --- .../networks_not_set/metadata.json | 10 ------- .../dockerCompose/networks_not_set/query.rego | 18 ----------- .../networks_not_set/test/negative1.yaml | 16 ---------- .../networks_not_set/test/positive1.yaml | 14 --------- .../networks_not_set/test/positive2.yaml | 30 ------------------- .../test/positive_expected_result.json | 14 --------- 6 files changed, 102 deletions(-) delete mode 100644 assets/queries/dockerCompose/networks_not_set/metadata.json delete mode 100644 assets/queries/dockerCompose/networks_not_set/query.rego delete mode 100644 assets/queries/dockerCompose/networks_not_set/test/negative1.yaml delete mode 100644 assets/queries/dockerCompose/networks_not_set/test/positive1.yaml delete mode 100644 assets/queries/dockerCompose/networks_not_set/test/positive2.yaml delete mode 100644 assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json diff --git a/assets/queries/dockerCompose/networks_not_set/metadata.json b/assets/queries/dockerCompose/networks_not_set/metadata.json deleted file mode 100644 index 3f0f79b3ae8..00000000000 --- a/assets/queries/dockerCompose/networks_not_set/metadata.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "id": "ce14a68b-1668-41a0-ab7d-facd9f784742", - "queryName": "Networks Not Set", - "severity": "MEDIUM", - "category": "Networking and Firewall", - "descriptionText": "Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.", - "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#networks", - "platform": "DockerCompose", - "descriptionID": "3743a217" -} diff --git a/assets/queries/dockerCompose/networks_not_set/query.rego b/assets/queries/dockerCompose/networks_not_set/query.rego deleted file mode 100644 index dbcd4a3b418..00000000000 
--- a/assets/queries/dockerCompose/networks_not_set/query.rego +++ /dev/null @@ -1,18 +0,0 @@ -package Cx - -import data.generic.common as common_lib - -CxPolicy[result] { - resource := input.document[i] - service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "networks") - - result := { - "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("There should be a network declared for the service '%s'", [name]), - "keyActualValue": sprintf("There is no network declared for the service '%s'", [name]), - "searchLine": common_lib.build_search_line(["services", name], []), - } -} diff --git a/assets/queries/dockerCompose/networks_not_set/test/negative1.yaml b/assets/queries/dockerCompose/networks_not_set/test/negative1.yaml deleted file mode 100644 index 66713f52c82..00000000000 --- a/assets/queries/dockerCompose/networks_not_set/test/negative1.yaml +++ /dev/null @@ -1,16 +0,0 @@ -version: "3.4" -services: - service-service-service: - build: - context: . - dockerfile: service.dockerfile - ports: - - "6969:8080" - networks: - - service-service-frontend - restart: always - security_opt: - - no-new-privileges:true - -networks: - service-service-frontend: diff --git a/assets/queries/dockerCompose/networks_not_set/test/positive1.yaml b/assets/queries/dockerCompose/networks_not_set/test/positive1.yaml deleted file mode 100644 index eb6a42ab6fc..00000000000 --- a/assets/queries/dockerCompose/networks_not_set/test/positive1.yaml +++ /dev/null @@ -1,14 +0,0 @@ -version: '2.2' - -volumes: - front_build: - -services: - auth: - build: - context: . - dockerfile: docker_config/Dockerfile - restart: on-failure - pids_limit: 10 - cpus: 0.25 - mem_limit: 500M 
diff --git a/assets/queries/dockerCompose/networks_not_set/test/positive2.yaml b/assets/queries/dockerCompose/networks_not_set/test/positive2.yaml deleted file mode 100644 index 826bdee1881..00000000000 --- a/assets/queries/dockerCompose/networks_not_set/test/positive2.yaml +++ /dev/null @@ -1,30 +0,0 @@ -version: '2.2' - -services: - service-service-service: - build: - context: . - dockerfile: service.dockerfile - ports: - - "6969:8080" - networks: - - service-service-frontend - restart: always - security_opt: - - no-new-privileges:true - - auth: - build: - context: . - dockerfile: docker_config/Dockerfile - restart: on-failure - pids_limit: 10 - cpus: 0.25 - mem_limit: 500M - -networks: - service-service-frontend: - -volumes: - front_build: - diff --git a/assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json deleted file mode 100644 index 140e11ee12a..00000000000 --- a/assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json +++ /dev/null @@ -1,14 +0,0 @@ -[ - { - "queryName": "Networks Not Set", - "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml" - }, - { - "queryName": "Networks Not Set", - "severity": "MEDIUM", - "line": 16, - "filename": "positive2.yaml" - } -] From eaef6134cb314cdb35f86f884d3382b3e4eba7c7 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Sat, 9 Sep 2023 18:42:01 +0100 Subject: [PATCH 056/379] fix: unnecessary private information --- .../test/negative2.json | 2 +- .../test/negative2.json | 2 +- .../test/negative2.json | 2 +- .../test/negative1.yaml | 2 +- .../test/negative2.json | 2 +- .../passwords_and_secrets/test/positive15.tf | 48 +++++++++---------- .../passwords_and_secrets/test/positive40.tf | 4 +- .../test/negative.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/positive2.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/positive2.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/negative.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/positive.dockerfile | 4 +- .../test/negative.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/positive.dockerfile | 4 +- .../test/negative5.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/negative1.dockerfile | 4 +- .../test/positive1.dockerfile | 4 +- .../test/negative2.dockerfile | 4 +- .../test/negative3.yaml | 2 +- .../test/negative4.yaml | 2 +- .../test/positive3.yaml | 2 +- .../test/positive4.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/negative2.yaml | 2 +- .../test/negative3.yaml | 2 +- .../test/negative4.yaml | 2 +- .../test/positive3.yaml | 2 +- .../test/positive4.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/negative2.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/negative2.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/positive2.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/positive2.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/negative4.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/negative2.yaml | 2 +- 
.../test/positive1.yaml | 2 +- .../test/positive2.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/negative2.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/positive2.yaml | 2 +- .../test/negative1.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/negative2.yaml | 2 +- .../test/negative4.yaml | 2 +- .../test/positive2.yaml | 2 +- .../test/negative3.yaml | 2 +- .../test/negative2.yaml | 2 +- .../test/negative3.yaml | 2 +- .../test/positive1.yaml | 2 +- .../test/negative.tf | 2 +- .../test/positive.tf | 2 +- .../test/negative4.tf | 4 +- 72 files changed, 117 insertions(+), 117 deletions(-) diff --git a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json index 94a2752bb8c..07003eb44c9 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json @@ -58,7 +58,7 @@ } }, "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b", - "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml" } ] } diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json index 94a2752bb8c..07003eb44c9 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json @@ -58,7 +58,7 @@ } }, "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b", - "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml" } ] } 
diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json index af14a2b2621..1c710f27be3 100644 --- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json +++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json @@ -12,7 +12,7 @@ } }, "id": "f63e21c6-c58e-45cf-b7b4-6b548d9f7674", - "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml" } ] } diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml index 604d07060dc..a9b882620a8 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml @@ -17,7 +17,7 @@ Resources: Principal: AWS: - arn:aws:iam::111122223333:user/Alice - - arn:aws:iam::111122223333:user/Fabio + - arn:aws:iam::111122223333:user/foo Action: s3:GetObject Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/* Condition: diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json index d97401495a6..649826b9aee 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json @@ -29,7 +29,7 @@ "Principal": { "AWS": [ "arn:aws:iam::111122223333:user/Alice", - "arn:aws:iam::111122223333:user/Fabio" + "arn:aws:iam::111122223333:user/foo" ] }, "Action": "s3:GetObject", 
diff --git a/assets/queries/common/passwords_and_secrets/test/positive15.tf b/assets/queries/common/passwords_and_secrets/test/positive15.tf index f40a3189274..a3679b48014 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive15.tf +++ b/assets/queries/common/passwords_and_secrets/test/positive15.tf @@ -19,8 +19,8 @@ EOF tags = merge({ Name = "${local.resource_prefix.value}-ec2" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -34,8 +34,8 @@ resource "aws_ebs_volume" "web_host_storage" { tags = merge({ Name = "${local.resource_prefix.value}-ebs" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -48,8 +48,8 @@ resource "aws_ebs_snapshot" "example_snapshot" { tags = merge({ Name = "${local.resource_prefix.value}-ebs-snapshot" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -90,8 +90,8 @@ resource "aws_security_group" "web-node" { } depends_on = [aws_vpc.web_vpc] tags = { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" } @@ -104,8 +104,8 @@ resource "aws_vpc" "web_vpc" { tags = merge({ Name = "${local.resource_prefix.value}-vpc" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) 
@@ -120,8 +120,8 @@ resource "aws_subnet" "web_subnet" { tags = merge({ Name = "${local.resource_prefix.value}-subnet" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -136,8 +136,8 @@ resource "aws_subnet" "web_subnet2" { tags = merge({ Name = "${local.resource_prefix.value}-subnet2" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -150,8 +150,8 @@ resource "aws_internet_gateway" "web_igw" { tags = merge({ Name = "${local.resource_prefix.value}-igw" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -163,8 +163,8 @@ resource "aws_route_table" "web_rtb" { tags = merge({ Name = "${local.resource_prefix.value}-rtb" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -198,8 +198,8 @@ resource "aws_network_interface" "web-eni" { tags = merge({ Name = "${local.resource_prefix.value}-primary_network_interface" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) 
@@ -216,8 +216,8 @@ resource "aws_flow_log" "vpcflowlogs" { Name = "${local.resource_prefix.value}-flowlogs" Environment = local.resource_prefix.value }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -231,8 +231,8 @@ resource "aws_s3_bucket" "flowbucket" { Name = "${local.resource_prefix.value}-flowlogs" Environment = local.resource_prefix.value }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) diff --git a/assets/queries/common/passwords_and_secrets/test/positive40.tf b/assets/queries/common/passwords_and_secrets/test/positive40.tf index 4b43c6848aa..ecbac652401 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive40.tf +++ b/assets/queries/common/passwords_and_secrets/test/positive40.tf @@ -19,8 +19,8 @@ EOF tags = merge({ Name = "${local.resource_prefix.value}-ec2" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile index b63e1394c32..068132f93d0 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile 
@@ -1,5 +1,5 @@ FROM golang:1.7.3 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go . RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . @@ -8,5 +8,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app . +COPY --from=builder /go/src/github.com/foo/href-counter/app . CMD ["./app"] diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile b/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile index f6e11eaa7be..d596ed8708c 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . @@ -7,7 +7,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] RUN useradd -ms /bin/bash patrick diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile index 54fc705e621..f779ad71574 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile 
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,7 +7,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile b/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile
index e3d4b81ec67..cfd0135ffe4 100644
--- a/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,7 +8,7 @@ USER root
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile b/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile
index 58646b79169..3870cc8bba8 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -11,7 +11,7 @@ RUN set -uex && \
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile b/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile
index 54fc705e621..f779ad71574 100644
--- a/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,7 +7,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile b/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile
index 705a06381b4..720cb9493b0 100644
--- a/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile
+++ b/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,5 +7,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile b/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile
index e541b507777..6dbbb1ca88e 100644
--- a/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,7 +8,7 @@ RUN zypper install
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile
index 4677acd65c6..6a90a260624 100644
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,7 +8,7 @@ RUN zypper install httpd && zypper clean
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile
index 44e4e13025e..8820b538bae 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ CMD ["./app"]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile
index 67008575374..2e9a5581f31 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ CMD ["./apps"]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile
index f82a17292d1..68c3ea42206 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,6 +7,6 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
 CMD ["./apps"]
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile
index d75b79820c4..cd42e046ddc 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile
index aa7c3b50a24..32f1423fc16 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile
index 33b06c01ff3..535ab76805a 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,6 +7,6 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile
index 837960d552b..bb563440411 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile
index fb95864698c..855d48b09e4 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ ENTRYPOINT [top, -b]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile b/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile
index b63e1394c32..068132f93d0 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+COPY --from=builder /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile
index 5ff63e3c9d7..e0dd53f39c0 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,5 +7,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=0 /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile b/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile
index 92a3ec08fbf..ef4f6c2d155 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ RUN yum clean all \
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml
index 6808598163d..91742f9de93 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--anonymous-auth=false"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml
index caff930f02c..e68f9fd9d76 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet", "--anonymous-auth=false"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml
index 0cb25b7e281..dba41319fc7 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet", "--anonymous-auth=true"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml
index a58f24c160b..7caaf8ffa4e 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--anonymous-auth=true"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml b/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml
index 96578174ecf..e804dcbd7d6 100644
--- a/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml
+++ b/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml
@@ -9,7 +9,7 @@ spec:
 - name: command-demo-container
 image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
 command: ["kube-apiserver"]
- args: ["--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"]
+ args: ["--audit-policy-file=/home/foo/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"]
 restartPolicy: OnFailure
 ---
 apiVersion: audit.k8s.io/v1 # This is required.
diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml b/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml
index 8e9811805d6..eebaf90475f 100644
--- a/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml
+++ b/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml
@@ -8,7 +8,7 @@ spec:
 containers:
 - name: command-demo-container
 image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
- command: ["kube-apiserver","--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"]
+ command: ["kube-apiserver","--audit-policy-file=/home/foo/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"]
 args: []
 restartPolicy: OnFailure
 ---
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml
index ba1ac93897b..42c6d38065d 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--authorization-mode=MyMode"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml
index 80e2d5ea08a..b17c8889fc4 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet", "--authorization-mode=MyMode"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml
index dac6a582826..b09d6d298c1 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--anonymous-auth=false", "--authorization-mode=MyMode,AlwaysAllow"]
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml
index 1a791271e01..fdc2d0c23e8 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet", "--authorization-mode=MyMode,AlwaysAllow"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml
index dfb57f6a4da..736d3a2b6c8 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--client-ca-file=/var/lib/ca.pem"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml
index f475932a297..401ec076062 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: []
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml
index a5b12824d01..337b5ccbed8 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--client-ca-file=/var/lib/ca.txt"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml
index f4bd45d4d7e..4f3059fa614 100644
--- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml
+++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--rotate-certificates"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml
index 04a80c1919f..d17ce000e1d 100644
--- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml
+++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--rotate-certificates=false"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml
index 2c71ce9f85c..e707b0dff8b 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--event-qps=0"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml
index f475932a297..401ec076062 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: []
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml
index b55c1a5dafc..d9f28838f91 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--event-qps=1"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml
index 9cad126fe0b..8cd377bf561 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet","--event-qps=3"]
 args: []
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml b/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml
index f475932a297..401ec076062 100644
--- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: []
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml
index 076ec552ad9..255f3313356 100644
--- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--hostname-override=host"]
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml
index 3b1130f1448..d2b19e9a16b 100644
--- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet","--hostname-override=host"]
 args: []
 restartPolicy: OnFailure
diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml
index 3db9decc875..145a3245792 100644
--- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml
+++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--make-iptables-util-chains=true"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml index 1610f40f97b..56313ecfa4b 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml index 7b36bd3a52c..2ae0a0612eb 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--make-iptables-util-chains=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml index 62d9a655513..4549a1d6613 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--protect-kernel-defaults=true"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml index f475932a297..401ec076062 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml index 3b9476abf29..5f076dfb276 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--protect-kernel-defaults=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml index ab1579b5d88..a19d791882e 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet","--protect-kernel-defaults=false"] args: [] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml index 2aae554bdba..0974093b8f4 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: kubelet-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--read-only-port=0"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml index 682c3c916f4..83f6974a512 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--read-only-port=0"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml index c17cf70071b..312662dddcd 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--read-only-port=1"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml index e8cfdad4565..71f19da4242 100644 
--- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--read-only-port=1"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml index 1610f40f97b..56313ecfa4b 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml index 1687c35f07f..204c5164ff0 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--streaming-connection-idle-timeout=0"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml index abf4225faa1..90622912a22 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml 
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--feature-gates=RotateKubeletServerCertificate=true"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml index 1610f40f97b..56313ecfa4b 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml index 5325634729f..0b6f43153fc 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--feature-gates=RotateKubeletServerCertificate=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml b/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml index ff638e7467e..86d150d983a 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml 
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml b/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml index 6f6a466c158..23df5523253 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml b/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml index f475932a297..401ec076062 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml b/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml index d7ce82771a7..4948dd5171c 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] restartPolicy: OnFailure 
diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf index 8a6c963f278..4ebee76b109 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf @@ -57,7 +57,7 @@ resource "aws_codebuild_project" "project-cloudrail-test2" { source { type = "GITHUB" - location = "https://github.com/mitchellh/packer.git" + location = "https://github.com/foo/bar.git" git_clone_depth = 1 } } diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf index e0d54154c9e..3e4d0f470f7 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf @@ -57,7 +57,7 @@ resource "aws_codebuild_project" "project-cloudrail-test" { source { type = "GITHUB" - location = "https://github.com/mitchellh/packer.git" + location = "https://github.com/foo/bar.git" git_clone_depth = 1 } } diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf b/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf index dfd565b3c49..8b3b78cd725 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf +++ b/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf @@ -93,8 +93,8 @@ resource "aws_instance" "cowrie_server" { tags = { Name = "cowrie", - author = "konstruktoid" - vcs-url = "https://github.com/konstruktoid/ansible-cowrie-rootless" + author = "foo" + vcs-url = "https://github.com/foo/bar" purpose = "honeypot" } } 
From b8afc21ce993fc5851647a389c6aa5d5c3d17fc1 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos
Date: Mon, 11 Sep 2023 13:53:30 +0100
Subject: [PATCH 057/379] fixed code
---
 .../test/negative2.json | 2 +-
 .../test/negative2.json | 2 +-
 .../test/negative2.json | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative2.json | 2 +-
 .../passwords_and_secrets/test/positive15.tf | 48 +++++++++----------
 .../passwords_and_secrets/test/positive40.tf | 4 +-
 .../test/negative.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/positive2.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/positive2.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/negative.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/positive.dockerfile | 4 +-
 .../test/negative.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/positive.dockerfile | 4 +-
 .../test/negative5.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/negative1.dockerfile | 4 +-
 .../test/positive1.dockerfile | 4 +-
 .../test/negative2.dockerfile | 4 +-
 .../test/negative3.yaml | 2 +-
 .../test/negative4.yaml | 2 +-
 .../test/positive3.yaml | 2 +-
 .../test/positive4.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/negative3.yaml | 2 +-
 .../test/negative4.yaml | 2 +-
 .../test/positive3.yaml | 2 +-
 .../test/positive4.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/positive2.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/positive2.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative4.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/positive2.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/positive2.yaml | 2 +-
 .../test/negative1.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/negative4.yaml | 2 +-
 .../test/positive2.yaml | 2 +-
 .../test/negative3.yaml | 2 +-
 .../test/negative2.yaml | 2 +-
 .../test/negative3.yaml | 2 +-
 .../test/positive1.yaml | 2 +-
 .../test/negative.tf | 2 +-
 .../test/positive.tf | 2 +-
 .../test/negative4.tf | 4 +-
 72 files changed, 117 insertions(+), 117 deletions(-)
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json
index 94a2752bb8c..07003eb44c9 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/test/negative2.json
@@ -58,7 +58,7 @@
 }
 },
 "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b",
- "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml"
+ "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml"
 }
 ]
 }
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json
index 94a2752bb8c..07003eb44c9 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/negative2.json
@@ -58,7 +58,7 @@
 }
 },
 "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b",
- "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml"
+ "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml"
 }
 ]
 }
diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json
index af14a2b2621..1c710f27be3 100644
--- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json
+++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/negative2.json
@@ -12,7 +12,7 @@
 }
 },
 "id": "f63e21c6-c58e-45cf-b7b4-6b548d9f7674",
- "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml"
+ "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml"
 }
 ]
 }
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml
index 604d07060dc..a9b882620a8 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml
+++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative1.yaml
@@ -17,7 +17,7 @@ Resources:
 Principal:
 AWS:
 - arn:aws:iam::111122223333:user/Alice
- - arn:aws:iam::111122223333:user/Fabio
+ - arn:aws:iam::111122223333:user/foo
 Action: s3:GetObject
 Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
 Condition:
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json
index d97401495a6..649826b9aee 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/negative2.json
@@ -29,7 +29,7 @@
 "Principal": {
 "AWS": [
 "arn:aws:iam::111122223333:user/Alice",
- "arn:aws:iam::111122223333:user/Fabio"
+ "arn:aws:iam::111122223333:user/foo"
 ]
 },
 "Action": "s3:GetObject",
diff --git a/assets/queries/common/passwords_and_secrets/test/positive15.tf b/assets/queries/common/passwords_and_secrets/test/positive15.tf
index f40a3189274..a3679b48014 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive15.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive15.tf
@@ -19,8 +19,8 @@ EOF
 tags = merge({
 Name = "${local.resource_prefix.value}-ec2"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -34,8 +34,8 @@ resource "aws_ebs_volume" "web_host_storage" {
 tags = merge({
 Name = "${local.resource_prefix.value}-ebs"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -48,8 +48,8 @@ resource "aws_ebs_snapshot" "example_snapshot" {
 tags = merge({
 Name = "${local.resource_prefix.value}-ebs-snapshot"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -90,8 +90,8 @@ resource "aws_security_group" "web-node" {
 }
 depends_on = [aws_vpc.web_vpc]
 tags = {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 }
@@ -104,8 +104,8 @@ resource "aws_vpc" "web_vpc" {
 tags = merge({
 Name = "${local.resource_prefix.value}-vpc"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -120,8 +120,8 @@ resource "aws_subnet" "web_subnet" {
 tags = merge({
 Name = "${local.resource_prefix.value}-subnet"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -136,8 +136,8 @@ resource "aws_subnet" "web_subnet2" {
 tags = merge({
 Name = "${local.resource_prefix.value}-subnet2"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -150,8 +150,8 @@ resource "aws_internet_gateway" "web_igw" {
 tags = merge({
 Name = "${local.resource_prefix.value}-igw"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -163,8 +163,8 @@ resource "aws_route_table" "web_rtb" {
 tags = merge({
 Name = "${local.resource_prefix.value}-rtb"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -198,8 +198,8 @@ resource "aws_network_interface" "web-eni" {
 tags = merge({
 Name = "${local.resource_prefix.value}-primary_network_interface"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -216,8 +216,8 @@ resource "aws_flow_log" "vpcflowlogs" {
 Name = "${local.resource_prefix.value}-flowlogs"
 Environment = local.resource_prefix.value
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
@@ -231,8 +231,8 @@ resource "aws_s3_bucket" "flowbucket" {
 Name = "${local.resource_prefix.value}-flowlogs"
 Environment = local.resource_prefix.value
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
diff --git a/assets/queries/common/passwords_and_secrets/test/positive40.tf b/assets/queries/common/passwords_and_secrets/test/positive40.tf
index 4b43c6848aa..ecbac652401 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive40.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive40.tf
@@ -19,8 +19,8 @@ EOF
 tags = merge({
 Name = "${local.resource_prefix.value}-ec2"
 }, {
- git_last_modified_by = "felipe.avelar@checkmarx.com"
- git_modifiers = "felipe.avelar"
+ git_last_modified_by = "email@email.com"
+ git_modifiers = "foo.bar"
 git_org = "checkmarx"
 git_repo = "kics"
 })
diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile
index b63e1394c32..068132f93d0 100644
--- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile
+++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+COPY --from=builder /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile b/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile
index f6e11eaa7be..d596ed8708c 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,7 +7,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile
index 54fc705e621..f779ad71574 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
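Review bot: The line after the changed COPY in healthcheck_instruction_missing/test/negative2.dockerfile, `RUN useradd -ms /bin/bash patrick`, still carries a first name while the other identifiers in this hunk are swapped for placeholders; the same line survives unchanged in the negative2/positive2 fixtures of last_user_is_root, missing_dnf_clean_all, missing_user_instruction, missing_zypper_clean, missing_zypper_non_interactive_switch and multiple_cmd_instructions_listed further down. If the purpose of this commit is to scrub personal identifiers from test fixtures, `RUN useradd -ms /bin/bash foo` would make these files consistent with the rest of the change. Whether any expected-result file keys on that user name is not visible from the hunk, so that should be checked before renaming.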
@@ -7,7 +7,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] RUN useradd -ms /bin/bash patrick diff --git a/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile b/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile index e3d4b81ec67..cfd0135ffe4 100644 --- a/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile +++ b/assets/queries/dockerfile/last_user_is_root/test/negative2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . @@ -8,7 +8,7 @@ USER root FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] RUN useradd -ms /bin/bash patrick diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile b/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile index 58646b79169..3870cc8bba8 100644 --- a/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile +++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/negative2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . 
@@ -11,7 +11,7 @@ RUN set -uex && \ FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] RUN useradd -ms /bin/bash patrick diff --git a/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile b/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile index 54fc705e621..f779ad71574 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile +++ b/assets/queries/dockerfile/missing_user_instruction/test/negative2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . @@ -7,7 +7,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] RUN useradd -ms /bin/bash patrick diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile b/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile index 705a06381b4..720cb9493b0 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile +++ b/assets/queries/dockerfile/missing_user_instruction/test/positive2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . 
@@ -7,5 +7,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile b/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile index e541b507777..6dbbb1ca88e 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile +++ b/assets/queries/dockerfile/missing_zypper_clean/test/negative2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . @@ -8,7 +8,7 @@ RUN zypper install FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +COPY --from=builder /go/src/github.com/foo/href-counter/app ./ CMD ["./app"] RUN useradd -ms /bin/bash patrick diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile index 4677acd65c6..6a90a260624 100644 --- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative2.dockerfile @@ -1,5 +1,5 @@ FROM golang:1.16 AS builder -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go ./ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . 
@@ -8,7 +8,7 @@ RUN zypper install httpd && zypper clean
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile
index 44e4e13025e..8820b538bae 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ CMD ["./app"]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile
index 67008575374..2e9a5581f31 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ CMD ["./apps"]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile
index f82a17292d1..68c3ea42206 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,6 +7,6 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
 CMD ["./apps"]
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile
index d75b79820c4..cd42e046ddc 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile
index aa7c3b50a24..32f1423fc16 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile
index 33b06c01ff3..535ab76805a 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,6 +7,6 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile
index 837960d552b..bb563440411 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative5.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile
index fb95864698c..855d48b09e4 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ ENTRYPOINT [top, -b]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile b/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile
index b63e1394c32..068132f93d0 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/negative1.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.7.3 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -8,5 +8,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+COPY --from=builder /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile
index 5ff63e3c9d7..e0dd53f39c0 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive1.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -7,5 +7,5 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=0 /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile b/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile
index 92a3ec08fbf..ef4f6c2d155 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile
+++ b/assets/queries/dockerfile/yum_clean_all_missing/test/negative2.dockerfile
@@ -1,5 +1,5 @@
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -9,7 +9,7 @@ RUN yum clean all \
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml
index 6808598163d..91742f9de93 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative3.yaml
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--anonymous-auth=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml index caff930f02c..e68f9fd9d76 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/negative4.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--anonymous-auth=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml index 0cb25b7e281..dba41319fc7 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive3.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--anonymous-auth=true"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml index a58f24c160b..7caaf8ffa4e 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive4.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--anonymous-auth=true"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml b/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml index 96578174ecf..e804dcbd7d6 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml +++ b/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml @@ -9,7 +9,7 @@ spec: - name: command-demo-container image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 command: ["kube-apiserver"] - args: ["--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"] + args: ["--audit-policy-file=/home/foo/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"] restartPolicy: OnFailure --- apiVersion: audit.k8s.io/v1 # This is required. diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml b/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml index 8e9811805d6..eebaf90475f 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml +++ b/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml @@ -8,7 +8,7 @@ spec: containers: - name: command-demo-container image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 - command: ["kube-apiserver","--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"] + command: ["kube-apiserver","--audit-policy-file=/home/foo/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"] args: [] restartPolicy: OnFailure --- diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml index ba1ac93897b..42c6d38065d 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative3.yaml 
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--authorization-mode=MyMode"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml index 80e2d5ea08a..b17c8889fc4 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/negative4.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--authorization-mode=MyMode"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml index dac6a582826..b09d6d298c1 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive3.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--anonymous-auth=false", "--authorization-mode=MyMode,AlwaysAllow"] diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml index 1a791271e01..fdc2d0c23e8 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive4.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--authorization-mode=MyMode,AlwaysAllow"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml index dfb57f6a4da..736d3a2b6c8 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--client-ca-file=/var/lib/ca.pem"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml index f475932a297..401ec076062 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml index a5b12824d01..337b5ccbed8 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--client-ca-file=/var/lib/ca.txt"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml index f4bd45d4d7e..4f3059fa614 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--rotate-certificates"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml index 04a80c1919f..d17ce000e1d 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--rotate-certificates=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml index 2c71ce9f85c..e707b0dff8b 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--event-qps=0"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml index f475932a297..401ec076062 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml index b55c1a5dafc..d9f28838f91 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--event-qps=1"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml index 9cad126fe0b..8cd377bf561 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet","--event-qps=3"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml b/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml index f475932a297..401ec076062 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml 
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml index 076ec552ad9..255f3313356 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--hostname-override=host"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml index 3b1130f1448..d2b19e9a16b 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet","--hostname-override=host"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml index 3db9decc875..145a3245792 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--make-iptables-util-chains=true"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml index 1610f40f97b..56313ecfa4b 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/negative4.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml index 7b36bd3a52c..2ae0a0612eb 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--make-iptables-util-chains=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml index 62d9a655513..4549a1d6613 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--protect-kernel-defaults=true"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml index f475932a297..401ec076062 100644 
--- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml index 3b9476abf29..5f076dfb276 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--protect-kernel-defaults=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml index ab1579b5d88..a19d791882e 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet","--protect-kernel-defaults=false"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml index 2aae554bdba..0974093b8f4 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative1.yaml 
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: kubelet-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--read-only-port=0"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml index 682c3c916f4..83f6974a512 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/negative2.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--read-only-port=0"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml index c17cf70071b..312662dddcd 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--read-only-port=1"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml index e8cfdad4565..71f19da4242 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive2.yaml @@ -7,6 +7,6 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--read-only-port=1"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml index 1610f40f97b..56313ecfa4b 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/negative1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml index 1687c35f07f..204c5164ff0 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--streaming-connection-idle-timeout=0"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml index abf4225faa1..90622912a22 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--feature-gates=RotateKubeletServerCertificate=true"] restartPolicy: OnFailure 
diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml index 1610f40f97b..56313ecfa4b 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/negative4.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml index 5325634729f..0b6f43153fc 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--feature-gates=RotateKubeletServerCertificate=false"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml b/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml index ff638e7467e..86d150d983a 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/negative3.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml b/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml index 6f6a466c158..23df5523253 100644 
--- a/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/negative2.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] restartPolicy: OnFailure diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml b/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml index f475932a297..401ec076062 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/negative3.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml b/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml index d7ce82771a7..4948dd5171c 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive1.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] restartPolicy: OnFailure diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf index 8a6c963f278..4ebee76b109 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/negative.tf 
@@ -57,7 +57,7 @@ resource "aws_codebuild_project" "project-cloudrail-test2" { source { type = "GITHUB" - location = "https://github.com/mitchellh/packer.git" + location = "https://github.com/foo/bar.git" git_clone_depth = 1 } } diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf index e0d54154c9e..3e4d0f470f7 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive.tf @@ -57,7 +57,7 @@ resource "aws_codebuild_project" "project-cloudrail-test" { source { type = "GITHUB" - location = "https://github.com/mitchellh/packer.git" + location = "https://github.com/foo/bar.git" git_clone_depth = 1 } } diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf b/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf index dfd565b3c49..8b3b78cd725 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf +++ b/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf @@ -93,8 +93,8 @@ resource "aws_instance" "cowrie_server" { tags = { Name = "cowrie", - author = "konstruktoid" - vcs-url = "https://github.com/konstruktoid/ansible-cowrie-rootless" + author = "foo" + vcs-url = "https://github.com/foo/bar" purpose = "honeypot" } } From 5c91dcc8f14c773e1e119cf6260de59c747b79e2 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Mon, 11 Sep 2023 13:56:15 +0100 Subject: [PATCH 058/379] fixed wrong commits --- .../networks_not_set/metadata.json | 10 +++++++ .../dockerCompose/networks_not_set/query.rego | 18 +++++++++++ .../networks_not_set/test/negative1.yaml | 16 ++++++++++ .../networks_not_set/test/positive1.yaml | 14 +++++++++ .../networks_not_set/test/positive2.yaml | 30 +++++++++++++++++++ .../test/positive_expected_result.json | 14 +++++++++ 6 files changed, 102 insertions(+) create mode 100644 assets/queries/dockerCompose/networks_not_set/metadata.json create mode 100644 assets/queries/dockerCompose/networks_not_set/query.rego create mode 100644 assets/queries/dockerCompose/networks_not_set/test/negative1.yaml create mode 100644 assets/queries/dockerCompose/networks_not_set/test/positive1.yaml create mode 100644 assets/queries/dockerCompose/networks_not_set/test/positive2.yaml create mode 100644 assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json diff --git a/assets/queries/dockerCompose/networks_not_set/metadata.json b/assets/queries/dockerCompose/networks_not_set/metadata.json new file mode 100644 index 00000000000..3f0f79b3ae8 --- /dev/null +++ b/assets/queries/dockerCompose/networks_not_set/metadata.json @@ -0,0 +1,10 @@ +{ + "id": "ce14a68b-1668-41a0-ab7d-facd9f784742", + "queryName": "Networks Not Set", + "severity": "MEDIUM", + "category": "Networking and Firewall", + "descriptionText": "Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.", + "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#networks", + "platform": "DockerCompose", + "descriptionID": "3743a217" +} diff --git a/assets/queries/dockerCompose/networks_not_set/query.rego b/assets/queries/dockerCompose/networks_not_set/query.rego new file mode 100644 index 00000000000..dbcd4a3b418 --- /dev/null 
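Review bot: The user-facing `descriptionText` in the new metadata.json has two typos (`dockers` → `Docker's`, `bewteen` → `between`) and, as far as Compose semantics go, a misstatement: a service with no `networks` key is attached to the project's own default network (`<project>_default`), not to the engine's `docker0` bridge, so the actual risk is that every service of the project lands on one flat network where any container can reach any other. Suggested wording: `"Setting networks in services ensures you are not using the project's default network, which is shared between all services and lets every container reach every other one."` The `descriptionUrl` already points at the Compose networks reference, which matches that wording.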
+++ b/assets/queries/dockerCompose/networks_not_set/query.rego @@ -0,0 +1,18 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + resource := input.document[i] + service_parameters := resource.services[name] + not common_lib.valid_key(service_parameters, "networks") + + result := { + "documentId": sprintf("%s", [resource.id]), + "searchKey": sprintf("services.%s",[name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("There should be a network declared for the service '%s'", [name]), + "keyActualValue": sprintf("There is no network declared for the service '%s'", [name]), + "searchLine": common_lib.build_search_line(["services", name], []), + } +} diff --git a/assets/queries/dockerCompose/networks_not_set/test/negative1.yaml b/assets/queries/dockerCompose/networks_not_set/test/negative1.yaml new file mode 100644 index 00000000000..66713f52c82 --- /dev/null +++ b/assets/queries/dockerCompose/networks_not_set/test/negative1.yaml @@ -0,0 +1,16 @@ +version: "3.4" +services: + service-service-service: + build: + context: . + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - no-new-privileges:true + +networks: + service-service-frontend: diff --git a/assets/queries/dockerCompose/networks_not_set/test/positive1.yaml b/assets/queries/dockerCompose/networks_not_set/test/positive1.yaml new file mode 100644 index 00000000000..eb6a42ab6fc --- /dev/null +++ b/assets/queries/dockerCompose/networks_not_set/test/positive1.yaml @@ -0,0 +1,14 @@ +version: '2.2' + +volumes: + front_build: + +services: + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + pids_limit: 10 + cpus: 0.25 + mem_limit: 500M diff --git a/assets/queries/dockerCompose/networks_not_set/test/positive2.yaml b/assets/queries/dockerCompose/networks_not_set/test/positive2.yaml new file mode 100644 index 00000000000..826bdee1881 --- /dev/null 
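Review bot: `not common_lib.valid_key(service_parameters, "networks")` flags every service without a `networks` key, but a service declared with `network_mode: host`, `none`, `service:<name>` or `container:<name>` is not on the default network either and cannot carry `networks` (Compose rejects both together), so those services become false positives. Only an absent `network_mode` or `network_mode: bridge` actually leaves the service on the default bridge, which a small helper can express without cluttering the rule body; sketched below, to be confirmed against how the Compose parser exposes `network_mode`. Separately, `sprintf("%s", [resource.id])` is a no-op wrapper — `"documentId": resource.id,` is what the other queries in this series use.

```rego
CxPolicy[result] {
	resource := input.document[i]
	service_parameters := resource.services[name]
	on_default_network(service_parameters)

	# … unchanged: result object …
}

# No explicit networks and no network_mode: Compose attaches the service to the default network.
on_default_network(service) {
	not common_lib.valid_key(service, "networks")
	not common_lib.valid_key(service, "network_mode")
}

# network_mode: bridge is the default bridge spelled out explicitly.
on_default_network(service) {
	not common_lib.valid_key(service, "networks")
	service.network_mode == "bridge"
}
```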
+++ b/assets/queries/dockerCompose/networks_not_set/test/positive2.yaml @@ -0,0 +1,30 @@ +version: '2.2' + +services: + service-service-service: + build: + context: . + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - no-new-privileges:true + + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + pids_limit: 10 + cpus: 0.25 + mem_limit: 500M + +networks: + service-service-frontend: + +volumes: + front_build: + diff --git a/assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json new file mode 100644 index 00000000000..140e11ee12a --- /dev/null +++ b/assets/queries/dockerCompose/networks_not_set/test/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "Networks Not Set", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml" + }, + { + "queryName": "Networks Not Set", + "severity": "MEDIUM", + "line": 16, + "filename": "positive2.yaml" + } +] From 54d7ae914d1ef914d1fc7035e70bb959263299c1 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Mon, 11 Sep 2023 20:13:42 +0100 Subject: [PATCH 059/379] fixed category --- assets/queries/cicd/github/unsecured_commands/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/cicd/github/unsecured_commands/metadata.json b/assets/queries/cicd/github/unsecured_commands/metadata.json index 34ec8fc2a21..4ba71545e45 100644 --- a/assets/queries/cicd/github/unsecured_commands/metadata.json +++ b/assets/queries/cicd/github/unsecured_commands/metadata.json 
@@ -2,7 +2,7 @@ "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453", "queryName": "Unsecured Commands", "severity": "MEDIUM", - "category": "Insecured Configurations", + "category": "Insecure Configurations", "descriptionText": "There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.", "descriptionUrl": "https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-the-events-related-to-incoming-prs", "platform": "CICD", From 668b1892bfbbd0e75f2c6f8569631a3f2a4cb44c Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Wed, 13 Sep 2023 14:12:21 +0100 Subject: [PATCH 060/379] added new settings of latest update to the query --- .../metadata.json | 2 +- .../mssql_server_auditing_disabled/query.rego | 10 +++-- .../test/negative2.tf | 38 +++++++++++++++++++ .../test/negative3.tf | 38 +++++++++++++++++++ 4 files changed, 84 insertions(+), 4 deletions(-) create mode 100644 assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf create mode 100644 assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json index 1c262c3c870..edbdd842ed0 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Observability", "descriptionText": "Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy", "platform": "Terraform", "descriptionID": "f0be3ea8", "cloudProvider": "azure" diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego index 2db9050ed07..b19c35092d8 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego @@ -3,14 +3,18 @@ package Cx import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.azurerm_mssql_server[name] + resource := input.document[i].resource + + server:= resource.azurerm_mssql_server[name] + + not server.extended_auditing_policy - not resource.extended_auditing_policy + not resource.azurerm_mssql_server_extended_auditing_policy result := { "documentId": input.document[i].id, "resourceType": "azurerm_mssql_server", - "resourceName": tf_lib.get_resource_name(resource, name), + "resourceName": tf_lib.get_resource_name(server, name), "searchKey": sprintf("azurerm_mssql_server[%s]", [name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'azurerm_mssql_server.%s.extended_auditing_policy' should exist", [name]), diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf new file mode 100644 index 00000000000..a7303d60b11 --- /dev/null +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf 
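Review bot: The new `descriptionUrl` points at the `mssql_database_extended_auditing_policy` resource page, while the query (in this commit and in the follow-up that rewrites it) looks for `azurerm_mssql_server_extended_auditing_policy`, so the remediation page a user is sent to describes the database-level resource rather than the server-level one the check expects; `"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_extended_auditing_policy",` matches the query. In the query.rego hunk, `server:= resource.azurerm_mssql_server[name]` is missing the space before `:=` and that line survives into the final version of the file; `server := resource.azurerm_mssql_server[name]` keeps it consistent with the `resource :=` assignment just above it.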
@@ -0,0 +1,38 @@ +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_mssql_server" "negative1" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } +} + +resource "azurerm_mssql_database" "example" { + name = "example-db" + server_id = azurerm_mssql_server.example.id +} + +resource "azurerm_storage_account" "example" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf new file mode 100644 index 00000000000..6cd3a2c8393 --- /dev/null +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf 
@@ -0,0 +1,38 @@ +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_mssql_server" "negative1" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" +} + +resource "azurerm_mssql_database" "example" { + name = "example-db" + server_id = azurerm_mssql_server.example.id +} + +resource "azurerm_storage_account" "example" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_mssql_server_extended_auditing_policy" "example" { + database_id = azurerm_mssql_database.example.id + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = false + retention_in_days = 6 +} \ No newline at end of file From cbb2087996bee0dee1f92814bcf2e33f7c16c50f Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Wed, 13 Sep 2023 15:42:31 +0100 Subject: [PATCH 061/379] removed older version support --- .../mssql_server_auditing_disabled/query.rego | 8 ++-- .../test/negative.tf | 39 +++++++++++++++---- .../test/negative2.tf | 38 ------------------ .../test/negative3.tf | 38 ------------------ 4 files changed, 34 insertions(+), 89 deletions(-) delete mode 100644 assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf delete mode 100644 assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf 
diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego index b19c35092d8..a7fb413d6fd 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego @@ -7,9 +7,7 @@ CxPolicy[result] { server:= resource.azurerm_mssql_server[name] - not server.extended_auditing_policy - - not resource.azurerm_mssql_server_extended_auditing_policy + not resource.azurerm_mssql_server_extended_auditing_policy[name] result := { "documentId": input.document[i].id, @@ -17,7 +15,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(server, name), "searchKey": sprintf("azurerm_mssql_server[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'azurerm_mssql_server.%s.extended_auditing_policy' should exist", [name]), - "keyActualValue": sprintf("'azurerm_mssql_server.%s.extended_auditing_policy' does not exist", [name]), + "keyExpectedValue": sprintf("'azurerm_mssql_server_extended_auditing_policy' resource should exist", [name]), + "keyActualValue": sprintf("'azurerm_mssql_server_extended_auditing_policy' resource does not exist", [name]), } } diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative.tf b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative.tf index e15acd4455f..5a5f5041557 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative.tf +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative.tf 
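Review bot: `not resource.azurerm_mssql_server_extended_auditing_policy[name]` ties the check to the Terraform label rather than to the link between the two resources: a server labelled `prod` audited by a policy labelled `audit` is reported as unaudited, and a policy labelled `prod` that points at a different server silences the finding. The auditing policy references its server through `server_id`, so the lookup should follow that reference; the rewritten negative.tf fixture passes only because both blocks are labelled `example` (and it sets `database_id`, which belongs to `azurerm_mssql_database_extended_auditing_policy` — the server-level resource takes `server_id`). A helper is sketched below; how KICS renders the `azurerm_mssql_server.example.id` reference as a string should be confirmed, which is why `contains` is used rather than an exact comparison. The two message `sprintf` calls also still pass `[name]` although no `%s` is left in the format; OPA's `sprintf` is backed by Go's fmt, so the surplus argument will most likely show up as a `%!(EXTRA string=…)` suffix in the finding — either drop the argument list or keep a placeholder, e.g. `"keyExpectedValue": sprintf("'azurerm_mssql_server_extended_auditing_policy' referencing 'azurerm_mssql_server.%s' should exist", [name]),`.

```rego
CxPolicy[result] {
	resource := input.document[i].resource
	server := resource.azurerm_mssql_server[name]
	not has_server_auditing_policy(resource, name)

	# … unchanged: result object …
}

# True when some azurerm_mssql_server_extended_auditing_policy in the same document
# references this server by address, independent of the labels the two blocks carry.
has_server_auditing_policy(resource, name) {
	policy := resource.azurerm_mssql_server_extended_auditing_policy[_]
	contains(policy.server_id, sprintf("azurerm_mssql_server.%s.", [name]))
}
```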
@@ -1,15 +1,38 @@ -resource "azurerm_mssql_server" "negative1" { +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_mssql_server" "example" { name = "mssqlserver" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location version = "12.0" administrator_login = "mradministrator" administrator_login_password = "thisIsDog11" +} + +resource "azurerm_mssql_database" "example" { + name = "example-db" + server_id = azurerm_mssql_server.example.id +} + +resource "azurerm_storage_account" "example" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} - extended_auditing_policy { - storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint - storage_account_access_key = azurerm_storage_account.example.primary_access_key - storage_account_access_key_is_secondary = true - retention_in_days = 90 - } -} \ No newline at end of file +resource "azurerm_mssql_server_extended_auditing_policy" "example" { + database_id = azurerm_mssql_database.example.id + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = false + retention_in_days = 6 +} diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf deleted file mode 100644 index a7303d60b11..00000000000 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative2.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "example" { - name = "example-resources" - location = "West Europe" -} - -resource "azurerm_mssql_server" "negative1" { - name = "mssqlserver" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - version = "12.0" - administrator_login = "mradministrator" - administrator_login_password = "thisIsDog11" - - extended_auditing_policy { - storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint - storage_account_access_key = azurerm_storage_account.example.primary_access_key - storage_account_access_key_is_secondary = true - retention_in_days = 90 - } -} - -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id -} - -resource "azurerm_storage_account" "example" { - name = "examplesa" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - account_tier = "Standard" - account_replication_type = "LRS" -} - diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf deleted file mode 100644 index 6cd3a2c8393..00000000000 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative3.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -provider "azurerm" { - features {} -} - -resource "azurerm_resource_group" "example" { - name = "example-resources" - location = "West Europe" -} - -resource "azurerm_mssql_server" "negative1" { - name = "mssqlserver" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - version = "12.0" - administrator_login = "mradministrator" - administrator_login_password = "thisIsDog11" -} - -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id -} - -resource "azurerm_storage_account" "example" { - name = "examplesa" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - account_tier = "Standard" - account_replication_type = "LRS" -} - -resource "azurerm_mssql_server_extended_auditing_policy" "example" { - database_id = azurerm_mssql_database.example.id - storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint - storage_account_access_key = azurerm_storage_account.example.primary_access_key - storage_account_access_key_is_secondary = false - retention_in_days = 6 -} \ No newline at end of file From ea269a40b2a36025dac2d23790610b141b9722a6 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Thu, 14 Sep 2023 18:27:41 +0100 Subject: [PATCH 062/379] added tests --- .../test/negative1.yaml | 9 +++++++++ .../test/positive1.yaml | 11 ++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml index ad3e2a027a7..919df60c202 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml 
@@ -9,4 +9,13 @@ - name: become from higher scope ansible.builtin.command: whoamyou + changed_when: false + +--- +- hosts: localhost + tasks: + - name: become from the same scope + ansible.builtin.command: whoami + become: true + become_user: postgres changed_when: false \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml index 4ac7d16dd62..4aa187afadf 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml @@ -26,4 +26,13 @@ ansible.builtin.command: ls . - name: Sample become_user become_user: postgres - ansible.builtin.command: ls . \ No newline at end of file + ansible.builtin.command: ls . + +--- +- hosts: localhost + tasks: + - name: become_user without become task + ansible.builtin.command: whoami + become_user: postgres + become: false + changed_when: false \ No newline at end of file From 169ba63f25fb08ae0e5c83075acf524bec896c51 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Thu, 14 Sep 2023 18:27:49 +0100 Subject: [PATCH 063/379] expected results --- .../test/positive_expected_result.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 20b42c3dfeb..0b216c98022 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json 
@@ -16,5 +16,11 @@ "severity": "MEDIUM", "line": 28, "fileName": "positive1.yaml" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 37, + "fileName": "positive1.yaml" } ] \ No newline at end of file From 7c68c2c15363f44cd69e9bc50719786e420dbcf5 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Thu, 14 Sep 2023 19:05:00 +0100 Subject: [PATCH 064/379] fixed tests --- .../test/positive1.yaml | 4 ++-- .../test/positive_expected_result.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml index 4aa187afadf..192fd7250e4 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml @@ -31,8 +31,8 @@ --- - hosts: localhost tasks: - - name: become_user without become task + - name: become_user with become task as false ansible.builtin.command: whoami - become_user: postgres + become_user: mongodb become: false changed_when: false \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 0b216c98022..be9edafa251 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -20,7 +20,7 @@ { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 37, + "line": 36, "fileName": "positive1.yaml" } ] \ No newline at end of file 
From ae60adb5c9f3a1cc0dc03566a9228ac43c30ebe3 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Thu, 14 Sep 2023 19:09:44 +0100 Subject: [PATCH 065/379] fixed test and query --- .../general/logging_of_sensitive_data/query.rego | 2 +- .../logging_of_sensitive_data/test/positive2.yaml | 13 +++++++++++++ .../test/positive_expected_result.json | 6 ++++++ 3 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 assets/queries/ansible/general/logging_of_sensitive_data/test/positive2.yaml diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego index 445f34f0095..711771ec240 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego +++ b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": id, "resourceName": task.name, "resourceType": "ansible.builtin.user", - "searchKey": sprintf("name={{%s}}.password={{%s}}", [task.name, action.password]), + "searchKey": sprintf("name={{%s}}", [task.name, action.password]), "issueType": "MissingAttribute", "keyExpectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", "keyActualValue": "'no_log' is set to false", diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive2.yaml b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive2.yaml new file mode 100644 index 00000000000..3dcd8a7e36e --- /dev/null +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive2.yaml @@ -0,0 +1,13 @@ +--- +- name: Positive Playbook + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + password: "{{ item }}" + with_items: + - wow \ No newline at end of file 
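Review bot: The new `searchKey` format string carries a single `%s` verb, but the argument list on the same line is still `[task.name, action.password]`; Rego's `sprintf` follows Go formatting, so the surplus value is very likely appended as `%!(EXTRA …)` and the password text still ends up in the finding, which dropping it from the format string appears meant to prevent. Remove the second argument: `"searchKey": sprintf("name={{%s}}", [task.name]),`. Keeping credential values out of searchKey matters because scan results are usually stored and shared more widely than the playbook that holds them. The enclosing rule starts before the hunk.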
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index ff77a3d7654..933fd9e5bf3 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -4,5 +4,11 @@ "severity": "LOW", "line": 14, "fileName": "positive1.yaml" + }, + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 11, + "fileName": "positive2.yaml" } ] \ No newline at end of file From 627079dd4e36e5c34c9d3a9104caf1b68176c6f2 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Thu, 14 Sep 2023 19:26:22 +0100 Subject: [PATCH 066/379] fixed query and expected result --- .../ansible/general/logging_of_sensitive_data/query.rego | 2 +- .../test/positive_expected_result.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego index 711771ec240..8f2a1fc3de2 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego +++ b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": id, "resourceName": task.name, "resourceType": "ansible.builtin.user", - "searchKey": sprintf("name={{%s}}", [task.name, action.password]), + "searchKey": sprintf("name={{%s}}", [task.name]), "issueType": "MissingAttribute", "keyExpectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", "keyActualValue": "'no_log' is set to false", 
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index 933fd9e5bf3..fd7f628c92d 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -8,7 +8,7 @@ { "queryName": "Logging of Sensitive Data", "severity": "LOW", - "line": 11, + "line": 5, "fileName": "positive2.yaml" } ] \ No newline at end of file From d17dd9311b5d6f4b26837aa3afc42ae38de80c57 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Thu, 14 Sep 2023 19:44:29 +0100 Subject: [PATCH 067/379] fixed query --- .../privilege_escalation_using_become_plugin/query.rego | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego index 3924fdb8160..16732411f5c 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego @@ -17,6 +17,8 @@ CxPolicy[result] { result := { "documentId": id, + "resourceType": "n/a", + "resourceName": "n/a", "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]), @@ -33,6 +35,8 @@ CxPolicy[result] { result := { "documentId": id, + "resourceType": "n/a", + "resourceName": "n/a", "searchKey": sprintf("become_user={{%s}}", [input.document[i].playbooks[j].become_user]), "issueType": "MissingAttribute", "keyExpectedValue": "'become' should be defined and set to 'true'", 
From d6631047a9ccdd9ce6ef77b2ae20bb9b1032679d Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 15 Sep 2023 12:22:38 +0100 Subject: [PATCH 068/379] fixed query and tests --- .../query.rego | 38 +++++++------------ .../test/negative1.yaml | 8 +--- .../test/positive1.yaml | 34 ++++++++++++++--- .../test/positive_expected_result.json | 18 +++++++-- 4 files changed, 59 insertions(+), 39 deletions(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego index 16732411f5c..b5960227d7a 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego 
@@ -4,49 +4,37 @@ import data.generic.ansible as ansLib import data.generic.common as commonLib CxPolicy[result] { - become_exists := object.get(input.document[i].playbooks[_], "become", false) + playbook := input.document[i].playbooks[_] + become_exists := object.get(playbook, "become", false) become_exists == false - - task := ansLib.tasks[id][t] - input.document[i].id == id - - commonLib.valid_key(task, "become_user") - - b_exists := object.get(task, "become", false) - b_exists == false + commonLib.valid_key(playbook, "become_user") result := { - "documentId": id, + "documentId": input.document[i].id, "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]), + "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [playbook.name, playbook.become_user]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]), + "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]), "keyActualValue": "'become' is not defined", } } CxPolicy[result] { - commonLib.valid_key(input.document[i].playbooks[j], "become_user") + task := ansLib.tasks[id][t] - tasks := ansLib.tasks[id] - - count([x | x := check_become(tasks, id); x == true]) == 0 + become_exists := object.get(task, "become", false) + become_exists == false + commonLib.valid_key(task, "become_user") + result := { "documentId": id, "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("become_user={{%s}}", [input.document[i].playbooks[j].become_user]), + "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]), "issueType": "MissingAttribute", - "keyExpectedValue": "'become' should be defined and set to 'true'", + "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an 
action with %s", [task.become_user]), "keyActualValue": "'become' is not defined", } -} - -check_become(tasks, id){ - input.document[i].id == id - task := tasks[i] - not commonLib.valid_key(task, "become_user") - object.get(task, "become", false) == false } \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml index 919df60c202..b8d778db239 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml @@ -1,13 +1,9 @@ --- - hosts: localhost become_user: postgres + become: true tasks: - - name: become from a lower scope - ansible.builtin.command: whoami - become: false - changed_when: false - - - name: become from higher scope + - name: some task ansible.builtin.command: whoamyou changed_when: false diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml index 192fd7250e4..8d6b9062ddb 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml @@ -1,7 +1,7 @@ --- - hosts: localhost name: become_user without become - become_user: root + become_user: bar tasks: - name: Simple hello 
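Review bot: The rewritten task-level rule evaluates each task in isolation, so a task that sets `become_user` under a play or block that already carries `become: true` is reported even though Ansible inherits `become` from the enclosing scope; the `become from higher scope` fixture deleted from `negative1.yaml` in this same commit was the case that covered it, and the four split rules in PATCH 075 (its `@@ -5,27 +5,55 @@` hunk) keep the same gap. Rather than dropping that fixture, a helper that resolves `become` from the task first and then from its play (and block, if `ansLib.tasks` exposes that chain — it is not visible here) would let the task rule fire only when no enclosing scope enables it. The play-level rule is unaffected, since a play has no outer scope to inherit from. Both rules are fully contained in the hunk.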
@@ -10,22 +10,38 @@ --- - hosts: localhost + name: become_user with become false + become_user: root + become: false + tasks: - - name: become_user without become task - ansible.builtin.command: whoami - become_user: postgres - changed_when: false + - name: Simple hello + ansible.builtin.debug: + msg: hello --- - hosts: localhost tasks: - name: become and become_user on different tasks + block: + - name: Sample become + become: true + ansible.builtin.command: ls . + - name: Sample become_user + become_user: foo + ansible.builtin.command: ls . + +--- +- hosts: localhost + tasks: + - name: become false block: - name: Sample become become: true ansible.builtin.command: ls . - name: Sample become_user become_user: postgres + become: false ansible.builtin.command: ls . --- @@ -35,4 +51,12 @@ ansible.builtin.command: whoami become_user: mongodb become: false + changed_when: false + +--- +- hosts: localhost + tasks: + - name: become_user without become + ansible.builtin.command: whoami + become_user: mysql changed_when: false \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index be9edafa251..c7543c86eb0 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json 
@@ -8,19 +8,31 @@ { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 16, + "line": 14, "fileName": "positive1.yaml" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 28, + "line": 31, "fileName": "positive1.yaml" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 36, + "line": 43, + "fileName": "positive1.yaml" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 52, + "fileName": "positive1.yaml" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 61, "fileName": "positive1.yaml" } ] \ No newline at end of file From c93d34746a359e25ea146229e4f0a45859aeb014 Mon Sep 17 00:00:00 2001 From: jeremypetit-grtgaz <56118973+jeremypetit-grtgaz@users.noreply.github.com> Date: Tue, 5 Sep 2023 13:04:08 +0200 Subject: [PATCH 069/379] fix(security): Critical CVEs in terraform and terraform-provider-azurerm fixes CRITICAL CVEs identified with trivy: in root/.terraform.d/plugins/linux_amd64/terraform-provider-azurerm_v2.95.0_x5 - CVE-2022-26945 (github.com/hashicorp/go-getter) in usr/bin/terraform: - CVE-2021-4238 (github.com/Masterminds/goutils) - CVE-2022-26945 (github.com/hashicorp/go-getter) --- Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index c63a80ed6dc..ce15d04637d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -44,16 +44,16 @@ Run apk update --no-cache \ git~=2.40 # Install Terraform and Terraform plugins -RUN wget https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip \ - && unzip terraform_1.3.9_linux_amd64.zip && rm terraform_1.3.9_linux_amd64.zip \ +RUN wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip \ + && unzip terraform_1.5.6_linux_amd64.zip && rm terraform_1.5.6_linux_amd64.zip \ && mv terraform /usr/bin/terraform \ - && wget https://releases.hashicorp.com/terraform-provider-azurerm/3.18.0/terraform-provider-azurerm_3.18.0_linux_amd64.zip \ + && wget https://releases.hashicorp.com/terraform-provider-azurerm/3.71.0/terraform-provider-azurerm_3.71.0_linux_amd64.zip \ && wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip \ && wget https://releases.hashicorp.com/terraform-provider-google/4.32.0/terraform-provider-google_4.32.0_linux_amd64.zip \ - && unzip terraform-provider-azurerm_3.18.0_linux_amd64.zip && rm terraform-provider-azurerm_3.18.0_linux_amd64.zip\ + && unzip terraform-provider-azurerm_3.71.0_linux_amd64.zip && rm terraform-provider-azurerm_3.71.0_linux_amd64.zip\ && unzip terraform-provider-google_4.32.0_linux_amd64.zip && rm terraform-provider-google_4.32.0_linux_amd64.zip \ && unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip \ - && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.18.0_x5 ~/.terraform.d/plugins/linux_amd64 + && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.71.0_x5 ~/.terraform.d/plugins/linux_amd64 # Install Terraformer RUN wget 
https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.22/terraformer-all-linux-amd64 \ From fd135075f8b707d2bf41bc09c27bd97fc07b9355 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 15 Sep 2023 14:40:53 +0100 Subject: [PATCH 070/379] query fixed --- .../ansible/config/logging_of_sensitive_data/metadata.json | 2 +- .../ansible/config/logging_of_sensitive_data/query.rego | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json index 81356007fa3..0510840411b 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json +++ b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json @@ -1,6 +1,6 @@ { "id": "c6473dae-8477-4119-88b7-b909b435ce7b", - "queryName": "Logging of sensitive data", + "queryName": "Logging of Sensitive Data", "severity": "LOW", "category": "Best Practices", "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True", diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/query.rego b/assets/queries/ansible/config/logging_of_sensitive_data/query.rego index 84075dd7842..4b32ceeec49 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data/query.rego +++ b/assets/queries/ansible/config/logging_of_sensitive_data/query.rego @@ -11,6 +11,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": "defaults", "issueType": "IncorrectValue", + "resourceType": "n/a", + "resourceName": "n/a", "keyExpectedValue": "no_log should be defined and set to 'true'", "keyActualValue": "no_log is not defined", } 
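Review bot: The bumped Terraform and provider archives are still fetched with a bare `wget` and unpacked with no integrity check, so the CVE remediation rests entirely on whatever the download returns at build time. HashiCorp publishes a `terraform_1.5.6_SHA256SUMS` file (and a `.sig` for it) next to each release; verifying before `unzip` fits in the same `RUN` chain: `&& wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_SHA256SUMS \` followed by `&& grep ' terraform_1.5.6_linux_amd64.zip$' terraform_1.5.6_SHA256SUMS | sha256sum -c - \`. The three provider zips ship their own `_SHA256SUMS` files and the terraformer binary bumped in PATCH 074 has release checksums too, so the same two-line pattern applies to each. `sha256sum -c` is available from busybox on the Alpine base implied by the `apk` call at the top of the hunk.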
@@ -25,6 +27,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": "defaults.no_log", "issueType": "IncorrectValue", + "resourceType": "n/a", + "resourceName": "n/a", "keyExpectedValue": "no_log should be set to 'true'", "keyActualValue": "no_log is set to 'false'", } From 8d7baf2f7c2711fdd08e6b997b58ac4cfa4b74ee Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 15 Sep 2023 15:10:19 +0100 Subject: [PATCH 071/379] fixed actual values --- .../ansible/general/logging_of_sensitive_data/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego index 8f2a1fc3de2..d1040f7585b 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego +++ b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}", [task.name]), "issueType": "MissingAttribute", "keyExpectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", - "keyActualValue": "'no_log' is set to false", + "keyActualValue": "'no_log' is not defined", } } @@ -37,6 +37,6 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.no_log", [task.name]), "issueType": "IncorrectValue", "keyExpectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", - "keyActualValue": "'no_log' is not defined", + "keyActualValue": "'no_log' is set to false", } } \ No newline at end of file From 68fd8e84a5bf786bfabc1a338ff02feceeeb46b3 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 15 Sep 2023 16:08:39 +0100 Subject: [PATCH 072/379] fix actual value --- .../privilege_escalation_using_become_plugin/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego index b5960227d7a..a6c5da9fb5b 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [playbook.name, playbook.become_user]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]), - "keyActualValue": "'become' is not defined", + "keyActualValue": "'become' is not defined or is set to 'false'", } } @@ -35,6 +35,6 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]), - "keyActualValue": "'become' is not defined", + "keyActualValue": "'become' is not defined or is set to 'false'", } } \ No newline at end of file From 11bed4fd0b862f83ab9258f39dbbfac6be1571d5 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Fri, 15 Sep 2023 16:24:51 +0100 Subject: [PATCH 073/379] fixed extension --- .../test/{negative1.yml => negative1.yaml} | 0 .../test/{positive1.yml => positive1.yaml} | 0 .../test/positive_expected_result.json | 4 ++-- 3 files changed, 2 insertions(+), 2 deletions(-) rename assets/queries/ansible/general/insecure_relative_path_resolution/test/{negative1.yml => negative1.yaml} (100%) rename assets/queries/ansible/general/insecure_relative_path_resolution/test/{positive1.yml => positive1.yaml} (100%) 
diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yml b/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml similarity index 100% rename from assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yml rename to assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yml b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yaml similarity index 100% rename from assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yml rename to assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yaml diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index dfc540890b6..d18625872a6 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json @@ -3,12 +3,12 @@ "queryName": "Insecure Relative Path Resolution", "severity": "LOW", "line": 7, - "fileName": "positive1.yml" + "fileName": "positive1.yaml" }, { "queryName": "Insecure Relative Path Resolution", "severity": "LOW", "line": 12, - "fileName": "positive1.yml" + "fileName": "positive1.yaml" } ] From 541375d33080b37de2581d2102ae1b9c2073bbb3 Mon Sep 17 00:00:00 2001 From: jeremypetit-grtgaz <56118973+jeremypetit-grtgaz@users.noreply.github.com> Date: Fri, 15 Sep 2023 18:02:30 +0200 Subject: [PATCH 074/379] fix: bump terraformer from 0.8.22 to 0.8.24 fixes critical vulnerabilities on terraformer --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile b/Dockerfile index ce15d04637d..b79e429be81 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,7 +56,7 @@ RUN wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_am && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.71.0_x5 ~/.terraform.d/plugins/linux_amd64 # Install Terraformer -RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.22/terraformer-all-linux-amd64 \ +RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.24/terraformer-all-linux-amd64 \ && chmod +x terraformer-all-linux-amd64 \ && mv terraformer-all-linux-amd64 /usr/bin/terraformer From a152308f4b622a89b0957f8e7630c6d197fdaa8e Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 16 Sep 2023 11:40:16 +0100 Subject: [PATCH 075/379] FIX QUERY --- .../query.rego | 44 +++++++++++++++---- .../test/positive_expected_result.json | 6 +-- 2 files changed, 39 insertions(+), 11 deletions(-) diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego index a6c5da9fb5b..2b47c1c39b0 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego 
@@ -5,27 +5,55 @@ import data.generic.common as commonLib CxPolicy[result] { playbook := input.document[i].playbooks[_] - become_exists := object.get(playbook, "become", false) - become_exists == false + playbook.become == false commonLib.valid_key(playbook, "become_user") result := { "documentId": input.document[i].id, "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [playbook.name, playbook.become_user]), + "searchKey": "become", "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]), - "keyActualValue": "'become' is not defined or is set to 'false'", + "keyActualValue": "'become' is set to 'false'", + } +} + +CxPolicy[result] { + playbook := input.document[i].playbooks[_] + not commonLib.valid_key(playbook, "become") + commonLib.valid_key(playbook, "become_user") + + result := { + "documentId": input.document[i].id, + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": sprintf("become_user={{%s}}", [playbook.become_user]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]), + "keyActualValue": "'become' is not defined", } } CxPolicy[result] { task := ansLib.tasks[id][t] + task.become == false + commonLib.valid_key(task, "become_user") + + result := { + "documentId": id, + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": sprintf("name={{%s}}.become_user={{%s}}.become", [task.name, task.become_user]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'become' should be to 'true' in order to perform an action with %s", [task.become_user]), + "keyActualValue": "'become' is set to 'false'", + } +} - become_exists := object.get(task, "become", false) - become_exists == false - +CxPolicy[result] { + task := ansLib.tasks[id][t] + not 
commonLib.valid_key(task, "become") commonLib.valid_key(task, "become_user") result := { @@ -35,6 +63,6 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]), - "keyActualValue": "'become' is not defined or is set to 'false'", + "keyActualValue": "'become' is not defined", } } \ No newline at end of file diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index c7543c86eb0..9f87ac0816f 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json @@ -8,7 +8,7 @@ { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 14, + "line": 15, "fileName": "positive1.yaml" }, { @@ -20,13 +20,13 @@ { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 43, + "line": 44, "fileName": "positive1.yaml" }, { "queryName": "Privilege Escalation Using Become Plugin", "severity": "MEDIUM", - "line": 52, + "line": 53, "fileName": "positive1.yaml" }, { From d2d92d22a749861f27576e62f32ced8d62993c0a Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Mon, 18 Sep 2023 10:55:29 +0100 Subject: [PATCH 076/379] fixed query --- .../general/risky_file_permissions/query.rego | 7 +++-- .../test/positive1.yaml | 19 ------------- .../test/positive_expected_result.json | 28 ++++++------------- 3 files changed, 13 insertions(+), 41 deletions(-) 
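Review bot: The third rule's `keyExpectedValue` reads `'become' should be to 'true' in order …`, dropping the verb that the other three rules use; align it so the four messages differ only in scope: `"keyExpectedValue": sprintf("'become' should be set to 'true' in order to perform an action with %s", [task.become_user]),`. Separately, the first rule's `searchKey` is now the bare literal `"become"`, so in a file with several plays the finding no longer says which play it belongs to, whereas the second rule keeps `become_user={{%s}}`; qualifying it the same way would keep the two play-level findings locatable. The fourth rule's body continues past the first hunk into the `@@ -35,6 +63,6 @@` hunk.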
diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego index 1bae4c84aa0..5ad81acdbfa 100644 --- a/assets/queries/ansible/general/risky_file_permissions/query.rego +++ b/assets/queries/ansible/general/risky_file_permissions/query.rego @@ -27,7 +27,7 @@ CxPolicy[result] { task := ansLib.tasks[id][_] modules := [ "archive", "community.general.archive", "assemble", "ansible.builtin.assemble", "copy", "ansible.builtin.copy", "file", "ansible.builtin.file", - "get_url", "ansible.builtin.get_url", "ansible.builtin.replace", "template", "ansible.builtin.template", + "get_url", "ansible.builtin.get_url", "template", "ansible.builtin.template", ] action := task[modules[m]] @@ -67,8 +67,8 @@ CxPolicy[result] { "ansible.builtin.lineinfile": false, } - bool := modules[m] action := task[m] + bool := modules[m] object.get(action, "create", bool) == true result := { @@ -85,4 +85,7 @@ CxPolicy[result] { file_module(action, module_name){ module_name == "file" object.get(action, "state", "file") == "file" +} else { + module_name == "ansible.builtin.file" + object.get(action, "state", "file") == "file" } diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml b/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml index 3ed8a1b73f8..8ad98534ee7 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml @@ -1,22 +1,3 @@ ---- -- name: INI_PRESERVE - tasks: - - name: Ini_file - community.general.ini_file: - path: foo - create: true - mode: preserve - section: bar - ---- -- name: INI_PERMISSION - tasks: - - name: Permissions needed - community.general.ini_file: - path: foo - create: true - section: bar - --- - name: PRESERVE_MODE tasks: 
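Review bot: `file_module` now repeats its whole body in an `else` arm only to accept the FQCN spelling; a set membership on the first line keeps a single clause and is easier to extend when another alias turns up: replace `module_name == "file"` with `{"file", "ansible.builtin.file"}[module_name]` and drop the `else { … }` arm. The removal of `"ansible.builtin.replace"` from the `modules` list in the first hunk is presumably deliberate since the bare `replace` spelling was never listed, but a one-line comment above the list saying which modules are excluded and why would stop the next reader from adding it back. The `ini_file` cases cut from `positive1.yaml` leave that module without any fixture in this directory, as far as the hunk shows.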
diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json index 49dbde13893..4506abb111c 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json @@ -9,60 +9,48 @@ "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 15 + "line": 13 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 24 + "line": 17 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 32 + "line": 25 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 36 + "line": 29 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 44 + "line": 38 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 48 + "line": 46 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 57 + "line": 55 }, { "queryName": "Risky File Permissions", "severity": "INFO", "file": "positive1.yaml", - "line": 65 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 74 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 83 + "line": 64 } ] \ No newline at end of file From f70ee3c10f26ea6067801a3ae01c58c267d5b55b Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 10:24:07 +0100 Subject: [PATCH 077/379] fix expected result and added negative tests --- .../general/risky_file_permissions/query.rego | 2 +- .../test/negative1.yaml | 19 ++++++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) 
diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego index 5ad81acdbfa..2536fea8a6d 100644 --- a/assets/queries/ansible/general/risky_file_permissions/query.rego +++ b/assets/queries/ansible/general/risky_file_permissions/query.rego @@ -78,7 +78,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [m]), - "keyActualValue": sprintf("%s 'create' key is set to 'true' or 'mode' key is not defined", [m]), + "keyActualValue": sprintf("%s 'create' key is set to 'true' and 'mode' key is not defined", [m]), } } diff --git a/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml b/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml index 3113671f282..d82373f8fa6 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml +++ b/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml @@ -80,4 +80,21 @@ ansible.builtin.lineinfile: path: foo create: false - line: some content here \ No newline at end of file + line: some content here + +--- +- name: LINIINFILE_CREATE + tasks: + - name: create is true 2x + lineinfile: + path: foo + line: some content here + mode: "0600" + +--- +- name: PRESERVE_MODE + tasks: + - name: not preserve value + copy: + path: foo + mode: preserve \ No newline at end of file From 172d5f97e5426bd70cd82caa6f5bddb19250a1e3 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 19 Sep 2023 11:03:54 +0100 Subject: [PATCH 078/379] udapte(doc): adding aws cdk integration --- docs/integrations.md | 1 + docs/integrations_aws_cdk.md | 1 + mkdocs.yml | 1 + 3 files changed, 3 insertions(+) create mode 100644 docs/integrations_aws_cdk.md 
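Review bot: The two new negative fixtures are named the opposite of what they contain: `LINIINFILE_CREATE` / "create is true 2x" has no `create` key at all (it is negative because an explicit `mode: "0600"` is set), and `PRESERVE_MODE` / "not preserve value" does set `mode: preserve`. Since these names are what a maintainer sees when a case starts failing, rename them to what they test, e.g. `- name: LINEINFILE_MODE_SET` with `- name: create unset, explicit mode` and `- name: COPY_PRESERVE` with `- name: preserve mode on copy`. `copy` also has no `path` option (its target is `dest`), so unless the query keys only on `mode`, `dest: foo` makes the fixture resemble a real task.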
diff --git a/docs/integrations.md b/docs/integrations.md index ffa2939acd2..29ce50be3c6 100644 --- a/docs/integrations.md +++ b/docs/integrations.md @@ -22,6 +22,7 @@ Integrate KICS with: - [Terraformer](integrations_terraformer.md) - [AWS CodeBuild](integrations_aws_codebuild.md) - [KICS Auto Scanning Extension for Visual Studio Code](integrations_auto_scanning_visual_studio.md) +- [AWS CDK](integrations_aws_cdk.md) - More soon... The pipelines examples can be found in our [GitHub Repository](https://github.com/Checkmarx/kics/tree/master/examples) diff --git a/docs/integrations_aws_cdk.md b/docs/integrations_aws_cdk.md new file mode 100644 index 00000000000..6f604be354d --- /dev/null +++ b/docs/integrations_aws_cdk.md @@ -0,0 +1 @@ +For more details check [here](https://www.npmjs.com/package/@checkmarx/cdk-validator-kics). \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 61782ecab2e..0e19e57c8fd 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -85,6 +85,7 @@ nav: - Terraformer: integrations_terraformer.md - KICS Auto Scanning: integrations_auto_scanning_visual_studio.md - Kuberneter: integrations_kuberneter.md + - AWS CDK: integrations_aws_cdk.md - Project: - Roadmap: roadmap.md - Plans: "https://github.com/Checkmarx/kics/projects" From 1e39e20bd4eedeb01f0489b19e6d262563feb316 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 11:32:09 +0100 Subject: [PATCH 079/379] Update pkg/engine/source/filesystem.go adding error handling to the defer function Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- pkg/engine/source/filesystem.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index 4bbfac285d4..676354f1042 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go 
@@ -257,7 +257,12 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) return nil, err } - defer experimentalQueriesFile.Close() + defer func(experimentalQueriesFile *os.File) { + err := experimentalQueriesFile.Close() + if err != nil { + log.Err(err).Msg("Failed to close experimental queries file") + } + }(experimentalQueriesFile) byteValue, err := io.ReadAll(experimentalQueriesFile) if err != nil { From 189069046ee60e48ae86262b96fdef5b6b7b547c Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 11:35:39 +0100 Subject: [PATCH 080/379] Update docs/commands.md adding suggestion Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- docs/commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/commands.md b/docs/commands.md index fb0de28a2e1..a6d0acc28ac 100644 --- a/docs/commands.md +++ b/docs/commands.md @@ -69,7 +69,7 @@ Flags: possible values: 'high, medium, low, info, trace' --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) - example: 'terraform/databricks' + example: 'terraform:databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info From eab659252d93ba926f769dc9b001897668a818be Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 11:36:25 +0100 Subject: [PATCH 081/379] Update docs/commands.md adding suggestion Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- docs/commands.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index a6d0acc28ac..7a2e8b6a2cb 100644 --- a/docs/commands.md +++ b/docs/commands.md 
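Review bot: The deferred close runs when GetQueries returns, not when the read is done, so the experimental-queries file handle is held for the whole query enumeration that follows; since the file is read in one go on the next line, `byteValue, err := os.ReadFile(s.ExperimentalQueries)` replaces the Open/ReadAll/defer trio and removes the close-error branch altogether. If the defer is kept, the `err :=` inside the closure shadows the `err` tested two lines below, which is easy to misread in review; naming it `closeErr` avoids that. GetQueries begins and ends outside this hunk.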
@@ -67,8 +67,8 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' - --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) + --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma-separated string (platform:cloudProvider or platform) example: 'terraform:databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 From 7d618391747b79b2e72ec17f84bfc832a0067374 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 11:36:57 +0100 Subject: [PATCH 082/379] Update internal/console/assets/scan-flags.json adding suggestion Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- internal/console/assets/scan-flags.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 6618fcde422..3f966f4a06f 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json 
@@ -63,7 +63,7 @@ "flagType": "multiStr", "shorthandFlag": "", "defaultValue": null, - "usage": "includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma separated string, (platform:cloudProvider or platform)\nexample: 'terraform/databricks'\npossible values found in: '/assets/utils/experimental-queries.json'", + "usage": " strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform:cloudProvider or platform)\nexample: 'terraform:databricks'\npossible values found in: '/assets/utils/experimental-queries.json'", "validation": "validateMultiStr" }, "fail-on": { From cfc8c20d87739e1617136c57609712dedc05713e Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 11:37:15 +0100 Subject: [PATCH 083/379] Update e2e/fixtures/assets/scan_help adding suggestion Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- e2e/fixtures/assets/scan_help | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 6e6c04eb0a4..47e5946436f 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -28,9 +28,9 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags - --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) - example: 'terraform/databricks' + --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma-separated string (platform:cloudProvider or platform) + example: 'terraform:databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info From 14b371e93c4d5fa0bbef39f01db90c5981e146c6 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 11:37:35 +0100 Subject: [PATCH 084/379] Update docs/dockerhub.md adding suggestion Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- docs/dockerhub.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index 0a7ed12ffaf..f9b5c87eccc 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md 
@@ -104,9 +104,9 @@ Flags: --exclude-severities strings exclude results by providing the severity of a result can be provided multiple times or as a comma separated string example: 'info,low' - --experimental-queries strings includes experimental queries (queries not yet fully reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma separated string, (platform:cloudProvider or platform) - example: 'terraform/databricks' + --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder + can be provided multiple times or as a comma-separated string (platform:cloudProvider or platform) + example: 'terraform:databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info From 9401b0a5cf545e43e88380d0ff2d840cb6cb7074 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 12:53:42 +0100 Subject: [PATCH 085/379] added negative test --- .../test/negative1.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml b/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml index 8df9513955b..8a5a9918f1c 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml 
@@ -11,4 +11,24 @@ ansible.builtin.copy: src: /home/example/files/foo.conf dest: /etc/foo.conf + mode: "0644" + +--- +- name: Negative Example 2 + hosts: localhost + tasks: + - name: One + ansible.builtin.template: + src: ../example/foo.j2 + dest: /etc/file.conf + mode: "0644" + - name: Two + ansible.builtin.copy: + src: ../example/foo.conf + dest: /etc/foo.conf + mode: "0644" + - name: Three + win_template: + src: ../example/foo2.j2 + dest: /etc/file.conf mode: "0644" \ No newline at end of file From 6ced090a3ba4b52f502c11e0a8e587260f1bd1fb Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 13:45:33 +0100 Subject: [PATCH 086/379] added negative test --- .../test/negative1.yaml | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml b/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml index 1f276e0019b..28059ab169f 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml @@ -11,4 +11,31 @@ password: "{{ item }}" with_items: - wow - no_log: true \ No newline at end of file + no_log: true + +--- +- name: Negative Playbook 2 + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + with_items: + - wow + no_log: false + +--- +- name: Negative Playbook 3 + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + with_items: + - wow \ No newline at end of file From c1b17682a7c6f699798857876614c34a9f6276e1 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 19 Sep 2023 13:47:40 +0100 Subject: [PATCH 087/379] lint fix --- pkg/engine/source/filesystem.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index 0f53e327647..e5c99e79a6e 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -252,15 +252,15 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) experimentalQueriesPaths := make([]string, 0) if s.ExperimentalQueries != "" { - experimentalQueriesFile, err := os.Open(s.ExperimentalQueries) - if err != nil { - return nil, err + experimentalQueriesFile, errOpeningFile := os.Open(s.ExperimentalQueries) + if errOpeningFile != nil { + return nil, errOpeningFile } defer func(experimentalQueriesFile *os.File) { - err := experimentalQueriesFile.Close() - if err != nil { - log.Err(err).Msg("Failed to close experimental queries file") + errClosingFile := experimentalQueriesFile.Close() + if errClosingFile != nil { + log.Err(errClosingFile).Msg("Failed to close experimental queries file") } }(experimentalQueriesFile) From 73c53516099e3a2c7739eb25f39f8de5423751b6 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Tue, 19 Sep 2023 13:53:56 +0100 Subject: [PATCH 088/379] Update pkg/engine/source/filesystem.go adding suggestion regarding if conditions Co-authored-by: cx-henriqueAlvelos <128044259+cx-henriqueAlvelos@users.noreply.github.com> --- pkg/engine/source/filesystem.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index e5c99e79a6e..1c013bfda82 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go 
@@ -307,11 +307,11 @@ func (s *FilesystemSource) iterateSources(experimentalQueriesPaths []string, que cleanPlatformCloudProviderDir, err = filepath.Rel(absQueriesPath, absQueryPathDir) if err == nil && isExperimental(querypathDir, cleanPlatformCloudProviderDir, experimentalQueriesPaths, queryParameters) { queryDirs = append(queryDirs, querypathDir) + } else if err != nil { + return errors.Wrap(err, "Failed to get query relative path") } - } - if err != nil || err1 != nil || err2 != nil { - queryDirs = append(queryDirs, querypathDir) - } + } else { + return errors.Wrap(err, "Failed to get query absolute path") return nil }) if err != nil { From 2955e81969d32de44388dcd690bc958714c1a414 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 19 Sep 2023 13:57:44 +0100 Subject: [PATCH 089/379] fixing code --- pkg/engine/source/filesystem.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index 1c013bfda82..eab3e6b5048 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -312,6 +312,7 @@ func (s *FilesystemSource) iterateSources(experimentalQueriesPaths []string, que } } else { return errors.Wrap(err, "Failed to get query absolute path") + } return nil }) if err != nil { From 7b2d936b5213089be80c3c631a8155b504480f56 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 15:19:00 +0100 Subject: [PATCH 090/379] docs --- assets/utils/experimental-queries.json | 1 + docs/commands.md | 4 ++-- docs/dockerhub.md | 4 ++-- e2e/fixtures/assets/scan_help | 4 ++-- internal/console/assets/scan-flags.json | 2 +- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json index 32960f8ced3..3531cf78179 100644 --- a/assets/utils/experimental-queries.json +++ b/assets/utils/experimental-queries.json @@ -1,2 +1,3 @@ [ + "terraform/alicloud" ] \ No newline at end of file 
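Review bot: The new outer `else` wraps `err`, but that branch is taken when the absolute-path computations fail, and the removed line shows those results are called `err1` and `err2`; `err` at that point is either nil or left over from an earlier iteration. If `errors` is github.com/pkg/errors, `errors.Wrap(nil, …)` returns nil, so the walk silently skips a directory it could not resolve instead of failing. Return the error that actually occurred, e.g. `return errors.Wrap(err1, "Failed to get query absolute path")` (or `err2`, whichever the outer condition — which sits before this hunk — found non-nil). Note that the removed code fail-opened by appending `querypathDir` on any error while the new code aborts the walk; presumably intended, but worth a sentence in the commit message. iterateSources starts and ends outside this hunk.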
diff --git a/docs/commands.md b/docs/commands.md index 9071cae4ed8..ad6f93af765 100644 --- a/docs/commands.md +++ b/docs/commands.md @@ -68,8 +68,8 @@ Flags: example: 'info,low' possible values: 'high, medium, low, info, trace' --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform:cloudProvider or platform) - example: 'terraform:databricks' + can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) + example: 'terraform/databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info diff --git a/docs/dockerhub.md b/docs/dockerhub.md index bd04b415679..6a09fd8865a 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -105,8 +105,8 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform:cloudProvider or platform) - example: 'terraform:databricks' + can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) + example: 'terraform/databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 47e5946436f..ce0b2447cfb 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -29,8 +29,8 @@ Flags: (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform:cloudProvider or platform) - example: 'terraform:databricks' + can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) + example: 'terraform/databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 3f966f4a06f..4ddb785c4c7 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -63,7 +63,7 @@ "flagType": "multiStr", "shorthandFlag": "", "defaultValue": null, - "usage": " strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform:cloudProvider or platform)\nexample: 'terraform:databricks'\npossible values found in: '/assets/utils/experimental-queries.json'", + "usage": "strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)\nexample: 'terraform:databricks'\npossible values found in: '/assets/utils/experimental-queries.json'", "validation": "validateMultiStr" }, "fail-on": { From 2ac143d99c94f30e30d53490a03d56ebb5f69da1 Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 15:29:53 +0100 Subject: [PATCH 091/379] E2E --- e2e/fixtures/assets/scan_help | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index ce0b2447cfb..4de49077084 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -26,7 +26,7 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' --exclude-type strings case insensitive list of platform types not to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) @@ -60,7 +60,7 @@ Flags: --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type exclusion flags Global Flags: 
From 8244dc4fa07708e541a4a6726db5171463835402 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 16:05:40 +0100 Subject: [PATCH 092/379] fixed experimental queries --- assets/utils/experimental-queries.json | 1 - 1 file changed, 1 deletion(-) diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json index 3531cf78179..32960f8ced3 100644 --- a/assets/utils/experimental-queries.json +++ b/assets/utils/experimental-queries.json @@ -1,3 +1,2 @@ [ - "terraform/alicloud" ] \ No newline at end of file From 741005b147999b9ed3057b7f227104f2dd59731d Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 16:51:06 +0100 Subject: [PATCH 093/379] fix e2e --- e2e/fixtures/assets/scan_help | 2 +- internal/console/assets/scan-flags.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 4de49077084..d583c415e36 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -29,7 +29,7 @@ Flags: (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) + can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) example: 'terraform/databricks' possible values found in: '/assets/utils/experimental-queries.json' --fail-on strings which kind of results should return an exit code different from 0 diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 4ddb785c4c7..aa3973fedc0 100644 
--- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -63,7 +63,7 @@ "flagType": "multiStr", "shorthandFlag": "", "defaultValue": null, - "usage": "strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)\nexample: 'terraform:databricks'\npossible values found in: '/assets/utils/experimental-queries.json'", + "usage": "include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)\nexample: 'terraform/databricks'\npossible values found in: '/assets/utils/experimental-queries.json'", "validation": "validateMultiStr" }, "fail-on": { From 4b32f7ae93b15f7d6da33667b7ca93f47417d0d8 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 19 Sep 2023 17:49:46 +0100 Subject: [PATCH 094/379] fix query and added tests --- .../general/risky_file_permissions/query.rego | 6 +++--- .../risky_file_permissions/test/negative1.yaml | 12 +++++++++++- .../risky_file_permissions/test/positive1.yaml | 11 ++++++++++- .../test/positive_expected_result.json | 6 ++++++ 4 files changed, 30 insertions(+), 5 deletions(-) diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego index 2536fea8a6d..0f3bff789f1 100644 --- a/assets/queries/ansible/general/risky_file_permissions/query.rego +++ b/assets/queries/ansible/general/risky_file_permissions/query.rego @@ -54,8 +54,6 @@ CxPolicy[result] { CxPolicy[result] { task := ansLib.tasks[id][_] - not common_lib.valid_key(task, "mode") - modules := { "blockinfile": false, "ansible.builtin.blockinfile": false, 
@@ -68,6 +66,8 @@ CxPolicy[result] { } action := task[m] + not common_lib.valid_key(action, "mode") + bool := modules[m] object.get(action, "create", bool) == true @@ -77,7 +77,7 @@ CxPolicy[result] { "resourceName": task.name, "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined and set to 'preserve'", [m]), + "keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined", [m]), "keyActualValue": sprintf("%s 'create' key is set to 'true' and 'mode' key is not defined", [m]), } } diff --git a/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml b/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml index d82373f8fa6..ec00e522503 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml +++ b/assets/queries/ansible/general/risky_file_permissions/test/negative1.yaml @@ -97,4 +97,14 @@ - name: not preserve value copy: path: foo - mode: preserve \ No newline at end of file + mode: preserve + +--- +- name: LINEINFILE_CREATE2 + tasks: + - name: create_false + ansible.builtin.lineinfile: + path: foo + create: true + line: some content here + mode: "644" diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml b/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml index 8ad98534ee7..7695a8b4058 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive1.yaml @@ -66,4 +66,13 @@ owner: root group: root state: directory - \ No newline at end of file + +--- +- name: LINEINFILE_CREATE2 + tasks: + - name: create_false + ansible.builtin.lineinfile: + path: foo + create: true + line: some content here + mode: preserve \ No newline at end of file 
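Review bot: `object.get(action, "create", bool) == true` only matches a YAML boolean, so a task written as `create: "yes"` or `create: "true"` — both truthy to Ansible and, depending on the YAML parser, delivered to the policy as strings — creates the file with default permissions yet is not reported. The module is already loaded as `ansLib`; if that library exposes a truthiness helper use it here, otherwise compare against the accepted spellings, e.g. `{true, "true", "True", "yes"}[object.get(action, "create", bool)]`. Moving the `mode` check onto `action` is the right fix; this note is about the `create` side only. The rule's `modules` table begins before this hunk.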
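Review bot: The new positive play's task is named `create_false` while it sets `create: true`, and the negative fixture added in the same commit reuses the identical `LINEINFILE_CREATE2` / `create_false` pair for a task that differs only in `mode`; a failing expected-result entry on line 74 would then be hard to attribute. Name each case for what it exercises, e.g. `- name: create true, mode preserve` here and `- name: create true, explicit mode` in negative1.yaml. `mode: preserve` is documented for copy/template rather than lineinfile, so if this case is meant to be caught by a `preserve`-specific rule elsewhere in the query rather than by the "mode not defined" rule changed in this commit, a short comment above the play saying which rule is expected to fire would help.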
diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json index 4506abb111c..96a4bfa8502 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json @@ -52,5 +52,11 @@ "severity": "INFO", "file": "positive1.yaml", "line": 64 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "file": "positive1.yaml", + "line": 74 } ] \ No newline at end of file From da62f7f38eb5ccf2dba868303ab17ee0523a7776 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Wed, 20 Sep 2023 14:35:28 +0100 Subject: [PATCH 095/379] created query and added tests, need to fix line --- .../github/run_block_injection/query.rego | 22 ++++++++++--------- .../run_block_injection/test/positive2.yaml | 1 + 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/assets/queries/cicd/github/run_block_injection/query.rego b/assets/queries/cicd/github/run_block_injection/query.rego index 2f608666c5e..f4791eeb00f 100644 --- a/assets/queries/cicd/github/run_block_injection/query.rego +++ b/assets/queries/cicd/github/run_block_injection/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "github.event.pull_request.title" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, @@ -40,7 +40,7 @@ CxPolicy[result] { "github.event.issue.title" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, @@ -63,7 +63,7 @@ CxPolicy[result] { "github.event.issue.title" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, 
@@ -85,7 +85,7 @@ CxPolicy[result] { "github.event.discussion.title" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, @@ -108,7 +108,7 @@ CxPolicy[result] { "github.event.discussion.title" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, @@ -134,7 +134,7 @@ CxPolicy[result] { "github.event.workflow_run.head_repository.description" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, @@ -156,7 +156,7 @@ CxPolicy[result] { "github.*.authors.email" ] - containsPattern(run, patterns) + matched = containsPatterns(run, patterns) result := { "documentId": input.document[i].id, @@ -170,8 +170,10 @@ CxPolicy[result] { -containsPattern(str, patterns) { - pattern := patterns[_] - regex.match(pattern, str) +containsPatterns(str, patterns) = matched { + matched := {pattern | + pattern := patterns[_] + regex.match(pattern, str) + } } diff --git a/assets/queries/cicd/github/run_block_injection/test/positive2.yaml b/assets/queries/cicd/github/run_block_injection/test/positive2.yaml index a2905bf2cdf..0222d99d23e 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive2.yaml +++ b/assets/queries/cicd/github/run_block_injection/test/positive2.yaml @@ -12,3 +12,4 @@ jobs: - name: Echo Pull Request Body run: | echo "Pull Request Body: ${{ github.event.pull_request.body }}" + echo "Pull Request Title: ${{ github.event.pull_request.title }}" From be6477fcda4cdb31850c353b3fb56735c3db6b5d Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 11:28:44 +0100 Subject: [PATCH 096/379] fixed line result --- .../github/run_block_injection/query.rego | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) 
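Review bot: `containsPatterns` is a set comprehension and is therefore always defined, so unlike the boolean `containsPattern` it replaces it never fails the calling rule when nothing matches; at this commit the callers unify `matched` with `=` and never read it, so every `run` step under these triggers is reported whether or not it references a dangerous context. Making the function itself undefined on an empty match restores the old semantics regardless of how callers use the value: add `count(matched) > 0` as the last line of the function body. Separately, the patterns are raw dotted names used as regexes, so `.` matches any character and nothing requires the `${{ ... }}` expression syntax — a literal mention such as `echo "see github.event.pull_request.body"` is flagged too; if that breadth is not intentional, patterns of the form `\$\{\{\s*github\.event\.pull_request\.body\s*\}\}` would tighten it.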
diff --git a/assets/queries/cicd/github/run_block_injection/query.rego b/assets/queries/cicd/github/run_block_injection/query.rego index f4791eeb00f..ae9a223c10e 100644 --- a/assets/queries/cicd/github/run_block_injection/query.rego +++ b/assets/queries/cicd/github/run_block_injection/query.rego @@ -26,7 +26,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } @@ -48,7 +49,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } @@ -71,7 +73,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } @@ -93,7 +96,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } 
@@ -116,7 +120,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } @@ -142,7 +147,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } @@ -164,7 +170,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), + "searchValue": matched[m] } } From bbea02e9f944584b6e31334f0fd3ea8de70b50fa Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 16:24:54 +0100 Subject: [PATCH 097/379] creating query --- .../github/script_block_injection/query.rego | 43 +++++++++++-------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego index a83ddecf9db..f2802e61084 100644 --- a/assets/queries/cicd/github/script_block_injection/query.rego +++ b/assets/queries/cicd/github/script_block_injection/query.rego 
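Review bot: `"searchValue": matched[m]` iterates the matched set, so a run block that references two dangerous contexts yields two findings for the same step and the same `searchLine` (positive2.yaml gained a second echo in the previous commit and commit 098 backs it out, which looks like this surfacing in the tests). That same expression is also the only thing that makes the rule fail on a clean block, because `matched` may be an empty set — an implicit dependency that is easy to break in a later edit. If one finding per step is the intent, make both explicit: `count(matched) > 0` right after the `containsPatterns` call, and `"searchValue": concat(", ", matched)` in the result object. Each rule body begins before its hunk.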
@@ -23,7 +23,7 @@ CxPolicy[result] { "github.event.pull_request.title" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -31,7 +31,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), + "searchValue": matched[m] } } @@ -45,7 +46,7 @@ CxPolicy[result] { "github.event.issue.title" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -53,7 +54,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchValue": matched[m] } } @@ -68,7 +70,7 @@ CxPolicy[result] { "github.event.issue.title" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -76,7 +78,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchValue": matched[m] } } 
@@ -90,7 +93,7 @@ CxPolicy[result] { "github.event.discussion.title" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -98,7 +101,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchValue": matched[m] } } @@ -113,7 +117,7 @@ CxPolicy[result] { "github.event.discussion.title" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -121,7 +125,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchValue": matched[m] } } @@ -139,7 +144,7 @@ CxPolicy[result] { "github.event.workflow_run.head_repository.description" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -147,7 +152,8 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchValue": matched[m] } } 
@@ -161,7 +167,7 @@ CxPolicy[result] { "github.*.authors.email" ] - containsPattern(script, patterns) + matched = containsPatterns(script, patterns) result := { "documentId": input.document[i].id, @@ -169,14 +175,17 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchValue": matched[m] } } -containsPattern(str, patterns) { - pattern := patterns[_] - regex.match(pattern, str) +containsPatterns(str, patterns) = matched { + matched := {pattern | + pattern := patterns[_] + regex.match(pattern, str) + } } From 95f85ebe2a961977137c88e7b118f669b5b405f3 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 16:25:36 +0100 Subject: [PATCH 098/379] fixed tests --- .../queries/cicd/github/run_block_injection/test/positive2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/cicd/github/run_block_injection/test/positive2.yaml b/assets/queries/cicd/github/run_block_injection/test/positive2.yaml index 0222d99d23e..e8db43feddd 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive2.yaml +++ b/assets/queries/cicd/github/run_block_injection/test/positive2.yaml @@ -12,4 +12,4 @@ jobs: - name: Echo Pull Request Body run: | echo "Pull Request Body: ${{ github.event.pull_request.body }}" - echo "Pull Request Title: ${{ github.event.pull_request.title }}" + From 5ead3c34fb8a9495d4f9ead0d876b11ffcdff613 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 16:41:43 +0100 Subject: [PATCH 099/379] query logic added --- .../github/script_block_injection/query.rego | 49 +++++++++++++++---- 1 file changed, 39 insertions(+), 10 deletions(-) 
diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego index f2802e61084..cac3f6cdbb5 100644 --- a/assets/queries/cicd/github/script_block_injection/query.rego +++ b/assets/queries/cicd/github/script_block_injection/query.rego @@ -8,9 +8,9 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith(uses,"actions/github-scripts") - - script := input.document[i].jobs[j].steps[k].with["script"] + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.head_ref", @@ -39,7 +39,12 @@ CxPolicy[result] { CxPolicy[result] { input.document[i].on["issues"] - script := input.document[i].jobs[j].steps[k].run + + uses := input.document[i].jobs[j].steps[k].uses + + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.event.issue.body", @@ -62,7 +67,12 @@ CxPolicy[result] { CxPolicy[result] { input.document[i].on["issue_comment"] - script := input.document[i].jobs[j].steps[k].run + + uses := input.document[i].jobs[j].steps[k].uses + + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.event.comment.body", @@ -86,7 +96,12 @@ CxPolicy[result] { CxPolicy[result] { input.document[i].on["discussion"] - script := input.document[i].jobs[j].steps[k].run + + uses := input.document[i].jobs[j].steps[k].uses + + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.event.discussion.body", 
@@ -109,7 +124,12 @@ CxPolicy[result] { CxPolicy[result] { input.document[i].on["discussion_comment"] - script := input.document[i].jobs[j].steps[k].run + + uses := input.document[i].jobs[j].steps[k].uses + + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.event.comment.body", @@ -133,7 +153,12 @@ CxPolicy[result] { CxPolicy[result] { input.document[i].on["workflow_run"] - script := input.document[i].jobs[j].steps[k].run + + uses := input.document[i].jobs[j].steps[k].uses + + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.event.workflow.path", @@ -160,7 +185,12 @@ CxPolicy[result] { CxPolicy[result] { input.document[i].on["author"] - script := input.document[i].jobs[j].steps[k].run + + uses := input.document[i].jobs[j].steps[k].uses + + startswith("actions/github-scripts", uses) + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ "github.*.authors.name", @@ -181,7 +211,6 @@ CxPolicy[result] { } - containsPatterns(str, patterns) = matched { matched := {pattern | pattern := patterns[_] From f818c68636962c3f2a031f5c63df7ae5f99cae95 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 16:43:12 +0100 Subject: [PATCH 100/379] fixed tests --- .../test/positive_expected_result.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index 46b392e679b..a6a73d142fe 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json 
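Review bot: The restructured last rule still keys on `input.document[i].on["author"]`, and as far as I know GitHub Actions has no `author` trigger, so this rule cannot fire on a real workflow; the `github.*.authors.name` / `github.*.authors.email` patterns look like they were meant to be the `push` event's `github.event.commits.*.author.name` / `.email` (singular `author`) — worth confirming against the GitHub events reference before the `on: author:` fixtures cement it. As a point of style, `containsPatterns` at the bottom of this file is a verbatim copy of the one in run_block_injection/query.rego; moving it into `common_lib` would keep the two from drifting. The rule bodies begin before each hunk.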
@@ -2,43 +2,43 @@ { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 11, + "line": 10, "fileName": "positive1.yaml" }, { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 14, + "line": 13, "fileName": "positive2.yaml" }, { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 14, + "line": 13, "fileName": "positive3.yaml" }, { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 14, + "line": 13, "fileName": "positive4.yaml" }, { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 14, + "line": 13, "fileName": "positive5.yaml" }, { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 14, + "line": 13, "fileName": "positive6.yaml" }, { "queryName": "Run Block Injection", "severity": "HIGH", - "line": 14, + "line": 13, "fileName": "positive7.yaml" } ] From bf7f97c4306480f956f1a36c771f942a628db239 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 16:58:25 +0100 Subject: [PATCH 101/379] creating query --- .../github/script_block_injection/query.rego | 18 +++++++++--------- .../script_block_injection/test/positive1.yaml | 5 ++--- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego index cac3f6cdbb5..0996d80be63 100644 --- a/assets/queries/cicd/github/script_block_injection/query.rego +++ b/assets/queries/cicd/github/script_block_injection/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script @@ -42,7 +42,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script 
@@ -55,11 +55,11 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": "issues", "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), "searchValue": matched[m] } } @@ -70,7 +70,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script @@ -99,7 +99,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script @@ -127,7 +127,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script @@ -156,7 +156,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script @@ -188,7 +188,7 @@ CxPolicy[result] { uses := input.document[i].jobs[j].steps[k].uses - startswith("actions/github-scripts", uses) + startswith(uses, "actions/github-script") script := input.document[i].jobs[j].steps[k]["with"].script diff --git a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml index 69e715e8464..d3484916144 100644 
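Review bot: `startswith(uses, "actions/github-script")` is a bare prefix test, so it also matches any action whose name merely begins with that string (e.g. `actions/github-script-extras@v1`) while never matching forks or vendored copies of the same action; for a check that decides whether `with.script` is executed as JavaScript, matching the action name up to its `@ref` is more precise: `regex.match("^actions/github-script(@.*)?$", uses)`. If forks are a concern, a looser `contains(uses, "/github-script@")` could be considered, at the cost of precision. The rule bodies begin before each hunk.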
--- a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml @@ -1,9 +1,8 @@ name: test-script-run on: -- pull_request_target: - types: - - opened +- issues: + types: [opened] jobs: script-run: From a5f80a4b7f0a0d5f4aa8cff758e4a9a61f515727 Mon Sep 17 00:00:00 2001 
From: Millena Santos Date: Fri, 22 Sep 2023 17:14:07 +0100 Subject: [PATCH 102/379] finished query and added tests --- .../github/script_block_injection/query.rego | 12 +++--- .../test/negative1.yaml | 25 ++++++++++++ .../test/negative2.yaml | 25 ++++++++++++ .../test/negative3.yaml | 25 ++++++++++++ .../test/negative4.yaml | 25 ++++++++++++ .../test/negative5.yaml | 25 ++++++++++++ .../test/negative6.yaml | 25 ++++++++++++ .../test/negative7.yaml | 25 ++++++++++++ .../test/positive1.yaml | 2 +- .../test/positive2.yaml | 28 ++++++++++++++ .../test/positive3.yaml | 28 ++++++++++++++ .../test/positive4.yaml | 28 ++++++++++++++ .../test/positive5.yaml | 28 ++++++++++++++ .../test/positive6.yaml | 28 ++++++++++++++ .../test/positive7.yaml | 28 ++++++++++++++ .../test/positive_expected_result.json | 38 ++++++++++++++++++- 16 files changed, 387 insertions(+), 8 deletions(-) create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative1.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative2.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative3.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative4.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative5.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative6.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/negative7.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive2.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive3.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive4.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive5.yaml create mode 100644 assets/queries/cicd/github/script_block_injection/test/positive6.yaml create mode 100644 
assets/queries/cicd/github/script_block_injection/test/positive7.yaml diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego index 0996d80be63..e93b11a0814 100644 --- a/assets/queries/cicd/github/script_block_injection/query.rego +++ b/assets/queries/cicd/github/script_block_injection/query.rego @@ -55,7 +55,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": "issues", + "searchKey": sprintf("script={{%s}}", [script]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", @@ -88,7 +88,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with","script"],[]), "searchValue": matched[m] } } @@ -116,7 +116,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), "searchValue": matched[m] } } 
@@ -145,7 +145,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), "searchValue": matched[m] } } @@ -177,7 +177,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), "searchValue": matched[m] } } @@ -205,7 +205,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "script"],[]), + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), "searchValue": matched[m] } } diff --git a/assets/queries/cicd/github/script_block_injection/test/negative1.yaml b/assets/queries/cicd/github/script_block_injection/test/negative1.yaml new file mode 100644 index 00000000000..ce78396074b --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative1.yaml 
@@ -0,0 +1,25 @@ +name: test-script-run + +on: + issues: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/negative2.yaml b/assets/queries/cicd/github/script_block_injection/test/negative2.yaml new file mode 100644 index 00000000000..3e54df1aa88 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative2.yaml @@ -0,0 +1,25 @@ +name: test-script-run + +on: + pull_request_target: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/negative3.yaml b/assets/queries/cicd/github/script_block_injection/test/negative3.yaml new file mode 100644 index 00000000000..7b96d141772 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative3.yaml 
@@ -0,0 +1,25 @@ +name: test-script-run + +on: + issue_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/negative4.yaml b/assets/queries/cicd/github/script_block_injection/test/negative4.yaml new file mode 100644 index 00000000000..2462010831e --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative4.yaml @@ -0,0 +1,25 @@ +name: test-script-run + +on: + discussion: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/negative5.yaml b/assets/queries/cicd/github/script_block_injection/test/negative5.yaml new file mode 100644 index 00000000000..62bfdf19ce1 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative5.yaml 
@@ -0,0 +1,25 @@ +name: test-script-run + +on: + discussion_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/negative6.yaml b/assets/queries/cicd/github/script_block_injection/test/negative6.yaml new file mode 100644 index 00000000000..140066046da --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative6.yaml @@ -0,0 +1,25 @@ +name: test-script-run + +on: + workflow_run: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/negative7.yaml b/assets/queries/cicd/github/script_block_injection/test/negative7.yaml new file mode 100644 index 00000000000..697454dad60 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/negative7.yaml 
@@ -0,0 +1,25 @@ +name: test-script-run + +on: + author: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml index d3484916144..16e13af74c5 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml @@ -1,7 +1,7 @@ name: test-script-run on: -- issues: + issues: types: [opened] jobs: diff --git a/assets/queries/cicd/github/script_block_injection/test/positive2.yaml b/assets/queries/cicd/github/script_block_injection/test/positive2.yaml new file mode 100644 index 00000000000..7e983291659 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive2.yaml @@ -0,0 +1,28 @@ +name: test-script-run + +on: + pull_request_target: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file 
diff --git a/assets/queries/cicd/github/script_block_injection/test/positive3.yaml b/assets/queries/cicd/github/script_block_injection/test/positive3.yaml new file mode 100644 index 00000000000..8ca2da2066f --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive3.yaml @@ -0,0 +1,28 @@ +name: test-script-run + +on: + issue_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/positive4.yaml b/assets/queries/cicd/github/script_block_injection/test/positive4.yaml new file mode 100644 index 00000000000..2436c3b6b56 --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive4.yaml @@ -0,0 +1,28 @@ +name: test-script-run + +on: + discussion: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file 
diff --git a/assets/queries/cicd/github/script_block_injection/test/positive5.yaml b/assets/queries/cicd/github/script_block_injection/test/positive5.yaml new file mode 100644 index 00000000000..b1aef74842a --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive5.yaml @@ -0,0 +1,28 @@ +name: test-script-run + +on: + discussion_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/positive6.yaml b/assets/queries/cicd/github/script_block_injection/test/positive6.yaml new file mode 100644 index 00000000000..f48f86268fb --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive6.yaml @@ -0,0 +1,28 @@ +name: test-script-run + +on: + workflow_run: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.workflow.path }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file 
diff --git a/assets/queries/cicd/github/script_block_injection/test/positive7.yaml b/assets/queries/cicd/github/script_block_injection/test/positive7.yaml new file mode 100644 index 00000000000..0085761558e --- /dev/null +++ b/assets/queries/cicd/github/script_block_injection/test/positive7.yaml @@ -0,0 +1,28 @@ +name: test-script-run + +on: + author: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; \ No newline at end of file diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json index 69a8665bd8e..cd44b6b0881 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json 
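Review bot: positive7.yaml triggers on `author`, which is not a GitHub Actions workflow event, and interpolates `github.event.authors.name`, which is not a path in any webhook payload, so this fixture (and negative7.yaml above) exercises a shape no real workflow can have; if the query's trigger and field lists contain these tokens, that is worth confirming against the GitHub events documentation. The attacker-controlled author fields that do exist are `github.event.head_commit.author.name` and `github.event.commits[*].author.name` under `push`, so a fixture of `on: push` with `${{ github.event.head_commit.author.name }}` would cover the case this detection is presumably meant for. The query itself is not in this hunk, so which triggers it accepts is inferred from the fixtures.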
@@ -2,7 +2,43 @@ { "queryName": "Script Block Injection", "severity": "HIGH", - "line": 20, + "line": 17, "fileName": "positive1.yaml" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive2.yaml" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive3.yaml" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive4.yaml" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive5.yaml" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive6.yaml" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive7.yaml" } ] From 64ff6d311e21df2932ab9cddafa25b6ebe58436b Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 17:22:17 +0100 Subject: [PATCH 103/379] added searchvalue as allowed --- test/queries_content_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/queries_content_test.go b/test/queries_content_test.go index ffa0d224ce4..1fa0b1b726b 100644 --- a/test/queries_content_test.go +++ b/test/queries_content_test.go @@ -55,6 +55,7 @@ var ( "../assets/queries/dockerfile/apt_get_install_pin_version_not_defined", "../assets/queries/terraform/aws/redshift_cluster_without_vpc", "../assets/queries/openAPI/general/response_code_missing", + "../assets/queries/cicd/github/run_block_injection", } // TODO uncomment this test once all metadata are fixed From 1c0d77f5af64820b90044ecea62edcf63524d9bc Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 17:24:20 +0100 Subject: [PATCH 104/379] added search value as allowed --- test/queries_content_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/queries_content_test.go b/test/queries_content_test.go index ffa0d224ce4..f09c7e0f773 100644 
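Review bot: Every positive now resolves to line 17, which in the new fixtures is the `script: |` key line, while the `${{ … }}` expression sits on line 19 (positive1 previously reported line 20, presumably its expression line). For a multi-line script block this points the user at the block header rather than the offending interpolation, which is less actionable when a block holds several expressions; if the query was changed to report the `script` key, consider reporting the line of the matched expression instead, or at least including the matched expression text in the result. The query change that moved the reported line is not in view, so this is inferred from the expected-result diff alone.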
--- a/test/queries_content_test.go +++ b/test/queries_content_test.go @@ -55,6 +55,7 @@ var ( "../assets/queries/dockerfile/apt_get_install_pin_version_not_defined", "../assets/queries/terraform/aws/redshift_cluster_without_vpc", "../assets/queries/openAPI/general/response_code_missing", + "../assets/queries/cicd/github/script_block_injection", } // TODO uncomment this test once all metadata are fixed From c9f0ff8243b7ed6b3b834ea2bc786b4a7e3d0b49 Mon Sep 17 00:00:00 2001 From: Millena Santos Date: Fri, 22 Sep 2023 18:00:58 +0100 Subject: [PATCH 105/379] fixed test --- .../run_block_injection/test/positive_expected_result.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index a6a73d142fe..dcf339d9a2f 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json @@ -5,6 +5,12 @@ "line": 10, "fileName": "positive1.yaml" }, + { + "queryName": "Run Block Injection", + "severity": "HIGH", + "line": 10, + "fileName": "positive1.yaml" + }, { "queryName": "Run Block Injection", "severity": "HIGH", From e918300a0126d74ca4496916c0316ac354fb4bd7 Mon Sep 17 00:00:00 2001 
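Review bot: The second, byte-identical `positive1.yaml` / line 10 entry added to run_block_injection's expected results encodes a duplicate finding rather than removing it: the same workflow line is now expected twice with the same query name and severity, which is noise for anyone deduplicating findings by file and line. If the duplicate comes from the query matching one `run` block twice (two expressions on the same line, or two rules firing on the same step), the rego should collapse to a single result per step — for example by keying the result set on the step rather than on each match — and this file should keep one entry. The query is not in view, so the cause of the duplicate is inferred from this hunk alone.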
From: asofsilva Date: Wed, 27 Sep 2023 16:07:57 +0000 Subject: [PATCH 106/379] docs(queries): update queries catalog --- docs/queries/all-queries.md | 3285 +++++++++-------- docs/queries/ansible-queries.md | 300 +- .../0e75052f-cc02-41b8-ac39-a78017527e95.md | 116 + .../404908b6-4954-4611-98f0-e8ceacdabcb1.md | 33 + .../59029ddf-e651-412b-ae7b-ff6d403184bc.md | 107 + .../88841d5c-d22d-4b7e-a6a0-89ca50e44b9f.md | 226 ++ .../8d22ae91-6ac1-459f-95be-d37bd373f244.md | 85 + .../c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md | 336 ++ .../c6473dae-8477-4119-88b7-b909b435ce7b.md | 33 + .../d7dc9350-74bc-485b-8c85-fed22d276c43.md | 33 + docs/queries/azureresourcemanager-queries.md | 28 +- docs/queries/cicd-queries.md | 3 + .../20f14e1a-a899-4e79-9f09-b6a84cd4649b.md | 335 ++ .../60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md | 151 + .../62ff6823-927a-427f-acf9-f1ea2932d616.md | 456 +++ docs/queries/cloudformation-queries.md | 336 +- docs/queries/crossplane-queries.md | 26 +- docs/queries/dockercompose-queries.md | 14 +- docs/queries/dockerfile-queries.md | 50 +- .../googledeploymentmanager-queries.md | 26 +- docs/queries/kubernetes-queries.md | 136 +- docs/queries/openapi-queries.md | 386 +- docs/queries/pulumi-queries.md | 22 +- docs/queries/terraform-queries.md | 944 ++--- 24 files changed, 4700 insertions(+), 2767 deletions(-) create mode 100644 docs/queries/ansible-queries/common/0e75052f-cc02-41b8-ac39-a78017527e95.md create mode 100644 docs/queries/ansible-queries/common/404908b6-4954-4611-98f0-e8ceacdabcb1.md create mode 100644 docs/queries/ansible-queries/common/59029ddf-e651-412b-ae7b-ff6d403184bc.md create mode 100644 docs/queries/ansible-queries/common/88841d5c-d22d-4b7e-a6a0-89ca50e44b9f.md create mode 100644 docs/queries/ansible-queries/common/8d22ae91-6ac1-459f-95be-d37bd373f244.md create mode 100644 docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md create mode 100644 docs/queries/ansible-queries/common/c6473dae-8477-4119-88b7-b909b435ce7b.md 
create mode 100644 docs/queries/ansible-queries/common/d7dc9350-74bc-485b-8c85-fed22d276c43.md create mode 100644 docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md create mode 100644 docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md create mode 100644 docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index fe0dd08afd7..e77f2917cf3 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -3,1741 +3,274 @@ This page contains all queries. | Query |Platform|Severity|Category|Description|Help| |-----------------------------|---|---|---|---|---| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'management' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS (COS) (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports outside the range 0 to 65535 (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMs can't have the same alias defined (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using the RUN command, 'cd' should only be used with a full path. For a relative path, use the WORKDIR command instead. (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement (read more)|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version helps reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input: 'yum install -y <package>' (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install <gem>' we should use 'gem install <gem>:<version>' (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the Linux distributions as an unattended tool, since its interface may change between versions. Use the more stable apt-get and apt-cache instead (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Curl or Wget should be used instead of ADD to fetch packages from remote URLs, since using ADD for this is strongly discouraged (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process|This query is used to ensure that build stages are named. This way, even if the Dockerfile is re-ordered, the COPY instruction doesn't break. (read more)|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, the apt-get lists should be deleted (read more)|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the Linux distributions as an unattended tool, since its interface may change between versions. Use the more stable apt-get and apt-cache instead (read more)|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users from modifying access control permissions to the bucket. (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allows full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data in transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryption must be true (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| |ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| |S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| |S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| |EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| |Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| |Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| |API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| |User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| |KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| |S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| |Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| |RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| |Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| |IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| |CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| |ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| |Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| |Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| |IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| |Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| |MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| |EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| |ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| |ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| |API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| |ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| |S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| |API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| |Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| |CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| |Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| -|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| +|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| |BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| |BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| |Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| |Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| @@ -1748,3 +281,1481 @@ This page contains all queries. |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index d70873ca710..669ed31088b 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -1,6 +1,68 @@ ## Ansible Queries List This page contains all queries from Ansible. +### AZURE +Bellow are listed queries related with Ansible AZURE: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
|
+|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
|
+|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
|
+|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
|
+|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
|
+|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
+|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
|
+|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
+|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
|
+|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
+|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
|
+
+### SHARED (V2/V3)
+Bellow are listed queries related with Ansible SHARED (V2/V3):
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
|
+|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
|
+|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
|
+|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
|
+|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
|
+|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| + ### AWS Bellow are listed queries related with Ansible AWS: @@ -8,156 +70,138 @@ Bellow are listed queries related with Ansible AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
|
-|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
-|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
-|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
|
 |S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
|
-|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
-|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
|
+|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
|
+|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
+|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
|
+|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
+|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
|
 |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
|
-|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
+|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
|
 |S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
|
-|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
|
-|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
+|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
+|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
 |Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
-|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
|
-|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
|
-|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
|
+|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
|
+|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
+|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
|
+|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
|
+|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
|
 |EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
|
 |S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
|
-|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
|
+|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
|
+|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
|
+|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
|
 |Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
|
-|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
|
 |Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
|
-|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
|
 |DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
|
-|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
|
-|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
-|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
|
-|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
|
 |AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
|
-|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
|
-|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
+|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
|
 |User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
|
-|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
|
-|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
|
+|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
+|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
|
+|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
|
+|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
|
+|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
+|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
|
+|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
|
 |KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
|
-|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
|
-|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
|
 |S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
|
-|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
|
 |RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
|
+|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
|
+|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
|
+|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
|
 |CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
|
-|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
|
 |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
|
-|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
|
+|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
|
 |Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
|
-|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
|
 |Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
|
-|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
|
-|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
|
+|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
|
+|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
|
+|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
|
 |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
|
 |Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
|
-|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
|
-|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
|
-|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
|
-|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
|
 |Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
|
-|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
|
+|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
|
+|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
|
 |RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
|
+|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
|
+|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
|
+|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
|
 |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
|
 |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
|
 |SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
|
-|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
|
-|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
|
+|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
|
+|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
|
+|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
|
+|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
|
 |IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
|
-|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
|
+|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
|
+|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
|
 |AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
|
 |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
|
-|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
|
-|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
|
-|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
|
-|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
|
-|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
|
 |Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
|
-|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
|
+|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
|
+|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
|
 |CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
|
 |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
|
-|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
|
+|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
|
 |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
|
-|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
|
-|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| |IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| |API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| |API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| |CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
-### CONFIG
-Bellow are listed queries related with Ansible CONFIG:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
|
-
-### SHARED (V2/V3)
-Bellow are listed queries related with Ansible SHARED (V2/V3):
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
|
-
 ### GCP
 Bellow are listed queries related with Ansible GCP:
@@ -165,103 +209,67 @@ Bellow are listed queries related with Ansible GCP:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
+|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| |BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| |DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| |PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| |MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| |Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| |Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| |GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| |Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| |GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| |Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| |Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| |Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| |Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| |Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| |Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| |Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| |OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| |GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| |Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| |RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| |Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| |IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| |PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| |PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| |High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| |Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -### AZURE -Bellow are listed queries related with Ansible AZURE: +### CONFIG +Bellow are listed queries related with Ansible CONFIG: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| ### HOSTS Bellow are listed queries related with Ansible HOSTS: diff --git a/docs/queries/ansible-queries/common/0e75052f-cc02-41b8-ac39-a78017527e95.md b/docs/queries/ansible-queries/common/0e75052f-cc02-41b8-ac39-a78017527e95.md new file mode 100644 index 00000000000..4edd57168cf --- /dev/null +++ b/docs/queries/ansible-queries/common/0e75052f-cc02-41b8-ac39-a78017527e95.md @@ -0,0 +1,116 @@ +--- +title: Privilege Escalation Using Become Plugin +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0e75052f-cc02-41b8-ac39-a78017527e95 +- **Query name:** Privilege Escalation Using Become Plugin +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/privilege_escalation_using_become_plugin) + +### Description +In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'
+[Documentation](https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 44 15 53 61 31" +--- +- hosts: localhost + name: become_user without become + become_user: bar + + tasks: + - name: Simple hello + ansible.builtin.debug: + msg: hello + +--- +- hosts: localhost + name: become_user with become false + become_user: root + become: false + + tasks: + - name: Simple hello + ansible.builtin.debug: + msg: hello + +--- +- hosts: localhost + tasks: + - name: become and become_user on different tasks + block: + - name: Sample become + become: true + ansible.builtin.command: ls . + - name: Sample become_user + become_user: foo + ansible.builtin.command: ls . + +--- +- hosts: localhost + tasks: + - name: become false + block: + - name: Sample become + become: true + ansible.builtin.command: ls . + - name: Sample become_user + become_user: postgres + become: false + ansible.builtin.command: ls . + +--- +- hosts: localhost + tasks: + - name: become_user with become task as false + ansible.builtin.command: whoami + become_user: mongodb + become: false + changed_when: false + +--- +- hosts: localhost + tasks: + - name: become_user without become + ansible.builtin.command: whoami + become_user: mysql + changed_when: false +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +--- +- hosts: localhost + become_user: postgres + become: true + tasks: + - name: some task + ansible.builtin.command: whoamyou + changed_when: false + +--- +- hosts: localhost + tasks: + - name: become from the same scope + ansible.builtin.command: whoami + become: true + become_user: postgres + changed_when: false +``` 
diff --git a/docs/queries/ansible-queries/common/404908b6-4954-4611-98f0-e8ceacdabcb1.md b/docs/queries/ansible-queries/common/404908b6-4954-4611-98f0-e8ceacdabcb1.md new file mode 100644 index 00000000000..66290572620 --- /dev/null +++ b/docs/queries/ansible-queries/common/404908b6-4954-4611-98f0-e8ceacdabcb1.md @@ -0,0 +1,33 @@ +--- +title: Privilege Escalation Using Become Plugin +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 404908b6-4954-4611-98f0-e8ceacdabcb1 +- **Query name:** Privilege Escalation Using Become Plugin +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/config/privilege_escalation_using_become_plugin) + +### Description +In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'
+[Documentation](https://docs.ansible.com/ansible/latest/plugins/become.html) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/ansible-queries/common/59029ddf-e651-412b-ae7b-ff6d403184bc.md b/docs/queries/ansible-queries/common/59029ddf-e651-412b-ae7b-ff6d403184bc.md new file mode 100644 index 00000000000..643dc9ad15e --- /dev/null +++ b/docs/queries/ansible-queries/common/59029ddf-e651-412b-ae7b-ff6d403184bc.md @@ -0,0 +1,107 @@ +--- +title: Logging of Sensitive Data +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59029ddf-e651-412b-ae7b-ff6d403184bc +- **Query name:** Logging of Sensitive Data +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/logging_of_sensitive_data) + +### Description +To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True
+[Documentation](https://ansible.readthedocs.io/projects/lint/rules/no-log-password/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +--- +- name: Positive Playbook + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + password: "{{ item }}" + with_items: + - wow + no_log: false +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +--- +- name: Positive Playbook + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + password: "{{ item }}" + with_items: + - wow +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +--- +- name: Negative playbook + hosts: localhost + tasks: + - name: foo + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + password: "{{ item }}" + with_items: + - wow + no_log: true + +--- +- name: Negative Playbook 2 + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + with_items: + - wow + no_log: false + +--- +- name: Negative Playbook 3 + hosts: localhost + tasks: + - name: bar + ansible.builtin.user: + name: john_doe + comment: John Doe + uid: 1040 + group: admin + with_items: + - wow +``` diff --git a/docs/queries/ansible-queries/common/88841d5c-d22d-4b7e-a6a0-89ca50e44b9f.md b/docs/queries/ansible-queries/common/88841d5c-d22d-4b7e-a6a0-89ca50e44b9f.md new file mode 100644 index 00000000000..14d423155d2 --- /dev/null +++ b/docs/queries/ansible-queries/common/88841d5c-d22d-4b7e-a6a0-89ca50e44b9f.md 
@@ -0,0 +1,226 @@ +--- +title: Risky File Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 88841d5c-d22d-4b7e-a6a0-89ca50e44b9f +- **Query name:** Risky File Permissions +- **Platform:** Ansible +- **Severity:** Info +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/risky_file_permissions) + +### Description +Some modules could end up creating new files on disk with permissions that might be too open or unpredictable
+[Documentation](https://ansible.readthedocs.io/projects/lint/rules/risky-file-permissions/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="64 5 38 74 13 46 17 55 25 29" +--- +- name: PRESERVE_MODE + tasks: + - name: not preserve value + ansible.builtin.file: + path: foo + mode: preserve + +--- +- name: MISSING_PERMISSIONS_TOUCH + tasks: + - name: Permissions missing + file: + path: foo + state: touch + - name: Permissions missing 2x + ansible.builtin.file: + path: foo + state: touch + +--- +- name: MISSING_PERMISSIONS_DIRECTORY + tasks: + - name: Permissions missing 3x + file: + path: foo + state: directory + - name: create is true + ansible.builtin.lineinfile: + path: foo + create: true + line: some content here + +--- +- name: MISSING_PERMISSIONS_GET_URL + tasks: + - name: Permissions missing 4x + get_url: + url: http://foo + dest: foo + +--- +- name: LINEINFILE_CREATE + tasks: + - name: create is true 2x + ansible.builtin.lineinfile: + path: foo + create: true + line: some content here + +--- +- name: REPLACE_PRESERVE + tasks: + - name: not preserve mode 2x + replace: + path: foo + mode: preserve + regexp: foo + +--- +- name: NOT_PERMISSION + tasks: + - name: Not Permissions + file: + path: foo + owner: root + group: root + state: directory + +--- +- name: LINEINFILE_CREATE2 + tasks: + - name: create_false + ansible.builtin.lineinfile: + path: foo + create: true + line: some content here + mode: preserve +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +--- +- name: SUCCESS_PERMISSIONS_PRESENT + hosts: all + tasks: + - name: Permissions not missing and numeric + ansible.builtin.file: + path: foo + mode: "0600" + +--- +- name: SUCCESS_PERMISSIONS_PRESENT_GET_URL + hosts: all + tasks: + - name: Permissions not missing and numeric + ansible.builtin.get_url: + url: http://foo + dest: foo + mode: "0600" + +--- +- name: SUCCESS_ABSENT_STATE + hosts: all + tasks: + - name: Permissions missing while state is absent is fine + ansible.builtin.file: + path: foo + state: absent + +--- +- name: SUCCESS_DEFAULT_STATE + hosts: all + tasks: + - name: Permissions missing while state is file (default) is fine + ansible.builtin.file: + path: foo + +--- +- name: SUCCESS_LINK_STATE + hosts: all + tasks: + - name: Permissions missing while state is link is fine + ansible.builtin.file: + path: foo2 + src: foo + state: link + +--- +- name: SUCCESS_CREATE_FALSE + hosts: all + tasks: + - name: File edit when create is false + ansible.builtin.lineinfile: + path: foo + create: false + line: some content here + +--- +- name: SUCCESS_REPLACE + hosts: all + tasks: + - name: Replace should not require mode + ansible.builtin.replace: + path: foo + regexp: foo + +--- +- name: SUCCESS_RECURSE + hosts: all + tasks: + - name: File with recursive does not require mode + ansible.builtin.file: + state: directory + recurse: true + path: foo + - name: Permissions not missing and numeric (fqcn) + ansible.builtin.file: + path: bar + mode: "755" + - name: File edit when create is false (fqcn) + ansible.builtin.lineinfile: + path: foo + create: false + line: some content here + +--- +- name: LINIINFILE_CREATE + tasks: + - name: create is true 2x + lineinfile: + path: foo + line: some content here + mode: "0600" + +--- +- name: PRESERVE_MODE + tasks: + - name: not preserve value + copy: + path: foo + mode: preserve + +--- +- name: LINEINFILE_CREATE2 + tasks: + - name: create_false + ansible.builtin.lineinfile: + path: foo + create: true + line: 
some content here + mode: "644" + +``` diff --git a/docs/queries/ansible-queries/common/8d22ae91-6ac1-459f-95be-d37bd373f244.md b/docs/queries/ansible-queries/common/8d22ae91-6ac1-459f-95be-d37bd373f244.md new file mode 100644 index 00000000000..f9ad50e2858 --- /dev/null +++ b/docs/queries/ansible-queries/common/8d22ae91-6ac1-459f-95be-d37bd373f244.md @@ -0,0 +1,85 @@ +--- +title: Insecure Relative Path Resolution +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8d22ae91-6ac1-459f-95be-d37bd373f244 +- **Query name:** Insecure Relative Path Resolution +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/insecure_relative_path_resolution) + +### Description +Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.
+[Documentation](https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 7" +--- +- name: Positive Example + hosts: localhost + tasks: + - name: One + ansible.builtin.template: + src: ../templates/foo.j2 + dest: /etc/file.conf + mode: "0644" + - name: Two + ansible.builtin.copy: + src: ../files/foo.conf + dest: /etc/foo.conf + mode: "0644" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +--- +- name: Negative Example + hosts: localhost + tasks: + - name: One + ansible.builtin.copy: + content: + dest: /etc/mine.conf + mode: "0644" + - name: Two + ansible.builtin.copy: + src: /home/example/files/foo.conf + dest: /etc/foo.conf + mode: "0644" + +--- +- name: Negative Example 2 + hosts: localhost + tasks: + - name: One + ansible.builtin.template: + src: ../example/foo.j2 + dest: /etc/file.conf + mode: "0644" + - name: Two + ansible.builtin.copy: + src: ../example/foo.conf + dest: /etc/foo.conf + mode: "0644" + - name: Three + win_template: + src: ../example/foo2.j2 + dest: /etc/file.conf + mode: "0644" +``` diff --git a/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md b/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md new file mode 100644 index 00000000000..361b8854825 --- /dev/null +++ b/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md 
@@ -0,0 +1,336 @@ +--- +title: Unpinned Package Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8 +- **Query name:** Unpinned Package Version +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/unpinned_package_version) + +### Description +Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service
+[Documentation](https://ansible.readthedocs.io/projects/lint/rules/package-latest/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="130 8 136 13 144 18 149 23 29 34 40 44 50 55 60 65 74 79 84 89 94 101 106 111 116 121" +--- +- name: Example playbook + hosts: localhost + tasks: + - name: Install Ansible + ansible.builtin.yum: + name: ansible + state: latest + + - name: Install Ansible-lint + ansible.builtin.pip: + name: ansible-lint + state: latest + + - name: Install some-package + ansible.builtin.package: + name: some-package + state: latest + + - name: Install Ansible with update_only to false + ansible.builtin.yum: + name: sudo + state: latest + update_only: false + + - name: Install nmap + community.general.zypper: + name: nmap + state: latest + + - name: Install package without using cache + community.general.apk: + name: foo + state: latest + no_cache: true + + - name: Install apache httpd + ansible.builtin.apt: + name: apache2 + state: latest + + - name: Update Gemfile in another directory + community.general.bundler: + state: latest + chdir: ~/rails_project + + - name: Install a modularity appstream with defined profile + ansible.builtin.dnf: + name: '@postgresql/client' + state: latest + + - name: Install rake + community.general.gem: + name: rake + state: latest + + - name: Install formula foo with 'brew' from cask + community.general.homebrew: + name: homebrew/cask/foo + state: latest + + - name: Install Green Balls plugin + community.general.jenkins_plugin: + name: greenballs + state: latest + url: http://host_jenkins:8080 + username: user_jenkins + password: userpass_jenkins + register: result + + - name: Install packages based on package.json + community.general.npm: + path: /app/location + state: latest + + - name: Install nmap + community.general.openbsd_pkg: + name: nmap + state: latest + + - name: Install ntpdate + ansible.builtin.package: + name: ntpdate + state: 
latest + + - name: Install package bar from file + community.general.pacman: + name: ~/bar-1.0-1-any.pkg.tar.xz + state: latest + + - name: Install finger daemon + community.general.pkg5: + name: service/network/finger + state: latest + + - name: Install several packages + community.general.pkgutil: + name: + - CSWsudo + - CSWtop + state: latest + + - name: Install package foo + community.general.portage: + package: foo + state: latest + + - name: Make sure that it is the most updated package + community.general.slackpkg: + name: foo + state: latest + + - name: Make sure spell foo is installed + community.general.sorcery: + spell: foo + state: latest + + - name: Install package unzip + community.general.swdepot: + name: unzip + state: latest + depot: 'repository:/path' + + - name: Install multiple packages + win_chocolatey: + name: + - procexp + - putty + - windirstat + state: latest + + - name: Install "imagemin" node.js package globally. + community.general.yarn: + name: imagemin + global: true + state: latest + + - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) + ansible.builtin.yum: + name: + - nginx + - postgresql + - postgresql-server + state: latest + + - name: Install local rpm file + community.general.zypper: + name: /tmp/fancy-software.rpm + state: latest +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +--- +- name: Example playbook + hosts: localhost + tasks: + - name: Install Ansible + ansible.builtin.yum: + name: ansible-2.12.7.0 + state: present + + - name: Install Ansible-lint + ansible.builtin.pip: + name: ansible-lint + state: present + version: 5.4.0 + + - name: Update Ansible with update_only to true + ansible.builtin.yum: + name: sudo + state: latest + update_only: true + + - name: Install nmap + community.general.zypper: + name: nmap + state: present + + - name: Install package without using cache + community.general.apk: + name: foo + state: present + no_cache: true + + - name: Install apache httpd + ansible.builtin.apt: + name: apache2 + state: present + + - name: Update Gemfile in another directory + community.general.bundler: + state: present + chdir: ~/rails_project + + - name: Install a modularity appstream with defined profile + ansible.builtin.dnf: + name: '@postgresql/client' + state: present + + - name: Install rake + community.general.gem: + name: rake + state: present + + - name: Install formula foo with 'brew' from cask + community.general.homebrew: + name: homebrew/cask/foo + state: present + + - name: Install Green Balls plugin + community.general.jenkins_plugin: + name: greenballs + version: present + state: present + url: http://host_jenkins:8080 + username: user_jenkins + password: userpass_jenkins + register: result + + - name: Install packages based on package.json + community.general.npm: + path: /app/location + state: present + + - name: Install nmap + community.general.openbsd_pkg: + name: nmap + state: present + + - name: Install ntpdate + ansible.builtin.package: + name: ntpdate + state: present + + - name: Install package bar from file + community.general.pacman: + name: ~/bar-1.0-1-any.pkg.tar.xz + state: present + + - name: Install package bar from file + community.general.pacman: + name: ~/bar-1.0-1-any.pkg.tar.xz + state: present + + - name: Install finger daemon + community.general.pkg5: + name: 
service/network/finger + state: present + + - name: Install several packages + community.general.pkgutil: + name: + - CSWsudo + - CSWtop + state: present + + - name: Install package foo + community.general.portage: + package: foo + state: present + + - name: Make sure that it is the most updated package + community.general.slackpkg: + name: foo + state: present + + - name: Make sure spell foo is installed + community.general.sorcery: + spell: foo + state: present + + - name: Install package unzip + community.general.swdepot: + name: unzip + state: present + depot: 'repository:/path' + + - name: Install multiple packages + win_chocolatey: + name: + - procexp + - putty + - windirstat + state: present + + - name: Install "imagemin" node.js package globally. + community.general.yarn: + name: imagemin + global: true + + - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) + ansible.builtin.yum: + name: + - nginx + - postgresql + - postgresql-server + state: present + + - name: Install local rpm file + community.general.zypper: + name: /tmp/fancy-software.rpm + state: present +``` diff --git a/docs/queries/ansible-queries/common/c6473dae-8477-4119-88b7-b909b435ce7b.md b/docs/queries/ansible-queries/common/c6473dae-8477-4119-88b7-b909b435ce7b.md new file mode 100644 index 00000000000..a45ffc146be --- /dev/null +++ b/docs/queries/ansible-queries/common/c6473dae-8477-4119-88b7-b909b435ce7b.md @@ -0,0 +1,33 @@ +--- +title: Logging of Sensitive Data +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c6473dae-8477-4119-88b7-b909b435ce7b +- **Query name:** Logging of Sensitive Data +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/config/logging_of_sensitive_data) + +### Description +To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True
+[Documentation](https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/ansible-queries/common/d7dc9350-74bc-485b-8c85-fed22d276c43.md b/docs/queries/ansible-queries/common/d7dc9350-74bc-485b-8c85-fed22d276c43.md new file mode 100644 index 00000000000..8332214babc --- /dev/null +++ b/docs/queries/ansible-queries/common/d7dc9350-74bc-485b-8c85-fed22d276c43.md @@ -0,0 +1,33 @@ +--- +title: Communication over HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d7dc9350-74bc-485b-8c85-fed22d276c43 +- **Query name:** Communication over HTTP +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/config/communication_over_http) + +### Description +Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks
+[Documentation](https://docs.ansible.com/ansible/latest/plugins/httpapi.html) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md index 5bd98173bb3..6f2f71ad094 100644 --- a/docs/queries/azureresourcemanager-queries.md +++ b/docs/queries/azureresourcemanager-queries.md @@ -7,40 +7,40 @@ This page contains all queries from AzureResourceManager. |Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| |Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| |Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| |Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| |Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| |Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| |Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| |PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| |Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| |SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| |AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| |Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| |AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| |SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| |Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| |Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| |Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| |Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| |Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| |AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| |SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| diff --git a/docs/queries/cicd-queries.md b/docs/queries/cicd-queries.md index 27b3444d936..dfd54946f88 100644 --- a/docs/queries/cicd-queries.md +++ b/docs/queries/cicd-queries.md @@ -8,4 +8,7 @@ Bellow are listed queries related with CICD GITHUB: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| |Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| diff --git a/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md b/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md new file mode 100644 index 00000000000..1f46c02011b --- /dev/null +++ b/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md @@ -0,0 +1,335 @@ +--- +title: Run Block Injection +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 20f14e1a-a899-4e79-9f09-b6a84cd4649b +- **Query name:** Run Block Injection +- **Platform:** CICD +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cicd/github/run_block_injection) + +### Description +GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.
+[Documentation](https://securitylab.github.com/research/github-actions-untrusted-input/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +name: Web Page To Markdown +on: + issues: + types: [opened] +jobs: + WebPageToMarkdown: + runs-on: ubuntu-latest + steps: + - name: Does the issue need to be converted to markdown + run: | + if [ "${{ github.event.issue.body }}" ]; then + if [[ "${{ github.event.issue.title }}" =~ ^\[Auto\]* ]]; then + : + else + echo "This issue does not need to generate a markdown file." 1>&2 + exit 1; + fi; + else + echo "The description of the issue is empty." 1>&2 + exit 1; + fi; + shell: bash + - name: Checkout + uses: actions/checkout@v3 + with: + ref: ${{ github.head_ref }} + - name: Crawl pages and generate Markdown files + uses: freeCodeCamp-China/article-webpage-to-markdown-action@v0.1.8 + with: + newsLink: '${{ github.event.issue.Body }}' + markDownFilePath: './chinese/articles/' + githubToken: ${{ github.token }} + - name: Git Auto Commit + uses: stefanzweifel/git-auto-commit-action@v4.9.2 + with: + commit_message: '${{ github.event.issue.title }}' + file_pattern: chinese/articles/*.md + commit_user_name: PageToMarkdown Bot + commit_user_email: PageToMarkdown-bot@freeCodeCamp.org +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +name: Pull Request Workflow + +on: + pull_request_target: + types: + - opened + +jobs: + process_pull_request: + runs-on: ubuntu-latest + steps: + - name: Echo Pull Request Body + run: | + echo "Pull Request Body: ${{ github.event.pull_request.body }}" + + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +name: Issue Comment Workflow + +on: + issue_comment: + types: + - created + +jobs: + process_issue_comment: + runs-on: ubuntu-latest + steps: + - name: Echo Issue Comment Body + run: | + echo "Issue Comment Body: ${{ github.event.comment.body }}" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="13" +name: Discussion Workflow + +on: + discussion: + types: + - created + +jobs: + process_discussion: + runs-on: ubuntu-latest + steps: + - name: Echo Discussion Title + run: | + echo "Discussion Title: ${{ github.event.discussion.title }}" + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="13" +name: Discussion Comment Workflow + +on: + discussion_comment: + types: + - created + +jobs: + process_discussion_comment: + runs-on: ubuntu-latest + steps: + - name: Echo Discussion Comment Body + run: | + echo "Discussion Comment Body: ${{ github.event.comment.body }}" + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="13" +name: Author Workflow + +on: + author: + types: + - created + +jobs: + process_author: + runs-on: ubuntu-latest + steps: + - name: Echo Author's Username + run: | + echo "Author's Name: ${{ github.event.authors.name }}" + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="13" +name: Workflow Run Workflow + +on: + workflow_run: + workflows: + - "Your Workflow Name" # Replace with the name of your specific workflow + +jobs: + process_workflow_run: + runs-on: ubuntu-latest + steps: + - name: Echo Workflow Run Name + run: | + echo "Workflow Run Path: ${{ github.event.workflow.path }}" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: check-go-coverage + +on: + pull_request_target: + branches: [master] + +jobs: + coverage: + name: Check Go coverage + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set up Go 1.20.x + uses: actions/setup-go@v4 + with: + go-version: 1.20.x + - name: Run test metrics script + id: testcov + run: | + make test-coverage-report | tee test-results + echo "coverage=$(cat test-results | grep "Total coverage: " test-results | cut -d ":" -f 2 | bc)" >> $GITHUB_ENV + - name: Checks if Go coverage is at least 80% + if: env.coverage < 80 + run: | + echo "Go coverage is lower than 80%: ${{ env.coverage }}%" + exit 1 +``` +```yaml title="Negative test num. 2 - yaml file" +name: Issue Workflow + +on: + issues: + types: + - opened + +jobs: + process_issue: + runs-on: ubuntu-latest + steps: + - name: Greet the New Issue + run: | + # Echo a simple sentence + echo "Hello, a new issue has been opened!" + +``` +```yaml title="Negative test num. 3 - yaml file" +name: Discussion Workflow + +on: + discussion: + types: + - created + +jobs: + process_discussion: + runs-on: ubuntu-latest + steps: + - name: Greet the New Discussion + run: | + echo "Hello, a new discussion has been created!" + +``` +
Negative test num. 4 - yaml file + +```yaml +name: Issue Comment Workflow + +on: + issue_comment: + types: + - created + +jobs: + process_issue_comment: + runs-on: ubuntu-latest + steps: + - name: Greet the New Issue Comment + run: | + echo "Hello, a new issue comment has been created!" + +``` +
+
Negative test num. 5 - yaml file + +```yaml +name: Discussion Comment Workflow + +on: + discussion_comment: + types: + - created + +jobs: + process_discussion_comment: + runs-on: ubuntu-latest + steps: + - name: Greet the New Discussion Comment + run: | + echo "Hello, a new discussion comment has been created!" + +``` +
+
Negative test num. 6 - yaml file + +```yaml +name: Author Workflow + +on: + author: + types: + - created + +jobs: + process_author: + runs-on: ubuntu-latest + steps: + - name: Greet the New Author + run: | + echo "Hello, a new author has been created!" + +``` +
+
Negative test num. 7 - yaml file + +```yaml +name: Workflow Run Workflow + +on: + workflow_run: + workflows: + - "Your Workflow Name" # Replace with the name of your specific workflow + +jobs: + process_workflow_run: + runs-on: ubuntu-latest + steps: + - name: Greet the New Workflow Run + run: | + echo "Hello, a new workflow run has started for 'Your Workflow Name'!" + +``` +
diff --git a/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md b/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md new file mode 100644 index 00000000000..9bd015d46b2 --- /dev/null +++ b/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md @@ -0,0 +1,151 @@ +--- +title: Unsecured Commands +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60fd272d-15f4-4d8f-afe4-77d9c6cc0453 +- **Query name:** Unsecured Commands +- **Platform:** CICD +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cicd/github/unsecured_commands) + +### Description +There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.
+[Documentation](https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-the-events-related-to-incoming-prs) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +name: Vulnerable workflow + +on: + pull_request_target + +env: + # 1. Enable unsecure commands + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + ENVIRONMENT_NAME: prod + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + # 2. Print github context + - run: | + print("""${{ toJSON(github) }}""") + shell: python + - name: Create new PR deployment + uses: actions/github-script@v5 + with: + # 3. Create deployment + script: | + return await github.rest.repos.createDeployment({ + ...context.repo, + ref: context.payload.pull_request.head.sha, + auto_merge: false, + required_contexts: [], + environment: "${{ env.ENVIRONMENT_NAME }}", + transient_environment: false, + production_environment: false, + }); + github-token: ${{ secrets.GITHUB_TOKEN }} +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +name: Vulnerable workflow + +on: + pull_request_target + + +jobs: + deploy: + runs-on: ubuntu-latest + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + steps: + # 2. Print github context + - run: | + print("""${{ toJSON(github) }}""") + shell: python + - name: Create new PR deployment + uses: actions/github-script@v5 + with: + # 3. Create deployment + script: | + return await github.rest.repos.createDeployment({ + ...context.repo, + ref: context.payload.pull_request.head.sha, + auto_merge: false, + required_contexts: [], + environment: "${{ env.ENVIRONMENT_NAME }}", + transient_environment: false, + production_environment: false, + }); + github-token: ${{ secrets.GITHUB_TOKEN }} +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +name: Vulnerable workflow + +on: + pull_request_target + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + # 2. 
Print github context + - run: | + print("""${{ toJSON(github) }}""") + shell: python + - name: Create new PR deployment + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + uses: actions/github-script@v5 + with: + # 3. Create deployment + script: | + return await github.rest.repos.createDeployment({ + ...context.repo, + ref: context.payload.pull_request.head.sha, + auto_merge: false, + required_contexts: [], + environment: "${{ env.ENVIRONMENT_NAME }}", + transient_environment: false, + production_environment: false, + }); + github-token: ${{ secrets.GITHUB_TOKEN }} +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: test-positive +on: + pull_request: + types: [opened, synchronize, edited, reopened] + branches: + - master +jobs: + test-positive: + runs-on: ubuntu-latest + steps: + - name: PR comment + uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411 + with: + comment_tag: title_check + mode: recreate + create_if_not_exists: true +``` diff --git a/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md b/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md new file mode 100644 index 00000000000..9ac4e2e1f66 --- /dev/null +++ b/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md 
@@ -0,0 +1,456 @@
+---
+title: Script Block Injection
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 62ff6823-927a-427f-acf9-f1ea2932d616
+- **Query name:** Script Block Injection
+- **Platform:** CICD
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cicd/github/script_block_injection)
+
+### Description
+GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.
+[Documentation](https://securitylab.github.com/research/github-actions-untrusted-input/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +name: test-script-run + +on: + issues: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="17" +name: test-script-run + +on: + pull_request_target: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="17" +name: test-script-run + +on: + issue_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17" +name: test-script-run + +on: + discussion: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="17" +name: test-script-run + +on: + discussion_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="17" +name: test-script-run + +on: + workflow_run: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.workflow.path }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="17" +name: test-script-run + +on: + author: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + const fs = require('fs'); + const body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'}); + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: test-script-run + +on: + issues: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +```yaml title="Negative test num. 2 - yaml file" +name: test-script-run + +on: + pull_request_target: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +```yaml title="Negative test num. 3 - yaml file" +name: test-script-run + +on: + issue_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
Negative test num. 4 - yaml file + +```yaml +name: test-script-run + +on: + discussion: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+
Negative test num. 5 - yaml file + +```yaml +name: test-script-run + +on: + discussion_comment: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+
Negative test num. 6 - yaml file + +```yaml +name: test-script-run + +on: + workflow_run: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
+
Negative test num. 7 - yaml file + +```yaml +name: test-script-run + +on: + author: + types: [opened] + +jobs: + script-run: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run script + uses: actions/github-script@latest + with: + script: | + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Thanks for reporting!' + }) + + return true; +``` +
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index dd578892adb..f152c9d4fec 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -8,261 +8,261 @@ Bellow are listed queries related with CloudFormation AWS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| |ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| |S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| |S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| |EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| |Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| |Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| |API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| |User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| |KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| |S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| |Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| |RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| |Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| |IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| |CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| |ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| |Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| |Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| |IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| |Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| |MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| |EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| |ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| |ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| |API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| |ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| |S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| |API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| |Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| |CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| |Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
|
 |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
|
+|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
|
+|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
|
 |RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
|
-|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
|
-|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
|
-|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
|
+|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
|
+|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
|
+|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
|
+|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
|
 |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
|
+|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
|
 |Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
|
+|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
|
 |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
|
-|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
|
 |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
|
-|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
|
 |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
|
+|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
|
 |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
|
-|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
|
 |EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
+|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
|
 |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
|
 ### AWS_BOM
@@ -272,18 +272,18 @@ Bellow are listed queries related with CloudFormation AWS_BOM:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
|
+|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
|
+|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
|
+|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
|
+|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
|
+|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
|
+|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
|
 |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
|
+|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
|
+|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
|
 |BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
|
-|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
|
 |BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
|
-|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
|
-|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
|
-|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
|
-|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
|
 |BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
|
-|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
|
-|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
|
 ### AWS_SAM
 Bellow are listed queries related with CloudFormation AWS_SAM:
diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md
index 2a826decd10..a38dfb8cbbc 100644
--- a/docs/queries/crossplane-queries.md
+++ b/docs/queries/crossplane-queries.md
@@ -1,6 +1,16 @@
 ## Crossplane Queries List
 This page contains all queries from Crossplane.
+### AZURE
+Bellow are listed queries related with Crossplane AZURE:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
|
+|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
|
+
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
|
 |DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
|
-|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
 |ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
+|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
 |RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
|
-|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
|
 |DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
|
-|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
|
+|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
|
 |SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
|
+|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
|
 |CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
|
 |CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
|
 |CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
|
@@ -31,13 +41,3 @@ Bellow are listed queries related with Crossplane GCP:
 |------------------------------|--------|--------|-----------|----|
 |Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
|
 |Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
|
-
-### AZURE
-Bellow are listed queries related with Crossplane AZURE:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
|
-|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
|
diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md
index 387e21021f2..207d92a26c0 100644
--- a/docs/queries/dockercompose-queries.md
+++ b/docs/queries/dockercompose-queries.md
@@ -3,24 +3,24 @@ This page contains all queries from DockerCompose.
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
|
 |Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
|
+|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
|
 |Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
|
 |Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
|
 |No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
|
 |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
|
-|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
|
 |Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
|
-|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
|
+|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
|
 |Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
|
 |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
|
-|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
|
-|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
|
+|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
|
 |Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
|
+|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
|
 |Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
|
 |Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
|
-|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
|
 |Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
|
+|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
|
+|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
|
 |Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
|
-|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
|
 |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
|
+|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
|
diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md
index 07a8532f8dc..b898263a992 100644
--- a/docs/queries/dockerfile-queries.md
+++ b/docs/queries/dockerfile-queries.md
@@ -5,50 +5,50 @@ This page contains all queries from Dockerfile.
 |------------------------------|--------|--------|-----------|----|
 |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
|
 |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
|
-|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
|
+|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
|
+|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
|
 |Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
|
 |Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
|
-|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
|
-|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
|
+|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
|
 |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
|
 |Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
|
-|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
|
 |Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
|
+|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
|
 |Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
|
-|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
|
-|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
|
 |Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
|
+|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
|
+|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
|
 |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
|
-|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
|
-|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
|
-|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
|
-|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
|
-|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
|
-|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
|
-|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
|
-|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| |Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| |APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| |Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| |Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| |Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| |Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| |Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| |Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| |MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| |Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| |Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| |Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
|
diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md
index 1b8e8a9a8f7..26a1cea5edc 100644
--- a/docs/queries/googledeploymentmanager-queries.md
+++ b/docs/queries/googledeploymentmanager-queries.md
@@ -8,9 +8,9 @@ Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| |BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| |BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| ### GCP Bellow are listed queries related with GoogleDeploymentManager GCP:
@@ -19,35 +19,35 @@ Bellow are listed queries related with GoogleDeploymentManager GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| |Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| |Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| |Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| |Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| |GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| |Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| |Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| |Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| |COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| |SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| |IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| |Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index f6df29fecc5..b40f8a2f217 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -3,148 +3,148 @@ This page contains all queries from Kubernetes. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| |Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| |Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| |Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| |Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| |Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| |Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| |Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| |PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| |Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| |Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| |Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| |Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| |TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| |Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| |PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| |Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| |Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| |Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| |Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| |Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| |RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| |Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| |Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| |Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| |Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| |Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| |NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| |PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| |PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| |Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| |Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| |Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| |Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| |Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| |Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| |Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| |Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| |Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| |Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| |CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| |Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| |ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| |Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| |Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| |Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| |Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| |Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| |Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| |StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| |Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| |Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| |Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| |Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| |Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| |Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| |Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| |Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| |Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| |Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| |Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| |StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
|
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md
index e036ed99562..63f16d2f8ec 100644
--- a/docs/queries/openapi-queries.md
+++ b/docs/queries/openapi-queries.md
@@ -8,154 +8,209 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3):
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| |Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| |Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| |Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| |Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| |Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| |Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| |Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| |Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| |Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| |Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| |Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| |Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| |Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| |Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| |Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| |Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| |Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| |Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| |Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| |Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| |Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| |Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| |Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| |JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| |JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| |Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| |Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| |Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| |Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| |Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| |Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| |Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| |Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| |Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| |Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| |Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| |Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| |Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| |Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| |Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| |Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| |Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| |Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| |Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| |Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
|
+
+### 2.0
+Bellow are listed queries related with OpenAPI 2.0:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| ### 3.0 Bellow are listed queries related with OpenAPI 3.0: @@ -164,134 +219,79 @@ Bellow are listed queries related with OpenAPI 3.0: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| |Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| |OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| |Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| |Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| |Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| |Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| |Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| |Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| |Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| |Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| |Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| |Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| |Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| |Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| |Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| |Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| |Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| |Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
|
-
-### 2.0
-Bellow are listed queries related with OpenAPI 2.0:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
|
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index bee3c731183..b4cdc0a3f3b 100644
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -1,6 +1,16 @@
 ## Pulumi Queries List
 This page contains all queries from Pulumi.
+### AZURE
+Bellow are listed queries related with Pulumi AZURE:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
|
+
 ### AWS
 Bellow are listed queries related with Pulumi AWS:
@@ -17,8 +27,8 @@ Bellow are listed queries related with Pulumi AWS:
 |IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| |API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
@@ -43,13 +53,3 @@ Bellow are listed queries related with Pulumi GCP:
 |------------------------------|--------|--------|-----------|----|
 |Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| - -### AZURE -Bellow are listed queries related with Pulumi AZURE: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index 562bf1e85a0..9f0bba8809e 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -1,6 +1,121 @@ ## Terraform Queries List This page contains all queries from Terraform. +### AZURE +Bellow are listed queries related with Terraform AZURE: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
+|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
|
+|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
|
+|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
+|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
|
+|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
|
+|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
+|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
|
+|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
|
+|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
|
+|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
|
+|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
|
+|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
+|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
+|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
|
+|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
|
+|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
|
+|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
|
+|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
|
+|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
|
+|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
|
+|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
|
+|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
|
+
+### SHARED (V2/V3)
+Bellow are listed queries related with Terraform SHARED (V2/V3):
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
|
+|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
|
+|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
|
+|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
|
+|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
|
+
 ### AWS
 Bellow are listed queries related with Terraform AWS:
@@ -8,413 +123,342 @@ Bellow are listed queries related with Terraform AWS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
|
-|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
-|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
|
-|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
|
-|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
-|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
|
-|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
|
 |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
|
 |S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
|
-|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
-|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
|
+|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
|
+|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
+|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
|
+|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
|
+|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
+|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
|
+|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
|
 |SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
|
-|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
+|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
|
 |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
|
-|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
|
+|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
+|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
|
+|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
+|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
|
+|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
 |S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
|
-|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
|
 |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
|
-|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
-|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
-|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
|
+|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
 |SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
|
-|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
|
-|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
|
-|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
|
-|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
|
-|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
|
+|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
|
+|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
|
+|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
|
+|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
|
+|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
|
+|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
|
+|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
|
+|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
|
+|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
|
+|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
|
+|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
|
+|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
|
+|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
|
+|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
|
 |DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
|
-|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
|
+|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
|
+|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
|
 |Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
|
-|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
|
-|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
|
-|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
|
 |Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
|
-|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
|
+|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
|
 |Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
|
-|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
|
-|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
|
 |Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
|
-|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
|
 |DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
|
-|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
|
-|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
|
-|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
-|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
|
-|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
|
+|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
|
+|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
|
+|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
|
+|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
|
+|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
|
+|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
|
 |Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
|
-|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
|
-|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
|
+|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
+|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
|
+|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
|
+|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
|
 |CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
|
-|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
|
+|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
|
 |S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
|
-|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
|
-|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
|
-|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
|
-|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
|
-|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
|
-|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
|
-|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
-|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
|
-|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
|
-|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
|
-|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
|
-|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
|
-|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
|
-|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
|
-|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
|
-|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
|
-|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
|
+|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| |Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| |S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| |No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| |EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| |Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| |Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| |RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| |CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| |ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| |IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| |IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| |ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| |Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| |DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| |Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| |ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| |IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| |MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| |Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| |VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| |SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| |VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| |ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| |API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| |API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| |S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| |ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| |CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| |CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| |MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| |CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| |EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| |CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| |Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| |CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
|
-
-### KUBERNETES
-Bellow are listed queries related with Terraform KUBERNETES:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| ### AWS_BOM Bellow are listed queries related with Terraform AWS_BOM: @@ -423,30 +467,17 @@ Bellow are listed queries related with Terraform AWS_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| |BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| |BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| - -### SHARED (V2/V3) -Bellow are listed queries related with Terraform SHARED (V2/V3): - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| ### ALICLOUD Bellow are listed queries related with Terraform ALICLOUD: @@ -455,62 +486,62 @@ Bellow are listed queries related with Terraform ALICLOUD: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| |Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| |RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| |OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| |OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| |RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| |NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| |NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| |Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| |OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| |Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| |RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| |API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| |RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| |ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| |Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| |Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| |Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| |CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| |ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| |ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| |OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| |Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| |CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| |Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| |Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| |Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| |OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| |No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| |RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| |High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| |RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| |Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| |OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| |OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| |RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| |RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| ### GCP_BOM Bellow are listed queries related with Terraform GCP_BOM: @@ -519,12 +550,93 @@ Bellow are listed queries related with Terraform GCP_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| |BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| |BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| |BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| + +### KUBERNETES +Bellow are listed queries related with Terraform KUBERNETES: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
|
+|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
|
+|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
|
+|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
|
+|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
|
+|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
|
+|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
|
+|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
|
+|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
|
+|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
|
+|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
|
+|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
|
+|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
|
+|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
|
+|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
|
+|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
|
+|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
|
+|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
|
+|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
|
+|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
|
+|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
|
+|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
|
+|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
|
+|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
|
+|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
|
+|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
|
+|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
|
+|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
|
+|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
|
+|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
|
+|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
|
+|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
|
+|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
|
+|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
|
+
+### GITHUB
+Bellow are listed queries related with Terraform GITHUB:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
|
+|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| ### GCP Bellow are listed queries related with Terraform GCP: @@ -533,169 +645,57 @@ Bellow are listed queries related with Terraform GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
|
+|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
|
+|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
|
 |OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
|
+|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
|
 |BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
|
-|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
|
-|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
|
 |SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
|
-|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
|
-|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
|
 |KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
|
+|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
|
+|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
|
+|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
|
+|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
|
+|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
|
 |IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
|
+|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
|
 |SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
|
+|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
|
 |Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
|
 |Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
|
-|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
|
-|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
|
-|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
|
-|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
|
-|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
|
-|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
|
 |Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
|
 |Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
|
+|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
|
 |IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
|
 |Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
|
 |Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
|
+|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
|
 |Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
|
 |Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
|
-|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
|
 |KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
|
-|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
|
 |Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
|
+|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
|
+|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
|
+|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
|
+|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
|
+|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
|
 |Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
|
 |Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
|
-|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
|
 |Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
|
 |COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
|
-|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
|
-|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
|
-|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
|
 |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
|
 |GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
|
-|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
|
-|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
|
+|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
|
 |Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
|
+|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
|
 |Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
|
-|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
|
+|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
|
 |IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
|
 |Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
|
 |Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
|
 |Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
 |High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
|
-|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
|
 |Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
|
-|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
+|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
|
 |Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
|
-
-### AZURE
-Bellow are listed queries related with Terraform AZURE:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
|
-|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
|
-|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
|
-|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
|
-|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
|
-|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
|
-|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
|
-|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
|
-|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
|
-|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
|
-|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
|
-|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
|
-|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
|
-|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
|
-|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
|
-|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
|
-|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
|
-|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
|
-|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
|
-|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
|
-|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
|
-|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
|
-|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
|
-|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
|
-|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
-|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| - -### GITHUB -Bellow are listed queries related with Terraform GITHUB: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| From 063bb2761a8b1d98b9cd78deb45917ab14e85e76 Mon Sep 17 00:00:00 2001 From: asofsilva Date: Thu, 28 Sep 2023 16:29:52 +0100 Subject: [PATCH 107/379] new beta feature section --- README.md | 3 +++ assets/utils/experimental-queries.json | 2 ++ docs/index.md | 4 ++++ 3 files changed, 9 insertions(+) diff --git a/README.md b/README.md index 1f118d23978..a37805c45c5 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,9 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur Azure BluePrints    GitHub Workflows    +#### Beta Features + + Support of other solutions and additional cloud providers are on the [roadmap](docs/roadmap.md). diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json index 32960f8ced3..06d45b989fc 100644 --- a/assets/utils/experimental-queries.json +++ b/assets/utils/experimental-queries.json @@ -1,2 +1,4 @@ [ + "terraform/databricks", + "terraform/nifcloud" ] \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index 96fd6b977b4..d4b6987f929 100644 --- a/docs/index.md +++ b/docs/index.md @@ -81,6 +81,10 @@ KICS scans and detects issues in following Infrastructure as Code solutions: +#### Beta Features + + + Support of other solutions, such as Chef, and of additional cloud providers are on the [roadmap](roadmap.md). ## Getting Started From c907eb1653221b98b4b47c28860f6d88576f39cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Ventuzelos?= <46198926+LuisVentuzelos@users.noreply.github.com> Date: Sat, 30 Sep 2023 14:20:08 +0100 Subject: [PATCH 108/379] Update integrations_ghactions.md - changed code-ql action to v2 Updated github/codeql-action/upload-sarif to v2 since v1 was deprecated --- docs/integrations_ghactions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations_ghactions.md b/docs/integrations_ghactions.md index bc2615a4b3f..31cf9693561 100644 --- a/docs/integrations_ghactions.md +++ b/docs/integrations_ghactions.md 
@@ -50,7 +50,7 @@ steps: path: 'terraform' output_path: results-dir - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results-dir/results.sarif ``` From 68a954b47b4c05b0fb58466284222530903f4d1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Ventuzelos?= <46198926+LuisVentuzelos@users.noreply.github.com> Date: Sat, 30 Sep 2023 14:34:37 +0100 Subject: [PATCH 109/379] Update integrations_ghactions.md --- docs/integrations_ghactions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/integrations_ghactions.md b/docs/integrations_ghactions.md index 31cf9693561..f09829cb62c 100644 --- a/docs/integrations_ghactions.md +++ b/docs/integrations_ghactions.md @@ -202,7 +202,7 @@ jobs: cat results-dir/results.sarif cat results-dir/results.json - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results-dir/results.sarif ``` @@ -253,7 +253,7 @@ jobs: path: 'terraform' config_path: ./kics.config - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results-dir/results.sarif ``` From 41957cd10726a5c8512a1a22bea8f25175ba23e6 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Mon, 2 Oct 2023 10:58:16 +0000 Subject: [PATCH 110/379] docs(kicsbot): preparing for release 1.7.9 --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 96fd6b977b4..2f04b89f908 100644 --- a/docs/index.md +++ b/docs/index.md @@ -10,7 +10,7 @@


Version 1.7.8

-

2023.09.14

+

2023.10.02

Contribute!

From 885cb31acd2a991627a3413bdff420af1b1c6b07 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Mon, 2 Oct 2023 12:05:06 +0100 Subject: [PATCH 111/379] update version --- docker/Dockerfile.ubi8 | 2 +- docs/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index a713584aa02..997b6915d5b 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -44,7 +44,7 @@ LABEL name="KICS" \ description="Checkmarx/kics is an opensource project that enable you to find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code find more in https://kics.io" \ maintainer="kics@checkmarx.com" \ vendor="Checkmarx" \ - version="v1.7.8" \ + version="v1.7.9" \ release="1" \ io.k8s.display-name="KICS by Checkmarx" \ io.openshift.tags="kics checkmarx" diff --git a/docs/index.md b/docs/index.md index 2f04b89f908..79a9fac377f 100644 --- a/docs/index.md +++ b/docs/index.md @@ -9,7 +9,7 @@


-

Version 1.7.8

+

Version 1.7.9

2023.10.02

Contribute!

From 1f07e6b5e6b20351e74ed49c4cad5f1764ba8f56 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Mon, 2 Oct 2023 14:32:37 +0100 Subject: [PATCH 112/379] update --- README.md | 5 +---- docs/index.md | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a37805c45c5..40d47ac0e11 100644 --- a/README.md +++ b/README.md @@ -57,10 +57,7 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur GitHub Workflows    #### Beta Features - - - -Support of other solutions and additional cloud providers are on the [roadmap](docs/roadmap.md). +Soon... ## Getting Started diff --git a/docs/index.md b/docs/index.md index 663e519ba59..77a5908301c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -82,10 +82,7 @@ KICS scans and detects issues in following Infrastructure as Code solutions: #### Beta Features - - - -Support of other solutions, such as Chef, and of additional cloud providers are on the [roadmap](roadmap.md). +Soon... ## Getting Started From 5da41f41e892ad694367e38df657348e30f032dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Martins?= Date: Mon, 2 Oct 2023 15:17:28 +0100 Subject: [PATCH 113/379] remove unnecessary variable --- .../terraform/aws/alb_is_not_integrated_with_waf/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego index 3a9cb23ac43..bca984dcf86 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { resource := input.document[i].resource[lb[idx]][name] not is_internal_alb(resource) count({x | x := associated_waf(name)}) == 0 - + result := { "documentId": input.document[i].id, "resourceType": lb[idx], 
@@ -29,7 +29,7 @@ is_internal_alb(resource) {
 }
 associated_waf(name) {
- waf := input.document[_].resource[waf_resources[_]][waf_name]
+ waf := input.document[_].resource[waf_resources[_]][_]
 attribute := waf.resource_arn
 attribute_split := split(attribute, ".")
 options := {"${aws_alb", "${aws_lb"}
From af158b6a4e059147619d7e5ceb97d0033a67be94 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 4 Oct 2023 10:47:33 +0100 Subject: [PATCH 114/379] fix(docker): experimental-queries.json: no such file or directory --- docker/Dockerfile.apispec | 1 + docker/Dockerfile.apispec.debian | 1 + docker/Dockerfile.debian | 3 ++- 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docker/Dockerfile.apispec b/docker/Dockerfile.apispec
index 7a7aa413505..295a7499dfe 100644
--- a/docker/Dockerfile.apispec
+++ b/docker/Dockerfile.apispec
@@ -56,6 +56,7 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
+COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils
 WORKDIR /app/bin
diff --git a/docker/Dockerfile.apispec.debian b/docker/Dockerfile.apispec.debian
index c90f5d44cb6..419a1bef154 100644
--- a/docker/Dockerfile.apispec.debian
+++ b/docker/Dockerfile.apispec.debian
@@ -70,6 +70,7 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
+COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils
 WORKDIR /app/bin
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
index 6c9137aa75f..0b5dac28629 100644
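Review bot: The destination of the added `COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils` has no trailing slash; when a wildcard source matches more than one file Docker requires the destination to be a directory ending in `/` and fails the build, and when it matches exactly one file the content is written as a regular file named `utils` unless that directory already exists, so the `experimental-queries.json: no such file or directory` error this commit is meant to fix can persist. The same line appears in the Dockerfile.apispec.debian hunk of this commit, while the Dockerfile.debian hunk already ends its destination with `/`; patch 116 below adds the slash to both apispec files. The line should read `COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/`.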
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -49,7 +49,7 @@ ENV PATH /app/bin:/usr/bin/git:$PATH
 RUN apt-get update -yq \
 && apt-get install git wget unzip zip -y \
- && apt-get clean \
+ && apt-get clean \git pull
 && rm -rf /var/lib/apt/lists/*
 # Install Terraform and Terraform plugins
@@ -69,6 +69,7 @@ RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d
 COPY --from=build_env /app/bin/kics /app/bin/kics
 COPY --from=build_env /app/assets/queries /app/bin/assets/queries
 COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
+COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 WORKDIR /app/bin
From af3ce389af553f104af22997d3d715e522ea9d49 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 4 Oct 2023 10:53:28 +0100 Subject: [PATCH 115/379] removing typo --- docker/Dockerfile.debian | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
index 0b5dac28629..7746fabc742 100644
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -49,7 +49,7 @@ ENV PATH /app/bin:/usr/bin/git:$PATH
 RUN apt-get update -yq \
 && apt-get install git wget unzip zip -y \
- && apt-get clean \git pull
+ && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
 # Install Terraform and Terraform plugins
From 4e77be948edbe1b209225b52676a1bcffae90f00 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 4 Oct 2023 10:58:52 +0100 Subject: [PATCH 116/379] / added --- docker/Dockerfile.apispec | 2 +- docker/Dockerfile.apispec.debian | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile.apispec b/docker/Dockerfile.apispec
index 295a7499dfe..ef936ff6e9a 100644
--- a/docker/Dockerfile.apispec
+++ b/docker/Dockerfile.apispec
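Review bot: The added `&& apt-get clean \git pull` in the first Dockerfile.debian hunk of patch 114 moves the backslash off the end of the line, so the RUN instruction terminates there and the following `&& rm -rf /var/lib/apt/lists/*` is parsed as a new instruction, which Docker rejects as an unknown instruction; had the shell ever run it, it would have executed `apt-get clean git pull`. The stray text looks like an accidental paste and is unrelated to the assets/utils fix this commit ships, so the line should stay `&& apt-get clean \`; patch 115 below restores exactly that. Keeping the apt lists cleanup inside the same RUN layer also matters because a later layer cannot shrink an earlier one.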
@@ -56,7 +56,7 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
-COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils
+COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 WORKDIR /app/bin
diff --git a/docker/Dockerfile.apispec.debian b/docker/Dockerfile.apispec.debian
index 419a1bef154..c0ceb596087 100644
--- a/docker/Dockerfile.apispec.debian
+++ b/docker/Dockerfile.apispec.debian
@@ -70,7 +70,7 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
-COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils
+COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 WORKDIR /app/bin
From 134ad244485e81fb3ead6b82f88e1c53f34dcab9 Mon Sep 17 00:00:00 2001 From: Tohar Braun Date: Wed, 4 Oct 2023 16:33:23 +0300 Subject: [PATCH 117/379] Fix false positive detections in "api_key_exposed" function --- assets/libraries/openapi.rego | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/assets/libraries/openapi.rego b/assets/libraries/openapi.rego
index eb71f2548b6..5be1653fc47 100644
--- a/assets/libraries/openapi.rego
+++ b/assets/libraries/openapi.rego
@@ -223,12 +223,15 @@ get_schema_info(doc, version) = schemaInfo {
 schemaInfo := {"obj": doc.definitions, "path": "definitions"}
 }
-api_key_exposed(doc, version, s) {
+api_key_exposed(doc, version, s) if {
 version == "3.0"
 doc.components.securitySchemes[s].type == "apiKey"
+ some server in doc.servers
+ startswith(server.url, "http://")
 } else {
 version == "2.0"
 doc.securityDefinitions[s].type == "apiKey"
+ "http" in doc.schemes
 }
 check_scheme(doc, schemeKey, scope, version) {
From 626157e3002b26bcba4343a08e416fd3afe68242 Mon Sep 17 00:00:00 2001 From: Tohar Braun Date: Wed, 4 Oct 2023 17:58:36 +0300 Subject: [PATCH 118/379] Fix false positive detections in "api_key_exposed" function --- assets/libraries/openapi.rego | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/assets/libraries/openapi.rego b/assets/libraries/openapi.rego
index 5be1653fc47..d0dd9ef220c 100644
--- a/assets/libraries/openapi.rego
+++ b/assets/libraries/openapi.rego
@@ -223,15 +223,24 @@ get_schema_info(doc, version) = schemaInfo {
 schemaInfo := {"obj": doc.definitions, "path": "definitions"}
 }
-api_key_exposed(doc, version, s) if {
+api_key_exposed(doc, version, s) {
 version == "3.0"
 doc.components.securitySchemes[s].type == "apiKey"
- some server in doc.servers
+ server := doc.servers[_]
 startswith(server.url, "http://")
+} else {
+ version == "3.0"
+ doc.components.securitySchemes[s].type == "apiKey"
+ not valid_key(doc, "servers")
+} else {
+ version == "2.0"
+ doc.securityDefinitions[s].type == "apiKey"
+ scheme := doc.schemes[_]
+ scheme == "http"
 } else {
 version == "2.0"
 doc.securityDefinitions[s].type == "apiKey"
- "http" in doc.schemes
+ not valid_key(doc, "schemes")
 }
 check_scheme(doc, schemeKey, scope, version) {
From d76543ae746ae13d6c8438b0267da799864a086f Mon Sep 17 00:00:00 2001
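Review bot: The rewritten `api_key_exposed` uses `if`, `some server in doc.servers` and `"http" in doc.schemes`, which are future keywords in Rego and are only accepted when the file imports them (`import future.keywords.if`, `import future.keywords.in`); no such import is visible in the hunk, and the neighbouring rules (`get_schema_info`, `check_scheme`) are written in the classic brace-only form, so unless the import exists outside the hunk the whole library fails to parse and every OpenAPI query that depends on it stops evaluating. Patch 118 on this page rewrites the same rule back to `doc.servers[_]` / `doc.schemes[_]`, which is consistent with that having happened. If the keyword syntax is wanted, add the imports at the top of openapi.rego rather than mixing the two syntaxes in one library.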
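Review bot: The cleartext test recognises only `http://` in the 3.0 branch and the literal `http` scheme in the 2.0 branch, so a Swagger 2.0 document listing `ws` in `schemes`, or an OpenAPI 3.0 server with a `ws://` URL, sends the API key over an unencrypted transport but is no longer reported, and an upper-case `HTTP://` URL slips past `startswith` as well. A small widening keeps the commit's intent of flagging only documented cleartext transports: in the 2.0 branch replace `scheme == "http"` with `cleartext := {"http", "ws"}` followed by `cleartext[scheme]`, and in the 3.0 branch replace `startswith(server.url, "http://")` with `regex.match("^(?i)(http|ws)://", server.url)`. Relative or templated server URLs (`/v1`, `{scheme}://…`) cannot be decided from the document and are rightly left to the new fallback branches, which flag only when `servers`/`schemes` is absent; `valid_key` is presumably the library's key-presence helper, so verify that an empty `servers` list is treated the way this rule expects rather than silently passing.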
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Mon, 9 Oct 2023 12:09:29 +0100 Subject: [PATCH 119/379] Update scan_flags.go --- internal/console/flags/scan_flags.go | 64 ++++++++++++++-------------- 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go
index 14f19eb5aef..e123eb02d8e 100644
--- a/internal/console/flags/scan_flags.go
+++ b/internal/console/flags/scan_flags.go
@@ -2,37 +2,37 @@ package flags // Flags constants for scan const ( - BomFlag = "bom" - CloudProviderFlag = "cloud-provider" - ConfigFlag = "config" - DisableFullDescFlag = "disable-full-descriptions" - ExcludeCategoriesFlag = "exclude-categories" - ExcludePathsFlag = "exclude-paths" - ExcludeQueriesFlag = "exclude-queries" - ExcludeResultsFlag = "exclude-results" - ExcludeSeveritiesFlag = "exclude-severities" + BomFlag = "bom" + CloudProviderFlag = "cloud-provider" + ConfigFlag = "config" + DisableFullDescFlag = "disable-full-descriptions" + ExcludeCategoriesFlag = "exclude-categories" + ExcludePathsFlag = "exclude-paths" + ExcludeQueriesFlag = "exclude-queries" + ExcludeResultsFlag = "exclude-results" + ExcludeSeveritiesFlag = "exclude-severities" ExperimentalQueriesFlag = "experimental-queries" - IncludeQueriesFlag = "include-queries" - InputDataFlag = "input-data" - FailOnFlag = "fail-on" - IgnoreOnExitFlag = "ignore-on-exit" - MinimalUIFlag = "minimal-ui" - NoProgressFlag = "no-progress" - OutputNameFlag = "output-name" - OutputPathFlag = "output-path" - PathFlag = "path" - PayloadPathFlag = "payload-path" - PreviewLinesFlag = "preview-lines" - QueriesPath = "queries-path" - LibrariesPath = "libraries-path" - ReportFormatsFlag = "report-formats" - TypeFlag = "type" - ExcludeTypeFlag = "exclude-type" - TerraformVarsPathFlag = "terraform-vars-path" - QueryExecTimeoutFlag = "timeout" - LineInfoPayloadFlag = "payload-lines" - DisableSecretsFlag = "disable-secrets" - SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec - ExcludeGitIgnore = "exclude-gitignore" - MaxFileSizeFlag = "max-file-size" // orca-specifics + IncludeQueriesFlag = "include-queries" + InputDataFlag = "input-data" + FailOnFlag = "fail-on" + IgnoreOnExitFlag = "ignore-on-exit" + MinimalUIFlag = "minimal-ui" + NoProgressFlag = "no-progress" + OutputNameFlag = "output-name" + OutputPathFlag = "output-path" + PathFlag = "path" + PayloadPathFlag = "payload-path" + PreviewLinesFlag = 
"preview-lines" + QueriesPath = "queries-path" + LibrariesPath = "libraries-path" + ReportFormatsFlag = "report-formats" + TypeFlag = "type" + ExcludeTypeFlag = "exclude-type" + TerraformVarsPathFlag = "terraform-vars-path" + QueryExecTimeoutFlag = "timeout" + LineInfoPayloadFlag = "payload-lines" + DisableSecretsFlag = "disable-secrets" + SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec + ExcludeGitIgnore = "exclude-gitignore" + MaxFileSizeFlag = "max-file-size" // orca-specifics ) From c684c33b526378645fd9571956283e1528701298 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 10 Oct 2023 09:55:13 +0000 Subject: [PATCH 120/379] docs(kicsbot): preparing for release 1.7.10 --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 77a5908301c..eaab07d106c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -10,7 +10,7 @@


Version 1.7.9

-

2023.10.02

+

2023.10.10

Contribute!

From f8ff3f1ea5a659d9429d1db5f3ca397c9b594e04 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 10 Oct 2023 10:59:38 +0100 Subject: [PATCH 121/379] update --- docker/Dockerfile.ubi8 | 2 +- docs/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index 997b6915d5b..d6a00080966 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -44,7 +44,7 @@ LABEL name="KICS" \ description="Checkmarx/kics is an opensource project that enable you to find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code find more in https://kics.io" \ maintainer="kics@checkmarx.com" \ vendor="Checkmarx" \ - version="v1.7.9" \ + version="v1.7.10" \ release="1" \ io.k8s.display-name="KICS by Checkmarx" \ io.openshift.tags="kics checkmarx" diff --git a/docs/index.md b/docs/index.md index eaab07d106c..ceb46663888 100644 --- a/docs/index.md +++ b/docs/index.md @@ -9,7 +9,7 @@


-

Version 1.7.9

+

Version 1.7.10

2023.10.10

Contribute!

From 2423c01d92aa3362434865da2f8d55239650e5da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 13 Oct 2023 15:26:05 +0100 Subject: [PATCH 122/379] Experimental queries as ff with this commit we are change our system of experimental queries from a file that we should read for a feature flag
--- internal/console/assets/scan-flags.json | 4 +- internal/console/scan.go | 2 +- pkg/engine/inspector_test.go | 4 +- pkg/engine/source/filesystem.go | 108 +++++---------- pkg/engine/source/filesystem_test.go | 123 +++++++----------- pkg/engine/source/source.go | 2 +- pkg/model/model.go | 3 +- pkg/remediation/scan.go | 23 ++-- pkg/scan/client.go | 2 +- pkg/scan/scan.go | 13 +- pkg/scanner/scanner_test.go | 2 +- .../experimental/test/metadata.json | 4 +- .../tested/tested_query/metadata.json | 22 ++-- 13 files changed, 115 insertions(+), 197 deletions(-)
diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json
index aa3973fedc0..4b8b4644732 100644
--- a/internal/console/assets/scan-flags.json
+++ b/internal/console/assets/scan-flags.json
@@ -62,8 +62,8 @@
 "experimental-queries": {
 "flagType": "multiStr",
 "shorthandFlag": "",
- "defaultValue": null,
- "usage": "include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)\nexample: 'terraform/databricks'\npossible values found in: '/assets/utils/experimental-queries.json'",
+ "defaultValue": "false",
+ "usage": "include experimental queries (queries not yet thoroughly reviewed) ",
 "validation": "validateMultiStr"
 },
 "fail-on": {
diff --git a/internal/console/scan.go b/internal/console/scan.go
index 52524ae3b48..c9ea0e5f2d7 100644
--- a/internal/console/scan.go
+++ b/internal/console/scan.go
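Review bot: The entry is still registered as `"flagType": "multiStr"` with `"validation": "validateMultiStr"` while `defaultValue` becomes the string `"false"`, yet the same commit reads it with `flags.GetBoolFlag(flags.ExperimentalQueriesFlag)` in `internal/console/scan.go` and `pkg/remediation/scan.go`; a flag registered as a multi-string and read as a bool is unlikely to behave as a plain `--experimental-queries` switch. Register it with whatever flag type and validation this file uses for its other boolean flags (not visible in this hunk) so that registration and `GetBoolFlag` agree. The trailing space in the new `usage` text, `"...thoroughly reviewed) "`, also looks unintended.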
@@ -116,7 +116,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
 ExcludeQueries: flags.GetMultiStrFlag(flags.ExcludeQueriesFlag),
 ExcludeResults: flags.GetMultiStrFlag(flags.ExcludeResultsFlag),
 ExcludeSeverities: flags.GetMultiStrFlag(flags.ExcludeSeveritiesFlag),
- ExperimentalQueries: flags.GetMultiStrFlag(flags.ExperimentalQueriesFlag),
+ ExperimentalQueries: flags.GetBoolFlag(flags.ExperimentalQueriesFlag),
 IncludeQueries: flags.GetMultiStrFlag(flags.IncludeQueriesFlag),
 InputData: flags.GetStrFlag(flags.InputDataFlag),
 OutputName: flags.GetStrFlag(flags.OutputNameFlag),
diff --git a/pkg/engine/inspector_test.go b/pkg/engine/inspector_test.go
index 4e5b584d95b..87e9099700b 100644
--- a/pkg/engine/inspector_test.go
+++ b/pkg/engine/inspector_test.go
@@ -678,7 +678,7 @@ func TestShouldSkipFile(t *testing.T) {
 }
 func newInspectorInstance(t *testing.T, queryPath []string) *Inspector {
- querySource := source.NewFilesystemSource(queryPath, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), filepath.FromSlash("./assets/utils/experimental-queries.json"))
+ querySource := source.NewFilesystemSource(queryPath, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), true)
 var vb = func(ctx *QueryContext, tracker Tracker, v interface{}, detector *detector.DetectLine) (*model.Vulnerability, error) {
 return &model.Vulnerability{}, nil
@@ -701,7 +701,7 @@ type mockSource struct {
 }
 func (m *mockSource) GetQueries(queryFilter *source.QueryInspectorParameters) ([]model.QueryMetadata, error) {
- sources := source.NewFilesystemSource(m.Source, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), filepath.FromSlash("./assets/utils/experimental-queries.json"))
+ sources := source.NewFilesystemSource(m.Source, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), true)
 return sources.GetQueries(queryFilter)
 }
diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
index eab3e6b5048..41f96f469f4 100644
--- a/pkg/engine/source/filesystem.go
+++ b/pkg/engine/source/filesystem.go
@@ -3,7 +3,6 @@ package source
 import (
 "encoding/json"
 "fmt"
- "io"
 "os"
 "path"
 "path/filepath"
@@ -26,7 +25,7 @@ type FilesystemSource struct {
 Types []string
 CloudProviders []string
 Library string
- ExperimentalQueries string
+ ExperimentalQueries bool
 }
 const (
@@ -45,7 +44,7 @@ const (
 )
 // NewFilesystemSource initializes a NewFilesystemSource with source to queries and types of queries to load
-func NewFilesystemSource(source, types, cloudProviders []string, libraryPath, experimentalQueriesPath string) *FilesystemSource {
+func NewFilesystemSource(source, types, cloudProviders []string, libraryPath string, experimentalQueries bool) *FilesystemSource {
 log.Debug().Msg("source.NewFilesystemSource()")
 if len(types) == 0 {
@@ -65,7 +64,7 @@ func NewFilesystemSource(source, types, cloudProviders []string, libraryPath, ex
 Types: types,
 CloudProviders: cloudProviders,
 Library: filepath.FromSlash(libraryPath),
- ExperimentalQueries: experimentalQueriesPath,
+ ExperimentalQueries: experimentalQueries,
 }
 }
@@ -249,33 +248,8 @@ func checkQueryExclude(metadata map[string]interface{}, queryParameters *QueryIn
 // GetQueries walks a given filesource path returns all queries found in an array of
 // QueryMetadata struct
 func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) ([]model.QueryMetadata, error) {
- experimentalQueriesPaths := make([]string, 0)
- if s.ExperimentalQueries != "" {
- experimentalQueriesFile, errOpeningFile := os.Open(s.ExperimentalQueries)
- if errOpeningFile != nil {
- return nil, errOpeningFile
- }
-
- defer func(experimentalQueriesFile *os.File) {
- errClosingFile := experimentalQueriesFile.Close()
- if errClosingFile != nil {
- log.Err(errClosingFile).Msg("Failed to close experimental queries file")
- }
- }(experimentalQueriesFile)
-
- byteValue, err := io.ReadAll(experimentalQueriesFile)
- if err != nil {
- return nil, err
- }
-
- err = json.Unmarshal(byteValue, &experimentalQueriesPaths)
- if err != nil {
- return nil, err
- }
- }
-
- queryDirs, err := s.iterateSources(experimentalQueriesPaths, queryParameters)
+ queryDirs, err := s.iterateSources()
 if err != nil {
 return nil, err
 }
@@ -285,7 +259,7 @@ func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters)
 return queries, nil
 }
-func (s *FilesystemSource) iterateSources(experimentalQueriesPaths []string, queryParameters *QueryInspectorParameters) ([]string, error) {
+func (s *FilesystemSource) iterateSources() ([]string, error) {
 queryDirs := make([]string, 0)
 for _, source := range s.Source {
@@ -300,19 +274,13 @@ func (s *FilesystemSource) iterateSources(experimentalQueriesPaths []string, que } querypathDir := filepath.Dir(p) - absQueryPathDir, err1 := filepath.Abs(querypathDir) - absQueriesPath, err2 := filepath.Abs(source) - if err1 == nil && err2 == nil { - var cleanPlatformCloudProviderDir string - cleanPlatformCloudProviderDir, err = filepath.Rel(absQueriesPath, absQueryPathDir) - if err == nil && isExperimental(querypathDir, cleanPlatformCloudProviderDir, experimentalQueriesPaths, queryParameters) { - queryDirs = append(queryDirs, querypathDir) - } else if err != nil { - return errors.Wrap(err, "Failed to get query relative path") - } - } else { - return errors.Wrap(err, "Failed to get query absolute path") + + if err == nil { + queryDirs = append(queryDirs, querypathDir) + } else if err != nil { + return errors.Wrap(err, "Failed to get query relative path") } + return nil }) if err != nil { 
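Review bot: `} else if err != nil {` directly after `if err == nil {` is just `else`, and the wrapped message `"Failed to get query relative path"` no longer matches what failed: with the `filepath.Abs`/`filepath.Rel` calls removed, `err` here is the error handed to the walk callback, so the message should say so, e.g. `if err != nil { return errors.Wrap(err, "failed to walk query path") }` followed by an unconditional `queryDirs = append(queryDirs, querypathDir)`. The enclosing walk callback and `iterateSources` itself start outside this hunk, so whether `err` is the callback parameter or an outer declaration cannot be confirmed from here.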
@@ -323,32 +291,6 @@ func (s *FilesystemSource) iterateSources(experimentalQueriesPaths []string, que
 return queryDirs, nil
 }
-func isExperimental(
- querypathDir, cleanPlatformCloudProviderDir string,
- experimentalQueriesPaths []string,
- queryParameters *QueryInspectorParameters) bool {
- cleanPlatformCloudProviderDir = filepath.FromSlash(cleanPlatformCloudProviderDir)
- inExperimentalQueriesJSON := false
- for _, queryPath := range experimentalQueriesPaths {
- queryPath = filepath.FromSlash(queryPath)
- if strings.Contains(querypathDir, queryPath) {
- inExperimentalQueriesJSON = true
- break
- }
- }
-
- inExperimentalQueriesFlag := false
- for _, experimentalFlag := range queryParameters.ExperimentalQueries {
- experimentalFlag = filepath.FromSlash(experimentalFlag)
- if strings.HasPrefix(cleanPlatformCloudProviderDir, experimentalFlag) {
- inExperimentalQueriesFlag = true
- break
- }
- }
-
- return inExperimentalQueriesFlag || !inExperimentalQueriesJSON
-}
-
 // iterateQueryDirs iterates all query directories and reads the respective queries
 func (s *FilesystemSource) iterateQueryDirs(queryDirs []string, queryParameters *QueryInspectorParameters) []model.QueryMetadata {
 queries := make([]model.QueryMetadata, 0, len(queryDirs))
@@ -365,6 +307,10 @@ func (s *FilesystemSource) iterateQueryDirs(queryDirs []string, queryParameters
 continue
 }
+ if !queryParameters.ExperimentalQueries && query.Experimental {
+ continue
+ }
+
 if !s.CheckType(query.Metadata["platform"]) {
 continue
 }
@@ -449,13 +395,17 @@ func ReadQuery(queryDir string) (model.QueryMetadata, error) {
 aggregation = int(agg.(float64))
 }
+ readExperimental, _ := metadata["experimental"].(string)
+ experimental := getExperimental(readExperimental)
+
 return model.QueryMetadata{
- Query: path.Base(filepath.ToSlash(queryDir)),
- Content: string(queryContent),
- Metadata: metadata,
- Platform: platform,
- InputData: inputData,
- Aggregation: aggregation,
+ Query: path.Base(filepath.ToSlash(queryDir)),
+ Content: string(queryContent),
+ Metadata: metadata,
+ Platform: platform,
+ InputData: inputData,
+ Aggregation: aggregation,
+ Experimental: experimental,
 }, nil
 }
@@ -523,6 +473,14 @@ func getPlatform(metadataPlatform string) string {
 return "unknown"
 }
+func getExperimental(experimental string) bool {
+ if experimental == "true" {
+ return true
+ } else {
+ return false
+ }
+}
+
 func readInputData(inputDataPath string) (string, error) {
 inputData, err := os.ReadFile(filepath.Clean(inputDataPath))
 if err != nil {
diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go
index 173396bd8cd..af4a516802e 100644
--- a/pkg/engine/source/filesystem_test.go
+++ b/pkg/engine/source/filesystem_test.go
@@ -28,7 +28,7 @@ func BenchmarkFilesystemSource_GetQueries(b *testing.B) {
 Types []string
 CloudProviders []string
 Library string
- ExperimentalQueries string
+ ExperimentalQueries bool
 }
 tests := []struct {
 name string
@@ -41,7 +41,7 @@ func BenchmarkFilesystemSource_GetQueries(b *testing.B) {
 Types: []string{""},
 CloudProviders: []string{""},
 Library: "./assets/libraries",
- ExperimentalQueries: "./assets/utils/experimental-queries.json",
+ ExperimentalQueries: true,
 },
 },
 }
@@ -74,7 +74,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint
 Types []string
 CloudProviders []string
 Library string
- ExperimentalQueries string
+ ExperimentalQueries bool
 }
 tests := []struct {
 name string
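Review bot: `metadata["experimental"].(string)` silently yields `""` when a metadata file encodes the marker as a JSON boolean (`"experimental": true`), so such a query is loaded as non-experimental even with the flag off; the fixtures in this commit use the string `"true"`, but nothing enforces that encoding. `getExperimental`, added in the `@@ -523,6 +473,14 @@` hunk without a doc comment, also reduces to `return experimental == "true"`. A variant that accepts both encodings and documents itself, with the caller passing the raw metadata value:
```go
	experimental := getExperimental(metadata["experimental"])
	// … unchanged: model.QueryMetadata literal …

// getExperimental reports whether a query's metadata marks it as experimental;
// both a JSON boolean and the string "true" are accepted.
func getExperimental(experimental interface{}) bool {
	switch v := experimental.(type) {
	case bool:
		return v
	case string:
		return v == "true"
	}
	return false
}
```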
@@ -90,7 +90,7 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint fields: fields{ Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, excludeCategory: []string{}, excludeSeverities: []string{}, @@ -109,8 +109,9 @@ func TestFilesystemSource_GetQueriesWithExclude(t *testing.T) { //nolint "severity": model.SeverityHigh, "platform": "Terraform", }, - Platform: "terraform", - Aggregation: 1, + Platform: "terraform", + Aggregation: 1, + Experimental: false, }, }, wantErr: false, @@ -198,7 +199,7 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { Types []string CloudProviders []string Library string - ExperimentalQueries string + ExperimentalQueries bool } tests := []struct { name string @@ -212,7 +213,7 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { fields: fields{ Source: []string{source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, includeIDs: []string{"57b9893d-33b1-4419-bcea-b828fb87e318"}, want: []model.QueryMetadata{ @@ -229,8 +230,9 @@ func TestFilesystemSource_GetQueriesWithInclude(t *testing.T) { "severity": model.SeverityHigh, "platform": "Terraform", }, - Platform: "terraform", - Aggregation: 1, + Platform: "terraform", + Aggregation: 1, + Experimental: false, }, }, wantErr: false, @@ -291,7 +293,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint type fields struct { Source []string Library string - ExperimentalQueries string + ExperimentalQueries bool } type args struct { platform string 
@@ -308,7 +310,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "terraform", @@ -321,7 +323,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "common", @@ -334,7 +336,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "cloudFormation", @@ -347,7 +349,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "ansible", @@ -360,7 +362,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "dockerfile", @@ -373,7 +375,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "k8s", 
@@ -384,8 +386,9 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint { name: "get_generic_query_cicd", fields: fields{ - Source: []string{"./assets/queries/template"}, - Library: "./assets/libraries", + Source: []string{"./assets/queries/template"}, + Library: "./assets/libraries", + ExperimentalQueries: true, }, args: args{ platform: "cicd", @@ -398,7 +401,7 @@ func TestFilesystemSource_GetQueryLibrary(t *testing.T) { //nolint fields: fields{ Source: []string{"./assets/queries/template"}, Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", + ExperimentalQueries: true, }, args: args{ platform: "unknown", @@ -435,12 +438,11 @@ func TestFilesystemSource_GetQueries(t *testing.T) { require.NoError(t, err) type fields struct { - Source []string - Types []string - CloudProviders []string - Library string - ExperimentalQueries string - ExperimentalQueriesFlag []string + Source []string + Types []string + CloudProviders []string + Library string + ExperimentalQueries bool } tests := []struct { name string @@ -452,9 +454,8 @@ func TestFilesystemSource_GetQueries(t *testing.T) { name: "get_queries_1", fields: fields{ Source: []string{source_get_queries, source_get_queries}, Types: []string{""}, CloudProviders: []string{""}, - Library: "./assets/libraries", - ExperimentalQueries: "./assets/utils/experimental-queries.json", - ExperimentalQueriesFlag: []string{}, + Library: "./assets/libraries", + ExperimentalQueries: false, }, want: []model.QueryMetadata{ { @@ -470,8 +471,9 @@ func TestFilesystemSource_GetQueries(t *testing.T) { "severity": model.SeverityHigh, "platform": "Terraform", }, - Platform: "terraform", - Aggregation: 1, + Platform: "terraform", + Aggregation: 1, + Experimental: false, }, { Query: "all_auth_users_get_read_access", 
@@ -486,8 +488,9 @@ func TestFilesystemSource_GetQueries(t *testing.T) { "severity": model.SeverityHigh, "platform": "Terraform", }, - Platform: "terraform", - Aggregation: 1, + Platform: "terraform", + Aggregation: 1, + Experimental: false, }, }, wantErr: false, 
@@ -495,50 +498,18 @@ func TestFilesystemSource_GetQueries(t *testing.T) { { name: "get_queries_error", fields: fields{ - Source: []string{"../no-path"}, - ExperimentalQueries: "./assets/utils/experimental-queries.json", - ExperimentalQueriesFlag: []string{}, + Source: []string{"../no-path"}, + ExperimentalQueries: false, }, want: nil, wantErr: true, }, - { - name: "get_queries_experimental_no_flag", - fields: fields{ - Source: []string{source_get_queries_experimental}, Types: []string{""}, CloudProviders: []string{""}, - Library: "./assets/libraries", - ExperimentalQueries: "./test/fixtures/test_experimental_queries/utils/experimental-queries.json", - ExperimentalQueriesFlag: []string{"tested"}, - }, - want: []model.QueryMetadata{ - { - Query: "tested_query", - Content: string(contentByteExperimental), - InputData: "{}", - Metadata: map[string]interface{}{ - "category": "Insecure Configurations", - "descriptionText": "SSL Client Certificate should be enabled", - "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", - "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e34", - "queryName": "API Gateway Without SSL Certificate", - "severity": model.SeverityMedium, - "platform": "Ansible", - "cloudProvider": "aws", - "descriptionID": "82608f36", - }, - Platform: "ansible", - Aggregation: 1, - }, - }, - wantErr: false, - }, { name: "get_queries_experimental_with_flag", fields: fields{ Source: []string{source_get_queries_experimental}, Types: []string{""}, CloudProviders: []string{""}, - Library: "./assets/libraries", - ExperimentalQueries: "./test/fixtures/test_experimental_queries/utils/experimental-queries.json", - ExperimentalQueriesFlag: []string{"experimental"}, + Library: "./assets/libraries", + ExperimentalQueries: true, }, want: []model.QueryMetadata{ { 
@@ -555,9 +526,11 @@ func TestFilesystemSource_GetQueries(t *testing.T) { "platform": "Ansible", "cloudProvider": "aws", "descriptionID": "82608f36", + "experimental": "true", }, - Platform: "ansible", - Aggregation: 1, + Platform: "ansible", + Aggregation: 1, + Experimental: true, }, { Query: "tested_query", @@ -573,9 +546,11 @@ func TestFilesystemSource_GetQueries(t *testing.T) { "platform": "Ansible", "cloudProvider": "aws", "descriptionID": "82608f36", + "experimental": "true", }, - Platform: "ansible", - Aggregation: 1, + Platform: "ansible", + Aggregation: 1, + Experimental: true, }, }, wantErr: false, @@ -591,7 +566,7 @@ func TestFilesystemSource_GetQueries(t *testing.T) { ByIDs: []string{}, ByCategories: []string{}, }, - ExperimentalQueries: tt.fields.ExperimentalQueriesFlag, + ExperimentalQueries: tt.fields.ExperimentalQueries, InputDataPath: "", } got, err := s.GetQueries(&filter) diff --git a/pkg/engine/source/source.go b/pkg/engine/source/source.go index 2b70137ffc9..fb9912b0d3a 100644 --- a/pkg/engine/source/source.go +++ b/pkg/engine/source/source.go @@ -15,7 +15,7 @@ import ( type QueryInspectorParameters struct { IncludeQueries IncludeQueries ExcludeQueries ExcludeQueries - ExperimentalQueries []string + ExperimentalQueries bool InputDataPath string BomQueries bool } diff --git a/pkg/model/model.go b/pkg/model/model.go index fb6aaa03280..8abe34bd083 100644 --- a/pkg/model/model.go +++ b/pkg/model/model.go @@ -141,7 +141,8 @@ type QueryMetadata struct { Platform string // special field for generic queries // represents how many queries are aggregated into a single rego file - Aggregation int + Aggregation int + Experimental bool } // Vulnerability is a representation of a detected vulnerability in scanned files diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index 48f53e57c92..79d51c399da 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go 
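Review bot: `Experimental bool` is added to `QueryMetadata` in `pkg/model/model.go` without a comment, while the neighbouring `Aggregation` field documents its meaning; since `iterateQueryDirs` now skips queries carrying this flag unless experimental queries are enabled, suggest `// Experimental marks a query that is only loaded when experimental queries are enabled` above the field. The new `ExperimentalQueries bool` in `QueryInspectorParameters` (`pkg/engine/source/source.go`) would benefit from a matching one-line comment saying it enables loading of such queries.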
@@ -4,7 +4,6 @@ import (
 "context"
 "encoding/json"
 "errors"
- "path/filepath"
 "time"
 "github.com/Checkmarx/kics/pkg/engine"
@@ -14,7 +13,6 @@ import (
 "github.com/open-policy-agent/opa/topdown"
 "github.com/Checkmarx/kics/internal/console/flags"
- consoleHelpers "github.com/Checkmarx/kics/internal/console/helpers"
 "github.com/Checkmarx/kics/internal/tracker"
 "github.com/Checkmarx/kics/pkg/engine/source"
 "github.com/Checkmarx/kics/pkg/parser"
@@ -187,12 +185,13 @@ func runQuery(r *runQueryInfo) []model.Vulnerability {
 func initScan(queryID string) (*engine.Inspector, error) {
 scanParams := &scan.Parameters{
- QueriesPath: flags.GetMultiStrFlag(flags.QueriesPath),
- Platform: flags.GetMultiStrFlag(flags.TypeFlag),
- CloudProvider: flags.GetMultiStrFlag(flags.CloudProviderFlag),
- LibrariesPath: flags.GetStrFlag(flags.LibrariesPath),
- PreviewLines: flags.GetIntFlag(flags.PreviewLinesFlag),
- QueryExecTimeout: flags.GetIntFlag(flags.QueryExecTimeoutFlag),
+ QueriesPath: flags.GetMultiStrFlag(flags.QueriesPath),
+ Platform: flags.GetMultiStrFlag(flags.TypeFlag),
+ CloudProvider: flags.GetMultiStrFlag(flags.CloudProviderFlag),
+ LibrariesPath: flags.GetStrFlag(flags.LibrariesPath),
+ PreviewLines: flags.GetIntFlag(flags.PreviewLinesFlag),
+ QueryExecTimeout: flags.GetIntFlag(flags.QueryExecTimeoutFlag),
+ ExperimentalQueries: flags.GetBoolFlag(flags.ExperimentalQueriesFlag),
 }
 c := &scan.Client{
@@ -205,18 +204,12 @@ func initScan(queryID string) (*engine.Inspector, error) {
 return &engine.Inspector{}, err
 }
- experimentalQueries, err := consoleHelpers.GetDefaultExperimentalPath(filepath.FromSlash("./assets/utils/experimental-queries.json"))
- if err != nil {
- log.Err(err)
- return &engine.Inspector{}, err
- }
-
 queriesSource := source.NewFilesystemSource(
 c.ScanParams.QueriesPath,
 c.ScanParams.Platform,
 c.ScanParams.CloudProvider,
 c.ScanParams.LibrariesPath,
- experimentalQueries)
+ c.ScanParams.ExperimentalQueries)
 includeQueries := source.IncludeQueries{
 ByIDs: []string{queryID},
diff --git a/pkg/scan/client.go b/pkg/scan/client.go
index 55b07a72cb9..18484ddf8d3 100644
--- a/pkg/scan/client.go
+++ b/pkg/scan/client.go
@@ -21,7 +21,7 @@ type Parameters struct {
 ExcludeQueries []string
 ExcludeResults []string
 ExcludeSeverities []string
- ExperimentalQueries []string
+ ExperimentalQueries bool
 IncludeQueries []string
 InputData string
 OutputName string
diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go
index 8c9f76f38c2..1af9c4fba52 100644
--- a/pkg/scan/scan.go
+++ b/pkg/scan/scan.go
@@ -3,11 +3,7 @@ package scan
 import (
 "context"
- "os"
- "path/filepath"
- "github.com/Checkmarx/kics/assets"
- consoleHelpers "github.com/Checkmarx/kics/internal/console/helpers"
 "github.com/Checkmarx/kics/pkg/engine"
 "github.com/Checkmarx/kics/pkg/engine/provider"
 "github.com/Checkmarx/kics/pkg/engine/secrets"
@@ -26,6 +22,7 @@ import (
 "github.com/Checkmarx/kics/pkg/resolver"
 "github.com/Checkmarx/kics/pkg/resolver/helm"
 "github.com/Checkmarx/kics/pkg/scanner"
+ "os"
 "github.com/rs/zerolog/log"
 )
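Review bot: In `pkg/scan/scan.go` the re-added `"os"` import is inserted into the third-party group, after `"github.com/Checkmarx/kics/pkg/scanner"` and before `"github.com/rs/zerolog/log"`, while the `@@ -3,11 +3,7 @@` hunk of the same file keeps the standard-library imports (`"context"`) in their own leading group; gofmt-style grouping would move it back. Put `"os"` next to `"context"` in the first hunk instead, which makes the `@@ -26,6 +22,7 @@` hunk unnecessary.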
@@ -58,18 +55,12 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) {
 return nil, nil
 }
- experimentalQueries, err := consoleHelpers.GetDefaultExperimentalPath(filepath.FromSlash("./assets/utils/experimental-queries.json"))
- if err != nil {
- log.Err(err)
- return nil, err
- }
-
 querySource := source.NewFilesystemSource(
 c.ScanParams.QueriesPath,
 c.ScanParams.Platform,
 c.ScanParams.CloudProvider,
 c.ScanParams.LibrariesPath,
- experimentalQueries)
+ c.ScanParams.ExperimentalQueries)
 queryFilter := c.createQueryFilter()
diff --git a/pkg/scanner/scanner_test.go b/pkg/scanner/scanner_test.go
index d479778e2cf..5dddffaff5a 100644
--- a/pkg/scanner/scanner_test.go
+++ b/pkg/scanner/scanner_test.go
@@ -97,7 +97,7 @@ func createServices(types, cloudProviders []string) (serviceSlice, *storage.Memo
 }
 t := &tracker.CITracker{}
- querySource := source.NewFilesystemSource(sourcePath, types, cloudProviders, filepath.FromSlash("../../assets/libraries"), filepath.FromSlash("../../assets/utils/experimental-queries.json"))
+ querySource := source.NewFilesystemSource(sourcePath, types, cloudProviders, filepath.FromSlash("../../assets/libraries"), true)
 inspector, err := engine.NewInspector(context.Background(), querySource, engine.DefaultVulnerabilityBuilder,
diff --git a/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json b/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json
index 44f7883c443..43a91062a2b 100644
--- a/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json
+++ b/test/fixtures/test_experimental_queries/experimental_queries_queries/experimental/test/metadata.json
@@ -7,6 +7,6 @@ "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", "platform": "Ansible", "descriptionID": "82608f36", - "cloudProvider": "aws" + "cloudProvider": "aws", + "experimental": "true" } - \ No newline at end of file diff --git a/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json b/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json index 96b8f4bcc79..c432788d1ce 100644 --- a/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json +++ b/test/fixtures/test_experimental_queries/experimental_queries_queries/tested/tested_query/metadata.json @@ -1,12 +1,12 @@ { - "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e34", - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "category": "Insecure Configurations", - "descriptionText": "SSL Client Certificate should be enabled", - "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", - "platform": "Ansible", - "descriptionID": "82608f36", - "cloudProvider": "aws" - } - \ No newline at end of file + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e34", + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "category": "Insecure Configurations", + "descriptionText": "SSL Client Certificate should be enabled", + "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html", + "platform": "Ansible", + "descriptionID": "82608f36", + "cloudProvider": "aws", + "experimental": "true" +} From 5550eb65585ec69ee66ff0df05fd3ae6bf56929e Mon Sep 17 00:00:00 2001 
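Review bot: `tested/tested_query/metadata.json` now carries `"experimental": "true"`, the same marker as `experimental/test/metadata.json`, so the fixture tree no longer contains a non-experimental query and the `ExperimentalQueries: false` path (the new `continue` in `iterateQueryDirs`) is exercised by no test; the `get_queries_experimental_no_flag` case in `filesystem_test.go` was removed rather than updated. Keep `tested_query` without the key (or with `"experimental": "false"`) and restore a case with `ExperimentalQueries: false` that expects only `tested_query` to be returned. The with-flag case would then expect `Experimental: false` for `tested_query` and `true` for `test`.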
From: Lior Jacobian Date: Sun, 15 Oct 2023 09:40:57 +0300 Subject: [PATCH 123/379] feat(panic): add recover for query evaluation process --- e2e/fixtures/E2E_CLI_068_RESULT.json | 98 +++++++++++++++++++ .../e2e-cli-068_corrupted_dockerfile.go | 26 +++++ pkg/engine/inspector.go | 9 +- test/fixtures/dockerfile/corrupted_dockerfile | 5 + 4 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 e2e/fixtures/E2E_CLI_068_RESULT.json create mode 100644 e2e/testcases/e2e-cli-068_corrupted_dockerfile.go create mode 100644 test/fixtures/dockerfile/corrupted_dockerfile diff --git a/e2e/fixtures/E2E_CLI_068_RESULT.json b/e2e/fixtures/E2E_CLI_068_RESULT.json new file mode 100644 index 00000000000..00f5353502a --- /dev/null +++ b/e2e/fixtures/E2E_CLI_068_RESULT.json 
@@ -0,0 +1,98 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 6, + "files_parsed": 1, + "lines_parsed": 6, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 49, + "queries_failed_to_execute": 1, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 1, + "INFO": 0, + "LOW": 1, + "MEDIUM": 1, + "TRACE": 0 + }, + "total_counter": 3, + "total_bom_resources": 0, + "start": "2023-10-15T09:20:54.322549843Z", + "end": "2023-10-15T09:20:57.878486637Z", + "paths": [ + "/path/test/fixtures/dockerfile/corrupted_dockerfile" + ], + "queries": [ + { + "query_name": "Missing User Instruction", + "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + "query_url": "https://docs.docker.com/engine/reference/builder/#user", + "severity": "HIGH", + "platform": "Dockerfile", + "category": "Build Process", + "description": "A user should be specified in the dockerfile, otherwise the image will run as root", + "description_id": "eb49caf6", + "files": [ + { + "file_name": "../../path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "821b0a105dd9ebb6b14489251615d94813a578feb68624113a52ba9c1668ecb7", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + } + ] + }, + { + "query_name": "Image Version Using 'latest'", + "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "query_url": "https://docs.docker.com/develop/dev-best-practices/", + "severity": "MEDIUM", + "platform": "Dockerfile", + "category": "Supply-Chain", + "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the 
application in different environments. Do not rely on the automatically-created latest tag", + "description_id": "22f535ec", + "files": [ + { + "file_name": "../../path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "a32938ae4d056569e5cfda73594f6cb276d4f9ee14a848fb6b642b14defee892", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + } + ] + }, + { + "query_name": "Healthcheck Instruction Missing", + "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", + "severity": "LOW", + "platform": "Dockerfile", + "category": "Insecure Configurations", + "description": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", + "description_id": "426121ee", + "files": [ + { + "file_name": "../../path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "ec1a1e998229f963313752def87ce5027e89997cfb4180c9b356414566f5a029", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } + ] + } + ] +} diff --git a/e2e/testcases/e2e-cli-068_corrupted_dockerfile.go b/e2e/testcases/e2e-cli-068_corrupted_dockerfile.go new file mode 100644 index 00000000000..a454068801c --- /dev/null +++ b/e2e/testcases/e2e-cli-068_corrupted_dockerfile.go 
@@ -0,0 +1,26 @@ +// Package testcases provides end-to-end (E2E) testing functionality for the application. +package testcases + +// E2E-CLI-068 - KICS scan but recover from corrupted dockerfile +// should perform the scan successfully and return exit code 50 +func init() { //nolint + testSample := TestCase{ + Name: "should perform a valid scan and recover from a corrupted dockerfile [E2E-CLI-068]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_068_RESULT", + "-p", "/path/test/fixtures/dockerfile/corrupted_dockerfile", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_068_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{50}, + } + + Tests = append(Tests, testSample) +} diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index 8a729191c17..d47e989b7a7 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go @@ -300,9 +300,16 @@ func (c *Inspector) GetFailedQueries() map[string]error { return c.failedQueries } -func (c *Inspector) doRun(ctx *QueryContext) ([]model.Vulnerability, error) { +func (c *Inspector) doRun(ctx *QueryContext) (vulns []model.Vulnerability, err error) { timeoutCtx, cancel := context.WithTimeout(ctx.Ctx, c.queryExecTimeout) defer cancel() + defer func() { + if r := recover(); r != nil { + errMessage := fmt.Sprintf("Recovered from panic during query '%s' run. ", ctx.Query.Metadata.Query) + err = fmt.Errorf("panic: %v", r) + log.Err(err).Msg(errMessage) + } + }() options := []rego.EvalOption{rego.EvalParsedInput(*ctx.payload)} var cov *cover.Cover diff --git a/test/fixtures/dockerfile/corrupted_dockerfile b/test/fixtures/dockerfile/corrupted_dockerfile new file mode 100644 index 00000000000..fdc2b63f8f8 --- /dev/null +++ b/test/fixtures/dockerfile/corrupted_dockerfile @@ -0,0 +1,5 @@ +FROM alpine:latest + +COPY {{ file_path }} /test + +RUN echo "failure" 
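Review bot: In the new deferred recover in `doRun` (pkg/engine/inspector.go hunk), only `err` is assigned on a panic, so the named result `vulns` keeps whatever value it held when the panic fired; a caller that inspects the slice before the error could consume a partial result set, and an explicit `vulns = nil` next to `err = fmt.Errorf("panic: %v", r)` makes the failed evaluation unambiguous. The recovered value `r` carries no stack, so the log line identifies the query but not the code path that panicked, which is what a maintainer needs when triaging a corrupted-input crash like the new corrupted_dockerfile fixture; `log.Err(err).Str("stack", string(debug.Stack())).Msg(errMessage)` with `runtime/debug` imported keeps that information. `errMessage` also ends with a stray trailing space. The body of `doRun` continues outside the hunk, so whether the recovered error is propagated into `failedQueries` cannot be confirmed from here, though the e2e fixture's `queries_failed_to_execute: 1` suggests it is.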
From c42dd6a067ec72f9c87a99508584540fbf448563 Mon Sep 17 00:00:00 2001 From: Tohar Braun Date: Sun, 15 Oct 2023 22:08:30 +0300 Subject: [PATCH 124/379] fix-exposed-api-key-in-openapi --- .../test/negative5.yaml | 0 .../test/negative5.yaml | 31 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml create mode 100644 assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml new file mode 100644 index 00000000000..a3640a74d8f --- /dev/null +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml @@ -0,0 +1,31 @@ +openapi: "3.0.1" +info: + title: "test" + version: "1.0" +servers: + - url: "https://@API-GW-ID.execute-api.us-east-1.amazonaws.com/{basePath}" + variables: + basePath: + default: "/api" + +paths: + /address: + get: + summary: test + description: test + security: + - authorizer: [ ] + responses: + '200': + description: test + content: + text/plain: + schema: + type: string + +components: + securitySchemes: + authorizer: + type: "apiKey" + name: "authorization" + in: "header" From 5cbe1599be9b3555ba6017bd489d8355b1da62bb Mon Sep 17 00:00:00 2001 From: Tohar Braun Date: Sun, 15 Oct 2023 22:08:52 +0300 Subject: [PATCH 125/379] fix-exposed-api-key-in-openapi --- .../test/negative5.yaml | 32 +++++++++++++++++++ .../test/negative5.yaml | 1 + 2 files changed, 33 insertions(+) 
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml index e69de29bb2d..66fd3f72774 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml +++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/negative5.yaml @@ -0,0 +1,32 @@ +openapi: "3.0.1" +info: + title: "test" + version: "1.0" +servers: + - url: "https://@API-GW-ID.execute-api.us-east-1.amazonaws.com/{basePath}" + variables: + basePath: + default: "/api" + +paths: + /address: + get: + summary: test + description: test + responses: + '200': + description: test + content: + text/plain: + schema: + type: string + +security: + - authorizer: [ ] + +components: + securitySchemes: + authorizer: + type: "apiKey" + name: "authorization" + in: "header" diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml index a3640a74d8f..3c41491337d 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/negative5.yaml @@ -14,6 +14,7 @@ paths: summary: test description: test security: + - apiKey1: [ ] - authorizer: [ ] responses: '200': From 04a5a883b8a9f5316acc1f80a04fcbb2613fa0d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 10:06:03 +0100 Subject: [PATCH 126/379] move casting logic to auxiliary function --- pkg/engine/source/filesystem.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index 41f96f469f4..ec8132be26f 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go 
@@ -395,8 +395,7 @@ func ReadQuery(queryDir string) (model.QueryMetadata, error) { aggregation = int(agg.(float64)) } - readExperimental, _ := metadata["experimental"].(string) - experimental := getExperimental(readExperimental) + experimental := getExperimental(metadata["experimental"]) return model.QueryMetadata{ Query: path.Base(filepath.ToSlash(queryDir)), @@ -473,8 +472,9 @@ func getPlatform(metadataPlatform string) string { return "unknown" } -func getExperimental(experimental string) bool { - if experimental == "true" { +func getExperimental(experimental interface{}) bool { + readExperimental, _ := experimental.(string) + if readExperimental == "true" { return true } else { return false From 5c6e0d880e9e024a05589d9440b59bf6ae9d2fca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 11:13:49 +0100 Subject: [PATCH 127/379] remove experimental from docker file --- Dockerfile | 1 - docs/commands.md | 2 +- internal/console/helpers/helpers.go | 12 ------------ 3 files changed, 1 insertion(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index 38dd8c7611a..b79e429be81 100644 --- a/Dockerfile +++ b/Dockerfile @@ -67,7 +67,6 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0. COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ -COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/ WORKDIR /app/bin diff --git a/docs/commands.md b/docs/commands.md index ad6f93af765..1f5afc447b9 100644 --- a/docs/commands.md +++ b/docs/commands.md 
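Review bot: The `if readExperimental == "true" { return true } else { return false }` shape in the new `getExperimental` is a boolean already, so the body can collapse to `readExperimental, _ := experimental.(string)` followed by `return readExperimental == "true"`. More importantly, `experimental.(string)` with the error ignored silently yields `false` for any non-string value, so a metadata.json that carries a JSON boolean `true` (decoded as Go `bool`, the same way `agg.(float64)` relies on decoded JSON types) would be treated as a non-experimental query and could run by default; if that form is meant to be rejected, a comment stating that only the string `"true"` is accepted would document the contract, otherwise a type switch on `experimental.(type)` handling both `bool` and `string` is the safer reading. The closing braces of `getExperimental` lie outside the hunk.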
@@ -79,7 +79,7 @@ Flags: accepts: all, results, errors, none example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none") -i, --include-queries strings include queries by providing the query ID - cannot be provided with query exclusion flags + c[Dockerfile](..%2FDockerfile)annot be provided with query exclusion flags can be provided multiple times or as a comma separated string example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' --input-data string path to query input data files diff --git a/internal/console/helpers/helpers.go b/internal/console/helpers/helpers.go index 96942ff9189..1209acd033d 100644 --- a/internal/console/helpers/helpers.go +++ b/internal/console/helpers/helpers.go @@ -140,18 +140,6 @@ func GetDefaultQueryPath(queriesPath string) (string, error) { return queriesDirectory, nil } -// GetDefaultExperimentalPath returns the default Experimental path -func GetDefaultExperimentalPath(experimentalQueriesPath string) (string, error) { - log.Debug().Msg("helpers.GetDefaultExperimentalPath()") - experimentalQueriesFile, err := GetFullPath(experimentalQueriesPath) - if err != nil { - return "", err - } - - log.Debug().Msgf("Experimental Queries found in %s", experimentalQueriesFile) - return experimentalQueriesFile, nil -} - // GetFulPath returns the full path of a partial path used for queries or experimental queries json path func GetFullPath(partialPath string) (string, error) { executableDirPath := GetExecutableDirectory() From 38de59ad1fe96422ebe42f4985ed5ebaff01197f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 14:47:54 +0100 Subject: [PATCH 128/379] fix flag information --- docs/commands.md | 28 ++++++++++++++++--------- internal/console/assets/scan-flags.json | 2 +- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index 1f5afc447b9..8f3f0d2d62c 100644 --- a/docs/commands.md 
+++ b/docs/commands.md @@ -1,6 +1,7 @@ # KICS CLI -KICS is a command line tool, and should be used in a terminal. The next section describes the usage, the same help content is displayed when kics is provided with the `--help` flag. +KICS is a command line tool, and should be used in a terminal. The next section describes the usage, the same help +content is displayed when kics is provided with the `--help` flag. ## KICS Command @@ -67,10 +68,7 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' - --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) - example: 'terraform/databricks' - possible values found in: '/assets/utils/experimental-queries.json' + --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) @@ -79,7 +77,7 @@ Flags: accepts: all, results, errors, none example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none") -i, --include-queries strings include queries by providing the query ID - c[Dockerfile](..%2FDockerfile)annot be provided with query exclusion flags + cannot be provided with query exclusion flags can be provided multiple times or as a comma separated string example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' --input-data string path to query input data files 
@@ -134,13 +132,22 @@ Flags: The other commands have no further options. ## Exclude Paths -By default, KICS excludes paths specified in the .gitignore file in the root of the repository. To disable this behavior, use flag `--exclude-gitignore`. + +By default, KICS excludes paths specified in the .gitignore file in the root of the repository. To disable this +behavior, use flag `--exclude-gitignore`. ## Library Flag Usage -As mentioned above, the library flag (`-b` or `--libraries-path`) refers to the directory with libraries. The functions need to be grouped by platform and the library file name should follow the format: `.rego` to be loaded by KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that contains a library for your terraform queries, you should group your functions (used in your terraform queries) in a file named `terraform.rego` wherever you want. +As mentioned above, the library flag (`-b` or `--libraries-path`) refers to the directory with libraries. The functions +need to be grouped by platform and the library file name should follow the format: `.rego` to be loaded by +KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that +contains a library for your terraform queries, you should group your functions (used in your terraform queries) in a +file named `terraform.rego` wherever you want. -This will merge the custom libraries found on the flag's path with KICS's default libraries. Note that any functions declared in a custom library with the same signature as an existing function in the [default libraries](https://github.com/Checkmarx/kics/tree/master/assets/libraries) will cause **the default library function to be overwritten by the custom definition provided**. +This will merge the custom libraries found on the flag's path with KICS's default libraries. 
Note that any functions +declared in a custom library with the same signature as an existing function in +the [default libraries](https://github.com/Checkmarx/kics/tree/master/assets/libraries) will cause **the default library +function to be overwritten by the custom definition provided**. --- @@ -154,7 +161,8 @@ You can only enable one profiler at a time, CPU or MEM. ## Disable Crash Report -You can disable KICS crash report to [sentry.io](https://sentry.io) with `DISABLE_CRASH_REPORT` environment variable set to `0` or `false` e.g: +You can disable KICS crash report to [sentry.io](https://sentry.io) with `DISABLE_CRASH_REPORT` environment variable set +to `0` or `false` e.g: ```sh DISABLE_CRASH_REPORT=0 ./bin/kics version diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 4b8b4644732..c66928b1fdc 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -63,7 +63,7 @@ "flagType": "multiStr", "shorthandFlag": "", "defaultValue": "false", - "usage": "include experimental queries (queries not yet thoroughly reviewed) ", + "usage": "include experimental queries (queries not yet thoroughly reviewed)", "validation": "validateMultiStr" }, "fail-on": { From df2196e915bdf68089cce590db0f306899ee9675 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 15:20:57 +0100 Subject: [PATCH 129/379] wip --- docs/commands.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index 8f3f0d2d62c..e7d4561d728 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -68,7 +68,7 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' - --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) + --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) @@ -138,9 +138,9 @@ behavior, use flag `--exclude-gitignore`. ## Library Flag Usage -As mentioned above, the library flag (`-b` or `--libraries-path`) refers to the directory with libraries. The functions +As mentioned above, the library flag (`-b` or `--libraries-path`) refers to the directory with libraries. The functions need to be grouped by platform and the library file name should follow the format: `.rego` to be loaded by -KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that +KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that contains a library for your terraform queries, you should group your functions (used in your terraform queries) in a file named `terraform.rego` wherever you want. From ee213e5decfb81db2ac3d3eb209a4647d058deab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 15:23:44 +0100 Subject: [PATCH 130/379] wip --- docs/commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/commands.md b/docs/commands.md index e7d4561d728..419e7a9d44d 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -68,7 +68,7 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' - --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) From 672824c6173fee5cbf4bc248811e314f01b31f88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 16:25:55 +0100 Subject: [PATCH 131/379] wip --- e2e/fixtures/assets/scan_help | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index d583c415e36..271b72b5b5e 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -28,10 +28,7 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type inclusion flags - --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) - example: 'terraform/databricks' - possible values found in: '/assets/utils/experimental-queries.json' + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) 
From 1317d676b451d54931b360e86813c4abe6cb4252 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 17:14:29 +0100 Subject: [PATCH 132/379] wip --- docs/dockerhub.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index 6a09fd8865a..d65bc137837 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -104,10 +104,7 @@ Flags: --exclude-severities strings exclude results by providing the severity of a result can be provided multiple times or as a comma separated string example: 'info,low' - --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) - example: 'terraform/databricks' - possible values found in: '/assets/utils/experimental-queries.json' + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) From d3a6af0fe710b936dd4205a3663f5dc55ebf427a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 17:53:28 +0100 Subject: [PATCH 133/379] wip --- docs/commands.md | 2 +- docs/dockerhub.md | 2 +- internal/console/assets/scan-flags.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index 419e7a9d44d..dc6e1fb505b 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -68,7 +68,7 @@ Flags: can be provided multiple times or as a comma separated string example: 'info,low' possible values: 'high, medium, low, info, trace' - --experimental-queries include experimental queries (queries not yet thoroughly reviewed) + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) (default [false]) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index d65bc137837..6c30d17f3fe 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -104,7 +104,7 @@ Flags: --exclude-severities strings exclude results by providing the severity of a result can be provided multiple times or as a comma separated string example: 'info,low' - --experimental-queries include experimental queries (queries not yet thoroughly reviewed) + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) (default [false]) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index c66928b1fdc..4cece324975 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -60,7 +60,7 @@ "usage": "include bill of materials (BoM) in results output" }, "experimental-queries": { - "flagType": "multiStr", + "flagType": "bool", "shorthandFlag": "", "defaultValue": "false", "usage": "include experimental queries (queries not yet thoroughly reviewed)", From 9239e411db19681378c8246266f6f24f59a1cd88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 16 Oct 2023 18:28:56 +0100 Subject: [PATCH 134/379] wip --- internal/console/assets/scan-flags.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 4cece324975..fb7164209fa 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -63,8 +63,7 @@ "flagType": "bool", "shorthandFlag": "", "defaultValue": "false", - "usage": "include experimental queries (queries not yet thoroughly reviewed)", - "validation": "validateMultiStr" + "usage": "include experimental queries (queries not yet thoroughly reviewed)" }, "fail-on": { "flagType": "multiStr", From d272ae6f3ea2c13b3537157e324edbdb54093e1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 17 Oct 2023 09:57:23 +0100 Subject: [PATCH 135/379] fix e2e --- e2e/fixtures/assets/scan_help | 114 +++++++++++++++++----------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 271b72b5b5e..4531f28b2c5 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -2,63 +2,63 @@ Usage: kics scan [flags] Flags: - -m, --bom include bill of materials (BoM) in results output - --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) - --config string path to configuration file - --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions - --disable-secrets disable secrets scanning - --exclude-categories strings exclude categories by providing its name - cannot be provided with query inclusion flags - can be provided multiple times or as a comma separated string - example: 'Access control,Best practices' - --exclude-gitignore disables the exclusion of paths specified within .gitignore file - -e, --exclude-paths strings exclude paths from scan - supports glob and can be provided multiple times or as a quoted comma separated string - example: './shouldNotScan/*,somefile.txt' - --exclude-queries strings exclude queries by providing the query ID - cannot be provided with query inclusion flags - can be provided multiple times or as a comma separated string - example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' - -x, --exclude-results strings exclude results by providing the similarity ID of a result - can be provided multiple times or as a comma separated string - example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...' 
- --exclude-severities strings exclude results by providing the severity of a result - can be provided multiple times or as a comma separated string - example: 'info,low' - --exclude-type strings case insensitive list of platform types not to scan - (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) - cannot be provided with type inclusion flags - --experimental-queries include experimental queries (queries not yet thoroughly reviewed) - --fail-on strings which kind of results should return an exit code different from 0 - accepts: high, medium, low and info - example: "high,low" (default [high,medium,low,info]) - -h, --help help for scan - --ignore-on-exit string defines which kind of non-zero exits code should be ignored - accepts: all, results, errors, none - example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none") - -i, --include-queries strings include queries by providing the query ID - cannot be provided with query exclusion flags - can be provided multiple times or as a comma separated string - example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' - --input-data string path to query input data files - -b, --libraries-path string path to directory with libraries (default "./assets/libraries") - --minimal-ui simplified version of CLI output - --no-progress hides the progress bar - --output-name string name used on report creations (default "results") - -o, --output-path string directory path to store reports - -p, --path strings paths or directories to scan - example: "./somepath,somefile.txt" - --payload-lines adds line information inside the payload when printing the payload file - -d, --payload-path string path to store internal representation JSON file - --preview-lines int number of lines to be display in CLI results (min: 1, max: 
30) (default 3) - -q, --queries-path strings paths to directory with queries (default [./assets/queries]) - --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - -r, --secrets-regexes-path string path to secrets regex rules configuration file - --terraform-vars-path string path where terraform variables are present - --timeout int number of seconds the query has to execute before being canceled (default 60) - -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) - cannot be provided with type exclusion flags + -m, --bom include bill of materials (BoM) in results output + --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) + --config string path to configuration file + --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions + --disable-secrets disable secrets scanning + --exclude-categories strings exclude categories by providing its name + cannot be provided with query inclusion flags + can be provided multiple times or as a comma separated string + example: 'Access control,Best practices' + --exclude-gitignore disables the exclusion of paths specified within .gitignore file + -e, --exclude-paths strings exclude paths from scan + supports glob and can be provided multiple times or as a quoted comma separated string + example: './shouldNotScan/*,somefile.txt' + --exclude-queries strings exclude queries by providing the query ID + cannot be provided with query inclusion flags + can be provided multiple times or as a comma separated string + example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' + -x, --exclude-results 
strings exclude results by providing the similarity ID of a result + can be provided multiple times or as a comma separated string + example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...' + --exclude-severities strings exclude results by providing the severity of a result + can be provided multiple times or as a comma separated string + example: 'info,low' + --exclude-type strings case insensitive list of platform types not to scan + (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + cannot be provided with type inclusion flags + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) + --fail-on strings which kind of results should return an exit code different from 0 + accepts: high, medium, low and info + example: "high,low" (default [high,medium,low,info]) + -h, --help help for scan + --ignore-on-exit string defines which kind of non-zero exits code should be ignored + accepts: all, results, errors, none + example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none") + -i, --include-queries strings include queries by providing the query ID + cannot be provided with query exclusion flags + can be provided multiple times or as a comma separated string + example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' + --input-data string path to query input data files + -b, --libraries-path string path to directory with libraries (default "./assets/libraries") + --minimal-ui simplified version of CLI output + --no-progress hides the progress bar + --output-name string name used on report creations (default "results") + -o, --output-path string directory path to store reports + -p, --path strings paths or directories to scan + example: "./somepath,somefile.txt" + --payload-lines adds line 
information inside the payload when printing the payload file + -d, --payload-path string path to store internal representation JSON file + --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) + -q, --queries-path strings paths to directory with queries (default [./assets/queries]) + --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) + -r, --secrets-regexes-path string path to secrets regex rules configuration file + --terraform-vars-path string path where terraform variables are present + --timeout int number of seconds the query has to execute before being canceled (default 60) + -t, --type strings case insensitive list of platform types to scan + (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + cannot be provided with type exclusion flags Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) From be38c59c59ac16af817b9d980579f22e9ee23ced Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 17 Oct 2023 12:35:17 +0100 Subject: [PATCH 136/379] wip --- internal/tracker/ci_test.go | 1 + pkg/detector/default_detect_test.go | 10 +++++----- pkg/engine/source/filesystem.go | 1 - test/queries_content_test.go | 3 +-- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/internal/tracker/ci_test.go b/internal/tracker/ci_test.go index c20d1d8c159..8e317346298 100644 --- a/internal/tracker/ci_test.go +++ b/internal/tracker/ci_test.go @@ -12,6 +12,7 @@ import ( /* TestCITracker tests the functions [TrackQueryLoad(),TrackQueryExecution(),TrackFileFound(), + TrackFileParse(),TrackFileParse(),FailedDetectLine(),FailedComputeSimilarityID()] */ func TestCITracker(t *testing.T) { 
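Review bot: The added comment line lists `TrackFileParse()` twice in a row, so the doc comment above TestCITracker now names the same function back to back; `TrackFileParse(),FailedDetectLine(),FailedComputeSimilarityID()]` would read correctly. Whether the set of functions the test exercises actually changed is not visible here, since the hunk touches only the comment and the body of TestCITracker lies outside it.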
diff --git a/pkg/detector/default_detect_test.go b/pkg/detector/default_detect_test.go index 5a172807e0b..1118fcb604b 100644 --- a/pkg/detector/default_detect_test.go +++ b/pkg/detector/default_detect_test.go @@ -58,11 +58,11 @@ func Test_detectLine(t *testing.T) { //nolint VulnLines: &[]model.CodeLine{ { Position: 2, - Line: ` bucket = "my-tf-test-bucket"`, + Line: ` bucket = "my-tf-test-bucket"`, }, { Position: 3, - Line: ` acl = "authenticated-read"`, + Line: ` acl = "authenticated-read"`, }, { Position: 4, @@ -92,15 +92,15 @@ func Test_detectLine(t *testing.T) { //nolint VulnLines: &[]model.CodeLine{ { Position: 6, - Line: ` Name = "My bucket"`, + Line: ` Name = "My bucket"`, }, { Position: 7, - Line: ` Environment = "Dev.123"`, + Line: ` Environment = "Dev.123"`, }, { Position: 8, - Line: ` Environment = "test"`, + Line: ` Environment = "test"`, }, }, LineWithVulnerability: "", diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index ec8132be26f..780543bba3e 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -248,7 +248,6 @@ func checkQueryExclude(metadata map[string]interface{}, queryParameters *QueryIn // GetQueries walks a given filesource path returns all queries found in an array of // QueryMetadata struct func (s *FilesystemSource) GetQueries(queryParameters *QueryInspectorParameters) ([]model.QueryMetadata, error) { - queryDirs, err := s.iterateSources() if err != nil { return nil, err diff --git a/test/queries_content_test.go b/test/queries_content_test.go index f17bf655dc0..e3196456067 100644 --- a/test/queries_content_test.go +++ b/test/queries_content_test.go 
@@ -56,8 +56,7 @@ var ( "../assets/queries/terraform/aws/redshift_cluster_without_vpc", "../assets/queries/openAPI/general/response_code_missing", "../assets/queries/cicd/github/run_block_injection", - "../assets/queries/cicd/github/script_block_injection", - + "../assets/queries/cicd/github/script_block_injection", } // TODO uncomment this test once all metadata are fixed From df5c9a942026d0d0699c850922c7f1f3ced74659 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 17 Oct 2023 14:51:52 +0100 Subject: [PATCH 137/379] workaround for lint fails https://github.com/golangci/golangci-lint-action/issues/807 --- .github/workflows/go-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 93c9febd1fb..f155fc5207f 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -14,6 +14,7 @@ jobs: uses: actions/setup-go@v4 with: go-version: 1.20.x + cache: false - name: golangci-lint uses: golangci/golangci-lint-action@v3.5.0 with: From cccc01e42e19b07c0538005ddb6a5818dc116401 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 17 Oct 2023 15:05:36 +0100 Subject: [PATCH 138/379] fix --- pkg/scan/scan.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 1af9c4fba52..dd4c83a1f6c 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -3,6 +3,8 @@ package scan import ( "context" + "os" + "github.com/Checkmarx/kics/assets" "github.com/Checkmarx/kics/pkg/engine" "github.com/Checkmarx/kics/pkg/engine/provider" @@ -22,8 +24,6 @@ import ( "github.com/Checkmarx/kics/pkg/resolver" "github.com/Checkmarx/kics/pkg/resolver/helm" "github.com/Checkmarx/kics/pkg/scanner" - "os" - "github.com/rs/zerolog/log" ) From 056001313c1b7542701eb6447cd7e74051a93ef3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Wed, 18 Oct 2023 09:54:02 +0100 Subject: [PATCH 139/379] fix message of result --- .../terraform/azure/mssql_server_auditing_disabled/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego index a7fb413d6fd..29078294bc9 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(server, name), "searchKey": sprintf("azurerm_mssql_server[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'azurerm_mssql_server_extended_auditing_policy' resource should exist", [name]), - "keyActualValue": sprintf("'azurerm_mssql_server_extended_auditing_policy' resource does not exist", [name]), + "keyExpectedValue": sprintf("'azurerm_mssql_server[%s].extended_auditing_policy' resource should exist", [name]), + "keyActualValue": sprintf("'azurerm_mssql_server[%s].extended_auditing_policy' resource does not exist", [name]), } } From a50ba8a2e83147a6b5e9cfcd2eddcc57ac5bd4b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 20 Oct 2023 21:10:35 +0100 Subject: [PATCH 140/379] Fix the regex to the detection serverless + improve detection of files Ansible With this Pr: - improve the regex to detection of serverless files -improve logic to detection of Ansible files --- pkg/analyzer/analyzer.go | 20 ++++++++++++++++---- pkg/analyzer/analyzer_test.go | 31 +++++++++++++++++++++---------- 2 files changed, 37 insertions(+), 14 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 7830cd414bf..53624544c52 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go 
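Review bot: The new keyExpectedValue/keyActualValue strings describe `azurerm_mssql_server[%s].extended_auditing_policy` as a "resource", while the result's issueType on the preceding context line is MissingAttribute and the path written in the message denotes an attribute of the server; `"keyExpectedValue": sprintf("'azurerm_mssql_server[%s].extended_auditing_policy' should be defined", [name]),` with the matching "is not defined" wording for keyActualValue would agree with the rest of the result. Whether the query also accepts a separate azurerm_mssql_server_extended_auditing_policy resource is decided in the rule body, which lies outside the hunk; if it does, the message should name both forms.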
@@ -60,7 +60,7 @@ var ( pulumiRuntimeRegex = regexp.MustCompile(`runtime\s*:`) pulumiResourcesRegex = regexp.MustCompile(`resources\s*:`) serverlessServiceRegex = regexp.MustCompile(`service\s*:`) - serverlessProviderRegex = regexp.MustCompile(`provider\s*:`) + serverlessProviderRegex = regexp.MustCompile(`(^|\n)provider\s*:`) cicdOnRegex = regexp.MustCompile(`\s*on:\s*`) cicdJobsRegex = regexp.MustCompile(`\s*jobs:\s*`) cicdStepsRegex = regexp.MustCompile(`\s*steps:\s*`) @@ -100,6 +100,9 @@ var ( "pulumi": {"pulumi"}, "serverlessfw": {"serverlessfw"}, } + listKeywordsAnsible = []string{"playbooks", "name", "gather_facts", + "hosts", "tasks", "become", "with_items", "with_dict", + "when", "become_pass", "become_exe", "become_flags"} ) const ( @@ -543,9 +546,18 @@ func checkYamlPlatform(content []byte, path string) string { } } - // Since Ansible has no defining property - // and no other type matched for YAML file extension, assume the file type is Ansible - return ansible + // check if the file contains some keywords related with Ansiable + isAnsible := false + for _, keyword := range listKeywordsAnsible { + if _, ok := yamlContent[keyword]; ok { + isAnsible = true + } + } + + if isAnsible { + return ansible + } + return "" } // computeValues computes expected Lines of Code to be scanned from locCount channel diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go index 8bc7389069d..843e4140d1d 100644 --- a/pkg/analyzer/analyzer_test.go +++ b/pkg/analyzer/analyzer_test.go 
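Review bot: The keyword scan added to checkYamlPlatform treats any top-level key from listKeywordsAnsible as proof of an Ansible file, and that list contains very generic keys such as `name` and `when`, so a YAML document that matched none of the earlier platform checks can still be classified as Ansible on the strength of a single `name:` key; the heuristic nature is worth stating in the comment, e.g. `// Heuristic: treat the document as Ansible if any well-known play key is present at top level`. The loop also keeps iterating after the first hit; `return ansible` inside the `if _, ok := yamlContent[keyword]; ok {` branch, followed by `return ""` after the loop, removes the isAnsible flag and the extra passes. The comment has a typo, `Ansiable` for `Ansible`. checkYamlPlatform starts before this hunk, so the platform checks it falls through from are not visible here.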
@@ -28,10 +28,11 @@ func TestAnalyzer_Analyze(t *testing.T) { wantExclude: []string{ filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), - filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"), + filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")}, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, - wantLOC: 835, + wantLOC: 834, wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, @@ -193,11 +194,11 @@ func TestAnalyzer_Analyze(t *testing.T) { paths: []string{ filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"), }, - wantTypes: []string{"ansible"}, - wantExclude: []string{}, + wantTypes: []string{}, + wantExclude: []string{filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")}, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, - wantLOC: 1, + wantLOC: 0, wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, 
@@ -208,17 +209,25 @@ func TestAnalyzer_Analyze(t *testing.T) { wantTypes: []string{"ansible", "pulumi"}, wantExclude: []string{ filepath.FromSlash("../../test/fixtures/analyzer_test/azureResourceManager.json"), + filepath.FromSlash("../../test/fixtures/analyzer_test/cloudformation.yaml"), + filepath.FromSlash("../../test/fixtures/analyzer_test/crossplane.yaml"), + filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"), + filepath.FromSlash("../../test/fixtures/analyzer_test/docker-compose.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/gdm.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/helm/Chart.yaml"), + filepath.FromSlash("../../test/fixtures/analyzer_test/helm/templates/service.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/helm/values.yaml"), + filepath.FromSlash("../../test/fixtures/analyzer_test/k8s.yaml"), + filepath.FromSlash("../../test/fixtures/analyzer_test/knative.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.json"), + filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), - filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")}, typesFromFlag: []string{"ansible", "pulumi"}, excludeTypesFromFlag: []string{""}, - wantLOC: 533, + wantLOC: 416, wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, 
@@ -247,10 +256,11 @@ func TestAnalyzer_Analyze(t *testing.T) { wantExclude: []string{ filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), - filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"), + filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")}, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, - wantLOC: 835, + wantLOC: 834, wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, @@ -263,10 +273,11 @@ func TestAnalyzer_Analyze(t *testing.T) { filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"), + filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"), }, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, - wantLOC: 835, + wantLOC: 834, wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, From 731f7ff70eb3bcceec2b667830a4cb3b59c55838 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 23 Oct 2023 12:30:12 +0100 Subject: [PATCH 141/379] improve logic before search for keywords make a previous search for playbooks --- pkg/analyzer/analyzer.go | 31 ++++++++++++++++++++++--------- pkg/analyzer/analyzer_test.go | 5 +++-- 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 53624544c52..8c89bef1f61 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go 
@@ -100,9 +100,10 @@ var ( "pulumi": {"pulumi"}, "serverlessfw": {"serverlessfw"}, } - listKeywordsAnsible = []string{"playbooks", "name", "gather_facts", + listKeywordsAnsible = []string{"name", "gather_facts", "hosts", "tasks", "become", "with_items", "with_dict", "when", "become_pass", "become_exe", "become_flags"} + playBooks = "playbooks" ) const ( @@ -547,19 +548,31 @@ func checkYamlPlatform(content []byte, path string) string { } // check if the file contains some keywords related with Ansiable - isAnsible := false - for _, keyword := range listKeywordsAnsible { - if _, ok := yamlContent[keyword]; ok { - isAnsible = true - } - } - - if isAnsible { + if checkForAnsible(yamlContent) { return ansible } return "" } +func checkForAnsible(yamlContent model.Document) bool { + isAnsible := false + if play := yamlContent[playBooks]; play != nil { + if listOfPlayBooks, ok := play.([]interface{}); ok { + for _, value := range listOfPlayBooks { + castingValue, ok := value.(map[string]interface{}) + if ok { + for _, keyword := range listKeywordsAnsible { + if _, ok := castingValue[keyword]; ok { + isAnsible = true + } + } + } + } + } + } + return isAnsible +} + // computeValues computes expected Lines of Code to be scanned from locCount channel // and creates the types and unwanted slices from the channels removing any duplicates func computeValues(types, unwanted chan string, locCount chan int, done chan bool) (typesS, unwantedS []string, locTotal int) { diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go index 843e4140d1d..62ad13a89bf 100644 --- a/pkg/analyzer/analyzer_test.go +++ b/pkg/analyzer/analyzer_test.go 
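Review bot: checkForAnsible has no doc comment, unlike its neighbour computeValues, and its nested loops keep running after the first keyword match; `return true` in place of `isAnsible = true`, with `return false` at the end and the `isAnsible := false` line dropped, states the intent and removes the flag. A comment in the file's style such as `// checkForAnsible reports whether the parsed document carries a "playbooks" list whose plays use known Ansible keys` would fit. The `playbooks` key appears to be how the parser exposes a top-level YAML sequence — that is inferred, since the parser is not in this diff; if a playbook can be parsed into any other shape, the type assertions here silently yield false and the file is then left undetected. The `Ansiable` typo in the comment above the call survives from the previous commit.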
@@ -224,10 +224,11 @@ func TestAnalyzer_Analyze(t *testing.T) { filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), - filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"), + filepath.FromSlash("../../test/fixtures/analyzer_test/github.yaml")}, typesFromFlag: []string{"ansible", "pulumi"}, excludeTypesFromFlag: []string{""}, - wantLOC: 416, + wantLOC: 374, wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, From 9eed37bf5e62042aa1af67a959ae73f797cfe723 Mon Sep 17 00:00:00 2001 From: asofsilva Date: Mon, 23 Oct 2023 12:18:29 +0000 Subject: [PATCH 142/379] docs(queries): update queries catalog --- docs/queries/all-queries.md | 2782 ++++++++--------- docs/queries/ansible-queries.md | 318 +- docs/queries/azureresourcemanager-queries.md | 28 +- docs/queries/cloudformation-queries.md | 356 +-- docs/queries/crossplane-queries.md | 32 +- docs/queries/dockercompose-queries.md | 20 +- docs/queries/dockerfile-queries.md | 42 +- .../02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md | 23 + .../9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md | 20 + .../googledeploymentmanager-queries.md | 44 +- docs/queries/kubernetes-queries.md | 150 +- docs/queries/openapi-queries.md | 386 +-- docs/queries/pulumi-queries.md | 44 +- docs/queries/serverlessfw-queries.md | 2 +- docs/queries/terraform-queries.md | 904 +++--- .../0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md | 28 + .../609839ae-bd81-4375-9910-5bce72ae7b92.md | 40 +- 17 files changed, 2657 insertions(+), 2562 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index e77f2917cf3..7968f06858d 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md 
@@ -3,585 +3,170 @@ This page contains all queries. | Query |Platform|Severity|Category|Description|Help| |-----------------------------|---|---|---|---|---| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that possess Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDB should be encrypted using an AWS Managed CMK instead of an AWS-owned CMK. To verify this, check 'SSEEnabled': false means an AWS-owned CMK is used, true means an AWS-Managed CMK is used. The default value is false. (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that possess Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups should not allow 0.0.0.0/0 for RDP (port 3389) (read more)|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implicit SSH access (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction, since the actions specified in this element are the only actions that are limited (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction (read more)|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if Memcached is disabled on ElastiCache (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| -|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| |Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| |Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| |Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| |Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| |AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| |Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| |App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
|
-|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
|
-|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
|
-|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
+|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
|
+|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
|
 |CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
|
-|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
|
-|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
|
 |Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
|
+|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
 |Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
|
-|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
|
 |SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
|
+|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
|
+|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
|
+|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
|
+|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
|
+|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
|
 |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
|
+|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
|
 |SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
|
 |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
|
-|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
|
-|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
|
 |Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
|
+|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
|
 |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
|
 |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
|
-|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
|
 |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
|
+|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
|
 |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
|
 |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
|
 |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
|
@@ -590,622 +175,617 @@ This page contains all queries.
 |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
|
 |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
|
 |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
|
-|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
|
 |Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
|
 |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
|
+|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
|
+|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
|
 |Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
|
-|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
|
 |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
|
-|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
|
+|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
|
 |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
|
+|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
|
 |Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
|
-|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
|
+|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
|
+|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
|
 |Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
|
-|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
|
-|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
|
 |WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
|
-|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
|
+|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
|
+|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
|
 |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
|
-|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
|
-|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
|
 |PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
|
+|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
+|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
|
 |PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
|
-|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
 |Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
|
-|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
|
+|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
+|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
|
 |Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
+|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
|
+|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
|
 |Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
|
-|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
|
-|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
-|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
|
 |Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
|
-|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
|
+|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
|
 |Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
|
 |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
|
-|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
-|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
-|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
|
 |AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
|
+|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
|
+|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
+|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
 |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
|
+|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
|
 |App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
|
 |Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
|
-|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
|
 |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
|
 |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
|
 |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
|
-|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
|
-|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
|
-|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
|
-|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
|
-|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
|
+|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
+|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
 |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
|
-|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
|
 |MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
|
-|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
-|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
|
+|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
 |S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
|
-|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
-|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
|
+|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
|
 |IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
|
-|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
|
-|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
|
+|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
|
+|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
|
 |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
|
-|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
-|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
|
-|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
+|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
 |S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
|
-|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
-|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
|
+|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
|
 |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
|
-|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
-|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| |IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| |User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| |ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| |CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| |Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| |Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| |Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| |S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| |IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| |VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| |EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| |DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| |KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| |SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| |ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| |ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| |SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| |Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| |AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| |CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| |S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| |ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| |DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| |ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| |API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| |API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| |VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| |Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| |ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| |S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| |CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| |CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| |CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| |SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| |CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| |Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| |DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| |Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| |BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| |BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| |OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| |OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| |OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| |RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| |NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| |OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| |RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| |OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| |ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| |Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| |Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| |CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| |ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| |OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| |ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| |OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| |SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| |CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| |Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| |Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| |ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| |Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| |RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| |OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| |No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| |RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| |High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| |Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| |Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| |OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| |OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| |RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| |RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| |BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| |BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| |BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| |Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| |Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| |Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| |Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| |Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| |Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| @@ -1214,548 +794,968 @@ This page contains all queries. |Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| |Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| |Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| |WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| |PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| |PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| |Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| |Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| |Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| |ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| |CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| |Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| |Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| |Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| |Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| |KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| |RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| |DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| |Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| |Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| |Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| |Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| |Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| |Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| |Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| |Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| |Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| |Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| |Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| |Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| |Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| |Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| |Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| |Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| |Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| |JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| |JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| |Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| |Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| |Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| |Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| |Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| |Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| |Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| |Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| |Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| |Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| |Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| |Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| |Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| |Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| |Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| |Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| |Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| |Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| |Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| |Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| |Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| |Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| |Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| |Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| |Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| |Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| |Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| |Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| |Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| |Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| |Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| |Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| |Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| |Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| |Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| |Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| |Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| |Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| |Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| |Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| |Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| |Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| |Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| |Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| |Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| |Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| |Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| |Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| |Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| |Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| |Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| +|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index 669ed31088b..e33bb2405f6 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -1,6 +1,72 @@ ## Ansible Queries List This page contains all queries from Ansible. +### GCP +Bellow are listed queries related with Ansible GCP: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| + +### HOSTS +Bellow are listed queries related with Ansible HOSTS: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| + ### AZURE Bellow are listed queries related with Ansible AZURE: @@ -8,26 +74,26 @@ Bellow are listed queries related with Ansible AZURE: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| |Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| |Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| |Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| |Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| |Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| @@ -36,32 +102,18 @@ Bellow are listed queries related with Ansible AZURE: |Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| |Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| |Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| |WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| |PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| |PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| |Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| |Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| |Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| - -### SHARED (V2/V3) -Bellow are listed queries related with Ansible SHARED (V2/V3): - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| ### AWS Bellow are listed queries related with Ansible AWS: @@ -70,194 +122,151 @@ Bellow are listed queries related with Ansible AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| |ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| |CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| |Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| |Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| |Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| |Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| |KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| |RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| |DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| |Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| |Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| |CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| |CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
-### GCP
-Bellow are listed queries related with Ansible GCP:
+### SHARED (V2/V3)
+Bellow are listed queries related with Ansible SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
|
 ### CONFIG
 Bellow are listed queries related with Ansible CONFIG:
@@ -270,12 +279,3 @@ Bellow are listed queries related with Ansible CONFIG:
 |Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| |Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| |Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
|
-
-### HOSTS
-Bellow are listed queries related with Ansible HOSTS:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
|
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
index 6f2f71ad094..e6d1c27225f 100644
--- a/docs/queries/azureresourcemanager-queries.md
+++ b/docs/queries/azureresourcemanager-queries.md
@@ -6,41 +6,41 @@ This page contains all queries from AzureResourceManager.
 |Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| |Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| |Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| |Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| |Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| |PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| |AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| |SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| |AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| |Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| |AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| |PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| |SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| |Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| |Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| |Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| |Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| |Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| |AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| |Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| |App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| |SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index f152c9d4fec..ac8c47486c5 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -1,6 +1,24 @@
 ## CloudFormation Queries List
 This page contains all queries from CloudFormation.
+### AWS_SAM
+Bellow are listed queries related with CloudFormation AWS_SAM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
|
+
 ### AWS
 Bellow are listed queries related with CloudFormation AWS:
@@ -8,261 +26,261 @@ Bellow are listed queries related with CloudFormation AWS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| |IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| |S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| |Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| |IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| |S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| |Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| |API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| |Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| |API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| |Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| |KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| |ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| |S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| |Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| |Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| |SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| |DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| |KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| |EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| |SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| |SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| |CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| |RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| |ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| |DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| |Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| |IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| |Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| |EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| |ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| |VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| |Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| |S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| |High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| |Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| |Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| |Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| |ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| |DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
|
 ### AWS_BOM
@@ -272,33 +290,15 @@ Bellow are listed queries related with CloudFormation AWS_BOM:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| |BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| |BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
|
-
-### AWS_SAM
-Bellow are listed queries related with CloudFormation AWS_SAM:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
|
diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md
index a38dfb8cbbc..d264598b2e2 100644
--- a/docs/queries/crossplane-queries.md
+++ b/docs/queries/crossplane-queries.md
@@ -1,6 +1,16 @@
 ## Crossplane Queries List
 This page contains all queries from Crossplane.
+### GCP
+Bellow are listed queries related with Crossplane GCP:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
|
+
 ### AZURE
 Bellow are listed queries related with Crossplane AZURE:
@@ -18,26 +28,16 @@ Bellow are listed queries related with Crossplane AWS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| |ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| |EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| |Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| |CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
|
-
-### GCP
-Bellow are listed queries related with Crossplane GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
|
diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md
index 207d92a26c0..61ff8c0a568 100644
--- a/docs/queries/dockercompose-queries.md
+++ b/docs/queries/dockercompose-queries.md
@@ -4,23 +4,23 @@ This page contains all queries from DockerCompose.
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| |Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| |No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| |Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| |Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| |Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| |Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| |Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| |Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
|
diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md
index b898263a992..4de9205fbaa 100644
--- a/docs/queries/dockerfile-queries.md
+++ b/docs/queries/dockerfile-queries.md
@@ -4,51 +4,51 @@ This page contains all queries from Dockerfile.
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| |Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| |Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| |Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| |Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| |Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| |Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| |Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| |Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| |RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| |Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| |NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| |Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| |Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| |Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| |Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| |Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| |Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| |MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| |Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| |Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| |APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
|
diff --git a/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md b/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md
index 94c42f0b326..eef045db77a 100644
--- a/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md
+++ b/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md
@@ -79,3 +79,26 @@ EXPOSE 5000 CMD ["python", "/usr/src/app/app.py"] ``` +```dockerfile title="Negative test num. 2 - dockerfile file" +FROM alpine:3.4 +RUN apk add --update py-pip=7.1.2-r0 +RUN pip3 install -r pip_requirements.txt +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] + ``` +```dockerfile title="Negative test num. 3 - dockerfile file" +FROM alpine:3.4 +RUN apk add --update py-pip=7.1.2-r0 +RUN pip3 install -c constraints.txt +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] +```
diff --git a/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md b/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md
index 967c0b3a30b..a0d790eb246 100644
--- a/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md
+++ b/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md
@@ -39,6 +39,16 @@ COPY templates/index.html /usr/src/app/templates/ EXPOSE 5000 CMD ["python", "/usr/src/app/app.py"] ``` +```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="7" +FROM ubuntu:22.04 AS test +RUN echo "hello" + +FROM test AS build +RUN echo "build" + +FROM construction AS final +RUN echo "final" +``` #### Code samples without security vulnerabilities 
@@ -56,3 +66,13 @@ FROM $IMAGE CMD ["python", "/usr/src/app/app.py"] ``` +```dockerfile title="Negative test num. 2 - dockerfile file" +FROM ubuntu:22.04 AS test +RUN echo "hello" + +FROM test AS build +RUN echo "build" + +FROM build AS final +RUN echo "final" +```
diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md
index 26a1cea5edc..0e7ad570762 100644
--- a/docs/queries/googledeploymentmanager-queries.md
+++ b/docs/queries/googledeploymentmanager-queries.md
@@ -1,17 +1,6 @@ ## GoogleDeploymentManager Queries List This page contains all queries from GoogleDeploymentManager. -### GCP_BOM -Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
|
-
 ### GCP
 Bellow are listed queries related with GoogleDeploymentManager GCP:
@@ -20,34 +9,45 @@ Bellow are listed queries related with GoogleDeploymentManager GCP:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| |SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| |MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| |Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| |Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| |GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| |Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| |OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| |Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| |COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| |SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
|
 |IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
|
 |Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
|
 |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
+
+### GCP_BOM
+Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
|
+|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
|
+|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
|
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index b40f8a2f217..ff270dbc356 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -3,148 +3,148 @@ This page contains all queries from Kubernetes.
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
|
-|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
|
-|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
|
-|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
|
 |Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
|
-|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
|
+|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
|
+|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
|
 |Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
|
+|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
|
+|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
|
+|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
|
 |Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
|
 |Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
|
 |Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
|
-|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
|
-|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
|
-|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
|
-|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
|
 |Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
|
-|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
|
-|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
|
+|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
|
 |Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
|
+|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
|
+|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
|
+|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
|
+|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
|
+|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
|
 |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
|
-|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
|
-|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
|
-|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
|
+|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
|
 |Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
|
 |Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
|
-|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
|
+|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
|
+|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
|
+|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
|
 |Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
|
-|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
|
+|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
|
 |Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
|
-|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
|
+|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
|
 |PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
|
-|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
|
 |Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
|
-|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
|
-|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
|
-|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
|
-|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
|
+|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
|
+|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
|
 |RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
|
-|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
|
+|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
|
 |Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
|
-|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
|
-|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
|
+|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
|
 |RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
|
 |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
|
 |RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
|
+|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
|
+|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
|
+|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
|
+|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
|
 |Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
|
-|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
|
 |Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
|
-|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
|
+|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
|
 |Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
|
+|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
|
 |Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
|
-|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
|
 |Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
|
-|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
|
-|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
|
+|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
|
 |Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
|
+|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
|
 |Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
|
-|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
|
-|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
|
-|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
|
-|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
|
+|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
|
 |Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
|
-|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
|
-|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
|
-|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
|
 |Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
|
-|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
|
 |Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
|
+|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
|
+|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
|
 |PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
|
+|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
|
+|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
|
+|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
|
+|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
|
 |Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
|
-|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
|
+|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
|
+|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
|
+|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
|
+|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
|
 |Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
|
-|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
|
+|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
|
 |Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
|
-|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
|
-|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
|
 |Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
|
+|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
|
 |CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
|
+|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
|
+|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
|
+|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
|
 |Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
|
-|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| |Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| |Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| |Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| |Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| |CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| |Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| |Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| |Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| |Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| |Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| |Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| |Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| |Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| |Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| |Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| |Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| |Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| |Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| |Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| |Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| |StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| |CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md index 63f16d2f8ec..55add2f0b27 100644 --- a/docs/queries/openapi-queries.md +++ b/docs/queries/openapi-queries.md @@ -1,6 +1,61 @@ ## OpenAPI Queries List This page contains all queries from OpenAPI. +### 2.0 +Bellow are listed queries related with OpenAPI 2.0: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
|
+|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
|
+|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| + ### SHARED (V2/V3) Bellow are listed queries related with OpenAPI SHARED (V2/V3): @@ -8,209 +63,154 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
|
-|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
|
-|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
-|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
|
+|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
|
+|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
|
 |Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
|
 |Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
|
-|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
|
-|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
|
+|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
+|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
|
 |Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
|
 |Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
|
-|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
|
-|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
|
 |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
 |Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
|
-|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
|
-|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
|
+|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
|
+|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
|
+|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
|
+|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
|
 |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
|
 |Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
|
-|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
|
-|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
|
+|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
|
+|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
|
 |Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
 |Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
|
-|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
|
-|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
|
+|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
|
+|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
|
+|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
|
+|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
|
+|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
|
+|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
|
 |Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
|
 |Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
|
+|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
|
+|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
|
+|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
|
+|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
|
 |Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
|
 |Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
|
 |Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
|
 |Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
|
-|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
|
-|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
|
-|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
|
-|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
|
-|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
|
-|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
|
 |JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
|
 |JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
|
-|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
|
-|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
|
-|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
|
-|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
-|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
|
-|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
|
+|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
|
+|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
|
 |Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
|
 |Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
-|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
|
-|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
+|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
|
+|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
|
 |Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
|
 |Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
|
+|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
 |Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
|
 |Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
-|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
|
-|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
|
+|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
|
+|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
|
 |Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
|
 |Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
|
-|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
|
-|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
|
-|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
|
-|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
|
+|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
|
+|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
|
+|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
 |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
|
 |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
|
 |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
|
 |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
|
-|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
|
-|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
|
-|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
|
-|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
|
 |Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
|
 |Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
|
+|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
|
+|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
|
+|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
|
+|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
|
 |Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
|
 |Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
|
+|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
|
+|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
|
 |Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
|
 |Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
|
+|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
|
+|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
|
+|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
|
+|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
|
 |Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
|
 |Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
|
-|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
|
-|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
|
-|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
|
-|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
|
-|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
|
-|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
|
 |Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
|
 |Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
|
+|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
|
+|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
|
+|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
|
+|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
|
+|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
|
+|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
|
+|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
|
+|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
|
 |Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
|
 |Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
|
-|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
|
-|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
|
-|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
|
-|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
|
-|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
|
-|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
|
-|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
|
-|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
|
-|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
|
-|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
|
 |Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
|
 |Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
|
-|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
|
-|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| |Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| |Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| |Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| |Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| |Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| |Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| |Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| |Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| |Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| |Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| |Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| |Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| - -### 2.0 -Bellow are listed queries related with OpenAPI 2.0: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| ### 3.0 Bellow are listed queries related with OpenAPI 3.0: @@ -219,79 +219,79 @@ Bellow are listed queries related with OpenAPI 3.0: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| |Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| |Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| |Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| |Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| |Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| |Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| |Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| |Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| |Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| |Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| |Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| |Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| |Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| |Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| |Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| |Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| |Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| |Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| |Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| |Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| |Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| |Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
|
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index b4cdc0a3f3b..6cdee433906 100644
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -1,6 +1,26 @@
 ## Pulumi Queries List
 This page contains all queries from Pulumi.
+### GCP
+Bellow are listed queries related with Pulumi GCP:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| + +### KUBERNETES +Bellow are listed queries related with Pulumi KUBERNETES: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
|
+
 ### AZURE
 Bellow are listed queries related with Pulumi AZURE:
@@ -23,33 +43,13 @@ Bellow are listed queries related with Pulumi AWS:
 |Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| |ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| |API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| |Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| |DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
|
-
-### KUBERNETES
-Bellow are listed queries related with Pulumi KUBERNETES:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
|
-
-### GCP
-Bellow are listed queries related with Pulumi GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
|
diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md
index 101bf95371c..ede01692de5 100644
--- a/docs/queries/serverlessfw-queries.md
+++ b/docs/queries/serverlessfw-queries.md
@@ -6,8 +6,8 @@ This page contains all queries from ServerlessFW.
 |Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| |Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| |Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| |Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| |Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index 9f0bba8809e..6f7042845a2 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -1,6 +1,139 @@
 ## Terraform Queries List
 This page contains all queries from Terraform.
+### GCP
+Bellow are listed queries related with Terraform GCP:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
|
+
+### KUBERNETES
Bellow are listed queries related with Terraform KUBERNETES:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Tiller (Helm v2) Is Deployed<br/>
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
|
+
 ### AZURE
 Bellow are listed queries related with Terraform AZURE:
@@ -8,49 +141,49 @@ Bellow are listed queries related with Terraform AZURE:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Function App Authentication Disabled<br/>
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| |Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| |Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| |Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| |Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| |AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| |Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| |App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| |CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| |Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| |SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| |SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| |Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| @@ -59,63 +192,50 @@ Bellow are listed queries related with Terraform AZURE: |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| |Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| |Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| |Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| |Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| |WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| |PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| |PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| |Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| |Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| |Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| |Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| |Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| |AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| |App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| |Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| -### SHARED (V2/V3) -Bellow are listed queries related with Terraform SHARED (V2/V3): - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| - ### AWS Bellow are listed queries related with Terraform AWS: @@ -123,342 +243,352 @@ Bellow are listed queries related with Terraform AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| |MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| |S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| |IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| |S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| |IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| |User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| |ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| |CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| |Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| |Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| |Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| |S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| |IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| |VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| |EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| |DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| |KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| |SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| |ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| |ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| |SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| |Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| |AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| |CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| |S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| |ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| |DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| |ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| |API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| |API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| |VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| |Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| |ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| |S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| |CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| |CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| |CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| |SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| |CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| |Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| |DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| |Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
|
+
+### GITHUB
+Bellow are listed queries related with Terraform GITHUB:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| ### AWS_BOM Bellow are listed queries related with Terraform AWS_BOM:
@@ -467,17 +597,17 @@ Bellow are listed queries related with Terraform AWS_BOM:
| Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| |BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| |BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| ### ALICLOUD Bellow are listed queries related with Terraform ALICLOUD:
@@ -486,216 +616,86 @@ Bellow are listed queries related with Terraform ALICLOUD:
| Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| |OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| |OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| |OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| |RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| |NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| |OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| |RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| |RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| |OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| |ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| |Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| |Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| |CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| |ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| |OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| |ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| |OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| |SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| |CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| |Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| |Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| |ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| |Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| |RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| |OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| |No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| |RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| |High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| |Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| |Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| |OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| |OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| |RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| |RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
|
-### GCP_BOM
-Bellow are listed queries related with Terraform GCP_BOM:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
|
-
-### KUBERNETES
-Bellow are listed queries related with Terraform KUBERNETES:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| - -### GITHUB -Bellow are listed queries related with Terraform GITHUB: +### SHARED (V2/V3) +Bellow are listed queries related with Terraform SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -### GCP -Bellow are listed queries related with Terraform GCP: +### GCP_BOM +Bellow are listed queries related with Terraform GCP_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| diff --git a/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md b/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md index fcbb7de02ad..13d896678da 100644 --- a/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md +++ b/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md @@ -40,6 +40,20 @@ resource "aws_wafregional_web_acl_association" "foo_waf" { } +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_lb" "alb" { + name = "test-lb-tf" + internal = false + load_balancer_type = "application" + security_groups = [aws_security_group.lb_sg.id] + subnets = [for subnet in aws_subnet.public : subnet.id] +} + +resource "aws_wafv2_web_acl_association" "alb_waf_association" { + resource_arn = aws_lb.alba.arn + web_acl_arn = aws_wafv2_web_acl.example.arn +} ``` @@ -57,3 +71,17 @@ resource "aws_wafregional_web_acl_association" "foo_waf33" { # trigger validation ``` +```tf title="Negative test num. 2 - tf file" +resource "aws_lb" "alb" { + name = "test-lb-tf" + internal = false + load_balancer_type = "application" + security_groups = [aws_security_group.lb_sg.id] + subnets = [for subnet in aws_subnet.public : subnet.id] +} + +resource "aws_wafv2_web_acl_association" "alb_waf_association" { + resource_arn = aws_lb.alb.arn + web_acl_arn = aws_wafv2_web_acl.example.arn +} +``` diff --git a/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md b/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md index 93582eae8df..3b9fef30422 100644 --- a/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md +++ b/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md @@ -24,7 +24,7 @@ hide: ### Description Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'
-[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server) +[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy) ### Code samples #### Code samples with security vulnerabilities @@ -42,19 +42,43 @@ resource "azurerm_mssql_server" "positive1" { #### Code samples without security vulnerabilities ```tf title="Negative test num. 1 - tf file" -resource "azurerm_mssql_server" "negative1" { +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_mssql_server" "example" { name = "mssqlserver" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location version = "12.0" administrator_login = "mradministrator" administrator_login_password = "thisIsDog11" +} - extended_auditing_policy { - storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint - storage_account_access_key = azurerm_storage_account.example.primary_access_key - storage_account_access_key_is_secondary = true - retention_in_days = 90 - } +resource "azurerm_mssql_database" "example" { + name = "example-db" + server_id = azurerm_mssql_server.example.id } + +resource "azurerm_storage_account" "example" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_mssql_server_extended_auditing_policy" "example" { + database_id = azurerm_mssql_database.example.id + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = false + retention_in_days = 6 +} + ``` 
From 75bdd3579e0846dc4b16a7c08da6e0bf4865b42e Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Wed, 25 Oct 2023 09:54:36 +0300 Subject: [PATCH 143/379] Fix typo --- .../docs-generator/query-page-generator/query-page-generator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/scripts/docs-generator/query-page-generator/query-page-generator.py b/.github/scripts/docs-generator/query-page-generator/query-page-generator.py index 4e75c3b1a0c..b63c710be51 100644 --- a/.github/scripts/docs-generator/query-page-generator/query-page-generator.py +++ b/.github/scripts/docs-generator/query-page-generator/query-page-generator.py @@ -138,7 +138,7 @@ def format_positive_tests(positive_tests : dict) -> str: for idx, x in enumerate(positive_tests): filename = x.get('fileName') extension = filename.split(".")[-1] - title = f'Postitive test num. {idx + 1} - {extension} file' + title = f'Positive test num. {idx + 1} - {extension} file' code = x.get('code') results_lines = '' From 80d73a3c2e6ed0ea9c2a15683241e72f06e9bf1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 26 Oct 2023 11:58:12 +0100 Subject: [PATCH 144/379] update message of Not Using JSON In CMD And ENTRYPOINT Arguments --- .../query.rego | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego index 58f11277f8b..9610584e0eb 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego @@ -5,7 +5,7 @@ import data.generic.dockerfile as dockerLib CxPolicy[result] { resource := input.document[i].command[name][_] dockerLib.check_multi_stage(name, input.document[i].command) - + resource.Cmd == "cmd" resource.JSON == false 
@@ -13,15 +13,15 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} is in the JSON Notation", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} isn't in the JSON Notation", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} is in the JSON Notation", [resource.Original]), + "keyActualValue": sprintf("{{%s}} isn't in the JSON Notation", [resource.Original]), } } CxPolicy[result] { resource := input.document[i].command[name][_] dockerLib.check_multi_stage(name, input.document[i].command) - + resource.Cmd == "entrypoint" resource.JSON == false @@ -29,7 +29,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} is in the JSON Notation", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} isn't in the JSON Notation", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} is in the JSON Notation", [resource.Original]), + "keyActualValue": sprintf("{{%s}} isn't in the JSON Notation", [resource.Original]), } } From c0e0db0f6ea68539bb6a9c6f7d29ac45feccb69a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 26 Oct 2023 13:05:54 +0100 Subject: [PATCH 145/379] update the info message on queries --- .../query.rego | 8 ++++---- .../query.rego | 12 ++++++------ .../missing_flag_from_dnf_install/query.rego | 2 +- .../dockerfile/yum_clean_all_missing/query.rego | 4 ++-- .../yum_install_allows_manual_input/query.rego | 8 ++++---- 5 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego index 9db9703d678..55453f2ca0e 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego @@ -18,8 +18,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} avoids manual input", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } @@ -37,8 +37,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} avoids manual input", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), } } diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index d217ce50692..02555acdaf1 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego 
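Review bot: In the `@@ -37,8 +37,8 @@` hunk the two new `sprintf` calls still pass `[name, resource.Original]` although the format string now has only one `%s`; OPA's `sprintf` hands its arguments to Go's `fmt`, which I believe renders the surplus argument as a trailing `%!(EXTRA string=…)` inside the finding text rather than failing. The first hunk of this file already has the correct form, `sprintf("{{%s}} avoids manual input", [resource.Original])`, and the second rule should match it for both `keyExpectedValue` and `keyActualValue`. The enclosing `CxPolicy` rule starts before the hunk.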
@@ -21,20 +21,20 @@ CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "run" value := resource.Value - + contains(value[v], shell_possibilities[p]) run_values := split(value[v], " ") command := run_values[0] command_possibilities := {"mv", "chsh", "usermod", "ln"} - command == command_possibilities[cp] + command == command_possibilities[cp] result := { "debug": sprintf("%s", [value[v]]), "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), } } @@ -50,7 +50,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), } } diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego index cc444700ec2..639ce3d41d1 100644 
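Review bot: All four rewritten message lines in this file (`keyExpectedValue`/`keyActualValue` in both the `@@ -21,20` and `@@ -50,7` hunks) drop `FROM={{%s}}` from the format string but keep `[name, resource.Original]` as the argument list, so a single `%s` receives two arguments; OPA's `sprintf` is built on Go's `fmt`, and as far as I can tell the unused argument shows up as a `%!(EXTRA …)` marker in the rendered finding. Change each to `[resource.Original]`, e.g. `sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original])`. Both hunks sit in the middle of `CxPolicy` rules whose head and remaining body lie outside the hunk.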
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", - "keyActualValue": sprintf("Command `FROM={{%s}}.RUN={{%s}}` doesn't have the `-y` or `--assumeyes` switch set", [name, trim_space(commands[k])]), + "keyActualValue": sprintf("Command `RUN={{%s}}` doesn't have the `-y` or `--assumeyes` switch set", [trim_space(commands[k])]), } } diff --git a/assets/queries/dockerfile/yum_clean_all_missing/query.rego b/assets/queries/dockerfile/yum_clean_all_missing/query.rego index 20b7f26b86c..556f93f16b5 100644 --- a/assets/queries/dockerfile/yum_clean_all_missing/query.rego +++ b/assets/queries/dockerfile/yum_clean_all_missing/query.rego @@ -19,8 +19,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should have 'yum clean all' after 'yum install' command", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} doesn't have 'yum clean all' after 'yum install' command", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should have 'yum clean all' after 'yum install' command", [resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't have 'yum clean all' after 'yum install' command", [resource.Original]), } } diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index 660c930ba95..a448d361b78 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego 
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -16,8 +16,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} avoids manual input", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), } } @@ -34,8 +34,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} avoids manual input", [name, resource.Original]), - "keyActualValue": sprintf("FROM={{%s}}.{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), } } From 9f51436dcc2a11a2cfcbf13baf4cfec1179f4776 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 26 Oct 2023 13:17:41 +0100 Subject: [PATCH 146/379] improve message --- .../not_using_json_in_cmd_and_entrypoint_arguments/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego index 9610584e0eb..4156c0840dd 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego 
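Review bot: Both hunks in `yum_install_allows_manual_input/query.rego` shorten the format string to a single `{{%s}}` but still pass `[name, resource.Original]`, leaving one argument without a verb; since OPA's `sprintf` is a thin wrapper over Go's `fmt.Sprintf`, I expect this to emit `%!(EXTRA string=…)` after the message instead of raising an error, so the defect would only be visible in the scan output. Each of the four lines should read like `sprintf("{{%s}} avoids manual input", [resource.Original])`. The `name` variable is still used on the unchanged `searchKey` line, so nothing else needs to change. Both `CxPolicy` rules start before their hunk.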
@@ -14,7 +14,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} is in the JSON Notation", [resource.Original]), - "keyActualValue": sprintf("{{%s}} isn't in the JSON Notation", [resource.Original]), + "keyActualValue": sprintf("{{%s}} should be in JSON Notation", [resource.Original]), } } From 8f4b29619be33b7f28821468c6e5b539640bed49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 27 Oct 2023 10:58:26 +0100 Subject: [PATCH 147/379] remove references to the experimental-queries.json --- assets/utils/experimental-queries.json | 4 ---- docker/Dockerfile.apispec | 1 - docker/Dockerfile.apispec.debian | 1 - docker/Dockerfile.debian | 1 - 4 files changed, 7 deletions(-) delete mode 100644 assets/utils/experimental-queries.json diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json deleted file mode 100644 index 06d45b989fc..00000000000 --- a/assets/utils/experimental-queries.json +++ /dev/null @@ -1,4 +0,0 @@ -[ - "terraform/databricks", - "terraform/nifcloud" -] \ No newline at end of file diff --git a/docker/Dockerfile.apispec b/docker/Dockerfile.apispec index ef936ff6e9a..7a7aa413505 100644 --- a/docker/Dockerfile.apispec +++ b/docker/Dockerfile.apispec @@ -56,7 +56,6 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common -COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/ WORKDIR /app/bin diff --git a/docker/Dockerfile.apispec.debian b/docker/Dockerfile.apispec.debian index c0ceb596087..c90f5d44cb6 100644 --- a/docker/Dockerfile.apispec.debian +++ b/docker/Dockerfile.apispec.debian 
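Review bot: The new `keyActualValue` text, `{{%s}} should be in JSON Notation`, describes the desired state rather than what was found, while `keyExpectedValue` on the line above still says `{{%s}} is in the JSON Notation`; KICS reports these as `expected_value`/`actual_value` (the result fixtures later in this series show the expected side as the `should …` sentence and the actual side as the `doesn't …` one), so the two fields now read reversed. Suggest `"keyExpectedValue": sprintf("{{%s}} should be in JSON Notation", [resource.Original])` and `"keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original])`. The sibling `entrypoint` rule in the same file is untouched by this hunk and keeps the earlier wording, so the two rules would also diverge. The enclosing rule starts outside the hunk.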
@@ -70,7 +70,6 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common -COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/ WORKDIR /app/bin diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index 7746fabc742..6c9137aa75f 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian @@ -69,7 +69,6 @@ RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ -COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/ WORKDIR /app/bin From a2335da5ff0d84d1f9d94d479220d7da2d8a5378 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:27:37 +0100 Subject: [PATCH 148/379] Update pkg/engine/source/filesystem.go Co-authored-by: Gabriel --- pkg/engine/source/filesystem.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index 780543bba3e..5ad463d944c 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -306,7 +306,7 @@ func (s *FilesystemSource) iterateQueryDirs(queryDirs []string, queryParameters continue } - if !queryParameters.ExperimentalQueries && query.Experimental { + if query.Experimental && !queryParameters.ExperimentalQueries { continue } From 5de337736710b90c94427a7671ab729dcbb01953 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 27 Oct 2023 16:48:11 +0100 Subject: [PATCH 149/379] add two e2e one where we scan and ignore the experimental and other scan where we don't ignore --- .../e2e-cli-069_igore_experimental_query.go | 25 +++++ ...2e-cli-070_not_igore_experimental_query.go | 26 ++++++ .../redis_disable_experimental/metadata.json | 12 +++ .../redis_disable_experimental/query.rego | 92 +++++++++++++++++++ .../queries/redis_disabled/metadata.json | 11 +++ .../queries/redis_disabled/query.rego | 92 +++++++++++++++++++ .../experimental_test/sample/sample.tf | 9 ++ 7 files changed, 267 insertions(+) create mode 100644 e2e/testcases/e2e-cli-069_igore_experimental_query.go create mode 100644 e2e/testcases/e2e-cli-070_not_igore_experimental_query.go create mode 100644 test/fixtures/experimental_test/queries/redis_disable_experimental/metadata.json create mode 100644 test/fixtures/experimental_test/queries/redis_disable_experimental/query.rego create mode 100644 test/fixtures/experimental_test/queries/redis_disabled/metadata.json create mode 100644 test/fixtures/experimental_test/queries/redis_disabled/query.rego create mode 100644 test/fixtures/experimental_test/sample/sample.tf diff --git a/e2e/testcases/e2e-cli-069_igore_experimental_query.go b/e2e/testcases/e2e-cli-069_igore_experimental_query.go new file mode 100644 index 00000000000..3b082c2e49d --- /dev/null +++ b/e2e/testcases/e2e-cli-069_igore_experimental_query.go 
@@ -0,0 +1,25 @@ +package testcases + +// E2E-CLI-069 - KICS scan and ignore experimental queries +// should perform the scan successfully and return exit code 40 +func init() { //nolint + testSample := TestCase{ + Name: "should perform a valid scan and ignore the experimental queries [E2E-CLI-069]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_069_RESULT", + "-p", "/path/test/fixtures/experimental_test/sample", "-q", "/path/test/fixtures/experimental_test/queries", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_069_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{40}, + } + + Tests = append(Tests, testSample) +} diff --git a/e2e/testcases/e2e-cli-070_not_igore_experimental_query.go b/e2e/testcases/e2e-cli-070_not_igore_experimental_query.go new file mode 100644 index 00000000000..cc5c82ee3dd --- /dev/null +++ b/e2e/testcases/e2e-cli-070_not_igore_experimental_query.go @@ -0,0 +1,26 @@ +package testcases + +// E2E-CLI-070 - KICS scan and not ignore experimental queries +// should perform the scan successfully and return exit code 40 and 50 +func init() { //nolint + testSample := TestCase{ + Name: "should perform a valid scan and not ignore the experimental queries [E2E-CLI-070]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_070_RESULT", + "-p", "/path/test/fixtures/experimental_test/sample", "-q", "/path/test/fixtures/experimental_test/queries", + "--experimental-queries", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_070_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{50}, + } + + Tests = append(Tests, testSample) +} 
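Review bot: The header comment on E2E-CLI-070 says the scan should `return exit code 40 and 50`, but `WantStatus: []int{50}` accepts only 50, so the comment and the assertion disagree; if 50 is the intent (the E2E_CLI_070 fixture added in the following patch records a HIGH finding for this run), the comment should read `// should perform the scan successfully and return exit code 50`. Both new file names also spell `igore` for `ignore` (`e2e-cli-069_igore_experimental_query.go`, `e2e-cli-070_not_igore_experimental_query.go`); renaming now is cheaper than after other tests start referring to them. Both test files are complete within their hunks.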
diff --git a/test/fixtures/experimental_test/queries/redis_disable_experimental/metadata.json b/test/fixtures/experimental_test/queries/redis_disable_experimental/metadata.json new file mode 100644 index 00000000000..1da83e327e5 --- /dev/null +++ b/test/fixtures/experimental_test/queries/redis_disable_experimental/metadata.json @@ -0,0 +1,12 @@ +{ + "id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d4", + "queryName": "Redis Disabled Experimental", + "severity": "HIGH", + "category": "Encryption", + "descriptionText": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine", + "platform": "Terraform", + "descriptionID": "68984bf2", + "cloudProvider": "aws", + "experimental": "true" +} diff --git a/test/fixtures/experimental_test/queries/redis_disable_experimental/query.rego b/test/fixtures/experimental_test/queries/redis_disable_experimental/query.rego new file mode 100644 index 00000000000..3d56f8598e3 --- /dev/null +++ b/test/fixtures/experimental_test/queries/redis_disable_experimental/query.rego 
@@ -0,0 +1,92 @@ +package Cx + +CxPolicy[result] { + resource := input.document[i].resource.aws_elasticache_cluster[name] + resource.engine != "redis" + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_elasticache_cluster", + "resourceName": get_specific_resource_name(resource, "aws_elasticache_cluster", name), + "searchKey": sprintf("resource.aws_elasticache_cluster[%s].engine", [name]), + "searchLine": build_search_line(["resource", "aws_elasticache_cluster", name, "engine"], []), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("resource.aws_elasticache_cluster[%s].engine should have Redis enabled", [name]), + "keyActualValue": sprintf("resource.aws_elasticache_cluster[%s].engine doesn't enable Redis", [name]), + "remediation": json.marshal({ + "before": "memcached", + "after": "redis" + }), + "remediationType": "replacement", + } +} + +get_specific_resource_name(resource, resourceType, resourceDefinitionName) = name { + field := resourceFieldName[resourceType] + name := resource[field] +} else = name { + name := get_resource_name(resource, resourceDefinitionName) +} + +get_resource_name(resource, resourceDefinitionName) = name { + name := resource["name"] +} else = name { + name := resource["display_name"] +} else = name { + name := resource.metadata.name +} else = name { + prefix := resource.name_prefix + name := sprintf("%s", [prefix]) +} else = name { + name := get_tag_name_if_exists(resource) +} else = name { + name := resourceDefinitionName +} + +build_search_line(path, obj) = resolvedPath { + resolveArray := [x | pathItem := path[n]; x := convert_path_item(pathItem)] + resolvedObj := [x | objItem := obj[n]; x := convert_path_item(objItem)] + resolvedPath = array.concat(resolveArray, resolvedObj) +} + +convert_path_item(pathItem) = convertedPath { + is_number(pathItem) + convertedPath := sprintf("%d", [pathItem]) +} else = convertedPath { + convertedPath := sprintf("%s", [pathItem]) +} + 
+get_tag_name_if_exists(resource) = name { + name := resource.tags.Name +} else = name { + tag := resource.Properties.Tags[_] + tag.Key == "Name" + name := tag.Value +} else = name { + tag := resource.Properties.FileSystemTags[_] + tag.Key == "Name" + name := tag.Value +} else = name { + tag := resource.Properties.Tags[key] + key == "Name" + name := tag +} else = name { + tag := resource.spec.forProvider.tags[_] + tag.key == "Name" + name := tag.value +} else = name { + tag := resource.properties.tags[key] + key == "Name" + name := tag +} + +resourceFieldName = { + "google_bigquery_dataset": "friendly_name", + "alicloud_actiontrail_trail": "trail_name", + "alicloud_ros_stack": "stack_name", + "alicloud_oss_bucket": "bucket", + "aws_s3_bucket": "bucket", + "aws_msk_cluster": "cluster_name", + "aws_mq_broker": "broker_name", + "aws_elasticache_cluster": "cluster_id", +} diff --git a/test/fixtures/experimental_test/queries/redis_disabled/metadata.json b/test/fixtures/experimental_test/queries/redis_disabled/metadata.json new file mode 100644 index 00000000000..950faf01e92 --- /dev/null +++ b/test/fixtures/experimental_test/queries/redis_disabled/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3", + "queryName": "Redis Disabled", + "severity": "MEDIUM", + "category": "Encryption", + "descriptionText": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine", + "platform": "Terraform", + "descriptionID": "68984bf2", + "cloudProvider": "aws" +} diff --git a/test/fixtures/experimental_test/queries/redis_disabled/query.rego b/test/fixtures/experimental_test/queries/redis_disabled/query.rego new file mode 100644 index 00000000000..3d56f8598e3 
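Review bot: `resource.engine != "redis"` is undefined, so the rule stays silent, whenever the block has no `engine` attribute at all; if I recall the provider docs correctly, `engine` is optional for `aws_elasticache_cluster` when `replication_group_id` is set, so a cluster that omits it is never reported by this fixture query. If that is deliberate (the engine is inherited from the replication group), a one-line comment above the comparison saying so would stop the next reader from "fixing" it; if not, `object.get(resource, "engine", "") != "redis"` would cover the missing-attribute case. The same 92 lines are added again unchanged as `redis_disabled/query.rego`, and the helper rules (`get_specific_resource_name`, `build_search_line`, `get_tag_name_if_exists`, `resourceFieldName`) look like copies of shared-library helpers, so a header comment stating that the copy is intentional because the fixture is loaded with `-q` and no library path would help as well.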
--- /dev/null +++ b/test/fixtures/experimental_test/queries/redis_disabled/query.rego 
@@ -0,0 +1,92 @@ +package Cx + +CxPolicy[result] { + resource := input.document[i].resource.aws_elasticache_cluster[name] + resource.engine != "redis" + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_elasticache_cluster", + "resourceName": get_specific_resource_name(resource, "aws_elasticache_cluster", name), + "searchKey": sprintf("resource.aws_elasticache_cluster[%s].engine", [name]), + "searchLine": build_search_line(["resource", "aws_elasticache_cluster", name, "engine"], []), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("resource.aws_elasticache_cluster[%s].engine should have Redis enabled", [name]), + "keyActualValue": sprintf("resource.aws_elasticache_cluster[%s].engine doesn't enable Redis", [name]), + "remediation": json.marshal({ + "before": "memcached", + "after": "redis" + }), + "remediationType": "replacement", + } +} + +get_specific_resource_name(resource, resourceType, resourceDefinitionName) = name { + field := resourceFieldName[resourceType] + name := resource[field] +} else = name { + name := get_resource_name(resource, resourceDefinitionName) +} + +get_resource_name(resource, resourceDefinitionName) = name { + name := resource["name"] +} else = name { + name := resource["display_name"] +} else = name { + name := resource.metadata.name +} else = name { + prefix := resource.name_prefix + name := sprintf("%s", [prefix]) +} else = name { + name := get_tag_name_if_exists(resource) +} else = name { + name := resourceDefinitionName +} + +build_search_line(path, obj) = resolvedPath { + resolveArray := [x | pathItem := path[n]; x := convert_path_item(pathItem)] + resolvedObj := [x | objItem := obj[n]; x := convert_path_item(objItem)] + resolvedPath = array.concat(resolveArray, resolvedObj) +} + +convert_path_item(pathItem) = convertedPath { + is_number(pathItem) + convertedPath := sprintf("%d", [pathItem]) +} else = convertedPath { + convertedPath := sprintf("%s", [pathItem]) +} + 
+get_tag_name_if_exists(resource) = name { + name := resource.tags.Name +} else = name { + tag := resource.Properties.Tags[_] + tag.Key == "Name" + name := tag.Value +} else = name { + tag := resource.Properties.FileSystemTags[_] + tag.Key == "Name" + name := tag.Value +} else = name { + tag := resource.Properties.Tags[key] + key == "Name" + name := tag +} else = name { + tag := resource.spec.forProvider.tags[_] + tag.key == "Name" + name := tag.value +} else = name { + tag := resource.properties.tags[key] + key == "Name" + name := tag +} + +resourceFieldName = { + "google_bigquery_dataset": "friendly_name", + "alicloud_actiontrail_trail": "trail_name", + "alicloud_ros_stack": "stack_name", + "alicloud_oss_bucket": "bucket", + "aws_s3_bucket": "bucket", + "aws_msk_cluster": "cluster_name", + "aws_mq_broker": "broker_name", + "aws_elasticache_cluster": "cluster_id", +} diff --git a/test/fixtures/experimental_test/sample/sample.tf b/test/fixtures/experimental_test/sample/sample.tf new file mode 100644 index 00000000000..6f202546eb2 --- /dev/null +++ b/test/fixtures/experimental_test/sample/sample.tf @@ -0,0 +1,9 @@ +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} From a4988180e014fc694ed3b6d99c682b5466d22c5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 27 Oct 2023 16:54:19 +0100 Subject: [PATCH 150/379] add the results files to fixture e2e --- e2e/fixtures/E2E_CLI_069_RESULT.json | 58 +++++++++++++++++++ e2e/fixtures/E2E_CLI_070_RESULT.json | 86 ++++++++++++++++++++++++++++ 2 files changed, 144 insertions(+) create mode 100644 e2e/fixtures/E2E_CLI_069_RESULT.json create mode 100644 e2e/fixtures/E2E_CLI_070_RESULT.json 
diff --git a/e2e/fixtures/E2E_CLI_069_RESULT.json b/e2e/fixtures/E2E_CLI_069_RESULT.json new file mode 100644 index 00000000000..c7e2e89f505 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_069_RESULT.json 
@@ -0,0 +1,58 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 10, + "files_parsed": 1, + "lines_parsed": 9, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 1, + "TRACE": 0 + }, + "total_counter": 1, + "total_bom_resources": 0, + "start": "2023-10-27T16:37:16.0886334+01:00", + "end": "2023-10-27T16:37:16.4789259+01:00", + "paths": [ + "/test/fixtures/experimental_test/sample", + "/test/fixtures/experimental_test/queries" + ], + "queries": [ + { + "query_name": "Redis Disabled", + "query_id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine", + "severity": "MEDIUM", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Encryption", + "description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. 
For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", + "description_id": "68984bf2", + "files": [ + { + "file_name": "test\\fixtures\\experimental_test\\sample\\sample.tf", + "similarity_id": "32a6747d15f909ebe86d171c563878dd7e06dfb2f9ec1b569ef46e810860f27a", + "line": 4, + "resource_type": "aws_elasticache_cluster", + "resource_name": "cluster-example", + "issue_type": "IncorrectValue", + "search_key": "resource.aws_elasticache_cluster[positive1].engine", + "search_line": 4, + "search_value": "", + "expected_value": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", + "actual_value": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis", + "remediation": "{\"after\":\"redis\",\"before\":\"memcached\"}", + "remediation_type": "replacement" + } + ] + } + ] +} diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json new file mode 100644 index 00000000000..2499b124296 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_070_RESULT.json 
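Review bot: `file_name` in this expected-results fixture is a Windows path (`test\\fixtures\\experimental_test\\sample\\sample.tf`), and if `similarity_id` is computed from the file path, as I believe it is, a run on the Linux CI image will produce `test/fixtures/...` and a different hash; unless the e2e comparison normalizes separators and masks `similarity_id` (I cannot see the validator from here), the test would fail everywhere except on the machine that produced the fixture. Regenerating the file on Linux, or with forward slashes, would be the simple fix. The `start`/`end` timestamps in the same file obviously vary per run, so presumably the comparison already ignores them; confirm that it treats the path the same way. The E2E_CLI_070 fixture that follows has the same backslash paths.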
@@ -0,0 +1,86 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 10, + "files_parsed": 1, + "lines_parsed": 9, + "lines_ignored": 1, + "files_failed_to_scan": 0, + "queries_total": 2, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 1, + "INFO": 0, + "LOW": 0, + "MEDIUM": 1, + "TRACE": 0 + }, + "total_counter": 2, + "total_bom_resources": 0, + "start": "2023-10-27T16:46:52.5513995+01:00", + "end": "2023-10-27T16:46:52.8805179+01:00", + "paths": [ + "/test/fixtures/experimental_test/sample", + "/test/fixtures/experimental_test/queries" + ], + "queries": [ + { + "query_name": "Redis Disabled Experimental", + "query_id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d4", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Encryption", + "description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. 
For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", + "description_id": "68984bf2", + "files": [ + { + "file_name": "test\\fixtures\\experimental_test\\sample\\sample.tf", + "similarity_id": "4e651f5c005de96ab66f25419b1f160d9e0eecae83181edfcd1b72b3afbe9f69", + "line": 4, + "resource_type": "aws_elasticache_cluster", + "resource_name": "cluster-example", + "issue_type": "IncorrectValue", + "search_key": "resource.aws_elasticache_cluster[positive1].engine", + "search_line": 4, + "search_value": "", + "expected_value": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", + "actual_value": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis", + "remediation": "{\"after\":\"redis\",\"before\":\"memcached\"}", + "remediation_type": "replacement" + } + ] + }, + { + "query_name": "Redis Disabled", + "query_id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine", + "severity": "MEDIUM", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Encryption", + "description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. 
For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", + "description_id": "68984bf2", + "files": [ + { + "file_name": "test\\fixtures\\experimental_test\\sample\\sample.tf", + "similarity_id": "32a6747d15f909ebe86d171c563878dd7e06dfb2f9ec1b569ef46e810860f27a", + "line": 4, + "resource_type": "aws_elasticache_cluster", + "resource_name": "cluster-example", + "issue_type": "IncorrectValue", + "search_key": "resource.aws_elasticache_cluster[positive1].engine", + "search_line": 4, + "search_value": "", + "expected_value": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", + "actual_value": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis", + "remediation": "{\"after\":\"redis\",\"before\":\"memcached\"}", + "remediation_type": "replacement" + } + ] + } + ] +} From dee21e97333a8d62b2ebd1f8ceb670b8201693db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:56:57 +0100 Subject: [PATCH 151/379] Update assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego Co-authored-by: Gabriel --- .../apt_get_missing_yes_flag_to_avoid_manual_input/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego index 55453f2ca0e..1a901d6867d 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego 
@@ -37,7 +37,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), } } From c98a0cefc62221f29189951942f9ffdc807019ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:57:08 +0100 Subject: [PATCH 152/379] Update assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego Co-authored-by: Gabriel --- .../apt_get_missing_yes_flag_to_avoid_manual_input/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego index 1a901d6867d..e9c368ad68b 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), - "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } From 3453911fbc825905ba43cfc4138fa90dc9bbb6b3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:57:26 +0100 Subject: [PATCH 153/379] Update assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego Co-authored-by: Gabriel --- .../changing_default_shell_using_run_command/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index 02555acdaf1..04d0c0db2b6 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -33,7 +33,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), } } From 4f9287a7c774cf63ce1ac70e46443b34bc0fd8a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:57:45 +0100 Subject: [PATCH 154/379] Update assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego Co-authored-by: Gabriel --- .../changing_default_shell_using_run_command/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index 04d0c0db2b6..64765fd8379 100644 
--- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -34,7 +34,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), - "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), } } From cdb82f7b94dac4d6c0d1208d61e6d0b5617b980c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:57:51 +0100 Subject: [PATCH 155/379] Update assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego Co-authored-by: Gabriel --- .../changing_default_shell_using_run_command/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index 64765fd8379..c729f8cea16 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -51,6 +51,6 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), - "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), } } 
From 53aa50c8c2bc00d8c16bb3154049ff4c2999473b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:57:57 +0100 Subject: [PATCH 156/379] Update assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego Co-authored-by: Gabriel --- .../changing_default_shell_using_run_command/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index c729f8cea16..9e602aec2cd 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -50,7 +50,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), } } From ffba8622794e9578cde57774937ffaea9f8ab0e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:58:04 +0100 Subject: [PATCH 157/379] Update assets/queries/dockerfile/yum_install_allows_manual_input/query.rego Co-authored-by: Gabriel --- .../dockerfile/yum_install_allows_manual_input/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index a448d361b78..303a5e65aa8 100644 
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), } } From 682eaecffe59abbfccf91b1b8d5debf8c6ba17d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:58:10 +0100 Subject: [PATCH 158/379] Update assets/queries/dockerfile/yum_install_allows_manual_input/query.rego Co-authored-by: Gabriel --- .../dockerfile/yum_install_allows_manual_input/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index 303a5e65aa8..f218d962531 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -34,7 +34,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [name, resource.Original]), + "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), } } From a50b1bd16420a7d81eeda05530953dbe32200eaf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:58:18 +0100 Subject: [PATCH 159/379] Update assets/queries/dockerfile/yum_install_allows_manual_input/query.rego Co-authored-by: Gabriel --- .../dockerfile/yum_install_allows_manual_input/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index f218d962531..b265ef75b39 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), - "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } From 23c5a8bc6fef7cd756b1de7da8732d01336bbc2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Fri, 27 Oct 2023 16:58:24 +0100 Subject: [PATCH 160/379] Update assets/queries/dockerfile/yum_install_allows_manual_input/query.rego Co-authored-by: Gabriel --- .../dockerfile/yum_install_allows_manual_input/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index b265ef75b39..1dd2c8b0546 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego 
@@ -35,7 +35,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), - "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [name, resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } From 0cc6f8164e51816903252a9a4f4811fe8edd19e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 27 Oct 2023 17:14:50 +0100 Subject: [PATCH 161/379] rename tests --- ...rimental_query.go => e2e-cli-069_ignore_experimental_query.go} | 0 ...ntal_query.go => e2e-cli-070_not_ignore_experimental_query.go} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename e2e/testcases/{e2e-cli-069_igore_experimental_query.go => e2e-cli-069_ignore_experimental_query.go} (100%) rename e2e/testcases/{e2e-cli-070_not_igore_experimental_query.go => e2e-cli-070_not_ignore_experimental_query.go} (100%) diff --git a/e2e/testcases/e2e-cli-069_igore_experimental_query.go b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go similarity index 100% rename from e2e/testcases/e2e-cli-069_igore_experimental_query.go rename to e2e/testcases/e2e-cli-069_ignore_experimental_query.go diff --git a/e2e/testcases/e2e-cli-070_not_igore_experimental_query.go b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go similarity index 100% rename from e2e/testcases/e2e-cli-070_not_igore_experimental_query.go rename to e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go From 79cfb742f6082ab61ca9c24c3b860e12f4edd7dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 30 Oct 2023 09:22:50 +0000 Subject: [PATCH 162/379] fix tests --- e2e/testcases/e2e-cli-069_ignore_experimental_query.go | 2 +- e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/e2e/testcases/e2e-cli-069_ignore_experimental_query.go b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go index 3b082c2e49d..b930126d359 100644 --- a/e2e/testcases/e2e-cli-069_ignore_experimental_query.go +++ b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go @@ -8,7 +8,7 @@ func init() { //nolint Args: args{ Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_069_RESULT", - "-p", "/path/test/fixtures/experimental_test/sample", "-q", "/path/test/fixtures/experimental_test/queries", + "-p", "\"/path/test/fixtures/experimental_test/sample\"", "-q", "\"/path/test/fixtures/experimental_test/queries\"", }, }, ExpectedResult: []ResultsValidation{ diff --git a/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go index cc5c82ee3dd..1dd2bc64d4a 100644 --- a/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go +++ b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go @@ -8,7 +8,7 @@ func init() { //nolint Args: args{ Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_070_RESULT", - "-p", "/path/test/fixtures/experimental_test/sample", "-q", "/path/test/fixtures/experimental_test/queries", + "-p", "\"/path/test/fixtures/experimental_test/sample\"", "-q", "\"/path/test/fixtures/experimental_test/queries\"", "--experimental-queries", }, }, From 754eb294c58572fffaca6c2132b08a915d3e4389 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 30 Oct 2023 09:54:47 +0000 Subject: [PATCH 163/379] fix path on e2e --- e2e/fixtures/E2E_CLI_069_RESULT.json | 4 ++-- e2e/fixtures/E2E_CLI_070_RESULT.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_069_RESULT.json b/e2e/fixtures/E2E_CLI_069_RESULT.json index c7e2e89f505..9b9f28e9948 100644 --- a/e2e/fixtures/E2E_CLI_069_RESULT.json +++ b/e2e/fixtures/E2E_CLI_069_RESULT.json 
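Review bot: The double quotes embedded in the new `-p` and `-q` values are part of the Go string, so they only disappear if the e2e harness joins the argument slice into a shell command line; if the harness hands the slice to exec.Command verbatim, kics receives the quote characters as part of the path and scans a non-existent directory. The other arguments in the same slice (`-o`, `--output-name`) stay unquoted, so the intent is not obvious from the hunk; either drop the quotes and keep `"-p", "/path/test/fixtures/experimental_test/sample"`, or add a comment above the slice such as `// paths are quoted because the harness expands args through a shell`. The same applies to the e2e-cli-070 hunk on this line. The enclosing `init()` literal continues outside the hunk.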
@@ -22,8 +22,8 @@ "start": "2023-10-27T16:37:16.0886334+01:00", "end": "2023-10-27T16:37:16.4789259+01:00", "paths": [ - "/test/fixtures/experimental_test/sample", - "/test/fixtures/experimental_test/queries" + "/path/test/fixtures/experimental_test/sample", + "/path/test/fixtures/experimental_test/queries" ], "queries": [ { diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json index 2499b124296..072da73637b 100644 --- a/e2e/fixtures/E2E_CLI_070_RESULT.json +++ b/e2e/fixtures/E2E_CLI_070_RESULT.json @@ -22,8 +22,8 @@ "start": "2023-10-27T16:46:52.5513995+01:00", "end": "2023-10-27T16:46:52.8805179+01:00", "paths": [ - "/test/fixtures/experimental_test/sample", - "/test/fixtures/experimental_test/queries" + "/path/test/fixtures/experimental_test/sample", + "/path/test/fixtures/experimental_test/queries" ], "queries": [ { From 843a53d17f6d591185213f029ebef9be8613126c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 30 Oct 2023 10:04:35 +0000 Subject: [PATCH 164/379] wip --- e2e/fixtures/E2E_CLI_069_RESULT.json | 2 +- e2e/fixtures/E2E_CLI_070_RESULT.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_069_RESULT.json b/e2e/fixtures/E2E_CLI_069_RESULT.json index 9b9f28e9948..2253d7b85a1 100644 --- a/e2e/fixtures/E2E_CLI_069_RESULT.json +++ b/e2e/fixtures/E2E_CLI_069_RESULT.json @@ -38,7 +38,7 @@ "description_id": "68984bf2", "files": [ { - "file_name": "test\\fixtures\\experimental_test\\sample\\sample.tf", + "file_name": "path\\test\\fixtures\\experimental_test\\sample\\sample.tf", "similarity_id": "32a6747d15f909ebe86d171c563878dd7e06dfb2f9ec1b569ef46e810860f27a", "line": 4, "resource_type": "aws_elasticache_cluster", diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json index 072da73637b..7b4f1b32ba5 100644 --- a/e2e/fixtures/E2E_CLI_070_RESULT.json +++ b/e2e/fixtures/E2E_CLI_070_RESULT.json 
@@ -38,7 +38,7 @@ "description_id": "68984bf2", "files": [ { - "file_name": "test\\fixtures\\experimental_test\\sample\\sample.tf", + "file_name": "path\\test\\fixtures\\experimental_test\\sample\\sample.tf", "similarity_id": "4e651f5c005de96ab66f25419b1f160d9e0eecae83181edfcd1b72b3afbe9f69", "line": 4, "resource_type": "aws_elasticache_cluster", @@ -66,7 +66,7 @@ "description_id": "68984bf2", "files": [ { - "file_name": "test\\fixtures\\experimental_test\\sample\\sample.tf", + "file_name": "path\\test\\fixtures\\experimental_test\\sample\\sample.tf", "similarity_id": "32a6747d15f909ebe86d171c563878dd7e06dfb2f9ec1b569ef46e810860f27a", "line": 4, "resource_type": "aws_elasticache_cluster", From f77ba415ea60d2895eeb9905faec624aac621d72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 30 Oct 2023 16:50:04 +0000 Subject: [PATCH 165/379] fix messages --- .../query.rego | 4 ++-- .../query.rego | 8 ++++---- .../dockerfile/yum_install_allows_manual_input/query.rego | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego index e9c368ad68b..59e376a0799 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} sould avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } 
@@ -37,7 +37,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego index 4156c0840dd..2ab522b1177 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego @@ -13,8 +13,8 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} is in the JSON Notation", [resource.Original]), - "keyActualValue": sprintf("{{%s}} should be in JSON Notation", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]), + "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]), } } @@ -29,7 +29,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} is in the JSON Notation", [resource.Original]), - "keyActualValue": sprintf("{{%s}} isn't in the JSON Notation", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]), + "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]), } } 
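Review bot: In the not_using_json_in_cmd_and_entrypoint_arguments hunks the expected and actual messages now disagree on wording: keyExpectedValue says `should be in the JSON Notation` while keyActualValue says `isn't in JSON Notation`, and the same pair is repeated in both rules. Since these strings are what users see side by side in a finding, make them parallel, e.g. `"keyActualValue": sprintf("{{%s}} isn't in the JSON Notation", [resource.Original]),` in both rules (the second rule previously had exactly this form before the change). Both rule bodies begin above their hunks.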
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index 1dd2c8b0546..8ba58d017d3 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should avoids manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } @@ -34,7 +34,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} avoids manual input", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should avoids manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } From 9d1091cd427e915aa8c130f964aa2ce69d3bb07d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 30 Oct 2023 16:50:27 +0000 Subject: [PATCH 166/379] wip --- .../dockerfile/yum_install_allows_manual_input/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index 8ba58d017d3..1c7fb4f21b6 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego 
@@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} should avoids manual input", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } @@ -34,7 +34,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} should avoids manual input", [resource.Original]), + "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), } } From 9d12e0c4d68d4d99de1e80916d62eb3c4a6852f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= <75611928+JoaoCxMartins@users.noreply.github.com> Date: Tue, 31 Oct 2023 09:30:19 +0000 Subject: [PATCH 167/379] Update pkg/analyzer/analyzer.go Co-authored-by: Gabriel --- pkg/analyzer/analyzer.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 8c89bef1f61..82a1fc95b81 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -547,7 +547,7 @@ func checkYamlPlatform(content []byte, path string) string { } } - // check if the file contains some keywords related with Ansiable + // check if the file contains some keywords related with Ansible if checkForAnsible(yamlContent) { return ansible } From c437020c935c6c2234b8909acd19a38adfed5e2d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 31 Oct 2023 09:52:39 +0000 Subject: [PATCH 168/379] Update opa to version 0.58.0 updating the opa for security issue related with a indirect lib: go-restful V2.9.5 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 706b3506a4f..ecd8f849269 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/mackerelio/go-osstat v0.2.4 github.com/mailru/easyjson v0.7.7 github.com/moby/buildkit v0.10.4 - github.com/open-policy-agent/opa v0.51.0 + github.com/open-policy-agent/opa v0.58.0 github.com/pkg/errors v0.9.1 github.com/relex/aini v1.6.0 github.com/rs/zerolog v1.29.0 From 532f50720adffa16286960197645724311b1cc23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 31 Oct 2023 11:01:02 +0000 Subject: [PATCH 169/379] update files --- go.mod | 65 ++++++++++++--------- go.sum | 179 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 125 insertions(+), 119 deletions(-) diff --git a/go.mod b/go.mod index ecd8f849269..787ea5613af 100644 --- a/go.mod +++ b/go.mod @@ -40,8 +40,8 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 github.com/yargevad/filepathx v1.0.0 github.com/zclconf/go-cty v1.13.1 - golang.org/x/net v0.8.0 - golang.org/x/text v0.8.0 + golang.org/x/net v0.17.0 + golang.org/x/text v0.13.0 golang.org/x/tools v0.7.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.11.2 
@@ -50,19 +50,29 @@ require ( require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect + github.com/go-ini/ini v1.67.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/google/s2a-go v0.1.4 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/samber/lo v1.38.1 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect + go.opentelemetry.io/otel v1.19.0 // indirect + go.opentelemetry.io/otel/metric v1.19.0 // indirect + go.opentelemetry.io/otel/sdk v1.19.0 // indirect + go.opentelemetry.io/otel/trace v1.19.0 // indirect golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect ) require ( - cloud.google.com/go v0.107.0 // indirect - cloud.google.com/go/compute v1.15.1 // indirect - cloud.google.com/go/iam v0.8.0 // indirect - cloud.google.com/go/storage v1.27.0 // indirect + cloud.google.com/go v0.110.7 // indirect + cloud.google.com/go/compute v1.23.0 // indirect + cloud.google.com/go/iam v1.1.1 // indirect + cloud.google.com/go/storage v1.30.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect 
@@ -80,7 +90,7 @@ require ( github.com/boombuler/barcode v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect - github.com/containerd/containerd v1.6.19 // indirect + github.com/containerd/containerd v1.7.7 // indirect github.com/containerd/typeurl v1.0.2 // indirect github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect @@ -95,8 +105,7 @@ require ( github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/color v1.14.1 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-errors/errors v1.4.2 // indirect github.com/go-gorp/gorp/v3 v3.0.5 // indirect github.com/go-logr/logr v1.2.4 // indirect @@ -109,10 +118,10 @@ require ( github.com/golang/protobuf v1.5.3 // indirect github.com/google/btree v1.0.1 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/googleapis/gax-go/v2 v2.7.0 // indirect + github.com/googleapis/gax-go/v2 v2.11.0 // indirect github.com/gorilla/mux v1.8.0 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect 
@@ -153,14 +162,14 @@ require ( github.com/morikuni/aec v1.0.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc2 // indirect + github.com/opencontainers/image-spec v1.1.0-rc5 // indirect github.com/pelletier/go-toml/v2 v2.0.6 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/prometheus/client_golang v1.14.0 // indirect + github.com/prometheus/client_golang v1.16.0 // indirect github.com/prometheus/client_model v0.3.0 // indirect - github.com/prometheus/common v0.37.0 // indirect - github.com/prometheus/procfs v0.8.0 // indirect + github.com/prometheus/common v0.42.0 // indirect + github.com/prometheus/procfs v0.10.1 // indirect github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect github.com/rivo/uniseg v0.2.0 // indirect github.com/rubenv/sql-migrate v1.3.1 // indirect @@ -168,7 +177,7 @@ require ( github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 github.com/sergi/go-diff v1.2.0 // indirect github.com/shopspring/decimal v1.3.1 // indirect - github.com/sirupsen/logrus v1.9.0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/afero v1.9.3 // indirect github.com/spf13/cast v1.5.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect 
@@ -181,21 +190,21 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xlab/treeprint v1.1.0 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect - github.com/yashtewari/glob-intersection v0.1.0 // indirect + github.com/yashtewari/glob-intersection v0.2.0 // indirect go.opencensus.io v0.24.0 // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/crypto v0.7.0 // indirect - golang.org/x/oauth2 v0.4.0 // indirect - golang.org/x/sync v0.1.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/term v0.6.0 // indirect + golang.org/x/crypto v0.14.0 // indirect + golang.org/x/oauth2 v0.11.0 // indirect + golang.org/x/sync v0.4.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/term v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect - google.golang.org/api v0.107.0 // indirect + google.golang.org/api v0.126.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect - google.golang.org/grpc v1.54.0 // indirect - google.golang.org/protobuf v1.29.1 // indirect + google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect + google.golang.org/grpc v1.59.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect @@ -216,7 +225,7 @@ require ( sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) replace ( diff --git a/go.sum b/go.sum index b8f5b329baf..d3ae84b3328 100644 --- a/go.sum +++ b/go.sum 
@@ -30,8 +30,8 @@ cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w9
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
 cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
 cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
-cloud.google.com/go v0.107.0 h1:qkj22L7bgkl6vIeZDlOY2po43Mx/TIa2Wsa7VR+PEww=
-cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
+cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o=
+cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
 cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
 cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
 cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
@@ -68,8 +68,8 @@ cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz
 cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
 cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
 cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
-cloud.google.com/go/compute v1.15.1 h1:7UGq3QknM33pw5xATlpzeoomNxsacIVvTqTTvbfajmE=
-cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA=
+cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
+cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
@@ -110,13 +110,12 @@ cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y97
 cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
 cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
-cloud.google.com/go/iam v0.8.0 h1:E2osAkZzxI/+8pZcxVLcDtAQx/u+hZXVryUaYQ5O0Kk=
-cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE=
+cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y=
+cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
 cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
 cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
 cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
 cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08=
-cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs=
 cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4=
 cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w=
 cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE=
@@ -172,8 +171,9 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
-cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ=
 cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
+cloud.google.com/go/storage v1.30.1 h1:uOdMxAs8HExqBlnLtnQyP0YkvbiDpdGShGKtx6U/oNM=
+cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E=
 cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
 cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
 cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
@@ -207,8 +207,9 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc=
 github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
-github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
-github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/hcsshim v0.11.1 h1:hJ3s7GbWlGK4YVV92sO88BQSyF4ZLVy7/awqOlPxFbA=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -221,10 +222,7 @@ github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki
 github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0 h1:BVts5dexXf4i+JX8tXlKT0aKoi38JwTXSe+3WUneX0k=
 github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0/go.mod h1:FDIQmoMNJJl5/k7upZEnGvgWVZfFeE6qHeN7iCMbCsA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -265,11 +263,11 @@ github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZ
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
+github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
@@ -374,13 +372,12 @@ github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUork
 github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/getsentry/sentry-go v0.20.0 h1:bwXW98iMRIWxn+4FgPW7vMrjmbym6HblXALmhjHmQaQ=
 github.com/getsentry/sentry-go v0.20.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 h1:Arcl6UOIS/kgO2nW3A65HN+7CMjSDP/gofXL4CZt1V4=
-github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -388,17 +385,18 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gorp/gorp/v3 v3.0.5 h1:PUjzYdYu3HBOh8LE+UUmRG2P0IRDak9XMeGNvaeq4Ow=
 github.com/go-gorp/gorp/v3 v3.0.5/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
+github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
+github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
@@ -431,7 +429,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
+github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -491,8 +489,9 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -500,8 +499,8 @@ github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPg
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ=
 github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
+github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -518,6 +517,8 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
+github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -528,8 +529,8 @@ github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1 h1:RY7tHKZcRlk788d5WSo/e83gOyyy742E8GSs771ySpg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
@@ -539,8 +540,8 @@ github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99
 github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
 github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
 github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
-github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
-github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
+github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cUUI8Ki4=
+github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
 github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
@@ -557,7 +558,9 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:Fecb
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -620,10 +623,8 @@ github.com/johnfercher/maroto v0.40.0/go.mod h1:qeujdhKT+677jMjGWlIa5OCgR04GgIHv
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
@@ -631,7 +632,6 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/jung-kurt/gofpdf v1.16.2 h1:jgbatWHfRlPYiK85qgevsZTHviWXKwB1TTiKdz5PtRc=
 github.com/jung-kurt/gofpdf v1.16.2/go.mod h1:1hl7y57EsiPAkLbOwzpzqgx1A30nQCk/YmFV8S2vmK0=
@@ -644,7 +644,6 @@ github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrD
 github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
 github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kortschak/utter v1.0.1/go.mod h1:vSmSjbyrlKjjsL71193LmzBOKgwePk9DH6uFaWHIInc=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -760,7 +759,6 @@ github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7P
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nelsam/hel/v2 v2.3.2/go.mod h1:1ZTGfU2PFTOd5mx22i5O0Lc2GY933lQ2wb/ggy+rL3w=
 github.com/nelsam/hel/v2 v2.3.3/go.mod h1:1ZTGfU2PFTOd5mx22i5O0Lc2GY933lQ2wb/ggy+rL3w=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
@@ -778,8 +776,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
-github.com/open-policy-agent/opa v0.51.0 h1:2hS5xhos8HtkN+mgpqMhNJSFtn/1n/h3wh+AeTPJg6Q=
-github.com/open-policy-agent/opa v0.51.0/go.mod h1:OjmwLfXdeR7skSxrt8Yd3ScXTqPxyJn7GeTRJrcEerU=
+github.com/open-policy-agent/opa v0.58.0 h1:S5qvevW8JoFizU7Hp66R/Y1SOXol0aCdFYVkzIqIpUo=
+github.com/open-policy-agent/opa v0.58.0/go.mod h1:EGWBwvmyt50YURNvL8X4W5hXdlKeNhAHn3QXsetmYcc=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
@@ -812,35 +810,25 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
-github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
-github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
+github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
+github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -854,8 +842,8 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
 github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
@@ -880,11 +868,9 @@ github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5g
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
@@ -966,8 +952,8 @@ github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1z
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yargevad/filepathx v1.0.0 h1:SYcT+N3tYGi+NvazubCNlvgIPbzAk7i7y2dwg3I5FYc=
 github.com/yargevad/filepathx v1.0.0/go.mod h1:BprfX/gpYNJHJfc35GjRRpVcwWXS89gGulUIU5tK3tA=
-github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg=
-github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
+github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
+github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -993,7 +979,19 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg=
+go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs=
+go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk=
+go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE=
+go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8=
+go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o=
+go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A=
+go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg=
+go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1017,10 +1015,11 @@ golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= -golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1060,6 +1059,7 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1104,8 +1104,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 
@@ -1120,8 +1120,8 @@ golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfS golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= -golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1148,8 +1148,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= -golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M= -golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec= +golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= +golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1164,8 +1164,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1177,7 +1177,6 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1192,7 +1191,6 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -1206,8 +1204,6 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1216,7 +1212,6 @@ golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -1226,7 +1221,6 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1239,7 +1233,6 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1260,15 +1253,15 @@ golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= -golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1278,10 +1271,11 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1408,8 +1402,8 @@ google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= -google.golang.org/api v0.107.0 h1:I2SlFjD8ZWabaIFOfeEDg3pf0BHJDh6iYQ1ic3Yu/UU= -google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY= +google.golang.org/api v0.126.0 h1:q4GJq+cAdMAC7XP7njvQ4tvohGLiSlytuL4BQxbIZ+o= +google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1520,8 +1514,12 @@ google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqw google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= -google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w= -google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -1558,8 +1556,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= -google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag= -google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -1576,8 +1574,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.29.1 h1:7QBf+IK2gx70Ap/hDsOmam3GE0v9HicjfEdAxE62UoM= -google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -1601,7 +1599,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 
@@ -1661,5 +1658,5 @@ sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2 sigs.k8s.io/kustomize/kyaml v0.13.9/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From 99a507cce8ec91720af48544470831b565c5cbf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 31 Oct 2023 12:03:57 +0000 Subject: [PATCH 170/379] update helm update helm to update the indirect filepath-securejoin --- go.mod | 76 +++++++------ go.sum | 347 ++++++++++++++------------------------------------------- 2 files changed, 120 insertions(+), 303 deletions(-) diff --git a/go.mod b/go.mod index 787ea5613af..cccf820da1a 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/BurntSushi/toml v1.3.2 github.com/agnivade/levenshtein v1.1.1 github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0 - github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12 + github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df github.com/aws/aws-sdk-go v1.44.295 github.com/bigkevmcd/go-configparser v0.0.0-20230427073640-c6b631f70126 github.com/cheggaaa/pb/v3 v3.1.2 @@ -42,9 +42,9 @@ require ( github.com/zclconf/go-cty v1.13.1 golang.org/x/net v0.17.0 golang.org/x/text v0.13.0 - golang.org/x/tools v0.7.0 + golang.org/x/tools v0.8.0 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.11.2 + helm.sh/helm/v3 v3.13.1 mvdan.cc/sh/v3 v3.6.0 ) 
@@ -54,8 +54,11 @@ require ( github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/s2a-go v0.1.4 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/samber/lo v1.38.1 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect @@ -76,9 +79,9 @@ require ( github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Masterminds/semver/v3 v3.2.0 // indirect + github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/Masterminds/sprig/v3 v3.2.3 // indirect - github.com/Masterminds/squirrel v1.5.3 // indirect + github.com/Masterminds/squirrel v1.5.4 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/VividCortex/ewma v1.2.0 // indirect github.com/agext/levenshtein v1.2.3 // indirect 
@@ -92,32 +95,31 @@ require ( github.com/chai2010/gettext-go v1.0.2 // indirect github.com/containerd/containerd v1.7.7 // indirect github.com/containerd/typeurl v1.0.2 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/docker/cli v20.10.21+incompatible // indirect + github.com/docker/cli v24.0.6+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect - github.com/docker/docker v20.10.24+incompatible // indirect + github.com/docker/docker v24.0.6+incompatible // indirect github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect - github.com/docker/go-units v0.4.0 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/docker/go-units v0.5.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.1 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/color v1.14.1 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-errors/errors v1.4.2 // indirect - github.com/go-gorp/gorp/v3 v3.0.5 // indirect + github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-logr/logr v1.2.4 // indirect - github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.20.0 // indirect - github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/btree v1.0.1 
// indirect - github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect @@ -140,7 +142,7 @@ require ( github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect - github.com/lib/pq v1.10.7 // indirect + github.com/lib/pq v1.10.9 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect @@ -155,7 +157,7 @@ require ( github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/spdystream v0.2.0 // indirect - github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect + github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect 
@@ -167,12 +169,12 @@ require ( github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.16.0 // indirect - github.com/prometheus/client_model v0.3.0 // indirect - github.com/prometheus/common v0.42.0 // indirect + github.com/prometheus/client_model v0.4.0 // indirect + github.com/prometheus/common v0.44.0 // indirect github.com/prometheus/procfs v0.10.1 // indirect github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect github.com/rivo/uniseg v0.2.0 // indirect - github.com/rubenv/sql-migrate v1.3.1 // indirect + github.com/rubenv/sql-migrate v1.5.2 // indirect github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245 // indirect github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 github.com/sergi/go-diff v1.2.0 // indirect @@ -188,11 +190,11 @@ require ( github.com/ulikunitz/xz v0.5.11 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect - github.com/xlab/treeprint v1.1.0 // indirect + github.com/xlab/treeprint v1.2.0 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect go.opencensus.io v0.24.0 // indirect - go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect + go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect golang.org/x/crypto v0.14.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.4.0 // indirect 
@@ -208,22 +210,22 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/api v0.26.3 - k8s.io/apiextensions-apiserver v0.26.1 // indirect - k8s.io/apimachinery v0.26.3 - k8s.io/apiserver v0.26.1 // indirect - k8s.io/cli-runtime v0.26.0 // indirect - k8s.io/client-go v0.26.3 - k8s.io/component-base v0.26.1 // indirect - k8s.io/klog/v2 v2.80.1 // indirect - k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - k8s.io/kubectl v0.26.0 // indirect - k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect - oras.land/oras-go v1.2.2 // indirect + k8s.io/api v0.28.2 + k8s.io/apiextensions-apiserver v0.28.2 // indirect + k8s.io/apimachinery v0.28.2 + k8s.io/apiserver v0.28.2 // indirect + k8s.io/cli-runtime v0.28.2 // indirect + k8s.io/client-go v0.28.2 + k8s.io/component-base v0.28.2 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect + k8s.io/kubectl v0.28.2 // indirect + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + oras.land/oras-go v1.2.4 // indirect sigs.k8s.io/controller-runtime v0.14.6 - sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect - sigs.k8s.io/kustomize/api v0.12.1 // indirect - sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect + sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index d3ae84b3328..0f39d62cf9e 100644 --- a/go.sum +++ b/go.sum 
@@ -98,7 +98,6 @@ cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1 cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w= -cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= 
@@ -199,14 +198,13 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= -github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= -github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g= github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/sprig/v3 v3.2.1/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= +github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= +github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= -github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc= -github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= +github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= +github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/Microsoft/hcsshim v0.11.1 h1:hJ3s7GbWlGK4YVV92sO88BQSyF4ZLVy7/awqOlPxFbA= 
@@ -216,7 +214,6 @@ github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdII github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow= github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4= -github.com/a8m/expect v1.0.0/go.mod h1:4IwSCMumY49ScypDnjNbYEjgVeqy1/U2cEs3Lat96eA= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= 
@@ -226,19 +223,14 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0 h1:BVts5dexXf4i+JX8tXlKT0aKoi38JwTXSe+3WUneX0k= github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0/go.mod h1:FDIQmoMNJJl5/k7upZEnGvgWVZfFeE6qHeN7iCMbCsA= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12 h1:npHgfD4Tl2WJS3AJaMUi5ynGDPUBfkg3U3fCzDyXZ+4= -github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20221202181307-76fa05c21b12/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0 h1:MzVXffFUye+ZcSR6opIgz9Co7WcDx6ZcY+RjfFHoA0I= github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= -github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= 
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= @@ -251,10 +243,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bigkevmcd/go-configparser v0.0.0-20230427073640-c6b631f70126 h1:uru++pUKoS/yYU3Ohq9VItZdK/cT7FFJH/UUjOlxc+s= github.com/bigkevmcd/go-configparser v0.0.0-20230427073640-c6b631f70126/go.mod h1:zqqfbfnDeSdRs1WihmMjSbhb2Ptw8Jbus831xoqiIec= -github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= 
@@ -294,28 +284,17 @@ github.com/containerd/containerd v1.6.18 h1:qZbsLvmyu+Vlty0/Ex5xc0z2YtKpIsb5n45m github.com/containerd/containerd v1.6.18/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw= github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod 
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= 
@@ -324,8 +303,8 @@ github.com/docker/cli v20.10.12+incompatible h1:lZlz0uzG+GH+c0plStMUdF/qk3ppmgns github.com/docker/cli v20.10.12+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPaAiuPgIfVyI3dYE= -github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE= +github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= 
@@ -333,15 +312,13 @@ github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5Xh github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= -github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= +github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.11.2 h1:DiIeyTJ+gPSyJI+RIAqvuTeKb0tLUmaGXbYg6aFKsnE= github.com/emicklei/proto v1.11.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -361,14 +338,11 @@ github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2Vvl github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= -github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps= github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= 
@@ -383,14 +357,13 @@ github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3Bop github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gorp/gorp/v3 v3.0.5 h1:PUjzYdYu3HBOh8LE+UUmRG2P0IRDak9XMeGNvaeq4Ow= -github.com/go-gorp/gorp/v3 v3.0.5/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= +github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= +github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= 
@@ -398,39 +371,31 @@ github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbV github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod 
h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= -github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= -github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= -github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gocarina/gocsv v0.0.0-20220310154401-d4df709ca055 h1:UfcDMw41lSx3XM7UvD1i7Fsu3rMgD55OU5LYwLoR/Yk= github.com/gocarina/gocsv v0.0.0-20220310154401-d4df709ca055/go.mod h1:5YoVOkjYAQumqlV356Hj3xeYh4BdZuLE0/nRkf2NKkI= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godror/godror v0.24.2/go.mod h1:wZv/9vPiUib6tkoDl+AZ/QLf5YZgMravZ7jxH2eQWAE= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= 
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -473,8 +438,8 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= -github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -545,45 +510,30 @@ github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5i github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= -github.com/hashicorp/consul/api v1.1.0/go.mod 
h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-getter v1.7.1 h1:SWiSWN/42qdpR0MdhaOc/bLR48PLuP1ZQtYLRlM69uY= github.com/hashicorp/go-getter v1.7.1/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.1/go.mod 
h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= 
@@ -591,15 +541,9 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl/v2 v2.16.2 h1:mpkHZh/Tv+xet3sy3F9Ld4FyI2tUpWe9x3XtPx9f1a0= github.com/hashicorp/hcl/v2 v2.16.2/go.mod h1:JRmR89jycNkrrqnMmvPDMd56n1rQJ2Q6KocSLCMCXng= -github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/terraform-json v0.16.0 h1:UKkeWRWb23do5LNAFlh/K3N0ymn1qTOO8c+85Albo3s= github.com/hashicorp/terraform-json v0.16.0/go.mod h1:v0Ufk9jJnk6tcIZvScHvetlKfiNTC+WS21mnXIlc0B0= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= 
@@ -608,7 +552,6 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1: github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= 
@@ -620,38 +563,29 @@ github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g= github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ= github.com/johnfercher/maroto v0.40.0 h1:jBPC9JQ030SSbusWwIbfbsgdcyk6OZtBe428EOXopI0= github.com/johnfercher/maroto v0.40.0/go.mod h1:qeujdhKT+677jMjGWlIa5OCgR04GgIHvByJ6pSC+hOw= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= github.com/jung-kurt/gofpdf v1.16.2 h1:jgbatWHfRlPYiK85qgevsZTHviWXKwB1TTiKdz5PtRc= github.com/jung-kurt/gofpdf v1.16.2/go.mod h1:1hl7y57EsiPAkLbOwzpzqgx1A30nQCk/YmFV8S2vmK0= github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= -github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= -github.com/kisielk/errcheck v1.1.0/go.mod 
h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kortschak/utter v1.0.1/go.mod h1:vSmSjbyrlKjjsL71193LmzBOKgwePk9DH6uFaWHIInc= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= -github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -663,74 +597,47 @@ github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtB github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= -github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/mackerelio/go-osstat v0.2.4 h1:qxGbdPkFo65PXOb/F/nhDKpF2nGmGaCFDLXoZjJTtUs= github.com/mackerelio/go-osstat v0.2.4/go.mod h1:Zy+qzGdZs3A9cuIqmgbJvwbmLQH9dJvtio5ZjJTbdlQ= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= 
github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= -github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= -github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= -github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/matryer/try v0.0.0-20161228173917-9ac251b645a2/go.mod h1:0KeJpeMD6o+O4hW7qJOT7vyQPKrWmj26uf5wMc/IiIs= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= -github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
-github.com/mattn/go-oci8 v0.1.1/go.mod h1:wjDx6Xm9q7dFtHJvIlrI99JytznLw5wQ4R+9mNXJwGI= github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.12 h1:Y41i/hVW3Pgwr8gV+J23B9YEY0zxjptBuCWEaxmAOow= github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= -github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= -github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/cli v1.1.5/go.mod h1:v8+iFts2sPIKUV1ltktPXMCC8fumSKFItNcD2cLtRR4= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= -github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-testing-interface 
v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= -github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= -github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= 
@@ -743,8 +650,8 @@ github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQ github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/sys/mountinfo v0.6.0 h1:gUDhXQx58YNrpHlK4nSL+7y2pxFZkUcXqzFDKWdC0Oo= -github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA= -github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -759,32 +666,24 @@ github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7P github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/nelsam/hel/v2 v2.3.2/go.mod h1:1ZTGfU2PFTOd5mx22i5O0Lc2GY933lQ2wb/ggy+rL3w= -github.com/nelsam/hel/v2 v2.3.3/go.mod h1:1ZTGfU2PFTOd5mx22i5O0Lc2GY933lQ2wb/ggy+rL3w= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= -github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= +github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.24.1 
h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= +github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= github.com/open-policy-agent/opa v0.58.0 h1:S5qvevW8JoFizU7Hp66R/Y1SOXol0aCdFYVkzIqIpUo= github.com/open-policy-agent/opa v0.58.0/go.mod h1:EGWBwvmyt50YURNvL8X4W5hXdlKeNhAHn3QXsetmYcc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU= github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= 
@@ -794,20 +693,14 @@ github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2 github.com/phpdave11/gofpdi v1.0.7/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= -github.com/poy/onpar v0.0.0-20200406201722-06f95a1c68e8/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= -github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= 
@@ -815,21 +708,17 @@ github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lF github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= -github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= -github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod 
h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= -github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/relex/aini v1.6.0 h1:iIMLsRWYtXKYS3edGz3EDpBxvLOiMAfSCUXjr4A8jbY= 
@@ -837,67 +726,47 @@ github.com/relex/aini v1.6.0/go.mod h1:Lrud1Ua+Sfmz7ajfXG3Gi6hf9dI5fKssfRz97DrMZ github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w= github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0= -github.com/rubenv/sql-migrate v1.3.1 h1:Vx+n4Du8X8VTYuXbhNxdEUoh6wiJERA0GlWocR5FrbA= -github.com/rubenv/sql-migrate v1.3.1/go.mod h1:YzG/Vh82CwyhTFXy+Mf5ahAiiEOpAlHurg+23VEzcsk= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0= +github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod 
h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w= github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245 h1:K1Xf3bKttbF+koVGaX5xngRIZ5bVjbmPnaxE/dR08uY= github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI= github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs= github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM= github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4/go.mod 
h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sosedoff/ansible-vault-go v0.1.1 h1:3yU5yxPnK70Exemc0FKFPYCul7YB1EM9Of1Dd7xBzFI= github.com/sosedoff/ansible-vault-go v0.1.1/go.mod h1:u74h49t5XRrBQpubnCr8PXRABdzTEuM+nHUn1mGYgtI= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= -github.com/spf13/cobra v0.0.6/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= 
github.com/spf13/viper v1.15.0 h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU= github.com/spf13/viper v1.15.0/go.mod h1:fFcTBJxvhhzSJiZy8n+PeW6t8l+KeT/uTARa0jHOQLA= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= @@ -915,7 +784,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8= github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= 
@@ -932,8 +800,6 @@ github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= -github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8= github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= 
@@ -944,12 +810,10 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= -github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 h1:QldyIu/L63oPpyvQmHgvgickp1Yw510KJOqX7H24mg8= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= -github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yargevad/filepathx v1.0.0 h1:SYcT+N3tYGi+NvazubCNlvgIPbzAk7i7y2dwg3I5FYc= github.com/yargevad/filepathx v1.0.0/go.mod h1:BprfX/gpYNJHJfc35GjRRpVcwWXS89gGulUIU5tK3tA= github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= 
@@ -959,17 +823,12 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY= github.com/zclconf/go-cty v1.13.1 h1:0a6bRwuiSHtAmqCqNOE+c2oHgepv0ctoxU4FUe43kwc= github.com/zclconf/go-cty v1.13.1/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= -go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -992,32 +851,21 @@ go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1 go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= -go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= -go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= +go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1063,17 +911,13 @@ golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -1104,7 +948,6 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= @@ -1119,7 +962,6 @@ golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfS golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1133,7 +975,6 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 
@@ -1166,15 +1007,11 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= -golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1185,14 +1022,11 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1217,7 +1051,6 @@ golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1226,7 +1059,6 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1249,17 +1081,15 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1273,7 +1103,6 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1281,14 +1110,12 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 
@@ -1298,7 +1125,6 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -1316,7 +1142,6 @@ golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200313205530-4303120df7d8/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -1339,10 +1164,9 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4= -golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= +golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1374,7 +1198,6 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= 
@@ -1443,7 +1266,6 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= @@ -1522,7 +1344,6 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
@@ -1580,7 +1401,6 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= 
@@ -1588,13 +1408,10 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -1604,14 +1421,12 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= -helm.sh/helm/v3 v3.11.2 h1:P3cLaFxfoxaGLGJVnoPrhf1j86LC5EDINSpYSpMUkkA= -helm.sh/helm/v3 v3.11.2/go.mod h1:Hw+09mfpDiRRKAgAIZlFkPSeOkvv7Acl5McBvQyNPVw= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= +helm.sh/helm/v3 v3.13.1 h1:DG+XLGzBJeZvMLlMbm6bPDLV1dGaVW9eZsDoUd1/LM0= +helm.sh/helm/v3 v3.13.1/go.mod h1:TdQRMiq46CSWcc68Hb0uVhvAWusaN90YwAV54cz6JzU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1619,43 +1434,43 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU= -k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= -k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= -k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= -k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k= -k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= -k8s.io/apiserver v0.26.1 h1:6vmnAqCDO194SVCPU3MU8NcDgSqsUA62tBUSWrFXhsc= -k8s.io/apiserver v0.26.1/go.mod h1:wr75z634Cv+sifswE9HlAo5FQ7UoUauIICRlOE+5dCg= -k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= -k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= -k8s.io/client-go v0.26.3 h1:k1UY+KXfkxV2ScEL3gilKcF7761xkYsSD6BC9szIu8s= -k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ= -k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4= -k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU= -k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= -k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/kubectl v0.26.0 h1:xmrzoKR9CyNdzxBmXV7jW9Ln8WMrwRK6hGbbf69o4T0= -k8s.io/kubectl v0.26.0/go.mod 
h1:eInP0b+U9XUJWSYeU9XZnTA+cVYuWyl3iYPGtru0qhQ= -k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= -k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= +k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= +k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= +k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg= +k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= +k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= +k8s.io/apiserver v0.28.2 h1:rBeYkLvF94Nku9XfXyUIirsVzCzJBs6jMn3NWeHieyI= +k8s.io/apiserver v0.28.2/go.mod h1:f7D5e8wH8MWcKD7azq6Csw9UN+CjdtXIVQUyUhrtb+E= +k8s.io/cli-runtime v0.28.2 h1:64meB2fDj10/ThIMEJLO29a1oujSm0GQmKzh1RtA/uk= +k8s.io/cli-runtime v0.28.2/go.mod h1:bTpGOvpdsPtDKoyfG4EG041WIyFZLV9qq4rPlkyYfDA= +k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY= +k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY= +k8s.io/component-base v0.28.2 h1:Yc1yU+6AQSlpJZyvehm/NkJBII72rzlEsd6MkBQ+G0E= +k8s.io/component-base v0.28.2/go.mod h1:4IuQPQviQCg3du4si8GpMrhAIegxpsgPngPRR/zWpzc= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/kubectl v0.28.2 h1:fOWOtU6S0smdNjG1PB9WFbqEIMlkzU5ahyHkc7ESHgM= +k8s.io/kubectl v0.28.2/go.mod h1:6EQWTPySF1fn7yKoQZHYf9TPwIl2AygHEcJoxFekr64= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils 
v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= mvdan.cc/sh/v3 v3.6.0 h1:gtva4EXJ0dFNvl5bHjcUEvws+KRcDslT8VKheTYkbGU= mvdan.cc/sh/v3 v3.6.0/go.mod h1:U4mhtBLZ32iWhif5/lD+ygy1zrgaQhUu+XFy7C8+TTA= -oras.land/oras-go v1.2.2 h1:0E9tOHUfrNH7TCDk5KU0jVBEzCqbfdyuVfGmJ7ZeRPE= -oras.land/oras-go v1.2.2/go.mod h1:Apa81sKoZPpP7CDciE006tSZ0x3Q3+dOoBcMZ/aNxvw= +oras.land/oras-go v1.2.4 h1:djpBY2/2Cs1PV87GSJlxv4voajVOMZxqqtq9AB8YNvY= +oras.land/oras-go v1.2.4/go.mod h1:DYcGfb3YF1nKjcezfX2SNlDAeQFKSXmf+qrFmrh4324= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= -sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= -sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= -sigs.k8s.io/kustomize/kyaml v0.13.9/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= +sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= +sigs.k8s.io/kustomize/kyaml 
v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U= +sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= From 576f384f66bf692a4b3ea41a8bb65b2107900d5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 31 Oct 2023 15:32:58 +0000 Subject: [PATCH 171/379] force version of etcd/pkg --- go.mod | 1 + 1 file changed, 1 insertion(+) diff --git a/go.mod b/go.mod index cccf820da1a..763710d248e 100644 --- a/go.mod +++ b/go.mod @@ -236,4 +236,5 @@ replace ( github.com/moby/buildkit => github.com/moby/buildkit v0.10.4 github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2 github.com/spf13/afero => github.com/spf13/afero v1.2.2 + go.etcd.io/etcd/pkg/v3 => go.etcd.io/etcd/pkg/v3 v3.5.10 ) From 117ae706d7cbf1efc445e07929240142ecb56bd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 2 Nov 2023 11:33:05 +0000 Subject: [PATCH 172/379] update certifi version --- .../scripts/queries-validator/requirements.txt | Bin 332 -> 332 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/.github/scripts/queries-validator/requirements.txt b/.github/scripts/queries-validator/requirements.txt index 7bf640e5b84d37bcf9a8c140b96ec88add964321..40ddcf78b8e76e77ee3a99580cb858f17cee8a16 100644 GIT binary patch delta 22 ccmX@ZbcShy1-CJS9)md$8!;Gdbmn9P06(k*m;e9( delta 22 ccmX@ZbcShy1-BuC9)lr+0g$xV=*-Co06$;^lmGw# From ea9f0df5ff359a301d424ae0c00b505a499e9444 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 2 Nov 2023 12:21:46 +0000 Subject: [PATCH 173/379] force latest version of gin --- go.mod | 1 + 1 file changed, 1 insertion(+) diff --git a/go.mod b/go.mod index 763710d248e..eb8d30a4fb8 100644 --- a/go.mod +++ b/go.mod @@ -233,6 +233,7 @@ require ( replace ( github.com/containerd/containerd => github.com/containerd/containerd v1.6.18 github.com/docker/cli => github.com/docker/cli v20.10.12+incompatible + github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.9.1 github.com/moby/buildkit => github.com/moby/buildkit v0.10.4 github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2 github.com/spf13/afero => github.com/spf13/afero v1.2.2 From a5f1dd23e7bf9984f2b875857598a7a0e558ff85 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Mon, 6 Nov 2023 14:24:58 +0000 Subject: [PATCH 174/379] remove negative3 file --- .../aws/iam_access_analyzer_not_enabled/test/negative3.yaml | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative3.yaml diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative3.yaml b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative3.yaml deleted file mode 100644 index 2e9dc48f325..00000000000 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative3.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# Random yaml file ---- -my_var: provider:a -service: foo \ No newline at end of file From 6271b6400f7afbe42e671065ef8aac0b1043dcda Mon Sep 17 00:00:00 2001 
From: pereiramarco011 Date: Tue, 7 Nov 2023 11:56:47 +0000 Subject: [PATCH 175/379] create-kics-queries-repo branch --- .../config-template/config.yaml | 0 .../release-kics-queries-repo-branch.yaml | 46 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 .github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml create mode 100644 .github/workflows/release-kics-queries-repo-branch.yaml diff --git a/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml b/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/.github/workflows/release-kics-queries-repo-branch.yaml b/.github/workflows/release-kics-queries-repo-branch.yaml new file mode 100644 index 00000000000..b18e59efdf7 --- /dev/null +++ b/.github/workflows/release-kics-queries-repo-branch.yaml 
@@ -0,0 +1,46 @@ +name: release-kics-queries-repo-branch +on: + release: + types: + - published +jobs: + create-branch: + runs-on: ubuntu-latest + env: + REPO_NAME: "kics-queries-repo" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Set up Git credentials + run: | + git config --global user.name "${{ github.actor }}" + git config --global url."https://${{ secrets.CHECKMARXDEV_GIT_TOKEN }}@github.com".insteadOf "https://github.com" + + - name: Clone kics-queries-repo from CheckmarxDev + run: | + cd .. + git clone https://github.com/CheckmarxDev/$REPO_NAME.git + + - name: Create new branch for release ${{ github.event.release.name }} + run: | + cd ../$REPO_NAME + git checkout -b ${{ github.event.release.name }} + + - name: Copy queries to new branch + run: | + mkdir -p ../$REPO_NAME/kics-queries + rsync -av --exclude='*/test/*' --exclude='*/common/*' ./assets/queries/ ../$REPO_NAME/kics-queries/ + + - name: Copy circle ci configuration to new branch + run: | + mkdir -p ../$REPO_NAME/.circleci + sed 's/branch_name_template_to_replace/${{ github.event.release.name }}/g' .github/scripts/kics-queries-repo-branch-creation/config-template/config.yml > .github/scripts/kics-queries-repo-branch-creation/config.yml + cp .github/scripts/kics-queries-repo-branch-creation/config.yml ../$REPO_NAME/.circleci/ + + - name: Push branch + run: | + cd ../$REPO_NAME + git add . + git commit -m "Add queries from release ${{ github.event.release.name }} to $REPO_NAME" + git push origin ${{ github.event.release.name }} \ No newline at end of file From 1a617baf1afb1f3fdcdb86fd8ed3f511240da622 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Tue, 7 Nov 2023 14:24:41 +0000 Subject: [PATCH 176/379] add config template --- .../config-template/config.yaml | 114 ++++++++++++++++++ 1 file changed, 114 insertions(+) 
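Review bot: `${{ github.event.release.name }}` is expanded verbatim into four `run:` scripts (`git checkout -b`, the `sed` substitution, `git commit -m` and `git push origin`), so a release name containing shell metacharacters, whitespace or a `/` is interpreted by bash or breaks the sed expression instead of being treated as data; GitHub documents event-supplied strings like the release name as untrusted for exactly this reason. Expose it once as a job-level `env:` variable, quote it at every use, and validate its character set before the branch steps so the sed delimiter and the branch name are both safe. The `name:` fields can keep the expression since they are not executed.
```yaml
    env:
      REPO_NAME: "kics-queries-repo"
      RELEASE_NAME: ${{ github.event.release.name }}
    steps:
      # … unchanged: checkout, git credentials, clone …
      - name: Validate release name
        run: |
          [[ "$RELEASE_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "unsupported release name"; exit 1; }
      - name: Create new branch for release ${{ github.event.release.name }}
        run: |
          cd ../$REPO_NAME
          git checkout -b "$RELEASE_NAME"
      # … unchanged: Copy queries to new branch …
      - name: Copy circle ci configuration to new branch
        run: |
          mkdir -p ../$REPO_NAME/.circleci
          sed "s|branch_name_template_to_replace|$RELEASE_NAME|g" .github/scripts/kics-queries-repo-branch-creation/config-template/config.yml > .github/scripts/kics-queries-repo-branch-creation/config.yml
          cp .github/scripts/kics-queries-repo-branch-creation/config.yml ../$REPO_NAME/.circleci/
      - name: Push branch
        run: |
          cd ../$REPO_NAME
          git add .
          git commit -m "Add queries from release $RELEASE_NAME to $REPO_NAME"
          git push origin "$RELEASE_NAME"
```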
diff --git a/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml b/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml index e69de29bb2d..ad78505a13c 100644 --- a/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml +++ b/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml 
@@ -0,0 +1,114 @@ +version: 2.1 +orbs: + gh: circleci/github-cli@1.0.5 +executors: + circle-machine: + machine: + image: ubuntu-2004:2023.04.2 + cimg-base: + docker: + - image: cimg/base:2022.11 + resource_class: small + +jobs: + publish-github-release-and-images: + executor: circle-machine + working_directory: ~/repo + steps: + - run: + name: Config git and clone kics-queries-repo + command: | + git config --global url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf "https://github.com" + git clone https://github.com/CheckmarxDev/kics-queries-repo.git full_repo + - run: + name: Configure tools worktree + command: | + cd full_repo + git worktree add ../main main + cd .. + - run: + name: Set variables + command: | + echo "branch_name_template_to_replace" >> main/releaseBranches.txt + main/scripts/setVariables.sh + source "$BASH_ENV" + - run: + name: Build kics-queries-repo tar.gz + command: | + main/scripts/createQueriesRepo.sh "$PWD/full_repo" queries.tar.gz + - run: + name: Create GitHub release + command: | + main/scripts/createRelease.sh + - run: + name: Build ast-data image + command: | + main/scripts/buildImages.sh + - run: + name: Push ast-data image (JFrog Artifactory) + command: | + main/scripts/pushImageJFrog.sh + - run: + name: Persist AST_DATA_TAG to env file + command: | + echo "export AST_DATA_TAG='${AST_DATA_TAG}'" > /tmp/ast_data_env + - persist_to_workspace: + root: "/tmp" + paths: + - ast_data_env + + #create-pr-to-component-kics: + # executor: cimg-base + # steps: + # - attach_workspace: + # at: workspace + # - run: + # name: Set env vars from workspace + # command: | + # cat workspace/ast_data_env >> "$BASH_ENV" + # source "$BASH_ENV" + # echo "AST data tag: ${AST_DATA_TAG}" + # if [ -z "${AST_DATA_TAG}" ]; then + # echo "No AST_DATA_TAG env found!" 
+ # exit 1 + # fi + # - run: + # name: Config git and clone queries-repo + # command: | + # git config --global url."https://api:${GITHUB_TOKEN}@github.com/CheckmarxDev".insteadOf "https://github.com/CheckmarxDev" + # git config --global user.email "${GIT_CX_EMAIL}" + # git config --global user.name "${GIT_CX_USERNAME}" + # + # echo "Clone queries-repo main branch" + # git clone --branch main https://github.com/CheckmarxDev/kics-queries-repo.git main + # - run: + # name: Checkout and patch component-kics + # command: | + # main/scripts/patchComponentSAST.sh + # - gh/setup: + # version: 2.3.0 + # - run: + # name: Create PR to component-kics + # command: | + # main/scripts/createPR.sh + +workflows: + release-publish-workflow: + jobs: + - publish-github-release-and-images: + filters: + branches: + only: + - "branch_name_template_to_replace" + context: + - AWS + - JFROG + #- create-pr-to-component-sast: + # filters: + # branches: + # only: + # - "branch_name_template_to_replace" + # context: + # - AST-COMPONENT-GH + # requires: + # - publish-github-release-and-images \ No newline at end of file From 5d30d6591adb2a40d8d368403c88eec1831ffb92 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Tue, 7 Nov 2023 14:32:59 +0000 Subject: [PATCH 177/379] rename config --- .../config-template/{config.yaml => config.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/scripts/kics-queries-repo-branch-creation/config-template/{config.yaml => config.yml} (100%) diff --git a/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml b/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yml similarity index 100% rename from .github/scripts/kics-queries-repo-branch-creation/config-template/config.yaml rename to .github/scripts/kics-queries-repo-branch-creation/config-template/config.yml From 28a61c2e291bbb69bc73080eb3bfb83045ba6dae Mon Sep 17 00:00:00 2001 
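Review bot: The `gh` orb and the `cimg-base` executor declared at the top of the template are only referenced from the commented-out `create-pr-to-component-kics` job, so the live configuration pulls in an orb and defines an executor it never uses; either drop them or keep the job. The `insteadOf` rewrite carrying `${GITHUB_USER}:${GITHUB_TOKEN}` is written to the executor's global git config and therefore applies to every github.com URL the later `main/scripts/*.sh` steps clone, which is presumably intended for the private CheckmarxDev repositories — a one-line comment on that step saying so would save the next reader from wondering whether the scope is deliberate.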
From: pereiramarco011 Date: Tue, 7 Nov 2023 15:00:05 +0000 Subject: [PATCH 178/379] remove commented code --- .../config-template/config.yml | 46 +------------------ 1 file changed, 1 insertion(+), 45 deletions(-) diff --git a/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yml b/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yml index ad78505a13c..ba5fc20fd5c 100644 --- a/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yml +++ b/.github/scripts/kics-queries-repo-branch-creation/config-template/config.yml @@ -57,41 +57,6 @@ jobs: paths: - ast_data_env - #create-pr-to-component-kics: - # executor: cimg-base - # steps: - # - attach_workspace: - # at: workspace - # - run: - # name: Set env vars from workspace - # command: | - # cat workspace/ast_data_env >> "$BASH_ENV" - # source "$BASH_ENV" - # echo "AST data tag: ${AST_DATA_TAG}" - # if [ -z "${AST_DATA_TAG}" ]; then - # echo "No AST_DATA_TAG env found!" - # exit 1 - # fi - # - run: - # name: Config git and clone queries-repo - # command: | - # git config --global url."https://api:${GITHUB_TOKEN}@github.com/CheckmarxDev".insteadOf "https://github.com/CheckmarxDev" - # git config --global user.email "${GIT_CX_EMAIL}" - # git config --global user.name "${GIT_CX_USERNAME}" - # - # echo "Clone queries-repo main branch" - # git clone --branch main https://github.com/CheckmarxDev/kics-queries-repo.git main - # - run: - # name: Checkout and patch component-kics - # command: | - # main/scripts/patchComponentSAST.sh - # - gh/setup: - # version: 2.3.0 - # - run: - # name: Create PR to component-kics - # command: | - # main/scripts/createPR.sh - workflows: release-publish-workflow: jobs: 
@@ -102,13 +67,4 @@ workflows: - "branch_name_template_to_replace" context: - AWS - - JFROG - #- create-pr-to-component-sast: - # filters: - # branches: - # only: - # - "branch_name_template_to_replace" - # context: - # - AST-COMPONENT-GH - # requires: - # - publish-github-release-and-images \ No newline at end of file + - JFROG \ No newline at end of file From 904ec19a76b41977c296749249b0c40d7cba5620 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Tue, 7 Nov 2023 16:51:32 +0000 Subject: [PATCH 179/379] implementation of the flag resolve-references --- docs/commands.md | 3 +- docs/dockerhub.md | 2 + e2e/fixtures/assets/scan_help | 1 + internal/console/assets/scan-flags.json | 6 ++ internal/console/flags/flags.go | 8 +++ internal/console/flags/scan_flags.go | 1 + internal/console/scan.go | 1 + pkg/kics/service.go | 4 +- pkg/kics/sink.go | 5 +- pkg/parser/ansible/ini/config/parser.go | 2 +- pkg/parser/ansible/ini/hosts/parser.go | 2 +- pkg/parser/buildah/parser.go | 2 +- pkg/parser/docker/parser.go | 2 +- pkg/parser/grpc/parser.go | 2 +- pkg/parser/json/parser.go | 4 +- pkg/parser/parser.go | 6 +- pkg/parser/terraform/terraform.go | 2 +- pkg/parser/yaml/parser.go | 4 +- pkg/resolver/file/file.go | 46 ++++++++------- pkg/resolver/file/file_test.go | 77 ++++++++++++++++++++++++- pkg/scan/client.go | 1 + pkg/scan/scan.go | 2 +- pkg/scanner/scanner.go | 4 +- 23 files changed, 143 insertions(+), 44 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index dc6e1fb505b..0891d20c144 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -102,7 +102,8 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerLessFW, Terraform) cannot be provided with type inclusion flags - + --resolve-references resolve the file reference (default [false]) + Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) -f, --log-format string determines log format (pretty,json) (default "pretty") diff --git a/docs/dockerhub.md b/docs/dockerhub.md index 6c30d17f3fe..ac766224a50 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -137,6 +137,8 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerLessFW, Terraform) cannot be provided with type inclusion flags + --resolve-references resolve the file reference (default [false]) + ``` ```txt diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 4531f28b2c5..e8166d7ebf8 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -59,6 +59,7 @@ Flags: -t, --type strings case insensitive list of platform types to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type exclusion flags + --resolve-references resolve the file reference Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index fb7164209fa..dab9a6ebb23 100644 --- a/internal/console/assets/scan-flags.json 
+++ b/internal/console/assets/scan-flags.json @@ -201,5 +201,11 @@ "shorthandFlag": "", "defaultValue": "false", "usage": "disables the exclusion of paths specified within .gitignore file" + }, + "resolve-references": { + "flagType": "bool", + "shorthandFlag": "", + "defaultValue": "false", + "usage": "resolve the file reference" } } diff --git a/internal/console/flags/flags.go b/internal/console/flags/flags.go index 3ee7287c9d7..f4b92178efa 100644 --- a/internal/console/flags/flags.go +++ b/internal/console/flags/flags.go @@ -22,6 +22,14 @@ var ( validations = make(map[string][]string) ) +type FlagInterface interface { + GetBoolFlag(flagName string) bool + GetStrFlag(flagName string) string +} + +type FlagStruct struct { +} + type flagJSON struct { FlagType string ShorthandFlag string diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go index c2d2288aca8..9d462b31ff7 100644 --- a/internal/console/flags/scan_flags.go +++ b/internal/console/flags/scan_flags.go @@ -34,4 +34,5 @@ const ( DisableSecretsFlag = "disable-secrets" SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec ExcludeGitIgnore = "exclude-gitignore" + ResolveReferencesFlag = "resolve-references" ) diff --git a/internal/console/scan.go b/internal/console/scan.go index c9ea0e5f2d7..696fffaed18 100644 --- a/internal/console/scan.go +++ b/internal/console/scan.go @@ -139,6 +139,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool ChangedDefaultQueryPath: changedDefaultQueryPath, BillOfMaterials: flags.GetBoolFlag(flags.BomFlag), ExcludeGitIgnore: flags.GetBoolFlag(flags.ExcludeGitIgnore), + ResolveReferences: flags.GetBoolFlag(flags.ResolveReferencesFlag), } return &scanParams diff --git a/pkg/kics/service.go b/pkg/kics/service.go index e2ba6feb1c4..8ce399c774b 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go 
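Review bot: The usage string `"resolve the file reference"` does not tell the user what is resolved or that it is off by default; the feature follows `$ref` and `file://` style references and reads the referenced files from disk during the scan, so the help text should say that, e.g. `"usage": "resolve file references ($ref, file://) by reading the referenced files from disk; disabled by default"`. The same wording should then be mirrored in docs/commands.md, docs/dockerhub.md and e2e/fixtures/assets/scan_help, which currently disagree on whether `(default [false])` is shown.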
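Review bot: `FlagInterface` and `FlagStruct` are new exported types with no doc comments, `FlagStruct` is empty, and nothing in the series shown references either of them (`scan.go` and later `remediate.go` keep calling the package-level `flags.GetBoolFlag`). If they are groundwork for injecting a flag reader into tests, add `// FlagInterface abstracts flag lookups so callers can be tested without global cobra state.` and give `FlagStruct` the method set that satisfies it; otherwise leave them out of this commit.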
@@ -61,7 +61,7 @@ type Service struct { } // PrepareSources will prepare the sources to be scanned -func (s *Service) PrepareSources(ctx context.Context, scanID string, wg *sync.WaitGroup, errCh chan<- error) { +func (s *Service) PrepareSources(ctx context.Context, scanID string, wg *sync.WaitGroup, errCh chan<- error, resolveReferences bool) { defer wg.Done() // CxSAST query under review data := make([]byte, mbConst) @@ -69,7 +69,7 @@ func (s *Service) PrepareSources(ctx context.Context, scanID string, wg *sync.Wa ctx, s.Parser.SupportedExtensions(), func(ctx context.Context, filename string, rc io.ReadCloser) error { - return s.sink(ctx, filename, scanID, rc, data) + return s.sink(ctx, filename, scanID, rc, data, resolveReferences) }, func(ctx context.Context, filename string) ([]string, error) { // Sink used for resolver files and templates return s.resolverSink(ctx, filename, scanID) diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go index a1acf322b32..bcd6dac78d1 100644 --- a/pkg/kics/sink.go +++ b/pkg/kics/sink.go @@ -26,7 +26,7 @@ var ( } ) -func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reader, data []byte) error { +func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reader, data []byte, resolveReferences bool) error { s.Tracker.TrackFileFound() log.Debug().Msgf("Starting to process file %s", filename) @@ -40,8 +40,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reade if err != nil { return errors.Wrapf(err, "failed to get file content: %s", filename) } - - documents, err := s.Parser.Parse(filename, *content) + documents, err := s.Parser.Parse(filename, *content, resolveReferences) if err != nil { log.Err(err).Msgf("failed to parse file content: %s", filename) return nil diff --git a/pkg/parser/ansible/ini/config/parser.go b/pkg/parser/ansible/ini/config/parser.go index 03e232ddf57..e4a32a05a86 100644 --- a/pkg/parser/ansible/ini/config/parser.go 
+++ b/pkg/parser/ansible/ini/config/parser.go @@ -13,7 +13,7 @@ import ( type Parser struct { } -func (p *Parser) Resolve(fileContent []byte, filename string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, filename string, _ bool) ([]byte, error) { return fileContent, nil } diff --git a/pkg/parser/ansible/ini/hosts/parser.go b/pkg/parser/ansible/ini/hosts/parser.go index d83271f01d6..b921062f684 100644 --- a/pkg/parser/ansible/ini/hosts/parser.go +++ b/pkg/parser/ansible/ini/hosts/parser.go @@ -13,7 +13,7 @@ import ( type Parser struct { } -func (p *Parser) Resolve(fileContent []byte, _ string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, _ string, _ bool) ([]byte, error) { return fileContent, nil } diff --git a/pkg/parser/buildah/parser.go b/pkg/parser/buildah/parser.go index 7f21f751028..07b1ad67fc8 100644 --- a/pkg/parser/buildah/parser.go +++ b/pkg/parser/buildah/parser.go @@ -51,7 +51,7 @@ const ( ) // Resolve - replace or modifies in-memory content before parsing -func (p *Parser) Resolve(fileContent []byte, _ string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, _ string, _ bool) ([]byte, error) { return fileContent, nil } diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 95f0d370880..9e0a2d88582 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -34,7 +34,7 @@ type Command struct { } // Resolve - replace or modifies in-memory content before parsing -func (p *Parser) Resolve(fileContent []byte, _ string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, _ string, _ bool) ([]byte, error) { return fileContent, nil } diff --git a/pkg/parser/grpc/parser.go b/pkg/parser/grpc/parser.go index 3274a9fab0d..97f88b5602d 100644 --- a/pkg/parser/grpc/parser.go +++ b/pkg/parser/grpc/parser.go 
@@ -65,7 +65,7 @@ func (p *Parser) StringifyContent(content []byte) (string, error) { } // Resolve resolves proto files variables -func (p *Parser) Resolve(fileContent []byte, _ string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, _ string, _ bool) ([]byte, error) { return fileContent, nil } diff --git a/pkg/parser/json/parser.go b/pkg/parser/json/parser.go index dae67f0628e..53c1828de5a 100644 --- a/pkg/parser/json/parser.go +++ b/pkg/parser/json/parser.go @@ -16,11 +16,11 @@ type Parser struct { } // Resolve - replace or modifies in-memory content before parsing -func (p *Parser) Resolve(fileContent []byte, filename string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, filename string, resolveReferences bool) ([]byte, error) { // Resolve files passed as arguments with file resolver (e.g. file://) res := file.NewResolver(json.Unmarshal, json.Marshal, p.SupportedExtensions()) resolvedFilesCache := make(map[string]file.ResolvedFile) - resolved := res.Resolve(fileContent, filename, 0, resolvedFilesCache) + resolved := res.Resolve(fileContent, filename, 0, resolvedFilesCache, resolveReferences) p.resolvedFiles = res.ResolvedFiles if len(res.ResolvedFiles) == 0 { return fileContent, nil diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index d8137647aae..e3993f1a7f3 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -17,7 +17,7 @@ type kindParser interface { SupportedExtensions() []string SupportedTypes() map[string]bool Parse(filePath string, fileContent []byte) ([]model.Document, []int, error) - Resolve(fileContent []byte, filename string) ([]byte, error) + Resolve(fileContent []byte, filename string, _ bool) ([]byte, error) StringifyContent(content []byte) (string, error) GetResolvedFiles() map[string]model.ResolvedFile } 
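Review bot: The `kindParser` interface now declares `Resolve(fileContent []byte, filename string, _ bool) ([]byte, error)`; a blank identifier in an interface signature discards the only place the parameter's meaning is spelled out for implementers. Name it `Resolve(fileContent []byte, filename string, resolveReferences bool) ([]byte, error)` — the implementations that ignore it (ansible ini, buildah, docker, grpc, terraform) can keep `_` in their own signatures.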
@@ -117,11 +117,11 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com // Parse executes a parser on the fileContent and returns the file content as a Document, the file kind and // an error, if an error has occurred -func (c *Parser) Parse(filePath string, fileContent []byte) (ParsedDocument, error) { +func (c *Parser) Parse(filePath string, fileContent []byte, resolveReferences bool) (ParsedDocument, error) { fileContent = utils.DecryptAnsibleVault(fileContent, os.Getenv("ANSIBLE_VAULT_PASSWORD_FILE")) if c.isValidExtension(filePath) { - resolved, err := c.parsers.Resolve(fileContent, filePath) + resolved, err := c.parsers.Resolve(fileContent, filePath, resolveReferences) if err != nil { return ParsedDocument{}, err } diff --git a/pkg/parser/terraform/terraform.go b/pkg/parser/terraform/terraform.go index 79b3edabbf8..4e7e43e74cd 100644 --- a/pkg/parser/terraform/terraform.go +++ b/pkg/parser/terraform/terraform.go @@ -46,7 +46,7 @@ func NewDefaultWithVarsPath(terraformVarsPath string) *Parser { } // Resolve - replace or modifies in-memory content before parsing -func (p *Parser) Resolve(fileContent []byte, filename string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, filename string, _ bool) ([]byte, error) { // handle panic during resolve process defer func() { if r := recover(); r != nil { diff --git a/pkg/parser/yaml/parser.go b/pkg/parser/yaml/parser.go index e213533a88a..fd5738b8b06 100644 --- a/pkg/parser/yaml/parser.go +++ b/pkg/parser/yaml/parser.go 
@@ -18,11 +18,11 @@ type Parser struct { } // Resolve - replace or modifies in-memory content before parsing -func (p *Parser) Resolve(fileContent []byte, filename string) ([]byte, error) { +func (p *Parser) Resolve(fileContent []byte, filename string, resolveReferences bool) ([]byte, error) { // Resolve files passed as arguments with file resolver (e.g. file://) res := file.NewResolver(yaml.Unmarshal, yaml.Marshal, p.SupportedExtensions()) resolvedFilesCache := make(map[string]file.ResolvedFile) - resolved := res.Resolve(fileContent, filename, 0, resolvedFilesCache) + resolved := res.Resolve(fileContent, filename, 0, resolvedFilesCache, resolveReferences) p.resolvedFiles = res.ResolvedFiles if len(res.ResolvedFiles) == 0 { return fileContent, nil diff --git a/pkg/resolver/file/file.go b/pkg/resolver/file/file.go index 13a06aff1b4..c6e391b047c 100644 --- a/pkg/resolver/file/file.go +++ b/pkg/resolver/file/file.go @@ -47,7 +47,7 @@ func NewResolver( } // Resolve - replace or modifies in-memory content before parsing -func (r *Resolver) Resolve(fileContent []byte, path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile) []byte { +func (r *Resolver) Resolve(fileContent []byte, path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) []byte { // handle panic during resolve process defer func() { if r := recover(); r != nil { @@ -56,8 +56,12 @@ func (r *Resolver) Resolve(fileContent []byte, path string, resolveCount int, re } }() + if !resolveReferences { + return fileContent + } + if utils.Contains(filepath.Ext(path), []string{".yml", ".yaml"}) { - return r.yamlResolve(fileContent, path, resolveCount, resolvedFilesCache) + return r.yamlResolve(fileContent, path, resolveCount, resolvedFilesCache, resolveReferences) } var obj any err := r.unmarshler(fileContent, &obj) 
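Review bot: After the new guard `if !resolveReferences { return fileContent }` at the top of `Resolve`, the flag is invariantly true in every function below it, yet it is still threaded as a trailing `bool` through `walk`, `handleMap`, `yamlResolve`, `yamlWalk`, `resolveYamlPath`, `resolveFile` and `resolvePath` in the later hunks of this file, where its only consumer is the recursive `r.Resolve(fileContent, filePath, resolveCount+1, resolvedFilesCache, resolveReferences)` call in `resolveFile`. Passing `true` at that one recursion site, or storing the setting on the `Resolver` in `NewResolver`, removes seven signature changes and the `refBool bool, resolveReferences bool` parameter pairs. The guard itself is placed correctly after the `recover` deferral, so disabled mode returns the bytes untouched. Note that before this patch the json and yaml parsers always ran the resolver, so with the flag defaulting to `false` reference resolution is now off unless requested — the safer default, since the resolver reads referenced files from disk, but a behaviour change for existing users that the flag's usage text and docs should state.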
@@ -66,7 +70,7 @@ func (r *Resolver) Resolve(fileContent []byte, path string, resolveCount int, re } // resolve the paths - obj, _ = r.walk(fileContent, obj, obj, path, resolveCount, resolvedFilesCache, false) + obj, _ = r.walk(fileContent, obj, obj, path, resolveCount, resolvedFilesCache, false, resolveReferences) b, err := json.MarshalIndent(obj, "", "") if err == nil { 
@@ -83,31 +87,32 @@ func (r *Resolver) walk( path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, - refBool bool) (any, bool) { + refBool bool, + resolveReferences bool) (any, bool) { // go over the value and replace paths with the real content switch typedValue := value.(type) { case string: if filepath.Base(path) != typedValue { - return r.resolvePath(originalFileContent, fullObject, typedValue, path, resolveCount, resolvedFilesCache, refBool) + return r.resolvePath(originalFileContent, fullObject, typedValue, path, resolveCount, resolvedFilesCache, refBool, resolveReferences) } return value, false case []any: for i, v := range typedValue { - typedValue[i], _ = r.walk(originalFileContent, fullObject, v, path, resolveCount, resolvedFilesCache, refBool) + typedValue[i], _ = r.walk(originalFileContent, fullObject, v, path, resolveCount, resolvedFilesCache, refBool, resolveReferences) } return typedValue, false case map[string]any: - return r.handleMap(originalFileContent, fullObject, typedValue, path, resolveCount, resolvedFilesCache) + return r.handleMap(originalFileContent, fullObject, typedValue, path, resolveCount, resolvedFilesCache, resolveReferences) default: return value, false } } func (r *Resolver) handleMap(originalFileContent []byte, fullObject interface{}, value map[string]interface{}, path string, - resolveCount int, resolvedFilesCache map[string]ResolvedFile) (any, bool) { + resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) (any, bool) { for k, v := range value { isRef := strings.Contains(strings.ToLower(k), "$ref") - val, res := r.walk(originalFileContent, fullObject, v, path, resolveCount, resolvedFilesCache, isRef) + val, res := r.walk(originalFileContent, fullObject, v, path, resolveCount, resolvedFilesCache, isRef, resolveReferences) // check if it is a ref then add new details if valMap, ok := val.(map[string]interface{}); (ok || !res) && isRef { // Create RefMetadata and add it to the 
resolved value map @@ -127,7 +132,7 @@ func (r *Resolver) handleMap(originalFileContent []byte, fullObject interface{}, return value, false } -func (r *Resolver) yamlResolve(fileContent []byte, path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile) []byte { +func (r *Resolver) yamlResolve(fileContent []byte, path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) []byte { var obj yaml.Node err := r.unmarshler(fileContent, &obj) if err != nil { @@ -137,7 +142,7 @@ func (r *Resolver) yamlResolve(fileContent []byte, path string, resolveCount int fullObjectCopy := obj // resolve the paths - obj, _ = r.yamlWalk(fileContent, &fullObjectCopy, &obj, path, resolveCount, resolvedFilesCache, false) + obj, _ = r.yamlWalk(fileContent, &fullObjectCopy, &obj, path, resolveCount, resolvedFilesCache, false, resolveReferences) if obj.Kind == 1 && len(obj.Content) == 1 { obj = *obj.Content[0] @@ -158,12 +163,13 @@ func (r *Resolver) yamlWalk( path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, - refBool bool) (yaml.Node, bool) { + refBool bool, + resolveReferences bool) (yaml.Node, bool) { // go over the value and replace paths with the real content switch value.Kind { case yaml.ScalarNode: if filepath.Base(path) != value.Value { - return r.resolveYamlPath(originalFileContent, fullObject, value, path, resolveCount, resolvedFilesCache, refBool) + return r.resolveYamlPath(originalFileContent, fullObject, value, path, resolveCount, resolvedFilesCache, refBool, resolveReferences) } return *value, false default: 
@@ -172,7 +178,7 @@ func (r *Resolver) yamlWalk( if i >= 1 { refBool = strings.Contains(value.Content[i-1].Value, "$ref") } - resolved, ok := r.yamlWalk(originalFileContent, fullObject, value.Content[i], path, resolveCount, resolvedFilesCache, refBool) + resolved, ok := r.yamlWalk(originalFileContent, fullObject, value.Content[i], path, resolveCount, resolvedFilesCache, refBool, resolveReferences) if i >= 1 && refBool && (resolved.Kind == yaml.MappingNode || !ok) { // Create RefMetadata and add it to yaml Node @@ -220,7 +226,7 @@ func (r *Resolver) resolveYamlPath( filePath string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, - refBool bool) (yaml.Node, bool) { + refBool bool, resolveReferences bool) (yaml.Node, bool) { value := v.Value if resolveCount > constants.MaxResolvedFiles || (strings.HasPrefix(value, "#") && !refBool) || (value == "#" && refBool) { return *v, false @@ -251,7 +257,7 @@ func (r *Resolver) resolveYamlPath( // Check if file has already been resolved, if not resolve it and save it for future references if _, ok := resolvedFilesCache[filename]; !ok { - if ret, isError := r.resolveFile(value, onlyFilePath, resolveCount, resolvedFilesCache, true); isError { + if ret, isError := r.resolveFile(value, onlyFilePath, resolveCount, resolvedFilesCache, true, resolveReferences); isError { if retYaml, yamlNode := ret.(yaml.Node); yamlNode { return retYaml, false } else { @@ -308,7 +314,7 @@ func (r *Resolver) resolveFile( filePath string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, - yamlResolve bool) (any, bool) { + yamlResolve bool, resolveReferences bool) (any, bool) { // open the file with the content to replace file, err := os.Open(filepath.Clean(filePath)) if err != nil { 
@@ -324,7 +330,7 @@ func (r *Resolver) resolveFile( // read the content fileContent, _ := io.ReadAll(file) - resolvedFile := r.Resolve(fileContent, filePath, resolveCount+1, resolvedFilesCache) + resolvedFile := r.Resolve(fileContent, filePath, resolveCount+1, resolvedFilesCache, resolveReferences) if yamlResolve { var obj yaml.Node @@ -367,7 +373,7 @@ func (r *Resolver) resolvePath( value, filePath string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, - refBool bool) (any, bool) { + refBool bool, resolveReferences bool) (any, bool) { if resolveCount > constants.MaxResolvedFiles || (strings.HasPrefix(value, "#") && !refBool) || (value == "#" && refBool) { return value, false } @@ -393,7 +399,7 @@ func (r *Resolver) resolvePath( // Check if file has already been resolved, if not resolve it and save it for future references if _, ok := resolvedFilesCache[onlyFilePath]; !ok { - if ret, isError := r.resolveFile(value, onlyFilePath, resolveCount, resolvedFilesCache, false); isError { + if ret, isError := r.resolveFile(value, onlyFilePath, resolveCount, resolvedFilesCache, false, resolveReferences); isError { return ret, false } } diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go index 1d2df5e8fb3..1c662311238 100644 --- a/pkg/resolver/file/file_test.go +++ b/pkg/resolver/file/file_test.go @@ -13,7 +13,7 @@ import ( "gopkg.in/yaml.v3" ) -func TestResolver_Resolve(t *testing.T) { +func TestResolver_Resolve_With_ResolveReferences(t *testing.T) { err := test.ChangeCurrentDir("kics") if err != nil { t.Fatal(err) 
@@ -79,7 +79,80 @@ func TestResolver_Resolve(t *testing.T) { t.Fatal(err) } - if got := r.Resolve(cont, tt.args.path, 0, make(map[string]ResolvedFile)); !reflect.DeepEqual(prepareString(string(got)), prepareString(string(tt.want))) { + if got := r.Resolve(cont, tt.args.path, 0, make(map[string]ResolvedFile), true); !reflect.DeepEqual(prepareString(string(got)), prepareString(string(tt.want))) { + t.Errorf("Resolve() = %v, want = %v", prepareString(string(got)), prepareString(string(tt.want))) + } + }) + } +} + +func TestResolver_Resolve_Without_ResolveReferences(t *testing.T) { + err := test.ChangeCurrentDir("kics") + if err != nil { + t.Fatal(err) + } + type fields struct { + *Resolver + } + type args struct { + path string + } + tests := []struct { + name string + fields fields + args args + want []byte + }{ + { + name: "test", + fields: fields{ + Resolver: NewResolver(yaml.Unmarshal, yaml.Marshal, []string{".yml", ".yaml"}), + }, + args: args{ + path: filepath.ToSlash("test/fixtures/unresolved_openapi/responses/_index.yaml"), + }, + want: []byte( + `UnexpectedError:$ref:"./UnexpectedError.yaml"NullResponse:$ref:"./NullResponse.yaml"`), + }, + { + name: "json test", + fields: fields{ + Resolver: NewResolver(json.Unmarshal, json.Marshal, []string{".json"}), + }, + args: args{ + path: filepath.ToSlash("test/fixtures/unresolved_openapi_json/openapi.json"), + }, + want: []byte( + "{\"openapi\":\"3.0.3\",\"info\":{\"title\":\"Reference in reference example\",\"version\":\"1.0.0\"},\"paths\":{\"/api/test/ref/in/ref\":{\"post\":{\"requestBody\":{\"content\":{\"application/json\":{\"schema\":{\"$ref\":\"messages/request.json\"}}}},\"responses\":{\"200\":{\"description\":\"Successful response\",\"content\":{\"application/json\":{\"schema\":{\"$ref\":\"messages/response.json\"}}}}}}}}}", + ), + }, + { + name: "test_serverless", + fields: fields{ + Resolver: NewResolver(yaml.Unmarshal, yaml.Marshal, []string{".yml", ".yaml"}), + }, + args: args{ + path: 
filepath.ToSlash("test/fixtures/unresolved_serverless/serverless.yml"), + }, + want: []byte( + "service:aws-node-projectframeworkVersion:'3'provider:name:awsruntime:nodejs14.xfunctions:eventRouterHandler:${file(eventRouterHandler.yml)}"), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &Resolver{ + unmarshler: tt.fields.unmarshler, + marshler: tt.fields.marshler, + ResolvedFiles: tt.fields.ResolvedFiles, + Extension: tt.fields.Extension, + } + + cont, err := getFileContent(tt.args.path) + if err != nil { + t.Fatal(err) + } + + if got := r.Resolve(cont, tt.args.path, 0, make(map[string]ResolvedFile), false); !reflect.DeepEqual(prepareString(string(got)), prepareString(string(tt.want))) { t.Errorf("Resolve() = %v, want = %v", prepareString(string(got)), prepareString(string(tt.want))) } }) diff --git a/pkg/scan/client.go b/pkg/scan/client.go index 18484ddf8d3..a0317faf9fa 100644 --- a/pkg/scan/client.go +++ b/pkg/scan/client.go @@ -44,6 +44,7 @@ type Parameters struct { ScanID string BillOfMaterials bool ExcludeGitIgnore bool + ResolveReferences bool } // Client represents a scan client diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index dd4c83a1f6c..23b54749089 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -135,7 +135,7 @@ func (c *Client) executeScan(ctx context.Context) (*Results, error) { return nil, nil } - if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, *c.ProBarBuilder, executeScanParameters.services); err != nil { + if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, *c.ProBarBuilder, executeScanParameters.services, c.ScanParams.ResolveReferences); err != nil { log.Err(err) return nil, err } diff --git a/pkg/scanner/scanner.go b/pkg/scanner/scanner.go index 9afd6d78356..8d58e5de690 100644 --- a/pkg/scanner/scanner.go +++ b/pkg/scanner/scanner.go 
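Review bot: `TestResolver_Resolve_Without_ResolveReferences` duplicates the entire table harness of the renamed `TestResolver_Resolve_With_ResolveReferences` (the `fields`/`args` types, the `Resolver` construction and the `getFileContent` plumbing); a single table with a `resolveReferences bool` field per case and `r.Resolve(cont, tt.args.path, 0, make(map[string]ResolvedFile), tt.resolveReferences)` in the loop keeps the resolved and unresolved expectations for the same fixtures side by side and stops the two copies drifting. `TestResolver_Resolve_With_ResolveReferences` begins outside this hunk.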
@@ -12,7 +12,7 @@ import ( type serviceSlice []*kics.Service -func PrepareAndScan(ctx context.Context, scanID string, proBarBuilder progress.PbBuilder, services serviceSlice) error { +func PrepareAndScan(ctx context.Context, scanID string, proBarBuilder progress.PbBuilder, services serviceSlice, resolveReferences bool) error { metrics.Metric.Start("prepare_sources") var wg sync.WaitGroup wgDone := make(chan bool) @@ -21,7 +21,7 @@ func PrepareAndScan(ctx context.Context, scanID string, proBarBuilder progress.P for _, service := range services { wg.Add(1) - go service.PrepareSources(ctx, scanID, &wg, errCh) + go service.PrepareSources(ctx, scanID, &wg, errCh, resolveReferences) } go func() { From d3aa6985de1dbec9271d845bb279651b79750aae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Wed, 8 Nov 2023 10:01:43 +0000 Subject: [PATCH 180/379] fix calls --- internal/console/remediate.go | 3 ++- pkg/kics/resolver_sink.go | 4 ++-- pkg/kics/service.go | 2 +- pkg/remediation/remediation.go | 6 +++--- pkg/remediation/scan.go | 8 ++++---- pkg/remediation/utils.go | 4 ++-- 6 files changed, 14 insertions(+), 13 deletions(-) diff --git a/internal/console/remediate.go b/internal/console/remediate.go index aaea010d0f9..4518e5764ae 100644 --- a/internal/console/remediate.go +++ b/internal/console/remediate.go @@ -78,6 +78,7 @@ func preRemediate(cmd *cobra.Command) error { func remediate() error { resultsPath := flags.GetStrFlag(flags.Results) include := flags.GetMultiStrFlag(flags.IncludeIds) + resolveReferences := flags.GetBoolFlag(flags.ResolveReferencesFlag) filepath.Clean(resultsPath) @@ -105,7 +106,7 @@ func remediate() error { for filePath := range remediationSets { fix := remediationSets[filePath].(remediation.Set) - err = summary.RemediateFile(filePath, fix) + err = summary.RemediateFile(filePath, fix, resolveReferences) if err != nil { return err } 
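Review bot: `filepath.Clean(resultsPath)` on the line right after the new `resolveReferences := flags.GetBoolFlag(...)` discards its result — `Clean` returns the cleaned path rather than modifying its argument — so the call is a no-op and the raw path is used below. Either assign it, `resultsPath = filepath.Clean(resultsPath)`, or remove the line. This is pre-existing, but it sits in the touched hunk of `remediate`, whose body continues outside the hunk.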
diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index 54c7ca9f24d..c7bbd0a5ddf 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -14,7 +14,7 @@ import ( "github.com/rs/zerolog/log" ) -func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([]string, error) { +func (s *Service) resolverSink(ctx context.Context, filename, scanID string, resolveReferences bool) ([]string, error) { kind := s.Resolver.GetType(filename) if kind == model.KindCOMMON { return []string{}, nil @@ -30,7 +30,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] countLines := bytes.Count(rfile.Content, []byte{'\n'}) + 1 s.Tracker.TrackFileFoundCountLines(countLines) - documents, err := s.Parser.Parse(rfile.FileName, rfile.Content) + documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, resolveReferences) if err != nil { if documents.Kind == "break" { return []string{}, nil diff --git a/pkg/kics/service.go b/pkg/kics/service.go index 8ce399c774b..6e0eb6db8cf 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go @@ -72,7 +72,7 @@ func (s *Service) PrepareSources(ctx context.Context, scanID string, wg *sync.Wa return s.sink(ctx, filename, scanID, rc, data, resolveReferences) }, func(ctx context.Context, filename string) ([]string, error) { // Sink used for resolver files and templates - return s.resolverSink(ctx, filename, scanID) + return s.resolverSink(ctx, filename, scanID, resolveReferences) }, ); err != nil { errCh <- errors.Wrap(err, "failed to read sources") diff --git a/pkg/remediation/remediation.go b/pkg/remediation/remediation.go index 103b133d885..8673a2e4c64 100644 --- a/pkg/remediation/remediation.go +++ b/pkg/remediation/remediation.go 
@@ -51,7 +51,7 @@ type Set struct { } // RemediateFile remediationSets the replacements first and secondly, the additions sorted down -func (s *Summary) RemediateFile(filePath string, remediationSet Set) error { +func (s *Summary) RemediateFile(filePath string, remediationSet Set, resolveReferences bool) error { filepath.Clean(filePath) content, err := os.ReadFile(filePath) @@ -67,7 +67,7 @@ func (s *Summary) RemediateFile(filePath string, remediationSet Set) error { for i := range remediationSet.Replacement { r := remediationSet.Replacement[i] remediatedLines := replacement(&r, lines) - if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &r) { + if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &r, resolveReferences) { lines = s.writeRemediation(remediatedLines, lines, filePath, r.SimilarityID) } } @@ -83,7 +83,7 @@ func (s *Summary) RemediateFile(filePath string, remediationSet Set) error { for i := range remediationSet.Addition { a := remediationSet.Addition[i] remediatedLines := addition(&a, &lines) - if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &a) { + if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &a, resolveReferences) { lines = s.writeRemediation(remediatedLines, lines, filePath, a.SimilarityID) } } diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index 79d51c399da..f59e06947d0 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -36,9 +36,9 @@ type runQueryInfo struct { } // scanTmpFile scans a temporary file against a specific query -func scanTmpFile(tmpFile, queryID string, remediated []byte) ([]model.Vulnerability, error) { +func scanTmpFile(tmpFile, queryID string, remediated []byte, resolveReferences bool) ([]model.Vulnerability, error) { // get payload - files, err := getPayload(tmpFile, remediated) + files, err := getPayload(tmpFile, remediated, resolveReferences) if err != nil { log.Err(err) 
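Review bot: In `scanTmpFile`, the `log.Err(err)` following the new `getPayload(tmpFile, remediated, resolveReferences)` call builds a log event but never dispatches it — with zerolog, which this series imports as `github.com/rs/zerolog/log` in `resolver_sink.go`, nothing is written until `.Msg()` or `.Send()` is called — so a payload failure is silently dropped before the error is returned. Use `log.Err(err).Msg("failed to get payload for temporary remediation file")`. This assumes `log` here is the same zerolog package; the import block of this file is outside the hunk, as is the rest of the function.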
@@ -81,7 +81,7 @@ func scanTmpFile(tmpFile, queryID string, remediated []byte) ([]model.Vulnerabil } // getPayload gets the payload of a file -func getPayload(filePath string, content []byte) (model.FileMetadatas, error) { +func getPayload(filePath string, content []byte, resolveReferences bool) (model.FileMetadatas, error) { ext := utils.GetExtension(filePath) var p []*parser.Parser var err error @@ -116,7 +116,7 @@ func getPayload(filePath string, content []byte) (model.FileMetadatas, error) { return model.FileMetadatas{}, errors.New("failed to get parser") } - documents, er := p[0].Parse(filePath, content) + documents, er := p[0].Parse(filePath, content, resolveReferences) if er != nil { log.Error().Msgf("failed to parse file '%s': %s", filePath, er) diff --git a/pkg/remediation/utils.go b/pkg/remediation/utils.go index 25c2be88109..3bc3de42ef1 100644 --- a/pkg/remediation/utils.go +++ b/pkg/remediation/utils.go @@ -49,7 +49,7 @@ func getBefore(line string) string { } // willRemediate verifies if the remediation actually removes the result -func willRemediate(remediated []string, originalFileName string, remediation *Remediation) bool { +func willRemediate(remediated []string, originalFileName string, remediation *Remediation, resolveReferences bool) bool { filepath.Clean(originalFileName) // create temporary file tmpFile := filepath.Join(os.TempDir(), "temporary-remediation-"+utils.NextRandom()+"-"+filepath.Base(originalFileName)) @@ -75,7 +75,7 @@ func willRemediate(remediated []string, originalFileName string, remediation *Re } // scan the temporary file to verify if the remediation removed the result - results, err := scanTmpFile(tmpFile, remediation.QueryID, content) + results, err := scanTmpFile(tmpFile, remediation.QueryID, content, resolveReferences) if err != nil { log.Error().Msgf("failed to get results of query %s: %s", remediation.QueryID, err) From 369f4ae1f8e0b471171750adba46e3a3705b0d23 Mon Sep 17 00:00:00 2001 
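Review bot: `willRemediate` writes the candidate remediation to a self-named path in the shared `os.TempDir()` (`"temporary-remediation-"+utils.NextRandom()+"-"+filepath.Base(originalFileName)`), so unless the creation step, which is outside this hunk, opens with `O_EXCL`, a pre-existing file or symlink planted at that name in a world-writable temp directory would be followed; `utils.NextRandom()` is not shown here to be unpredictable. `os.CreateTemp("", "temporary-remediation-*-"+filepath.Base(originalFileName))` performs the unique, exclusive creation and removes the guesswork. The `filepath.Clean(originalFileName)` just above it also discards its return value and is a no-op. The function continues past the hunk.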
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Wed, 8 Nov 2023 11:24:11 +0000 Subject: [PATCH 181/379] fix linter and unit --- pkg/parser/buildah/parser_test.go | 2 +- pkg/parser/docker/parser_test.go | 2 +- pkg/parser/grpc/parser_test.go | 2 +- pkg/parser/json/parser_test.go | 2 +- pkg/parser/terraform/terraform_test.go | 2 +- pkg/resolver/file/file.go | 18 ++++++++++++++---- pkg/scan/scan.go | 3 ++- pkg/scanner/scanner.go | 7 +++++-- 8 files changed, 26 insertions(+), 12 deletions(-) diff --git a/pkg/parser/buildah/parser_test.go b/pkg/parser/buildah/parser_test.go index b321acc1257..cb27ee87f17 100644 --- a/pkg/parser/buildah/parser_test.go +++ b/pkg/parser/buildah/parser_test.go @@ -318,7 +318,7 @@ func TestParser_Resolve(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { p := &Parser{} - got, err := p.Resolve(tt.args.fileContent, tt.args.filename) + got, err := p.Resolve(tt.args.fileContent, tt.args.filename, true) if (err != nil) != tt.wantErr { t.Errorf("Parser.Resolve() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index 836605415da..5369f4ecbef 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go @@ -149,7 +149,7 @@ func Test_Resolve(t *testing.T) { ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"] ` - resolved, err := parser.Resolve([]byte(have), "Dockerfile") + resolved, err := parser.Resolve([]byte(have), "Dockerfile", true) require.NoError(t, err) require.Equal(t, []byte(have), resolved) } diff --git a/pkg/parser/grpc/parser_test.go b/pkg/parser/grpc/parser_test.go index 20a19d6813a..a7d35db7ef1 100644 --- a/pkg/parser/grpc/parser_test.go +++ b/pkg/parser/grpc/parser_test.go 
@@ -527,7 +527,7 @@ func TestParser_Resolve(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { p := &Parser{} - got, err := p.Resolve(tt.args.fileContent, tt.args.filename) + got, err := p.Resolve(tt.args.fileContent, tt.args.filename, true) if (err != nil) != tt.wantErr { t.Errorf("Parser.Resolve() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/parser/json/parser_test.go b/pkg/parser/json/parser_test.go index fdbccd5f960..923ca70111a 100644 --- a/pkg/parser/json/parser_test.go +++ b/pkg/parser/json/parser_test.go @@ -49,7 +49,7 @@ func TestParser_Parse(t *testing.T) { func Test_Resolve(t *testing.T) { parser := &Parser{} - resolved, err := parser.Resolve([]byte(have), "test.json") + resolved, err := parser.Resolve([]byte(have), "test.json", true) require.NoError(t, err) require.Equal(t, have, string(resolved)) } diff --git a/pkg/parser/terraform/terraform_test.go b/pkg/parser/terraform/terraform_test.go index 5e97a96cc16..60a164edc56 100644 --- a/pkg/parser/terraform/terraform_test.go +++ b/pkg/parser/terraform/terraform_test.go @@ -178,7 +178,7 @@ func Test_namelessResource(t *testing.T) { func Test_Resolve(t *testing.T) { parser := NewDefault() - resolved, err := parser.Resolve([]byte(have), "test.tf") + resolved, err := parser.Resolve([]byte(have), "test.tf", true) require.NoError(t, err) require.Equal(t, []byte(have), resolved) } diff --git a/pkg/resolver/file/file.go b/pkg/resolver/file/file.go index c6e391b047c..8194ccccd8f 100644 --- a/pkg/resolver/file/file.go +++ b/pkg/resolver/file/file.go 
@@ -47,7 +47,9 @@ func NewResolver( } // Resolve - replace or modifies in-memory content before parsing -func (r *Resolver) Resolve(fileContent []byte, path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) []byte { +func (r *Resolver) Resolve(fileContent []byte, path string, + resolveCount int, resolvedFilesCache map[string]ResolvedFile, + resolveReferences bool) []byte { // handle panic during resolve process defer func() { if r := recover(); r != nil { @@ -132,7 +134,9 @@ func (r *Resolver) handleMap(originalFileContent []byte, fullObject interface{}, return value, false } -func (r *Resolver) yamlResolve(fileContent []byte, path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) []byte { +func (r *Resolver) yamlResolve(fileContent []byte, path string, + resolveCount int, resolvedFilesCache map[string]ResolvedFile, + resolveReferences bool) []byte { var obj yaml.Node err := r.unmarshler(fileContent, &obj) if err != nil { @@ -169,7 +173,10 @@ func (r *Resolver) yamlWalk( switch value.Kind { case yaml.ScalarNode: if filepath.Base(path) != value.Value { - return r.resolveYamlPath(originalFileContent, fullObject, value, path, resolveCount, resolvedFilesCache, refBool, resolveReferences) + return r.resolveYamlPath(originalFileContent, fullObject, + value, path, + resolveCount, resolvedFilesCache, + refBool, resolveReferences) } return *value, false default: 
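Review bot: The `// Resolve - replace or modifies in-memory content before parsing` comment does not mention the `resolveReferences` parameter that this series adds, which is the one behaviour a caller needs to know about; based on the new tests it looks like `false` returns the content with `$ref`/file references left in place, so something like `// resolveReferences controls whether $ref/file references are followed and inlined; when false they are left as-is.` would cover it — please confirm against the body. In the deferred handler, `if r := recover(); r != nil` shadows the receiver `r *Resolver`; harmless today, but worth renaming to `rec` in a commit whose purpose is satisfying the linter. The function body continues outside the hunk.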
@@ -178,7 +185,10 @@ func (r *Resolver) yamlWalk( if i >= 1 { refBool = strings.Contains(value.Content[i-1].Value, "$ref") } - resolved, ok := r.yamlWalk(originalFileContent, fullObject, value.Content[i], path, resolveCount, resolvedFilesCache, refBool, resolveReferences) + resolved, ok := r.yamlWalk(originalFileContent, fullObject, + value.Content[i], path, + resolveCount, resolvedFilesCache, + refBool, resolveReferences) if i >= 1 && refBool && (resolved.Kind == yaml.MappingNode || !ok) { // Create RefMetadata and add it to yaml Node diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 23b54749089..d763db2e87e 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -135,7 +135,8 @@ func (c *Client) executeScan(ctx context.Context) (*Results, error) { return nil, nil } - if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, *c.ProBarBuilder, executeScanParameters.services, c.ScanParams.ResolveReferences); err != nil { + if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, *c.ProBarBuilder, + executeScanParameters.services, c.ScanParams.ResolveReferences); err != nil { log.Err(err) return nil, err } diff --git a/pkg/scanner/scanner.go b/pkg/scanner/scanner.go index 8d58e5de690..e4283dac35b 100644 --- a/pkg/scanner/scanner.go +++ b/pkg/scanner/scanner.go @@ -12,7 +12,9 @@ import ( type serviceSlice []*kics.Service -func PrepareAndScan(ctx context.Context, scanID string, proBarBuilder progress.PbBuilder, services serviceSlice, resolveReferences bool) error { +func PrepareAndScan(ctx context.Context, scanID string, + proBarBuilder progress.PbBuilder, + services serviceSlice, resolveReferences bool) error { metrics.Metric.Start("prepare_sources") var wg sync.WaitGroup wgDone := make(chan bool) 
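Review bot: In `executeScan`, the `log.Err(err)` after the reformatted `scanner.PrepareAndScan(...)` call creates a zerolog event without terminating it, so nothing is actually logged before `return nil, err` — zerolog only emits on `.Msg()`/`.Send()`. Change it to `log.Err(err).Msg("failed to prepare and scan sources")`. This assumes `log` is `github.com/rs/zerolog/log` as elsewhere in this patch series; the import block is outside the hunk.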
@@ -48,7 +50,8 @@ func PrepareAndScan(ctx context.Context, scanID string, proBarBuilder progress.P } // StartScan will run concurrent scans by parser -func StartScan(ctx context.Context, scanID string, proBarBuilder progress.PbBuilder, services serviceSlice) error { +func StartScan(ctx context.Context, scanID string, + proBarBuilder progress.PbBuilder, services serviceSlice) error { defer metrics.Metric.Stop() metrics.Metric.Start("start_scan") var wg sync.WaitGroup From 23d2a809919352e0b712613a4dd24e2a9d12a824 Mon Sep 17 00:00:00 2001 From: cxMarcoPereira <113338444+pereiramarco011@users.noreply.github.com> Date: Wed, 8 Nov 2023 11:37:54 +0000 Subject: [PATCH 182/379] Update release-kics-queries-repo-branch.yaml --- .github/workflows/release-kics-queries-repo-branch.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-kics-queries-repo-branch.yaml b/.github/workflows/release-kics-queries-repo-branch.yaml index b18e59efdf7..56fae4ca90c 100644 --- a/.github/workflows/release-kics-queries-repo-branch.yaml +++ b/.github/workflows/release-kics-queries-repo-branch.yaml @@ -30,7 +30,7 @@ jobs: - name: Copy queries to new branch run: | mkdir -p ../$REPO_NAME/kics-queries - rsync -av --exclude='*/test/*' --exclude='*/common/*' ./assets/queries/ ../$REPO_NAME/kics-queries/ + rsync -av --exclude='*/test/*' --exclude='common/*' ./assets/queries/ ../$REPO_NAME/kics-queries/ - name: Copy circle ci configuration to new branch run: | @@ -43,4 +43,4 @@ jobs: cd ../$REPO_NAME git add . git commit -m "Add queries from release ${{ github.event.release.name }} to $REPO_NAME" - git push origin ${{ github.event.release.name }} \ No newline at end of file + git push origin ${{ github.event.release.name }} From ebe725e7e1c96d5581a2c9aab4bd9e8ca62b6ad1 Mon Sep 17 00:00:00 2001 
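Review bot: The new exclude `common/*` is an unanchored rsync pattern, which by rsync's rules can match a `common` directory at any depth of the transfer, including the top-level `assets/queries/common/` that the old `*/common/*` (requiring at least one leading path component) missed; that widening may well be the intended fix, but the pattern does not say so. If only the shared rego library at the top level should be dropped, anchor it explicitly: `--exclude='/common/'`. If nested `common` directories should be skipped too, a short comment above the `rsync` line stating that would save the next person from re-deriving it.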
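Review bot: `git push origin ${{ github.event.release.name }}` (and the `git commit -m "... ${{ github.event.release.name }} ..."` context line above it) splice event data straight into the `run:` shell script, the pattern GitHub documents as script injection; a release name containing `;` or `$(...)` would execute on the runner with the job's credentials. Release names come from people with release permission, so the exposure is limited, but the fix is cheap: add `env: RELEASE_NAME: ${{ github.event.release.name }}` to the step and use `"$RELEASE_NAME"` in both commands. Only the trailing-newline change is new in this hunk; the interpolation itself is pre-existing.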
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Wed, 8 Nov 2023 11:40:16 +0000 Subject: [PATCH 183/379] fix unit --- pkg/parser/parser_test.go | 8 ++++---- pkg/parser/yaml/parser_test.go | 2 +- pkg/remediation/remediation_test.go | 2 +- test/main_test.go | 2 +- test/queries_test.go | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/parser/parser_test.go b/pkg/parser/parser_test.go index 629cfb56986..a205a87ad5b 100644 --- a/pkg/parser/parser_test.go +++ b/pkg/parser/parser_test.go @@ -25,7 +25,7 @@ func TestParser_Parse(t *testing.T) { "name": "CxBraga" } } -`)) +`), true) require.NoError(t, err) require.Len(t, docs.Docs, 1) require.Contains(t, docs.Docs[0], "martin") @@ -39,7 +39,7 @@ func TestParser_Parse(t *testing.T) { docs, err := parser.Parse("test.yaml", []byte(` martin: name: CxBraga -`)) +`), true) require.NoError(t, err) require.Len(t, docs.Docs, 1) require.Contains(t, docs.Docs[0], "martin") @@ -54,7 +54,7 @@ martin: FROM foo COPY . / RUN echo hello -`)) +`), true) require.NoError(t, err) require.Len(t, docs.Docs, 1) @@ -70,7 +70,7 @@ func TestParser_Empty(t *testing.T) { t.Errorf("Error building parser: %s", err) } for _, parser := range p { - docs, err := parser.Parse("test.json", nil) + docs, err := parser.Parse("test.json", nil, true) require.Nil(t, docs.Docs) require.Equal(t, model.FileKind(""), docs.Kind) require.Error(t, err) diff --git a/pkg/parser/yaml/parser_test.go b/pkg/parser/yaml/parser_test.go index 0d0ccca953e..f674cdfcba9 100644 --- a/pkg/parser/yaml/parser_test.go +++ b/pkg/parser/yaml/parser_test.go @@ -389,7 +389,7 @@ func Test_Resolve(t *testing.T) { ` parser := &Parser{} - resolved, err := parser.Resolve([]byte(have), "test.yaml") + resolved, err := parser.Resolve([]byte(have), "test.yaml", true) require.NoError(t, err) require.Equal(t, []byte(have), resolved) } diff --git a/pkg/remediation/remediation_test.go b/pkg/remediation/remediation_test.go index f3f6c19b0c1..6e04beafe8f 100644 
--- a/pkg/remediation/remediation_test.go +++ b/pkg/remediation/remediation_test.go @@ -111,7 +111,7 @@ func Test_RemediateFile(t *testing.T) { tmpFileName := filepath.Join(os.TempDir(), "temporary-remediation"+utils.NextRandom()+filepath.Ext(filePathCopyFrom)) tmpFile := CreateTempFile(filePathCopyFrom, tmpFileName) - s.RemediateFile(tmpFile, tt.args.remediate) + s.RemediateFile(tmpFile, tt.args.remediate, true) os.Remove(tmpFile) require.Equal(t, s.ActualRemediationDoneNumber, tt.actualRemediationDoneNumber) diff --git a/test/main_test.go b/test/main_test.go index 812c2096f22..3eb4f1a3e3e 100644 --- a/test/main_test.go +++ b/test/main_test.go @@ -168,7 +168,7 @@ func getFilesMetadatasWithContent(t testing.TB, filePath string, content []byte) files := make(model.FileMetadatas, 0) for _, parser := range combinedParser { - docs, err := parser.Parse(filePath, content) + docs, err := parser.Parse(filePath, content, true) for _, document := range docs.Docs { require.NoError(t, err) files = append(files, model.FileMetadata{ diff --git a/test/queries_test.go b/test/queries_test.go index f4c25f19a90..e8835b9120b 100644 --- a/test/queries_test.go +++ b/test/queries_test.go @@ -96,7 +96,7 @@ func testRemediationQuery(t testing.TB, entry queryEntry, vulnerabilities []mode for filePath := range temporaryRemediationSets { fix := temporaryRemediationSets[filePath].(remediation.Set) - err = summary.RemediateFile(filePath, fix) + err = summary.RemediateFile(filePath, fix, true) os.Remove(filePath) if err != nil { require.NoError(t, err) From 1d37e809787d68a1f68c6567b38cf8a26d64d12b Mon Sep 17 00:00:00 2001 
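Review bot: The new call `s.RemediateFile(tmpFile, tt.args.remediate, true)` discards the returned error, so a remediation that fails to read or write the temp file is caught only indirectly, if at all, by the counter assertion below. Capture and check it: `err := s.RemediateFile(tmpFile, tt.args.remediate, true)` then `require.NoError(t, err)` before `os.Remove(tmpFile)`. The enclosing `Test_RemediateFile` starts outside the hunk.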
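Review bot: `require.NoError(t, err)` sits inside `for _, document := range docs.Docs`, so when `parser.Parse(filePath, content, true)` fails and returns no documents the error is never checked and `getFilesMetadatasWithContent` quietly yields an empty `files` slice. Move the check up: `docs, err := parser.Parse(filePath, content, true)` followed by `require.NoError(t, err)` before the loop. If some of the combined parsers are expected to reject a given extension, test for that specific condition rather than swallowing every error. The helper starts outside the hunk.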
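Review bot: `if err != nil { require.NoError(t, err) }` around the new `summary.RemediateFile(filePath, fix, true)` result is redundant — `require.NoError` already fails only on a non-nil error — so it collapses to `require.NoError(t, err)` after the `os.Remove(filePath)`. Removing before asserting is the right order to avoid leaking temp files, but `os.Remove`'s own error is dropped; `_ = os.Remove(filePath)` at least makes that deliberate. `testRemediationQuery` starts outside the hunk.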
From: Dimitri GRISARD Date: Sun, 15 Jan 2023 11:48:34 +0100 Subject: [PATCH 184/379] feat(terraform/databricks): init databricks rules --- README.md | 1 + .../autoscale_badly_setup/metadata.json | 10 ++++ .../autoscale_badly_setup/query.rego | 33 ++++++++++++ .../autoscale_badly_setup/test/negative.tf | 16 ++++++ .../autoscale_badly_setup/test/positive1.tf | 15 ++++++ .../autoscale_badly_setup/test/positive2.tf | 15 ++++++ .../test/positive_expected_result.json | 12 +++++ .../autoscale_not_setup/metadata.json | 10 ++++ .../databricks/autoscale_not_setup/query.rego | 18 +++++++ .../autoscale_not_setup/test/negative.tf | 16 ++++++ .../autoscale_not_setup/test/positive.tf | 12 +++++ .../test/positive_expected_result.json | 7 +++ .../cluster_aws_attributes/metadata.json | 10 ++++ .../cluster_aws_attributes/query.rego | 49 ++++++++++++++++++ .../cluster_aws_attributes/test/negative1.tf | 16 ++++++ .../cluster_aws_attributes/test/positive1.tf | 16 ++++++ .../cluster_aws_attributes/test/positive2.tf | 16 ++++++ .../cluster_aws_attributes/test/positive3.tf | 15 ++++++ .../test/positive_expected_result.json | 17 ++++++ .../databricks/unrestricted_acl/metadata.json | 10 ++++ .../databricks/unrestricted_acl/query.rego | 37 +++++++++++++ .../unrestricted_acl/test/negative.tf | 15 ++++++ .../unrestricted_acl/test/positive1.tf | 15 ++++++ .../unrestricted_acl/test/positive2.tf | 15 ++++++ .../test/positive_expected_result.json | 12 +++++ docs/img/logo-databricks.png | Bin 0 -> 44225 bytes 26 files changed, 408 insertions(+) create mode 100644 assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json create mode 100644 assets/queries/terraform/databricks/autoscale_badly_setup/query.rego create mode 100644 assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf create mode 100644 assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf 
create mode 100644 assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json create mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/metadata.json create mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/query.rego create mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf create mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf create mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/query.rego create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json create mode 100644 assets/queries/terraform/databricks/unrestricted_acl/metadata.json create mode 100644 assets/queries/terraform/databricks/unrestricted_acl/query.rego create mode 100644 assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf create mode 100644 assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json create mode 100644 docs/img/logo-databricks.png diff --git a/README.md b/README.md index 40d47ac0e11..8a496f15626 100644 --- a/README.md +++ b/README.md 
@@ -55,6 +55,7 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
Azure BluePrints    GitHub Workflows    +Databricks    #### Beta Features Soon... diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json new file mode 100644 index 00000000000..016c1fed42a --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json @@ -0,0 +1,10 @@ +{ + "id": "953c0cc6-5f30-44cb-a803-bf4ef2571be8", + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "category": "MissingAttribute", + "descriptionText": "Databricks should have min and max worker setup for autoscale", + "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", + "platform": "Terraform", + "cloudProvider": "databricks" +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego new file mode 100644 index 00000000000..08d4ba9fc63 --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego 
@@ -0,0 +1,33 @@ +package Cx + +import data.generic.terraform as tf_lib + +CxPolicy[result] { + resource := input.document[i].resource.databricks_cluster[name] + not resource.autoscale.min_workers + + result := { + "documentId": input.document[i].id, + "resourceType": "databricks_cluster", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("databricks_cluster[%s].autoscale", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' should not empty", [name]), + "keyActualValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' is not setup'", [name]), + } +} + +CxPolicy[result] { + resource := input.document[i].resource.databricks_cluster[name] + not resource.autoscale.max_workers + + result := { + "documentId": input.document[i].id, + "resourceType": "databricks_cluster", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("databricks_cluster[%s].autoscale", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' should not empty", [name]), + "keyActualValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' is not setup'", [name]), + } +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf new file mode 100644 index 00000000000..1328a74fced --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf 
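Review bot: Both rules fire on a cluster that has no `autoscale` block at all, because `not resource.autoscale.min_workers` is satisfied when `resource.autoscale` is undefined, so such a cluster collects two MEDIUM findings here on top of the INFO finding from the sibling "Databricks Autoscale Not Setup" query added in the same commit. Bind the block first so only a partially configured `autoscale` is reported: `autoscale := resource.autoscale` followed by `not autoscale.min_workers` in the first rule, and the same with `max_workers` in the second. The `keyActualValue` strings also carry a stray closing quote (`is not setup'`) and `should not empty` should read `should not be empty`. If the Terraform parser can yield `autoscale` as a list when the block is repeated, that shape is not handled — worth checking against how other terraform queries treat nested blocks.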
@@ -0,0 +1,16 @@ +resource "databricks_cluster" "negative" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT" + zone_id = "us-east-1" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf new file mode 100644 index 00000000000..8de53f13c42 --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "positive1" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + } + aws_attributes { + availability = "SPOT" + zone_id = "us-east-1" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf new file mode 100644 index 00000000000..54228d92cc7 --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "positive2" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + max_workers = 50 + } + aws_attributes { + availability = "SPOT" + zone_id = "us-east-1" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} \ No newline at end of file 
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json new file mode 100644 index 00000000000..a6091a36ca1 --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json @@ -0,0 +1,12 @@ +[ + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6 + }, + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6 + } +] diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json new file mode 100644 index 00000000000..02cc3fe1f8a --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json @@ -0,0 +1,10 @@ +{ + "id": "543e77a0-4ce0-45f9-b34e-9eec1e885c71", + "queryName": "Databricks Autoscale Not Setup", + "severity": "INFO", + "category": "Best Practices", + "descriptionText": "Databricks should have autoscale", + "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", + "platform": "Terraform", + "cloudProvider": "databricks" +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/query.rego b/assets/queries/terraform/databricks/autoscale_not_setup/query.rego new file mode 100644 index 00000000000..5a6f627504f --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_not_setup/query.rego 
@@ -0,0 +1,18 @@ +package Cx + +import data.generic.terraform as tf_lib + +CxPolicy[result] { + resource := input.document[i].resource.databricks_cluster[name] + not resource.autoscale + + result := { + "documentId": input.document[i].id, + "resourceType": "databricks_cluster", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("databricks_cluster[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' should be setup", [name]), + "keyActualValue": sprintf("'databricks_cluster[%s].autoscale' is not setup'", [name]), + } +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf b/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf new file mode 100644 index 00000000000..1328a74fced --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf @@ -0,0 +1,16 @@ +resource "databricks_cluster" "negative" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT" + zone_id = "us-east-1" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf new file mode 100644 index 00000000000..165dcfe55a2 --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf 
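Review bot: `keyExpectedValue` says `'databricks_cluster[%s].autoscale.min_workers' should be setup` but the rule only tests for the presence of the `autoscale` block, so the message should match: `"keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale' should be set", [name])`. `keyActualValue` also ends with a stray quote (`is not setup'`). Databricks clusters can legitimately be fixed-size via `num_workers` instead of `autoscale`; at INFO severity flagging them is defensible, but if the intent is to flag only clusters that define neither, add `not resource.num_workers` to the rule.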
@@ -0,0 +1,12 @@ +resource "databricks_cluster" "positive" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + aws_attributes { + availability = "SPOT" + zone_id = "us-east-1" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} \ No newline at end of file diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json new file mode 100644 index 00000000000..e3351fcf0f6 --- /dev/null +++ b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json @@ -0,0 +1,7 @@ +[ + { + "queryName": "Databricks Autoscale Not Setup", + "severity": "INFO", + "line": 1 + } +] diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json new file mode 100644 index 00000000000..52164347c4e --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json @@ -0,0 +1,10 @@ +{ + "id": "b0749c53-e3ff-4d09-bbe4-dca94e2e7a38", + "queryName": "Check Databricks Cluster AWS Attribute Best Practices", + "severity": "LOW", + "category": "Best Practices", + "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected", + "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", + "platform": "Terraform", + "cloudProvider": "databricks" +} diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego new file mode 100644 index 00000000000..477dceae2ca --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego 
@@ -0,0 +1,49 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+#use spot instance
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ contains(resource.aws_attributes.availability, "ON_DEMAND")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].aws_attributes.availability", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' should not equal to 'ON_DEMAND'", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' is equal to 'ON_DEMAND'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ resource.aws_attributes.first_on_demand == 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].aws_attributes.first_on_demand", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' should not equal to '0'", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' is equal to '0'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ not resource.aws_attributes.first_on_demand
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].aws_attributes.first_on_demand", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' should present", [name]),
+ "keyActualValue":
sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' is not present", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf
new file mode 100644
index 00000000000..c17393edf59
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf
@@ -0,0 +1,16 @@
+resource "databricks_cluster" "this" {
+ cluster_name = "Shared Autoscaling"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ aws_attributes {
+ availability = "SPOT"
+ zone_id = "us-east-1"
+ first_on_demand = 1
+ spot_bid_price_percent = 100
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf
new file mode 100644
index 00000000000..0312a0ccfb7
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf
@@ -0,0 +1,16 @@
+resource "databricks_cluster" "this" {
+ cluster_name = "data"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ aws_attributes {
+ availability = "ON_DEMAND"
+ zone_id = "us-east-1"
+ first_on_demand = 1
+ spot_bid_price_percent = 100
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf
new file mode 100644
index 00000000000..a58991a36b6
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf
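Review bot: The third rule reports a missing `first_on_demand` as `"issueType": "IncorrectValue"` with a `searchKey` pointing at the attribute that does not exist, while the autoscale query added in this same commit reports its missing block as `MissingAttribute` with the searchKey on the parent; the two should agree, e.g. `"searchKey": sprintf("databricks_cluster[%s].aws_attributes", [name]),` and `"issueType": "MissingAttribute",`, and `should present` reads better as `should be present`. In the first rule, `contains(resource.aws_attributes.availability, "ON_DEMAND")` is a substring test where the equality `resource.aws_attributes.availability == "ON_DEMAND"` states the intent exactly. The third rule also fires for a cluster with no `aws_attributes` block at all, because the path is then undefined and `not` succeeds; if that is intended the message should say so, otherwise add `resource.aws_attributes` as a guard. Preferring spot over on-demand is a cost recommendation rather than a security control, which the LOW / Best Practices metadata reflects.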
@@ -0,0 +1,16 @@
+resource "databricks_cluster" "this" {
+ cluster_name = "data"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ aws_attributes {
+ availability = "SPOT"
+ zone_id = "us-east-1"
+ first_on_demand = 0
+ spot_bid_price_percent = 100
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf
new file mode 100644
index 00000000000..41551576318
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf
@@ -0,0 +1,15 @@
+resource "databricks_cluster" "this" {
+ cluster_name = "data"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ aws_attributes {
+ availability = "SPOT"
+ zone_id = "us-east-1"
+ spot_bid_price_percent = 100
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json
new file mode 100644
index 00000000000..2a3e125924a
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json
@@ -0,0 +1,17 @@
+[
+ {
+ "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
+ "severity": "LOW",
+ "line": 11
+ },
+ {
+ "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
+ "severity": "LOW",
+ "line": 13
+ },
+ {
+ "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
+ "severity": "LOW",
+ "line": 10
+ }
+]
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
new file mode 100644
index 00000000000..f4cb1b5d4fa
--- /dev/null
+++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
@@ -0,0 +1,10 @@
+{
+ "id": "2c4fe4a9-f44b-4c70-b09b-5b75cd251805",
+ "queryName": "Unrestricted Databricks ACL",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "ACL allow ingress from 0.0.0.0/0 and/or ::/0",
+ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list",
+ "platform": "Terraform",
+ "cloudProvider": "databricks"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/query.rego b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
new file mode 100644
index 00000000000..7a1d04724af
--- /dev/null
+++ b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
@@ -0,0 +1,37 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_ip_access_list[name]
+
+ some j
+ contains(resource.ip_addresses[j], "0.0.0.0/0")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_ip_access_list",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '0.0.0.0/0'", [name]),
+ "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '0.0.0.0/0'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_ip_access_list[name]
+
+ some j
+ contains(resource.ip_addresses[j], "::/0")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_ip_access_list",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '::/0'", [name]),
+ "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '::/0'", [name]),
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
new file mode 100644
index 00000000000..5f7c9b4a334
--- /dev/null
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
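Review bot: Neither rule checks `list_type`, so a `databricks_ip_access_list` with `list_type = "BLOCK"` that lists `0.0.0.0/0` (a deny-everything list) is reported as an unrestricted ACL, which contradicts the metadata's "allow ingress" wording and the fixtures, which all set `list_type = "ALLOW"`. Add `resource.list_type == "ALLOW"` next to the `some j` line in both rules. `contains(resource.ip_addresses[j], "0.0.0.0/0")` is also a substring match; `resource.ip_addresses[j] == "0.0.0.0/0"` (and `== "::/0"` in the second rule) is the precise test for the wildcard CIDR. The two rules differ only in the literal and could be a single rule iterating `{"0.0.0.0/0", "::/0"}`, which keeps the messages in one place.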
@@ -0,0 +1,15 @@
+resource "databricks_workspace_conf" "negative" {
+ custom_config = {
+ "enableIpAccessLists" : true
+ }
+}
+
+resource "databricks_ip_access_list" "negative" {
+ label = "allow_in"
+ list_type = "ALLOW"
+ ip_addresses = [
+ "1.2.3.0/24",
+ "1.2.5.0/24"
+ ]
+ depends_on = [databricks_workspace_conf.this]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
new file mode 100644
index 00000000000..7d52cf04971
--- /dev/null
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
@@ -0,0 +1,15 @@
+resource "databricks_workspace_conf" "this" {
+ custom_config = {
+ "enableIpAccessLists" : true
+ }
+}
+
+resource "databricks_ip_access_list" "positive1" {
+ label = "allow_in"
+ list_type = "ALLOW"
+ ip_addresses = [
+ "0.0.0.0/0",
+ "1.2.5.0/24"
+ ]
+ depends_on = [databricks_workspace_conf.this]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
new file mode 100644
index 00000000000..8aac2b2ee6e
--- /dev/null
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
@@ -0,0 +1,15 @@
+resource "databricks_workspace_conf" "this" {
+ custom_config = {
+ "enableIpAccessLists" : true
+ }
+}
+
+resource "databricks_ip_access_list" "positive2" {
+ label = "allow_in"
+ list_type = "ALLOW"
+ ip_addresses = [
+ "::/0",
+ "1.2.5.0/24"
+ ]
+ depends_on = [databricks_workspace_conf.this]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json
new file mode 100644
index 00000000000..ef9a9ede78b
--- /dev/null
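Review bot: In negative.tf the access list's `depends_on = [databricks_workspace_conf.this]` refers to a resource that this fixture names `negative`, so the reference is dangling; the two positive fixtures keep the `this` name and are consistent. Either rename the conf resource to `this` or change the reference to `databricks_workspace_conf.negative`. The query only parses these files, so the test still passes, but a fixture that would not plan is confusing to maintain.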
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+ {
+ "queryName": "Unrestricted Databricks ACL",
+ "severity": "HIGH",
+ "line": 10
+ },
+ {
+ "queryName": "Unrestricted Databricks ACL",
+ "severity": "HIGH",
+ "line": 10
+ }
+]
diff --git a/docs/img/logo-databricks.png b/docs/img/logo-databricks.png new file mode 100644 index 0000000000000000000000000000000000000000..9e83815d30e98594cebd809fdb4655f16795ab3f GIT binary patch literal 44225 zcmeFY^;=v^6E!-xySoN=cXxLUZowUbLy!ay4#C}nLvRf)gS*>cgG2C-b8^pnf4qOd zclWcWrh0XC^{Umq_slaAsiq=}f=Gx6002f{IwUV5`Xb`d;V{RYYD!0|5TU}>OV5?%|ZsMcMJI+ zf&>Kx2MGoDZ>n=KE?7v&_bT24{vPl6JDK` zMVS8^_s{b?^0)a{xVP!4zs(DA)^`LB67ny8_Fr9wxVVUrkbhIX+xOmgChuatpYP3g z|L=4+QtW3!4DWJXh_T?q!KF}=|Hc1`|95yZBi-NR{~P!hKNV$pC;9H53o{4MNDIDA)FWp~0 z@0Jw_$p{ChljB1_=ZC-GDnGp>8rpl|Gdy$~0`%_#o7kvZ*{T2b;=;hZZ*(*$C?!m^ zcjP@AGys4N{cir*(tr2czoIeyBeD?FnIOYIyYU}Z4Db8rljDf;d+4=?hKeTO>G>4` z^5OLb3gQ*|&nx8P>&q)V?7iR%3@XF^>h(c}5qhZ4!G@S4K*7>RQPb9od z4hI<5h1q8ioW4I{&vH9NF3au+H71V&5_xr5SnEWInuix(Qd@^GatZG7qUfZoYiqU<}Y#q>vbRW`TFVQFyNtcJ>dUZwf{c~_w@YSO$ZP>tA0Hgih95Qaq|YY z@*zJg6w|hJLj#Tviwo9>lg*NiagG3Ln$Ed?JVn2m?3*NgJw2bZ+p%E)cDsXguPw2& z>;qm2qd>cGy)aR3rT19YMP1&jrBlm(r_?5kPu_wLgH7|Y*suV*9Vwhc`_j15!t38` zB}`$!sQhI|r;<{Zmtxmd1W5tFsh9hZ4q+^#a~8|48~y;t*p6O9Ola+zk*FWIW&Q_F z0xF<=rSACiBdu!j(h;^#3*BhPC!T1^#waI|PbF$zEFDJ7t%^lZJwM~F7lTBHW%XH+ zTq%;-Efp2VhT==o>#K94&-;1hcB&mwyJQp?&+c##^LNNaA)37*toh(61 zG{~XIKCs~%Q@VM5$_H2~R^dYJs`YXbW+pSDb3)z=wXVTxCN(ki+g)~RU1VzWX}}qs zGc*u=ofxyxA!LNZaa=v!UZuIDd(JG+@GB`n^t+piJIk$}Fx=p5b^dz4vY?dI+B(RH zw<#ZrKdQHPX3oxPPO$T!*lo`R4sfp|PKlndb0B-`^&=ETxl7X}dZi};c94$TrB zrd=%^X%+r)`NfBSxAO3yX&=9a-~Z-%d(tW1l7zClOm2C$;l^2=`*`9RzIwOzQq%dC zK_YyuXA%E6HyRz33mm_Hd*0D4Da@P~d)g9i$q{-eHze}|r^r||wVAQuFKc$O8xT>V5=jnmnH$8jSA~#c+-I;zwXyBLakhj1^G*R~|RN6o{w@qjP z&Ar>SML4TZIMN%+b?c)Ng!?vc-ph)e>WKO}%#0RvZPgr(`*_+lZIGmoI&VE)86>x4 zn4nw4o7MBIx$(d^lX#VW=6hPF2XYu2>t<(d|7z6Im%7&k1hT&PyKZ|M&JU9gF&g~G zjkABO{XR8Ij9w!Nvc5PNqrzTm7k%|2wv4{sw|;)OhU|0&fnS*gRbihV$?!njNH>Bs zTn!2>svF+daF6$7ujFHlFPCHEu|&(8KPB_X(%Eu@ir#z#Gs`dfQYO^#t*gbWBm|s2 z4cLE=oxhr$$Km}vaW*pCRLC|iCDG(0vs~^AS`u7cqKo5l54r& zsoWbzv1K@J?se2qN2f<6Q<(o=QtnDcQA}5cqTVlF7K_QGaT*5e@(l{1424-PFN*R* 
zF{UXYvU>FQt7^;-aw#j$PePmxeym5QAvkjUl8Uuc4O6N-0zPKWHUVqruh&;GukbEK ztOD4(1m_m;!r~IV3ZN;GPt8Ej-Hj*ZK4*oG?9t@Yr&GqiinGI1&|?*gwvvJvd{W3A z`SF?Mpztc_?z;E~EnBo5nkwL3_@xxmQd6q56kcfQ^OJz|`I+Q5hb&DuyOAMfUusd%kfknWH>kbI-*;LdbGJA@t$mOU*gRIUVK4AzR`2X3uAwGb+N(TD_1q( z#1$hCyXnj@4Do|$SI}3ZC& z*~Ewd+0Dts_#eBE&6V%jfp3lH6C1^5B59S5wS?r}!swN}IkV>x%+&u-3P|J#7p}@q z|MiHZe{E^OoAaJ5(e}*XurzfnF-;>ch4`rBJCu+4rtKidqIVpLY)W#t1N^c_V+3;w zmidua_059PGnf`3JIo38{H0^V4rTrG`ZEm5ivdkO7Q1Cd+!C$#{h_5QYVv{)p&G6m zor&;O#KME;1K(_-nPwcSK8LQ0M8clD)>hNV%uMW8edK!wiuXDvOr7SobL8eQd>h`7 z?f0r9OTV??jN^qhfYvmggazlb4m+lsipDhjac6H zLGIt*#iG8EA0&PA>UNU2&wSQD#iRE4@~OyUqsu|9!ha)$5<#ekgEjc0@Qs(O-_Tnl zkgM?RPIU2{p*#mWcn_Ukc#&ogSdKerU{U<<@*$JX%&5$9x1pY&5I!8szcc!C@f@kp z6oW{C0`X-(a_0C$f6#M~is!dF_j4qAVdKHzv<3~c)~JVAvgVe~COT^g)E9k zsXc+^>K=}*M+`yhqii58G`*jSx&$ve*>O?&v|NBqqcA z8}ST?8uBpTKCSZTV&;-Pcto_Lp@a+MyE{=KN)0J%!#JJgg*n9lMW?`-0pZI(>1gkq z1G2(YBxv)o2KZcYlaV{9>69p!RyxR|YhtZWiI9$_2?Qc6=|VkjTq&ZrmgLJ#>1Y^d zEXZ$;93)?Imh_|LL4)uCr!3x>0^(eN)#8QLOc?rl0r6G+T zku=WV`sVr9=a~Gd_BJ5a#4E7^DB>d29y|3CkJk$h3L%?q^)My?xav%y$506UNdnraN$`fIY)&5&Ro3An0Tt7%iebL> zEaG+D*3&f89)HR-()`i!1doVKO04zd59*+SvbOKXL11Rhqsr##R7sc<;?zR+q4BE7 zt#{)pp}5kw$tD9d=Rh%Eemnp(!I{4C_e55L1?$epu@M8q8?w-L1rC$dtoa>@)^O5f z!FFBt)C^UL+^n_!Ko93^(8B4aq6Ba8S@bhOVD`FZVa;HdKc;{gT|!;EpLj%g5kuiF zdGJX-)9L(C$1RO>_6(sX=-h}xnx(jau;ClswNLWPP#SwG`=!&61ZXo$TNl(I2O7Mv z>85v08NtMp1@hKL7)K~b(2mdfRH_^fwHJY|$mbM1zqhxR?LK``0q?4HI~vehQ28yw zUwmX#a?7OR3zyJF1p|kWv(8CR*gY`Y#Qo#ySRWb+&29#02}zY*-yB0*-e1M=L~1$*K4c>1-q#nmZ>@5_N;5whFX zV$Bf!Zp@7~$25F*cIJi%Og87X@KoO^&OZ3_G+f7GL1FSUjEtEg?6+-1?c9McacoN( zYFb2Duga5)zbl4SN!1kuQ43h=$uH@7w7z-D80F6v@r8zMbZtjQBLv*E82K%o^1kem z#Rgtdd-RDJTRizG%qZ)d@u2XKL#w6KkmY>)=>NyRoU%{sXlx5rk6v{&XGgBo)>{Zy z!bGU_C(w5Jhxpp)D>v=5|AW%6=x1NeeiMQBEghrN9Cfz&AuMfoddr7k6m$?~(9T+c z#5>vgi^rhLqOfJH!4Y~3f&sj5IU>yGwo*0XdTHD&6K;iEXfZwede)GcDTDRM92x$~ zxk}R;ogSu=992pB7#k@6@YhZa^dQbyWXcYcUp3AysaRxR4k#LMT>x?u}N@vky25=gg2| z0*F6qFgJdw1Iq&lJ7U97@`akTCLU} 
zO^$#ZEgg>7dX2SQGn88H(UmAM7pCG^76;l7qJ;TjA|sfOh2HbZpvHiT5Sg0G;r^tf zdU;Toc#H$9PM=nhJ95|;uBgPNRo?76Sh}e@8E5I^A3QWu z0uOL_+Nf&JDMFs`|h6) zBjI6T@Cl}nEb5fvh%(X86M2FhUo;rd%c39&#g{8iD%ux@1Xj#@s}(SEE1g>6nkPj* z+RJ`yZaSV6Xqt5rR9bcQux>e1D!r=<@~{@%&+&7DU&?XE`iKXPg_M`uy3gKb-==vE zJiL5*HzFz#u{xk#kkbtUgvUK)8ITqgSf~N;0DhkK6a7G~I&;F zFTx>-_sPL9Y@Lv2x8>{o=Wrc+`=EtOGH@`W@F;`Fk_b*Psu)~|M6|oa*(S+GzeQ$Z zA>SdNLw4vNyeY8h;OUH4D`mD>8(MD9b7VvUO`p7mEghu%k`khPPp>%^JWBU1GLA$(Fq9J3#;mG$9E&LVdfaLtnfD zPmFNZOj0DWe%6p*U3jFL9y!LdB@&w%^Pg z*rsU<8QCS|bylgEHhf5%_!Wfus~%Js4>Aq%B;u9w`a`Y$fiiofNaGby2(hTfJ%b`lEXCv2(tjzuN>c-Yi=n3 z!k8h(qBsoi%lWQ2A`fsXQ3LmgAJIdK;U+qoRjN+Zv8CZjI7eg$HFtTn^tLh1HT-Ad zGdE-isZQ-uhUjRnB${UUPsHexUZ^%Zhc<>b>~WbW#Jqkz01D(|tY^FfEa`OhJp3HH zM8xh8ymrA)xm>PLGhDJ+-_CfB8-?oc@|_eokN6PT^Pusz-j6fo!_lX+2c~?%lNu-E zp~hTTwo5Ky@Km!tnq3lT^gwOGY;_xA4^E3`=3`$vAu?g0t!{=hitlAAi_{%z1AC;a zHPyq+y2g=*g)OWjHNsrNPZ~}qVo0On{8*7s_*l-KgksO{pF6KQC-SkZisjNs*0?Sb z@mcaoMBV6zPY-xRU6Y{cZW|lIE=DJJB(m^*9)t#2{#<@xFDmP-7+yd1YQGk|e$&z7 zM&FBtuu%FIGI@Lom0$BRH|}efy?R!WF>kyd#FV#QhUBSM%V~&ZMaGnbS^vR%hCT2Y zJKJv4nBGe%@Nlxg%etiIFh;y|uPj(aW=2dg%P!YbtFdL{<>ikk=W2kFEpPn#1Kyph z1&31pW?mg2)3qn&OglV?{&{Kt4h58}tCPLb6&UQ{b$wAzS|_G^blPR6KF~PDgh%28 z_P}kzd&ow4d4`d$Z>u4r^=zHUJC!6LJ_tjuT=d&Io=S&bbisJN|4;LPV6Am(xC{em^N(+ECB4jE4;wqFijYUzDg<@tuz;rB!B{S)Si>)Rsp3 zSXrQ(tMC|K+wC^FzObE#*^?<+IYwDc@A!_zC~$u>d$Q5on(L?ik}1@>$(3EjSQg9u zq5|=(xt!|niR_$qO79T+D0iE>+{(gn@g+0go8kpayBUUTtBFNI!mfH&W#3|j*K65W zl6f(a{?s(V>_eT`uF2_NbSxoppqvk5f^Eht8YVjWI%lGveii#(g#0wmEwK57k=Xl9 zG-)qUV|qyZQX z?av{TglBtx;>!KU=PASZi=5o|I4zZb5OTs~U`Vh(xz429SHTDVuqtvCb}qHQEwOU@ zSsLWlwybZc5NdUCypaI8E}A$4X8M%ezqbYG z$3ZB|DOddH9UwDaJrU;_l{Dj+I%%jE5_)A5$YGI8isKE6R6oh0&atFU@)2jFYo)eY zV)S6w`!w3sL@k|VK!0>ZU!?aX9Fe?+n}8n*i|r=2 zhBkH7$aJaJ9b(v9>_3lkdc^cz$(MkM2_%YeuNOXDSzhALkQxF&bMo#du2 ze*b)9MUb&WSg~_u7eOLFgk8Fx**q-kv_tDEtWM#ZBX`Wd!p`31aZ)_$V@{&Q@F0JO zm|b*Ytt{<^9>PNS@p|i~PsrC4vMw#AXkZ9R{*-}Cfy6s*AqoK?IHO*vupoC|(#a=g zztE;TiG%V@xpYE)u0fx}T`}dsBfFKy6T7^@`N8zCi`ny)lN;9@I@<|xGgxPKKL(ov 
zW;Q@;(y*&(`EZJpR#Y6eO<^3{icpeR;_izfCse!zJ7aZLr&Nb8mr+)4mwHu6VY)A) zN`+%Psai>OhNu|EGB>k8TAW0OqBFQd zlaGq5P-=a{Wozy^2?l^m^liMBkoTCt;+nDXVMX^@QyPVFaJhI0i(Wu3UP@73H$_0+c* z&A;Lj6)?x4$}gUK^NAqh0`(try1Ep?TCm8+S?b)Vfi@T=LN z9#+PiP#ePoAtu(W7xCZSbp8y0naX*F#sdv#FSdIc@z=L)YAJgXC!HmAr)wb~XHJfcT$#s=}2-7fnXvo>dd+S+p@p-&BSMDzS zMW@ULD1?V>n@W^o9(1atB=|yDG!{}g7rl)Z@hJS@zr(S-P#*gRZHOI{Mj&?X?8YC= zwD*x3;w)0x}j)i^(f8RApi*Df1Z5^6MTE_`7?RL-;EA4Ifx;44Z zIZfx2ZxeAHxPr5a*<%)mSnyJ$-ejvsG)n4jrLFCSx_b;{aUWqq7cz2&`2?z#T#x|y z&njn#&SB3uYlzhZh=|F8&6hBynxaG4)JKf`BcleR`c`N&4{EYFd<0{*Wl3p}>~NQxi9)vr8i9g_c5U zY=SCQpoZ7R#%`huK;$mQ3>xnOI}}cyZe;BGw|lp@coVk~Svq7dwr`&LKfQFFXF6M_ z$Z~H<@G#&1O38D;W@N8Ku&P#2qF57wb zaCsgzh?~GbnBjEmAON2lX-}ct(%#q`uyj8pSuFd@muFHh+lF8X8ygE<4T&s}95UQ< ziav^;6Vrw((ZEW~UnJ!rYs5gY>&K$-3hrX$mxjirvi_(I;1G{cPeDzLHobI6|DbHx zGPlT_OKj^Oo5ho9<<_7N9G6c6%k1HW$S%v}n1meGvw!(s2W`}A-JrggI}+mCBn@g1 zF!YrN_Jxt*&-ie>1T%4mzuBX4FMBZl;(g7r$v+ze2%|h7>*d641&h0T+W>0JPc>5y@c+O(o--W;7B&#{iK!cK?@yvsh3XRJ-;hf>HK)m51 z?hszKzRGBpD-P8FCB0Dse0s&++P`@GamG_^dyGKeOBD&J5DD*l78sE665kW!Jvd; zyB1tjrV9fx=-*}TD;cbXUJez2SXQIcW`>?&JO|<7zRy&9wPjvvLeUpzYr4g-NmqK^ zZN!NhW^z%A?17j)pW}kYxMQ6%5W z2CQ2)k+*ZF!-Ar!V|}&2N7QW2J6O+?APEg|x;yN2#FoN{I#lG16W9GCgwh~O^h2|3xj{cm?V5pA|;}~U$8FyMw++LY4+i%MAsYiyo?z`sTx!a~* z1DWg(t3I>{tA0%8N&2i*g}IBLUqhb`Urs(}ZdOF!)7M%T4XmRtBl42L&sV{Xzr+y~ zw&MbN@+xBpd_S1X=b2^AlvMZ;fh@9_r{Sz5BL(_%*gsC9JQKzsp9I@@K3oU^$^$3& z*T}ilTSq9gs-9@~rIY4i+1eFj%!4vFetRffE%>f@%7U;*gY+s@UmE>0aSk33rsh?} zbIhV5JEnlSRu;gI0F8a{$Vw4khtH=hth2`X(KU54IZWi6bQw_f{HtX-YDRHm-?;MtD(D2(pM?~;JcA-+!l(^I1j{e4KpmKetPk5Ui2dzMM?0&PW1N)cAXfZHB|^y z>vfjeF~MDJ?cbC8js{vAe<0-_FO%F;09Vt}lXpgj6Trl+jAr^}Tpt|d!ZtX!h!_JJ zDX%0-2OV7Y#DYBYCEK#q#5pC4*9>hKrt9rARJ`(f?W35C79WY`|J@D10lwX|)5<1}hCljK>3bdK$cqUQMtYfQ za$2R0T&z6|gz`0(%olaU3|}AGT=0g@@{~lTx>;zLb{(ayb$q%_2XyLiLlvXvFEX>S zNCa)2*wKvM{it~|L z`0e{(K54%{C?wS4c<(ohDe91ZR1vpB?~Z?WpJwVtQUA;x@cc z2#M)|suhZOPy9Cv#@J^lKR$ZvzsT8)Q{C9$@ujpFeWzA8f?ix{v`C<&8cGt!`EaXtY>*#Drr>#z;oq^HH&|~p{ 
zvpt#*96YAUgVF;1)x!0jys#i^Hv4^j9~398oriqASxT%I5x^t1TDNYfDOL3Mig+72*RU*z=LaC3ii{rkyAwx`Mz#i z=@2?-R!lK)3$tC`JY8)$gJZ5kp;xhkoJ z0-r>mAvD(;u_3hcitaGO%W8-t8m^$Pb2gm%yvaZ@TBBT5g2b#3RQ=>7XSuKLtog{< zl4K6IvLL}x^+tm5NXvMb6wyXFsb4jA&|*Whz8q^e(oBcI%Uj*oiMK3r$tHx{s!JDl zke?Ma@Va)C97`)^Y6RA+G>s7z=e2{%grPE6U9_*i-29%}dC9f&dC)+8n8nOzgR1(v zxq2DKUpoNK9x zlB+IBNyNrQbbp zfB$J|L>Re_VBy}p3At66?raX+VSi-{Z?vQpK>f!0W=_Sbl`>6vNFi8fwYLJZ{gTEA zNXKz5QvE%Xg@1*(!BKya<-j{-o%T75c0&Z?)MNk(v~)`vGHfju2Cng%kXSttvo@vy z8L(#SivsI>R`%4Ys^)DlnLr=m(i6YNZX%k{dr3eFYp&$1LC3aLX>A7MnhY5YS!|Rw zRuhJIRYHNH+lDv(Z26J6T{fFlSW2dXeG7w~V2v327&J~(tG6Luwu2Mei1*4huAyHy+ z)6I@fi5w7BUBkqNcrKt6d?FK6E{V$=Gn@rdy{TRfL(y6qs#Losv4|xOjfv7{aJz2$ zDi!-T-~?b?j|!!#fHg!74PbZ9OeTf;No@mG5KWkb{5J81+F2U^$mHeo<}WQ$o2iSd zzVymb$8*7}D+o1=7LpBll8yUZQR-yys8uJV@@h1{AN^Qt*Cm_@jmV_f)U&AHA}RK~ z=ioWGuaof?BX}@nxE?+XABSWK#|(x1^RxS=nH+OAvl!6_&AdjA`@4$8)g~g`B6+-w8n-lkQo$ zSf4BLk%kQPCht4r;mCdCW7T8%^ZJ#i>F39z+=Ao&Ol2HtZDtnH+#3+K_fr+kWDFAs zeMae|KK{(2JPwgH?==8N3GhIWcjo4vZx*zu*P8UCet4{y&?lE|x;PNXs4!948jQ_G zds+H?EfFa+e&eM&rwlgqrkr^$I){m;LaIJrp{Vc4lL@X-rwn%1qJjnZ?tI3j{g%$! 
zx$1sHaQ+Pzg=HUth`f5WH%?+jHhuQ4fdbSUDx`H!UPXIb47 zovUQjfJWlE^ZMKGm-YB=_W(?POqdx`(Sb>KmZJ%L(|5ebv6H6#r8Sjk0oz|ROf3t9 zJ&(pq^KpL)cu)tk#O^CiwaAkF+`}n&Dr<9v@O^_b&-2YqAZK8d34R5}@UviHdFqpL zYIf@F@lr$ucO@45nA(TB#Se;LUm^0Qcq;J+mVm|37VH*JzFd~`7_fS;O7G$Hb+!w{ zfm{FsD!)sKg!0P*aJzh>30kF_|U-^(kgw z2sXaitzi6E>mQ=ENLb@m!d;4i^jJOfWv|V>Xe(V3@toyT2J2o?Rha#JSl2d*Y(pcd zgWIpYmKhfzb&=~OKQ8EpmS*ip!5pOlyltrdn8YuQR5G`i@9w^CV-;legO_OQ9sPl_ z?B`>0(zU6frLUBW+>J_d=X&aZl*T#V^e>Pg`cH%7pB5X@711Dp_7&7ZwBa$>D@ABe89YZG70i-sacr1k zxvpYujabby5y95=;Ut0dJO-sJwkf?5mwI9*R>|mCfrYj!GzpOl`HrD6!^s>OS*GEL zd9-R^W9B&Y!nl(DdZ=5PKZT^^crpPF*>{ai7t>l|X!U#wUY|(JoH6;4ej>JWW2l3v ze95uOM*^~J?ZfTi9hLjnC%3H|GQK1_gkqNVH=?8>ov>9ob zQDS@xsdDwBDSH#A`P}B4u<70?evGe6DI@98Yf$JSzDu^Oy0ggbjVZZcv=v2%!9(!x zzK5`dP^}o`b9tA!=yo!a8ymwds0k(;Qcm0yXI4D zTtvha192R=KZrogi^Cq~29ii*h^|NnwiQan4`R>B-6?_-UiDMBHd3B$-i6FWTWpbs zwpa~0b02#>8_VHZK}5uSzykqA@*)wHJ!hqnIS_unM=x@Xe$F^PK)|w(V)9QbTOYt>>y<+MQ{(Wu(CF^nFGVjW zGSn*bMqkz;NMFa@v!BhAlYa`oby}qCwlm_-waRq3tjfwDW8Ou35d`iMROfCN&af z>E(Y#4`KP|^!$bewrrtuj%PV-a+K1}02`L5G4b0J! 
z+=W4Hf%w$*Gq@hvjh(Ib3sy6zz6xJH7Z&G#6>hvKbfXh29P!JanbqH;OeDFqDk{p7 zvbS_^Orx~ua~7t;zCBJWq!etBNBlg`fF@dJ18cluvo!*wb1m%n7c`M`Q2s7-Yg1xG z4jxsK-}VQg97Wo%s9KvH+T{y(qkj4OdrAh{-rw+nQ|$Pa*R=;nbSozMLIzFn8kap^ zSf5D5?4MYr#boJCqDnvfA{l8@DmYDd+sqG#pl9^*$kq{#YiY*TT9WbDdaB6(N{lK{ z`?6H(R6`ign!8a)ZRyy<)Qq9^0#lwK4GoIoSgo{lBa?la^UX4(a5(wpWL&OJ0;=Jj zIA?~nfK(w^<_eHxZen#y^0SC&`@-_l7Mj<4#=I{lKLVa>bYt>o@p z`Tcu(icyQZnr`$p7JK6V=w+<=v4102k^fm>?=-HqZj#ezJ678Z>B}kBo*;C8 zi0u9TMO{PqQhkqJp4Wg{xUXLH<|LgJagA zk;&vl5t3BNqYGXh?1H|$11SwAp+8DV)dDR+Hecm3pU!AgxNf3`Av#HtLinEXo+ifl z%t{dL+j%yTj(S%rTeP>CImCj}e{5{4aqo=0Xw+cBH{R<;@!QWN3Y<(=0O@_l>B+lg z|438{80@6;)*U(K?1Ssqc>P$u^UA#RcfDASe<9h&yk&3dx_-@7mKf;cv+K92{B)dE=HfL(c00IW~og9@Bg%7M^Y?d0O)u z@MvkrzjDlk7Xz2qn3o#d9&XgCK|;=!hmzh6cwP7H=1Az@EHErIu9Nw1?dBRFLPGh9e+Ulh)LIPd};QN9du4Exxi$pm-x;Tw77z{UDoAx zhe<(HFiRxdgY^0EheJR_G__dIC_IHEH97&gRG@4WB3CoD6q24@D6pdOxqgXbDc{s~ zzQ7`^aX6k5<``e@t8H|%%9HFWfq_lqb>Qj72eZeGjY|urr@J%objFWUGRuhdfcuTE z_4C80hgbi=#iroJGb()AxX&8lACdQI0jtfXAL1b8e$%P#oGC&-zjQ6KXsw`rwrRjd&VE8V$pAjfX5Hgb!^Vd=^*nf}_DWA9#-DtdoSJX>cw6Qx zMqWnIvoSc$a%>~O&`7uoN80mk;e@^PjyL8BMI_AuoQt>;bWxzxE1+|sYfouNBrM@= zp#^LlYzDX6$==f1ZwRAne$JQtt&rLKI(=Uu7F?@r0jKMa%usDu<3bLW2(wDcI7z?B z(vobsugT2CvE7ap_Yb}p0z4`%gM=k3A@f5Iv9)vgsJOO=Jo&niudNB`**pk!Ie#Km z>=`T%v0oi0iB-Y8Y+b&gfR?^uua&}5D(pOO2B)uQu|G7l`y!yi=}Rw2iK)LJ#>uL( zd-gCCaSFY8QT6Qy&V7}jQ=#C`B0o-yrdRBk?hW)i9r;9N823eMFRpZX57jwW!Hx4G z3^C(rb^L~_VChyrwyZl94U|J5a}1mLjPsb;7g?s#_T6iGhteAVaotk@%DNwM7I_`2 z1czOp{`#_G2aEG6#?dUc>~erdQk6hQh6UJ2C*A`=?gw=OGmvqYm8k&mTwPQJxDgWG>8T(^d`5LCzBEXL4O(r7*KS zUqR6GR{gBnh~LsI?u!m6Xe+rjxnl@QKZeqSphEMhsDHakFf7ka2Z7?F={Xh<^KAB` z*YR}0N_1v5ghQB$it%B(cR?qID7X~a$MA7jcz(LFeROgDm~oY07x;To&K4pq9i+Yo zR@Lzjiv?Bll~THUU_&>$fT`p4_M8I>>v}n9hu2*3I0A}Yd>EdoGSd>xeBY10!Ny2l zy1)7A`S&>;&db*wj|;sZri!8*>f&gv0Y6gRQDH0Q~* zNc9J-)ijI?SckYW{QR>zncLz9hi%?+o>SI|JN>Q!km9^mN8iM;PUav5tVBi0}7UPS9=t*zXRz?H>$iLo+L)arrW!F0}Ed zIr8{)LUgTWrwfy}FG|Xm{pcEl<9^xtyGLWD)!~+~#B+daSf`W3c1IDKh38kjPwjVp 
z6Nfn(*g<-~R~+y=&s9xCvO{qkx2b4e8b(Kf%1H*NvaO4%ye_$#(<08HDM!pq5fa=> zO6hAsB(qi^_G@uhS;H;1u6CThkyM@l)l{`hb^9|-QEzx@(YO0{_Y~*NX|3>BFJ*A~ zwBbTJLSo&9qhn_XQAl={3)A9GT1WEoI*JKA5_0GK@DXQVnCbTXnP%SPA%!zu;hzRh z%}IA=G*c*iAz17@sxa+x=!chW)7_G5oBMz)#*3A?I0D43tIG$}9klRbkd$=Tj(2=~I}z{HLvWFP6wu1^Dpq zdx~;qqF_-M%Gh{2A-ILaXaCWxX1iG^!4MmeJB&2s_Ys(z;@^+20OeKu)Fzu$n8HlB zjz4Xwkx43IL9KFlz-T4NHmsQR?-Nv@mAoXzQiE;U6eRmRmLmncJo|Pm#*fbVQwd27 zZq=Su&PX;Mj$&z?*AcPC8`36lu3uxh$=Z|(ia5cIt_2t z6~~T5g)?--y!lp|7mj$$ly)AreW%05Tg(N5S^E8*&~6PQf`9*L61G??j(sq#-8vD2 z@(8QL8=@c4!JyxqXV%&@;&iVOY^~gkrKcD~;8ll5Bv%sXvS{;I%jll^5T&6}P~kxN zZ6Ial^@Xg%xlhmKQvE^#yW#3a+it}ifSyJ_h7VqSUI!;di% z&;~dD!%0uOa`x(Y6>)YH*ec@D5S)X=b0tA!sf?&n-*JOSis4$YY6ar(2bJy92hN*< zke33NY4YrC4@-mWQE@-!l>@(^twX#zR*4wb!KshEnSPGs7c2cSKb-CqY+jFizB?Os zSZY&{_hVIwLaa3Yj(s7J8%u zGO`9#28e>k{%^_P&$X?LvcLq93J1IXaAiT9VybVL*pnZ^UN%yW*hLHLGeb zzAJBGn?!E4YSzv_f!LaWi@5Om`uZk_whH0lxRpvu%ccvv26MbR0rjqLNA9k8sSO9` z;LEH^N3#VVIvt;FV*a5DumTcv>Hhd#u>B+IH1lh@k(f;gJhxWf_#583&!VZr)B7%n z$(SXeU>!_{rj$CeidFxbijYSiEo~oIizlr>UpIIOkg;P^f;WS>)`UR@R>?9f&94%r z^?lr~^iGXxo2LU1^CE0ZFjaX0u^DFW09~evg z8lu_vKwNXi1RlCm5rDEpxj1_t)E4(%ztH7{s+vvEhMxM1K?=xF9C(xjB?wYuVAE-1 zd*0r|4CVdOZ$3+QLy>(3ONk+x;=qhyDeP`IS;$!*Iiu7BXi^ko)JQx-eYvG6%^G==uR-vV@#6Xt#_XF$}3r0dir zkiJ(e+wF_j1P61GBtznT!eDKyO=y8%I#!fBe?cd_MVf{1@IAk8ykdR)EYdY&tQ=Wq zs?zS7%Wo#O`O^l>W~es^g*#{IdUhtA#K63=>P(y&jlwhNd$dTs`_buq-StCL?^~^R zQ?D|y&F5I^u|b(;rqw0?foiRhPXg$nDA4evNv7sK{?M3J03IIvnF0U>P)#D_%euxe zHFFMEx_+-zR@G)%B;^)Bgi^K#0F~_l^*f z(XQ^!YyCm{Q?~Z@_D=7!&-?Mb+(NH9yMS&y^WnCZWkdRP0=P$4e&KN4=Rq<$fLZ}` z*K)REf$`as)-KKhba$HRN_NA%r=;QTOh8vXK^ZkR5KQ%CQNKBsQ829H)^?M1+=Hh8 zu%c^Wv{&{!paLP8z!NA^n(8*N#t+UZ+H8|JbXiMgYX?rNn?~-B~Edct2C%FAm-MYWs(*8XmG25w69cC7# zotY^(zf%Dn70KJ>?v6%`V9evm@<4|st3`QOJ={`na;6;c@~X~O+}r0T6UbEO%@Ztx z&5bR*Z*?w=YADY`D7qgxD4h59D*Mg=P-Bu@Uu-#mQC?Au!nu#Idk=)T{Y<@xE-|0A z%M+g;!bpiT3f9*By5EOk7pT~juvr=d&`;AE6*fyvzus>rC9%$xX_6S1`xvm6CG0jx z8d71+<-T7k;rW_#_xD@wG85EQC1_G(zc~vncKo}5Fy|XHxRK|QYI}fg=>Px6*6U-Z 
zeQGfnUPX43)wzd&>^l!8$26J;^kHuoGTkG_TQhT(#f$G}Jxp@^do~4IsgV%S9eF75 zG`O+zrx^9cR7J+fAuG@imA>|_dh_#b=!__20*4|yVhCb_>PmC_1=a+=ZI2?@r^yge z)pl=8CM5m*MGIFu-`Id5xf;gMffW?%LwyU+ZxFvt+2Fr-aqMNTG-FwTh}@H3Nr_rg z!~=8}a4lh3AH${lm=G^T#TO(|G4!P)m<+wj3PX2+xorDSj|aK?7x(|cWPj445bluHUXVX`M`6w7Dxcya{JT?;HXr{3vHxNN|GMAX+ST2pDm|v z{QOp1zWDyBY#+tQ;*=vjH4*~47imp9@_LALXR9$qP{&AE_LowE17^?1jmppt3^dv zYdw5+0CtI3v%7g!VQKs}59Y_j&6156dI1>fX1Ih6#n;#7i7^2i6F3lr#Lz7<^lV~x zOL**e1Q5_K(gm{lF>3n^eURk7XR(l{GyP${y4q$tfUYN@jkMW9I}=Q=vKm7_3D)xf zJzYAMtgLNwfbIly*Op7{;yn7h+&s(r!;CNd;MUngMGCi4!-UHnw&+q--Mb@7%m_-$ z$eZQ$L)84E^T2$LSvR50YPbl=4iyDG9v|+-+JS2T)ZA+0Mw_Bt-nk9;U;^g~m4SiY zydY|5-D7&$06cR^Lx?QUgOG}779YZ`ja>t>OT}Q;Y?eKzRm9R)MhUVqb897jd)D}X zK3TepnURx0Gja;VtnL`M7~KM(S5%3Kp??W9v4RcyO2;(`0ZSM7+7&JVw#U%*(^j=8 z?W0GSD>Oc|2k2>1$!Vv(x7$Y9niKqmmK3;|yH#1&&vXN^fbOK}sLbX??u0#BnSfr! z&~n#%@hnZ1qNPS6hVFr79bl9Wl`Rb#O&gC9sHKWCUN3}YT~7mGD(^gpYR9!HvK;oy zw5}a14qrf(+uj79v`nLAZs0qYp;RvdtX=eJ=s;Bjaw z)s<6x0ZrDTXE*e_AA8)958jZJdef;4iw3_VR6_fftm>pYoLhvBvb=sJehZn3$Ec4Fu> zzdM7&cK-y%B*`>#0R6SepWfjgx&771ySaXvo$agQ<@r|*O(A+}Bmi_d+V%ngbffsY zdmHS*0iWLGgu-R0rzf)WLDO>raCW642SQ#1kxcMf$J=P9URkb#`g=d<=`oxDS&&w( z6FT44xXK(F)9Ei>*xS=%tj|M_9C=9oUv$ra?NT<_$ngW_N=roeb#D&60fXBDpgX~s z`=&Bcjm$LeUSURX`nM%9F886LvfSr$)d9-q2r_&wFnqNnI)<*-A3P<h~}nBrSf-1oT1D$jP5)Nhh~NI`mPumK$gP|qqI&;gh-1%NY$8gMY2NBfYf2*aXMMTvI3JXr6d zl8~fR?Y8@yWfUM2=$>~C2Fes|`yY(IzxO>EQzgF&hzQ>w@-8;_9dnxN;jD}+h#0y>rMRnW*l_8Va*qomGEOitjT3FKr4&aK9|}(hdv|C~Wg6$zsf>q( zTtL^uNsroQgPCCBShtlJx)V(JStZNkuAfbRA#k_sGxTvU-u$29nR+8vPCu44Hcuc& zH?f|JQR(>MGZuTnr^X!y=ph*T%}qcDV3Z4-`xZfDC_{*RiXSU5R2B~HK6?{V6OL)w z;NNfQ%~Bv#9f}WYezZM`|3z5-ik6UER!R%aVg%};hd{n^=q0e?*2NQzgN<1@6xMZQ zX!PAf>HUtMgW_oewMp4vfu2gu@~V}KqYad1aa*p(0rbIO7pHPdD!*4`)Ukq_vu)bt z-Xy4f>ZFHw_P_f30{PsucQ`#tZECrvNwxhIy}A9}sbg-2#PYc(VCcD0<%unJ0i7I# zms@hVlP|1iuO~yw{p!+WMbJ5b?#{SHyLY9hxp`_+(!*P9F8JAzJkL|cT_s-zDG9jL zU;;XJ$Pw+xZT%ZFx75Gc-p~*Vwme_p)m|@Q|CHl1^sChj%+QYpM~8{@QcmYqJDUdd`%1)gTU+`? 
zp6u%yp|8PGu3Ea~Zfi!q;&pM9(+OO)V_9MeI-rlT2IzX(_fPEW@>ouabApps*vB8j zOFv4YX=DSsTUz1*1qEQj>9G>OyTiweZ6DWO9lQ&Pss|PK7=paFfGA0_~f3iYX~BROkgxyhbXcVBh9M?V=<_bLjqD| z{K_d{S_tNH%f1GL0$GaQ#6?yRROPZGm&sph25ytG!JlasIqSz&IY;PW`P2wDM#Tg4 zY_P!1{01=!Cj_pJ7?0J&;xgl+NpGKeypTg=+>^w<2ke&h_WGgIcPC$HO!ynzjDmNq zF?7ABPx^fOE`&_5c!s4Ix(obs9XlJuEp5tAVg)u6(CJp{m1D2FnfmRI&O`*6Fc zgyX1lQ%Aq_-6!kJWf7;woe1cyZ5_8C;VByif4vaZ!mSPktI(mUC=d#(&08;k75OF@ zbxjTc^)LLeObJu}I`Shmh61Gs#sYcda+(ioFx-kmJO1%|b8tR-a6RbQ+blyrVfCs5 zBCN$q!%FymT0WmsGoahFh*=v&K3y-;$~eK}uS&UW;m472tYDLr&epZ4o+H)>&f`^K zCB1#>Ox96`<~EEM8-#iM5oXSrEkGwzr9UQ;V7b8P>Jm=q_0e-yUG77qYLIPvg_&S( zr6oXjf@Q3;seY8YJDGHp1?c)pW<0d4X?ZR$ACCO#SpNUnJOAJ&jw_C@eYRzBSh6HS zL;xFGmV_w=2Z0^xn&K1!#b6BKhxug&41p=XnI?ew(HK0Xgk%CZ1X|)ipi^iGxFie> z8Axb;IBCm}Oot|EN&xV_OtKp zd*5e4ZK`@YbC=#J8$VEz%7=}<1iO=~!i9xGgdja% zCWf|K#z89HQe?zVCrGdR{5V2Edg7f=E+8XcfOOUwCl?4Rk&}0RX3T|OM0TQe$J|&h z3^-(RCAuF71QB}aj?puK*qig|dhM56eYb}m=6tR<-dvPB0P7h?=<4vk$8~J!z%J#m zWw8vq+(+%mQ6q^Hauhes-$MSrbC~TRy2LU-Vt>Hff%b z(&3z3?rEU^x?G(jbZKTH&yCp@y4nUx>{>;gJfAzmO7|s;^z#Y3?%RVSPk%(Gu4Gg) zLN3`DQSRNXVo>(+8_{SWpvIty7-C-`#Ep->W6Y{9AQzm~+=OwVPsZc|wA?y`euuwJ z@w%hYgTJinM0Kx7rCWoRolz7FUR2fUG=%AF!f6e1ARe=33M}QYcn2Uu6n7`U+(Aq959oEV@g|71JAj( zG*CKSr?*^FE_Zs9Gbb;#5VU8ud@6ZRf6Mwjo%qeO6RCNsbB1oSWs_OXO4aqZ@2yC) zFKMSITX&#$i*oO7mH=@1D2n=gvJAsAt!?Tn3}bxo z6ad2wkkm)8$qsWxYT`g5-!6vqY(n>RFYs8{otvCGf z6^UFLd$G_{^`?!BXY7Lh0MvOUOs9X1sVpB|3TW~3B-4{XzbpM3*#k7*7-ty(+fN-u z?bsu>i7+BS=yLlYUUTfOSH3qZorb2LI)d5}xq#nKb_9^%yd!w><1XAA!1Vay{Ft>ipzc3iY5{H@*~Zh zp{If8Xubxk%vefdmqtCH+q(U!&GR|dQ(3Exl&YspSD&w}(6)!G)LBe2JqdIf2@yHc z3^cdERNL*f)<=#C5$L+*Q_WcDn{`fHGx!4?Y+;pNk3ssCT`k`}NN9>yFBZCfd!Bcqix)Omff)q@40?^^`K=_kmduAnWl0KWlJeZ87G-B_|;A;9N8wdIj9iR{3KOO67 zK#FTyCFxU3Trv;z z#S?UZ{_Di1T*nM_n=~f$IFAv$rUpdxLiDfQ1?p|A9JgwHVoxTL?b``-+1;TL6!(Aa zKw}4%JuWc}g|Hy{+dK$1T|H;KuR*^khS2YqJ8BwE8UL+w*PGgrC*LK=;d~fI4sVCt zQFz0dxG72lvzF^DlB4q>$#7uKbXcrScZ>r=zSFE$cwjXN4a-zRKKOA2IBxhIt&X66!Hb310T8k 
zJ7A~`n~8A|6wm5+40p(GhoC4z7%BoyJYR9v;02sTYAseSgR0h9^d>Ch{?gdNA1bvM zWlf+zvw^YQu*C)F1W}75i$LcU<$jo{rESZWUWtRR24paY9fO6QSH=6;Ndu#HOlFt; zGy!zg$^F3`(>C|$Owp86C7CIShPAMm%f3!u_gtytubZ@h%#TP59Y1I25 zkZgSr=up70_(bm(ItAp-?_=!tiV+A2(ow`$7*<}SW!Q|!uR1F#3?!PV(d#elQ)S^G zgd%nDd))}5<5!Gjs;QQ_T1bXRTbj#u1paqE_j{5KZcS%GpeN9u(-Q|PiNokdU7N@{ z=}d4Q`h{{9&{L&QT!20-hgTjtl_Xjihc|loTvfzOb53$iTIj2+o$;H@Lr(|yEz&9H zzWRa0E{(AQz4Ht3xwT}1z9Sikb=L@dr_wjlnfU;Kq=a1G1bWTN#|%_3?N?Az_ost3 z7(%~DaGozf=y2E8t~fwN-#8iR^fLQf8dk3G5u6L61InV`1JRmYyX#7d40_R@`TKEP z+_0yP$9Tqeg^+5!JL~uZU9D-M=|$HBdc{y3p!1K3O9S?KnJlX=!Afz5^H?;>mKHr7 z51{8U;`?K;&?SbK-dZcDsAmIxpuNZ2qYL!kThmN3sT4<^`!QMUF*I-A-%sW+pD3Bwj%8Y?}b5>@nxal&nmfIih#_bjH7v!Et>M=mK;! z;#Onf>Qq?0`Au0V#$k~bTJgxDH&EDkXyuoHQ&sXiJ8O~K>l4~sf`hsMAZ(A`Y+X_Y z4C=&!Jue<=bi3U_8SUnngtA>K*Fo7 zeIT)cK90Xo0a+GLPtcrfTTDQ|7>9df2e;Wk*9fU#=b_tZzJW!TyQykxc2G)P9jy4y z*Y6pitAS|~cWiWWSq!Q!{k2!gIPLpKtE{F-p~JV5oa<{qr>3ws+HkePSa2KtNNY;~ z)w)ERSR9Je9X%V;2_w7Q^<5xEeB7`_tC~rObuE8XvBJvg9xVZ~M z?3ba~R(pUG&{@d*75{sZ4oXgI=i_Pu{gq6%S@U3Afc~G#Zwt_EIzW$$yvBEja0L3g zI7E4+gH<{}Uu**Ck~GC)<$KKh-Msb{R zeC)M-w$~iKJK~;QFy)RrW7R>9X^c_`qJ%gJF9rjprlF?1n6`wZNgy~ewFwDsQ&Lkf zq`VrrB(w?yPy#6sNzh4{d?Wdb zZ(ru__U1SLXP)^#npTiDxV3y&zBaaOFGyyYx>UREKzCD!sE#qd^k?=z3nSsfye`XY zhe&@gj1f{HSLwkpA$T*pK+WJCJ=m?U9j+(D8&nM)t8NHMcnc!U2Uhacduuqqwuilu zU{Hmgh#J{)*kPb=01k}Fm7kBb4)kqflMVFc=Mn_^L@+~2$lX+-I|B4m0$08}1nBc^ z0exC!VjUbr$lV0!Gi#DNG$sV}DA5-rWXtn~&jq|ytZ5@$n%%hj^?XfDd-|%}DnO|= zq=Ak-lm>iiq})$xFLf{hZY8qK#>)e*HW9r%Ob~QK9Z?uA(aB>A*=tkA54txm)_ZyV zbsDYgrt7>|Yume*t>K*4k@@gw8_`Rm7f_(8Z+XCBpm*PXpcmYMKwn-VPKq1KKwmFZ z=z~a#Tbpd4XaC3+&=)1#mx(Ln0UfMN?$DUX8hWgN>Z2RwY#PhU0AD`EI+HaBq_e}* z^V!^NR%-v+Fai3y{ZN5Wr$&fSUzqgP?QXHSHH;neQr9Mm!a<$kmpi{uKfA!eooCqv z><8YtuHU!CATX>LSf`YPkhcV)O)ne(V8Tdi7dW=C)*wN@8odAyxl04OXjpP!9hBRB zRSac?{{FdyL+-+DYuVb^J5!+#V%u8s75Znkfc}pJcRb~Q$>(frTN?oA-A~>*K)+7( zA8wPQ(KGS@_~%rP=4`tO@6m(VBb&b#i~^}P41nIzjH#cmSHl1@lyDg1x~=WjPUg$) ztzFFo8c~8WmCi3#7t;xbp(L#93_NJ4+z#3)*Yz0kzRkai(Sg1;6JwY5GLWU 
z5@G5*LJ`y@0ey*yLf`8I(7_{Gy5*#}x6;KxcP1%r{yE3i(Crz^e42EizcMENOlwfv z)_&pu&~w-mm0mSu(6&U!RujEcZp4$XLd<^=slG?f88(*|wJd z%mh0?U!UNF!>09X4)~T?mV2^+G!W2ZY2;DQm-wXz*$V}~9wmwB8T>M{KA+CN$LNi1 zF6px&;sU4vsWuGS>dqaAXOv?GL7h>Z^dsD|+TxN6r|t1N+>3Ps8ki|-10g+vnmUi$ z3%a*Iup1GgK*n<>%(+5GsQmZV&o690T&weSa|4GUyEUi)genP$vU7q!;Ge94?>j$Ezm3>sRZo!Kg z&^IKQ8*Mu&u4uYRZI%s59u@}x`c3yXmx)SG&)Oi>Pkq-b50woV9EcxFVBhkUl(+jZ zY3(hCN{G+xA=rnI;`YD@#+z4fv>Z3T>+DGgkuQKK)}g9W(r=*V&LdVYkdb-1b2lcSBCl(YLVX*DfPkdUxKIns5v65uIrc98zTPMu=pS11e-s07>! z?Zpdg20B0b;y&Dqk=w06J-~483Ft2BNUtvta3dIi$ng4g3hT~W#5ou7M|!A1 zd}_ep72{waY!IW=fF5aU=$YWOnFgNkfNuDet$OHRHK~WbSbEG+P1Z;Rq?aBuOm~s%DU@M1$Kb`iAa*M z!{2rw6yV2|Ki4)^o{K=^LG(-9rkr(~w-h8w;7JEsz5POdi{l_Vw z5101v_=&$=x2Kls!JwP^RO(g?C8*an_wc~G6*t%M;6reJCn2yjs6Zc^7GN4E4XX8B z|6Umf>0DfYeEgu%8&)EGt6J1*j?DxvZEpt?EZuG-SlN1_DU8DroghOEQPt~4eQn(9 z?xVgf5`n(!=R#!is!BlipbXZC7!Vie?});htb5ZPsGj&l!U}yNm_JE|LI+Qa#((zz z*&F4*^~HjZdXNfzt^Ca4tn5DTVxjKsw=rNv8y`gpQKGUF? ztQ4>psvIz@U`#K}-IbF&V@=tl=!`NgeIU~r-j}T61*xF>uxgigP~0C0@!Ym(`BDSn zz8glq zF=zlrV94+V*u6F#;TKp)%c)eL3xC^M<7COx?+h?`oE@NNK5iDLtd>2F0MICoS6Bvm zcY)CQ)rM0XxF8I-Wz3GMJ2x*ediHfxOV z*>Y*K^OBksXPV_+@!%KU<<}Z-P+oNO&z$NcS3dLZZMeChK9EQs&A!xBqWka>=}bp= zT-;B1ZIcLcL&XEV!GPM^{NleXou8XK1=L*I+EibnhbRs}2m^*1hWe%bzsvZ4PT$>e zVh2H`UdlI``7lKRgzGxbt^`vo)^@pk@#s#1!d{9LWQ4E*z1V1OS-p;H|Alx9M$(ev zz!zuHoOABE*LJdccE|@#V~TRIUmZ_wEk-+Fs8?azpO6vy=cH`W$-i(Hn)P_YnDbMsDo5e_cc;5? zRedJto<_^iL+{ud)k^|IRH-qdd4i-@J8|o+VfhyO$R2uoZkyUxLR2+KL=zmpQdGTp z#{1=f_q?*pX#35he#-xe(4bbVYD6hj%b)+q>Mq|x=+;kFrWzLz#dKP%d}*|$1MNDmr`6>04x2e%45qGcS{z9I($VZ15 zB_)0_b5^H}gqqZzMIA@1sj=tQA#|x@6QgbAK1%(Z-mAXSCKhe&9&216*I?+Hygqbv z8fUq2iV~qNG;A#xLQe?j%jR>_;|AVewMVu?-i4vao{f-uXOR>@pIHmSQ5HTpLiV#! 
z4O;EK06PEsx?ELDCz>?R1QBt9U{Zeyxx3JiCE)h?W&V*;Ludx*tM1zOwe#FUfUb*J zoyk)qcY3`7qKEH!XNhR<$TEu--~#+b9m=eoUMa4U1ty{KRS5ez} zDiV!UD6xnd^l|=7l#)or{*&ncKEd&`rHlpyyY_Kh*NRL1QMN-Q>aA#`mLW9#Z%3I< z6-}eW7gQre3F&O(yNBcMgu&3|0{SkqGWU6#r9P`pw6Mw+pif6@%mN6fr2@JW<*#+a z_QEotzYoi&R@x|vTR+k)i7q|nUNA@^pc|7uWRLE;z0xEJT{$e(fNrZOPHb+np(6qW zu4`wdGFl7*I`=uZ-u>pfDP~h$`0*&3nbh31bD+30GoN^&3S&c(4Vo0eZ{seMS?RS5 z4t-`vRBKa+MuQGNaRka0owZy%Y>7kXm2qJH@Kjqg+7{wIf#A?ASjwWM`$fsyoFgZe zGFD+Iyg5`t{7MPaI({yG@BVdnM(6pDTN%>>ff(PKN7YD(^Z#QX{2rl6d3Rz2asfTJ z?qz5`ws>r+<u%ZhD z^lUuxTlbiV3F|=DGM=U>{4~jXcNr(CesV1~;)!l>K*NHWD6`TK(zmxSjYgHArm13J z3-y(jQ)T1HN!E(cMdR6D+ZCoNA&v8Uk&IVLRWeu{$-+wj^7+EkvQ;&9<<4c0o{du z1!uK6#x9ggYu12eOH$-hIgk8<4H4;Izyn1 zP9in*WCJ??@OA**i8g>oS!}3!b@Bq&b{P7M1VS;*&`kF`gJ?!xO8S<)`TX{5SQn29 zfT^fy8!`ZweoIVu>pr!Ql9C{as2qAJ4FsCBmX?#-IZd`O4z`Tr$cp!tQWEev!a|%i zLP|nyTI*h>21;TP=Fl9vPB_hGdynkq?Al6KTpn6>=3 z#6w?2eYt=>484PkK%<;pxenz^yz}paZRHT4-yUt2dE6$E);Q6?xNPKuhTQ)+2mbc>rj@mdOY?d7KVbfHPDdp7>|m<+t7>$=h!>523fb2ukH zO4JxrwdH5uwtBV@`e(i*&c|Uqr(Wzp4f~{5pcMSiq<0j<6b`oS}0#U*WYpN#^pF zePZfOz~k_X(X_=(*D4NmB#O(+1#~Z(Fa<+uBEtT>Xd_5`zqJr5S%-7zXq$;(yCJ(R z%?hrb2Pwfw8U1P$?bu=HWv{^lIypuElf0*)dA8d`0;3P3U*mH@2gsDm=z`A<-};-0 zaxeX8^s8}9I}3pWW&l*tR^&~U`Lhk^vl}-z*4YzN<&V_Y!qKFAo9;3zt=41Y zc}jhL&e9pvJi%BmRWF|0ZT3hcSDMND*uQJ>}+@FXxNwG zps_|$kkf^Rt~8tP*%yW`E+(8oS+o2mAtQ_g(%YJ^A>_Wq-so2(CgT*Cj9e>Bo&Kj? 
zKzH7`nI=K^+DB3pbRY2<=-_ALX^&@sExp&yLv0+=6%jY5g!nupMj~?!NVkaTkDXAN zu7pJsT$pMksBkzZKe6LfT#5EF;_!&caw;?6ytidV;`b*5&=+GUv&~-}jK3#MmGC@h z5@0}IkGf1c(YdESUKU0F+;nKQy^uRtKXlLz3u~SXrW?eyR?6u>aG{2SW}?%5%b~}| zw;hyb#8<*+N4$zs59l>3?E$(|^etd0OfPo&3QAR7oNb2gLf%!Qpwyh9$Cibs*7P-J zV3XP}EQD@j4lc?7dfKn2cT}B!n4&oM#czKQNS8gB)hHU`SPa{`<5| zIHwMu!yloH`vaj6|FQ23^c(U4onyj$lV0y^kwuphOKbkb95E9E`Vj7Kz{6s>U8v-Gfq>zrGH&m*(KYM^I*^_2M>h z=amx*)5=4FWRqBg`jis3|Ba_CLVDi7{KFSZdzc>Zd&Fq>rl()ER0?PGrsuu!qn_oF z0QJW-hwAVYD-ot{`uKPrG*?bOpd-K3e>8foZa#Zwy`R zFdJ9>TgnMtU1d_)oP*bn{~8#&U9~k4ZCYnm;rT!Iu01%a>WqK;NOm_%HoJLT76J)m zlaRCt0|7z_k0HuSB+!ru%Bzy{Dhh}~f`!pM5TS}VJOmoXPC5d%qJvlv%TtFINTsDZ zeN4-={9$og?cmJ0&&{Jf=iUI-@tphG1Wfl#n9MA>XV1O&ob&sB-}%1Z=RkFndI-@i z0Jm z*mw_>%|xpelWghYo5ruoeQjHZC@CT@1c<+@l*|MO1`ka3%W6PVvf$t8TyfA>ZX^NSZ4eX9Y6DGhAb~B zMtv+64w}E{RI##@hkncH{=-;EnvNOF8le|Wg>M9)XTYCXrZWcnS0J}XHatrVolHj$ zGYdSq%*tS{J#v1!xk>WU09s{0FWM7_v;X^s7g52LcQ$k=Lc|~S^X=_<(e}ddq77Az zm6b*`Tgh>IYg0o+4Cn8?f7t;ei*i~DRF=QCZG#vpbh-F6mn*~vBFYj;dShWfRzzMm z0D1z|Uvbih!;M&J}h)DtTbf{&?J>tubZY;L_2rBAy%08Q5=$lSa0X-Z2 z&P15I4<4av(Q0}gPtSGRy>mE}jl9e|cUoiU+WuNM?zCM*PboOesIo;o?$7r;p!;B^ zIi)zbogzvNb9A8LS2KEK$Fl_J8zEE6yQ4=>79BC;%yW}J?f?1YDRqa;1;SL+Pz+r> z;kLx_EZ$TP`RRRfRKe_A5~8vo%AzC)JNLb3yn`#}ekvXO#JGjMaNAN*XcuHr5&c9? 
z2LD_7Dk9XPK!Ia%nAPI0iSr0KOfR1<09V~u^P4!hagNb}FeFdAO znsvF;^zaA=GY;r|ATu$Wes+v+om+R(?u#koIQEM{R*JLyPqVL4`|(6JLHC}#8-PA~ zjafj4p)i#m=BOg#h(kS+yJn4{yW#u@MpP>aNh>m09VMwRsiH;-`Iu@eY4gsD4#m-| zS0iLMlu z(D7%r^uu=**0T553dDD(6i?RTdSU_S{UCGA*9RHmui(%q6M1WHQp|>~l}pB3w|}>t zz_@o|(i+u!$!6#l0bPq)Tw$*QRtCIX#6l4d%31+;!{t8Iw96d>IxAd-s0E?qO+A6= z)&SiHlU9!KFw8%EYsX)F!rQBj z$+Z!Z{noCil&{rF!zdewL`C`Hb706M&>ZbXa^3Kt;7={0DCdV|UU4ZxyDN1F&r1iN z0##*3575QUq7YMto&c*6tq@4p;^j8l=)V-|$0JtC8WYg_LEni~l`1V){=skALG-ck zr0(d91G5R6qHE3^-H$vqr0nRi(BSqEnt7)z@*`J!v3vCDADuCRvdiFpPVd%qR>~i2hM3?1*CYgs~Ogrf!5S@yd3f$~~J7r!+P=m|vlI!LE5<4l+y zZtxvOton3LlsLQ|`dI@2d{x4EUDt$dm%D>pZWW?3VADV^V$2;c;;5BmyVvDDZ=h+H zJETJyTaFM@Ove#>tJz3|s6{}>TR`z(rn|)B;EHrv2_7R}16N1ku9AZut$f-8rWB@E zQUQHLynbqLZa?3(NRryB&bW<{^kU4!KYFgMQ%Fta1wqOYWjQ=VlEkX_z_@mt9w5V& z-x4L72!V4_)kR1Xl*q-GZ*hEGhWf$5zGn6h z5JSG+eo&ld4RR#N!D_2mgP6e=n4nV+>AN{7uFgE5`(SjD-aKRbXibGiaxx-#~h>rD`b^|YWkFUpSRq4(N04L)rVHWv=@OG?9~ z?T}&!(znCd3kO32Ux-2 z8{PV+5zDJ>8qo2+v>Z{D_k!ruUrl7$`JiH|hk5Hxr-Q4ta^Qe(eeqgDx9+rS2fc4w_O|1BP+!eGnXa=I zECV{g*!6Thi7wOgKK7HtLtAhZ&zo$GovS}yH2AXdNj&C3$_b$p&4>efuWd=tx{r@a zg2MAr{^hME_K^>(+5}$m^FkhS+Tb!vwK`{4-%9F^ z6`-fXO@>!8h@Lk$z|RJ-PhIgIJo$T;UQGQcBZih`VVN(zo)wnn&hGt1+SK#Vjg4%2 z&-dOLI-%$**$h{;Qr=IuO43h^9DoqFzh5^obh4|KA?g{3_Nt2h$nN6UmO-fN)p+il zMa?np0z5){@=jD#3Gvoz0e#`4yemicha!1W$4{!38Nc+Srsih^Ddd+$zbh|_I}oJ* zv^2Kb9nn*b%@0Szp;W(|hP##n0VUe8^z0{K*rC6*X-P;_{DLg=ekF#0-Uns{S@NGM zb3nn>Gfnq=@;h}NBe1~&bo}uaRR!C_8Xfn#SzL32dvy&`%fZJK(ARPF#O`D?d6tPX zX_&O!MC=-MUN0K|ues*=`QsB1-J5S;`t>WD{QT>srbk$DBa4aWYN>&0x_jc@lYS*_ z6UQ!T;KA##WVy9O(Gypz9pt7-Z4hyc&;1HR$cbf>v?O8TukHJ)$*|g#;xRYPRaj%y%^pGg!2vI)F z3liV*;hV;{(hDt*btvH+e^eAhn60PsJnrCt_2GQbyhu_yb3y@END>q|C!lmJYG^Wi zF91!Cc1ERe*yT@iVOaOKFS$Rak1LB=p@W=r5!-v#WdlL1clKn?iF@@JLQEE*C%_E{ zi%xnx>am{ph#8%gq>5J%(viEd0O)-n^AF6N0kq$QKNW-jI44nbXW=FOHGb9HVuQW9 zVK;nt?H#D?W`=&-Y{;4f9~i#zO8EU$w#lL57Fx}SNVw<9r)p3Cm|htm^}jjO(A0NS zR@Y;}KUtr%9<@zCpFScBF{?5Jua|zk(Ryr9*K+;xBhbdo%`xOJ&s!d9;();zFfNcZggQf-(0_^z1wtt$G)xF>AdX9& 
zmUt)(n39>0mJ&KlGvSX+k|EPS_MY-%x_hUy4LaTJ+13o9{zfB@PtxAEyWf4k{T}-* zkB=+woqFYCU^qKY+MIsmSG{a6g}7kx4tJ-kw~Jw}T_x=a03RP;&vr8uh1M4$D|pAb zx_e$9#=%O)UTrM}uc+2`Nh?`&K?BouMZpljh9;m}KtWj7gMdG*Z0Ntc26vLOnU_zF z=LP_M6qr6=%La46RmLKuor^W20!r7nk0tMVOTXraiMG)D&=+Q&Nhg<`La6QAp`}bs z$8?S4=mcBn;XwlW(pgaZm?CAk%7`8{$Fp1cQ1czi-9IC zG91rI4IoH&rg}x8r)$M(qii7hqKX&zGz{lXmO)lJ+s*l|8ENHjT|GUVKh??EMV7Ir zrS|eY%x{Ntv@9S+@4T_7wrH21PK%yO{tPOLi-to4bO4Hgb_N%%+$+2n=m4Ai(OkD; z*$*?IqfUGo_uT8KJ&o0!l^D~fn>Dxb_f5=xpwso}C%=aV@O+$#QU|l}wnYOb^3;sFb%e2211raHxO|K8auJDLU6@ zR7Svxs|49pHA3`aV}b5sZ(cC2o^r#Hv(_GR+I^Vg*;HI8Mr1fUl^V&ea-PS#%1LU! zAt+wGVvUQF8gNn!Cs1i3`_p|F!2+U^a0;9!Hy_I7_;Fr}V;O|!P8ZAa{(aApWx`1} z`a?C(_`Kd!fuWoX<#MrHcJ-y#tiw4{7W9;BCrL$D(J-ZPV_u$Y?O9^2g(y>{+iUPC z+ccp8tPAJ>e6Hg`kX3>QItmxb+QX{Co^=$yW*I%VCL`0pYQrF)ucWoA!Jt>PxEUHi z%YdOnq{eh7n6I0?ChPJEwNLi76+1D}OWSHZ^289*uvqBw3GQfE8V}wcqt0RfrP7nZ zsO)Gj;B0W>Qms9J58$>nnO@XN@$6g4pw`VL<>$T^D=N_|(MK(LW@}@9e~a>{(I!~e z78lWn4Cs?@X;h4pUNzHW>jPSV^(l>#kLVeLmCtH;C9rZSTN~dwV1nf%koR!g=-{=B zl)$nsDY2YmDNc;|dUDQR1;mA7E?o0PFaYCnuxXs&#NPMIUjXt3!0F#jWkpsLI6sA~ zYX-r2q-x)3;;343TL1tc07*naR33n$kB(Jy&NPAJ{McRZ=TQUB6V1avT$_`0_m)Nf z7MJYpi;-FGHvkcRTaphAk}jYF2%%oRby`}c!_b*#jmepLr#2HBX3q$qFI}vekAQ8< z%D)&`j-|V`4@4V4w+=oVI~{$L_wMElwUnd;Tj&FC=z%+SDr*a?n(W*y$s}#Bu1s@J z{{su?I0IF;a-#evABLB&j^}E@v}nd`7_A{e-}7q|bSzJl%N^Z+A=H#fGn}om{lE(5 zxwTFwz|^66XKbIxTSquxxNHRU9&SR`!0z{#AqY%k1=h=W1-oC2a8(D67m?LnA8mc& zjom-4O3ih-7<_7Z8nTab*ky-b|BB@9SyQaw(<_%b(dV*9{1oNq1!p$HS0B6dTtPa? 
z-SOLhUd?8^(Ru)}FEZ_&RZ|?$vV{kSU_k~SEV#S7+u$19Ex5Zw(BK3J?h@Q#AOs6e zaF<|%yW8d5UvaAL?dSc_)wLeFcYU=MF2|&s;T&U4*G2z1W;(Ux3bHnuQn3hLlpRCh zqR@KGr|-#stG*u{X!&?9?04V%X@YloiQq*I!L`@m4x?M>DdUfQM~b(QUSRARhv(KS0N0 zdxhL1wov_M>uKrY2ch%{v!KLU;@UBT#y)ue+b8qhlv7xJgDVVM>(M3K@;6Gb%=z(^ zTsYpetlK}OE1ua2@;kP0a=0!oV~B^R?}~NXj!l5JYAZls{~M3X(l&hfAKZZtamKh0 z-1z8UY&LvCQ%KOTdJNCqNXRatpSxrABP*~^UXtpGLSt-4^aJTgY&JY5mFuZFYl9#) z783x>duLdI@?a`b_y-rvto?975hpsLkDv8i_m4*+3O0issgS2q#H&cl2k^FP&6Uw-BGQueW0SSy1IG12_4iG+3ox%4aq2%~mE6KOxUqr3wANhS*X+z^*eAj0h?Q&!Q(mcw%&&VF8iocMH7TZa ztc)_pEa5StowvXxy)r!;u=CCoQOJ$u70JG(I{kdwOn+y>E6%9(Dx!=vFof4B*9Lou zL`KYceVmeQVi=f(0r~W^>1Owdg;q9s{oTPm40%|!|ih90%zWUM`c!R1tvc~ zQP@&UDP{;O7&=64_58AOzk73gOC}UxzXorR{5RdA5d9xDR(@F&h$l-5b=s=pT#D`L z!sDscb8LBWy5S;wc^*Wa=CSz5nF(%EJ4J)(0FLDpbuKJY)y9Mt*m`gP{Vv0jvzX(S zF3n*CkFKk({s2spJ5GnoyRkeA~HX~q7^PtfhQ-W&`a6Aplbw`bm`oFlF;9_97@5%LWqJgm zNs8n^&zkBIbDnT{mk}8`Yn+}$wCYd6cjvOxSd_J|55BqM<9mejv2aVj+YChRcnPLs zksG$zit|KPaZR%ZQAk*eIlhDsn?BTN1PvV_c*spkWH@zGo2s5< zw>IH|A=;ik4H8zR{wGn(5Tqjd3$m25!a`GSRV10uY<`OVer=s)oyscA7sYKh@-7Q?!|3uLgeu%jA zE-An6|I2IOZooPig+Hq;+y@KImmtnstE*RHPLbrSk!3WBwxz!L8M{N&Ah>cnp-X^l zx}O4;O!3|nMGTZg&332}X;POz<&Q#1+M?WpZ?LlXp~=pWpv9M6s$jbvT@)$E`Bj+SR`> z&sr63jgPtZXzo*Rb%?lnuK<)hnpqZzqR!>mIutg3iHk|uI*i9#Lnm$i9*}ngD{#*v z6%2i`n__aI6-P3g%qbSjvO~2hCTqsU<;m>&-*&u>8dZ^NnGb)x}!xR&f0m%b++rdi_8ZOF|Aga=K4j zad1IMX#Ui6DZG?}5e4$s0Q{aaGH@!qB@s-`(;R!4I5sNwA)SL`& zKhMb#tKNd>52&#K_YM^Tna=vEk`IiuGy;pG4dbjP6WkVf#+jOGuE>a^1td7?YSg4?La@^kjg2>Y@qcT>h^-A|6A)u@Rtm>y z>Ma-IxIX%ZV$NW+uKDIlU43%J#fr`^CsAV)x%~{<7$<;n%9TfEh*o9O(UdsD>$Q03 zIY2Dl_;amr$g_5EiI}i)lYRMs?cD8`QzewDA(kDNWC$nFrZyY}y-S#|7Ue^k}$BP|=+*qenIDnS@m!rvDevjX8^Pv_x0Q1@P=#KRe5 zzDku6!W0aFJ&+_{v~52mtsfz49ddV9bvv*W0jncc$pph&qYwfI}lDJ zkFfJ)!1j4O6L)z1sgSEpb?xntCzCpT=3=^<3YPAy_mbUf1WB1Vb-L;S=_*aC6L1#+(u+{G-z`-PGcIO8`di^VKU!khOHYe^{Zg)S4q{7*i21#Yy=^ZjTQ(z_4! 
zG%~Pnt-HM9f)Q|Vl6=~BM)smLgjMo@ob-^L;PpJVWz6C@ASX+NAv&`q+kk(m5H6+_cMb4C%`HMwa~$Gnns2bq2} zxCV`9ng*P>6}A&KVv3C1a1;yP*ncp!cadTp3$xvZY7Ze8pTHf!x-*39lT+0mB>50hlY-T15@L||?!iSJ_65?s%eAq*Xt%?tkou1%{Ux=$ zbyM;Ox4shPn~@^%^h->hiOe*8F|p0vZmhX3^Ko`I^wq>$1Xb9&eS=?mX0f+$H| zKr#j*eW0GXt=UTqwpfv)VQpjRSw|H_|7h!OVaw%ZB(wyqU3eFel9D2zEQSQOR3)g% zOsf4jKXl8%n3>W;Ahz-5#w#$2H`SY;Vo3o7HfBa^DOLF9fPbtz>(ULItg*QxD_ZLs zRCB=xz-sXlyUzT{1wdKe#k&XPE}^Ks*NE<%a~9FhIR7F+lFzyEs~E>bV>A-o97pN7 zRXP;owo7}gZzl^)^bGRzF24U?M-HI=fxrl1u*UJk8ekgtrQHYETE&|?@X!EE&Ry@(5`Sa+g^$6D@`K3I>G#JHRoor--z}HlZ&r2Z5 zAbTP<&h;G3b~$Bh*?~=q^}6v~45*UOjQtvD+`T!1M^cIyFSx%O5f%o-6bEEh63LgM zo~m4ssQs$5Xzyc`9`xat2BFE(fWy^4p6N(k50}s;XSQk_@UFCSioFx}@>jf6ZYjME zJ;t0SNKg}c5|7Mk7}L3d+WU{wKMPgbby=x#%tqK_c;e()88p}OCre4KUxy47Tx=M^ z-GnE0bzB~ijx-gnxduG#oVT$jSAmM;`C%X39l_1k(D{(Cw8PbGjvpF1#%=kKZTjI3 z_o1nw_;~SQ)Cj|UD=)E0)NJkZ5z%pLsFuig%KU7H^k3UWo!Oe6zONIj7I(NPP!loN zvSwX@$5v}v@4_H7gvBK@kkVo9_8+CA;gfM0rDrVq828K&Yu%yGN7}R?1KYXlx{d4a zI?=`$RpsD#h6dA)UQWgCko|K>u!^D_pf&guN2dAgH$gnsJ067J%T)I17ws zFQ_G4nLv+1sVnP`@t17NGJX}#Ezo!1Ub%RL&!y0F_h}kuj(FduLNZyGYxo|EqR|j0 zf2Vr+YV+gc*IJdn^fU*W03)uo3)!MP45!`ok}vCT4>8tP;rTbud(v&BbYNo&%n1n_ zs_7K!Hz*q#=;&$9}ZVlhr%r^QJ>Lg5E5Q8MxG#-_Z#G;f8-<#GiWm`SvJ{85Utl z?+7+u5Weh0%e5p5plyZJ7r?g;TiI%8&D0kZ?GAZD(owzDnjS_-(F^F@SA)!yA2tJKMZ<>a@Kvd_xAOCbj72*UJ zwkMV;QZNF5ZG51wuulL{&o(UkZ&4D!{Ffkh8n*E6_Muz^0HfHf`R zBCCI|{S6HooUq-`as8f5-<_p{C`^yW*P{KAh3Hu7*_I{mb9QBhpC9p+r75YQ56t>0 zp5;v{YoX$b0~%;nM}kR^!66?5-G7OZ#svhiwYPkIOdwL=n?zfrt`gb2mrYwP2(FOID2h71zz)w@hw9nI63Nv zKI{xt&#GDd|5JO!;4jZG;(+>MSQQ627{pk4(Baqlrb5ERa@=rXtP|QSFn1n7_JYab__a z&mr2N6&JAS@83ZfFjwXUyQQ7rPo7fcB6IyrTfzQeL%s<@c& z^wJn~4B7YJ7u*l*IrB2w$V?e3zIZMf4SC$k9J<#0Y=Jy5MKMMNB+Sfge|R2#=xJH2 zx_&D{yX2ok=FcOJHu?$ef-ls%0zm%=e;HT#hr{#d3Q+)^>uz9d5p?7wrW10EkuzNe zcc2ac=~Z0ieLVDV#R{G!+)R%2wa&FI`?@BgLbpFQ)hzZh!+^{k{^f@{`KOj!z=jD& z;!IfwZcEdW)x0E&270RKHatp1Zg`|d*!n#6Gb*&a#t~u@=oRQm?GIn=IfsJYBg=!_ z=fOcV-l`1;4vI&C)l;=fK6aCY#6fuDvx-6Ynm!gp;1yASfY(<^L2#K1mbe|VAOTDZM}7-dD$qd}H^N#cA{8 
zRNg;JQ$ia6hO!O!WJSp|+zMJky@%pS8H5Z7qCRsoB?=(KCz?Vyxv2dk-EbwUgK**N z^T#AC;IqkIGA+MX)1?>UyCvo(4TS%AW5--DLg+ii#NbdNv5o!v^nKIG7j<$;F@Jx_ z`{MSQhK2#P-c9OUjfy?3eX;kL&=)Bf2;*Fh{WLk@8W*Tw+%n{HOyU<;sSI$PHOVbq zy{I(s?*!6{+<2G<_uFpZ2HfO}q3+>KxrCX;l{4gs5(-S?J`4_OAWx?ek!4MY#&9Ni zdDI~MWf^3_4#E138H_Po-e5JW^#L6vK#QQS{nAzVoIhh;s7$5#-T@sHJm&&^=mENH zrK@Z#x1Oums2bD7yuymPH?JmO1)tRqi; zgX@i}5O;~XHU^b^M@z8SX5Ra9ct=RH{rvG!MZ&caxxeAwHj_KE0a=4XiVZISi5&lQ~DOm+zElS}g4qI>vJ&od}DdJ=?)mL1}$VWYT zSj=^oqS){|@xA9)`wYgJ&_9TsG?jen;@Ff+LnwJLAPNqK`&U%@RsS$v0C~3|e8}#} zf*Qfjgy$&tha8iczJZ0QpOkyk^jilK86F1Qu4~(63s)&6$sIA|{EHQB+zFcoGL=VZ zR25j---2`8j3vo}iE`vF9MksqsG%x-1q27%6C>nDrUJ z;b4xUIoHIZBO0aB*f4#hxdW`O=?(<+7Vn2OsAR`#6w!jj<3yRh1BB@$aEwN0H)HED z34LR>FiN7>QZxwlASr^8gT>+kxk94tL6duTL!Kcd(bnq|=qHw$V`KDq5g4gqxgR{( zzTLgNiqdue!JykNpR)Eo2z4+_yXsFNr^1>+D&&)GI{6i1oDbz6TSLclkM1nv;8(`O z$yPyR&2V!}yspmG2)Mf4x?oGhVg6O>6=R=4l|4oQbjtn7b(yb#ym39eksBRKVbicH zXTXRd$=v35I}bzwh5f}s;?N?N9qgSZp%B!G;SCUTPD#V7{`oP8wrBkW#EqEk#G-G2 zVd!_ru=uEj@&T=OXqf%k6jSy7_YW9hktN9seG6c1Oy?^~xxSCzY=1;9C*lW+mZ7Hu zm-+^e=FUX2WScVXe_7d&JA^x&st%VtnNv5F=d@jDQe7(x4$gsyxgfORkU)*6h=ty` zwH9%d7*un_&8@#-*|z?4!l_vb*1EpQrJ1bXTFa?Vw1>!_k6tdY8DjxM2^))2e{q9M zShxZ>xZ>CQNkOOvaMW?DjS|9|$y7nNes~NQI=``=)wZ3t6|Hmb={6B%-QtJoLz5S& z7<*uKz#ia09boiDGFAVqWELY949f`vKh@`HXPua@ngshC@5e|%cWDikg&5jFarQ@{ z9kUW{X@u@2Q|DQmzmf^^hvyr3u$1gc7HOt4hoe7v zm;pfqb=o%MlozC(AB^3KYQN~~0fM`lh#Ai5c=@HJAglQM7|?&8+ME0>lq)36hZm+;yvoxsXiKuynq9<9Qav%Z)o1!lw@ zW9LTcA$DG%j^#-wvVWTi9o-~Vp}qLT1t>1eRn_wYnL^%&_+n^vHO0A`{F$K6cwS0d z#z~s6(jE@3@S+BNdP^flR_SdQ8F~{|hz&7tKj$zeTLI!^tDwH#c~nsyE8J-wUh+_C zaMR>%)M-V9Pt-M`ekdzy#Jxu8MRPId#Qc+`@P#`ro`PY5%Bud4}lRqYA_$5&s zx9&(_=Fd{>w_&oPb{G3t4aifMDdx2iB35MtF|NfLt0j$b0UIlrup1(Wd$-RFI4EEu zzHw6TL)3AoBo|}0;{vNO-wDf&v7?qv{_n9W-k+e_b!>=-S=e*7`%44(;$|@8TT@yY zLH@dhr$Vw!h32oCmKG1`9Q_4NQGDjI-TYE3$Uq`ISbmjcWGsQ5qQ+Wo$*6%QcrXdi zAMffWjS5cbv)T9DYoBGUa&${y`@5|}LckrG0*@S@unC85e#01liR4GlaaW>_*+eui{ty#$e%=?_0of!`$d_ 
z=Oe^`;%51<7q$|~fcLpp-a9PipLY+paAzBZn$4~&t%~ichwf%lQ*~({Q`4!PVMbk@ zVe>g&mZR6!rqhV@d@0UZGw%>Wa*k%8Z@{>-h*#mdv@5M$y6{RLC7rA8VhpjL?jRPi zbiKO(%>fs0&K;CZky*vdtS9m7Z-Ceo1q1fM&H?kQ`B+0IRn8`6G{KcpZYxdvXVjm5FXVm z7RRW2tqWGK#V;)y0Sk|)hcAi`@3}AmcsOgSZ7seQg)o^FTS3Qb!f_ z&7K)%lI=%pyB`!!)m8Nz%fBMWYlI`_X|xr)xXH*wS!@r6hoD)IBWdwm)^eiG_=kbjy!au^-D zNq7x=SPBz;k$md9pJ9D_ypkn*5r1u8CBAzRXa-(esFtcBXTJohF*`Ysv`gLvFzC>y zOP5d6mHy=`Au#4^FEVoXIum|;Q$uJu$_rfdpnX-;dnVh&83;S&pYZZ{yBV5kh`+8> zXmm_Huvk@MHEPE}8ek>SXBtY8Pnl*aD;>YtHM_||Knm{Mc^qvYzLHOg9cS2SNT47Q zyaS0OT+|;waRLCyO!89VntyU{2d%#i2+T{zXwg}L*~u0jptknt0I%WP_2DXOBPClt zd-WyFMtKd4vic66n~=8)jLw;De52Y!$2>o^$SHJVCs(CO!|uN;_7IrO8lU?VoT&7x z0V|-SXcN$vo0Mgt#vtIlMZfo@?rE4q$sA0Qzzbknz@A1LL4|F z5CDO7N$b)lNVMr5251^YTHs7qUgeX2+53KwfL7xYFToTeVGlZ1yq8nQ4!%4VSEC-+ zf(1X_A8@~f-|Z_!TdVsN$~&TM*wIQ0CRE7$D}Q!6F;3sP4?Op3Fpdh5Y1Mz9t^Y7{ z(jVPG`*i@jpQecpBxw6`c)iub+X?lY_M3rU zAwO5HSAa$3YB$**il4a-+t062)y#lZbEn#$Lu^DDb5_uy#KRw1bC^aaFGFE_Yy9_c zym>X3bu3ji`vyG(n2|HaprBiM)DM6=1N`MO%cr_E&e^DmBcQKi!Kyn`ItWlH8gr@NS5{fpe^G zZmYKLb9gs>ZCMKmLRS1Rn|_xALmSFH8J!3AFEpM3RwFK=`;!~@dn-b` zU1@!FWM-gBUA&Z!+cUD=mG>~gXX7{ft!AqXqpRZzwJ|P#=(}&uY9B9}Cg$AvzWRJT z3S_Uyu)X=6F((2z7nXf2k=BTEygy(n6Yq(?7BGBVsDgOfFh&)YSF(MjK$FOED)G|V z2h)#1wr*vJ~ChjXettFzZ4+hUlmi)BbA{m9w24^a)e!J|3}OAY z3I|x}wa-vb=u;y+q-;qNQEYXD+#fC^b>CeM{_N8lOCgEnnMCR%*gkCD_{;-Xlv$>H zl2w5;>z016Vo>2Zn*EaCCg6FPS)(zwzAmdXKT?{IV#UK4(;`%BPMYU^#EFUoSebm# z@Da#Skx&S;ORv<8@;<)s@`IpSe~VO|9I;E4$W-S94Lw|VRpSG`Nc#DzkoxRGgd z#oGc{uM6KDj#>)H;mKjI^zi01G}85PV7BKH#X$ zc|1RZ(}W2IB| Date: Sun, 15 Jan 2023 11:56:51 +0100 Subject: [PATCH 185/379] style: add carriage return --- .../terraform/databricks/autoscale_badly_setup/metadata.json | 2 +- .../terraform/databricks/autoscale_badly_setup/query.rego | 2 +- .../terraform/databricks/autoscale_badly_setup/test/negative.tf | 2 +- .../databricks/autoscale_badly_setup/test/positive1.tf | 2 +- .../databricks/autoscale_badly_setup/test/positive2.tf | 2 +- 
 .../terraform/databricks/autoscale_not_setup/metadata.json | 2 +-
 .../queries/terraform/databricks/autoscale_not_setup/query.rego | 2 +-
 .../terraform/databricks/autoscale_not_setup/test/negative.tf | 2 +-
 .../terraform/databricks/autoscale_not_setup/test/positive.tf | 2 +-
 .../databricks/cluster_aws_attributes/test/negative1.tf | 2 +-
 .../databricks/cluster_aws_attributes/test/positive1.tf | 2 +-
 .../databricks/cluster_aws_attributes/test/positive2.tf | 2 +-
 .../databricks/cluster_aws_attributes/test/positive3.tf | 2 +-
 .../queries/terraform/databricks/unrestricted_acl/metadata.json | 2 +-
 assets/queries/terraform/databricks/unrestricted_acl/query.rego | 2 +-
 .../terraform/databricks/unrestricted_acl/test/negative.tf | 2 +-
 .../terraform/databricks/unrestricted_acl/test/positive1.tf | 2 +-
 .../terraform/databricks/unrestricted_acl/test/positive2.tf | 2 +-
 18 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
index 016c1fed42a..2aaf789c7b8 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
@@ -7,4 +7,4 @@
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster",
 "platform": "Terraform",
 "cloudProvider": "databricks"
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego
index 08d4ba9fc63..5b41e7eb304 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego
@@ -30,4 +30,4 @@ CxPolicy[result] {
 "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' should not empty", [name]),
 "keyActualValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' is not setup'", [name]),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf
index 1328a74fced..e6b32fd300c 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf
@@ -13,4 +13,4 @@ resource "databricks_cluster" "negative" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf
index 8de53f13c42..60d9caef0e9 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive1.tf
@@ -12,4 +12,4 @@ resource "databricks_cluster" "positive1" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf
index 54228d92cc7..a2513454ced 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive2.tf
@@ -12,4 +12,4 @@ resource "databricks_cluster" "positive2" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json
index 02cc3fe1f8a..017d45632e3 100644
--- a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json
+++ b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json
@@ -7,4 +7,4 @@
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster",
 "platform": "Terraform",
 "cloudProvider": "databricks"
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/query.rego b/assets/queries/terraform/databricks/autoscale_not_setup/query.rego
index 5a6f627504f..423dfc7f952 100644
--- a/assets/queries/terraform/databricks/autoscale_not_setup/query.rego
+++ b/assets/queries/terraform/databricks/autoscale_not_setup/query.rego
@@ -15,4 +15,4 @@ CxPolicy[result] {
 "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' should be setup", [name]),
 "keyActualValue": sprintf("'databricks_cluster[%s].autoscale' is not setup'", [name]),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf b/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf
index 1328a74fced..e6b32fd300c 100644
--- a/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf
+++ b/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf
@@ -13,4 +13,4 @@ resource "databricks_cluster" "negative" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf
index 165dcfe55a2..dca0fdf7c54 100644
--- a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf
+++ b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf
@@ -9,4 +9,4 @@ resource "databricks_cluster" "positive" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf
index c17393edf59..2f630e24fd5 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf
@@ -13,4 +13,4 @@ resource "databricks_cluster" "this" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf
index 0312a0ccfb7..527791d06ba 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf
@@ -13,4 +13,4 @@ resource "databricks_cluster" "this" {
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf
index a58991a36b6..0e3d9527487 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf
@@ -13,4 +13,4 @@ resource "databricks_cluster" "this" {
 first_on_demand = 0
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf
index 41551576318..6994451447d 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf
@@ -12,4 +12,4 @@ resource "databricks_cluster" "this" {
 zone_id = "us-east-1"
 spot_bid_price_percent = 100
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
index f4cb1b5d4fa..356253adacc 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
+++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
@@ -7,4 +7,4 @@
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list",
 "platform": "Terraform",
 "cloudProvider": "databricks"
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/query.rego b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
index 7a1d04724af..f2b3a2f6d2e 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/query.rego
+++ b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
@@ -34,4 +34,4 @@ CxPolicy[result] {
 "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '::/0'", [name]),
 "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '::/0'", [name]),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
index 5f7c9b4a334..f2999c6dd2f 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
@@ -12,4 +12,4 @@ resource "databricks_ip_access_list" "negative" {
 "1.2.5.0/24"
 ]
 depends_on = [databricks_workspace_conf.this]
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
index 7d52cf04971..ad3c9857700 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
@@ -12,4 +12,4 @@ resource "databricks_ip_access_list" "positive1" {
 "1.2.5.0/24"
 ]
 depends_on = [databricks_workspace_conf.this]
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
index 8aac2b2ee6e..48c87de07d2 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
@@ -12,4 +12,4 @@ resource "databricks_ip_access_list" "positive2" {
 "1.2.5.0/24"
 ]
 depends_on = [databricks_workspace_conf.this]
-}
\ No newline at end of file
+}
From 30e8f05b53907774b745f1d6f95de9be5c450021 Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Sun, 15 Jan 2023 12:46:48 +0100
Subject: [PATCH 186/379] chore(terraform/databricks): refacto check CIDR
---
 .../databricks/unrestricted_acl/query.rego | 25 ++++++-------------
 1 file changed, 7 insertions(+), 18 deletions(-)
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/query.rego b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
index f2b3a2f6d2e..fae77c6c453 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/query.rego
+++ b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
@@ -6,7 +6,7 @@ CxPolicy[result] {
 resource := input.document[i].resource.databricks_ip_access_list[name]
 some j
- contains(resource.ip_addresses[j], "0.0.0.0/0")
+ isEntireNetwork(resource.ip_addresses[j])
 result := {
 "documentId": input.document[i].id,
@@ -14,24 +14,13 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '0.0.0.0/0'", [name]),
- "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '0.0.0.0/0'", [name]),
+ "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '0.0.0.0/0' or '::/0", [name]),
+ "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", [name]),
 }
 }
-CxPolicy[result] {
- resource := input.document[i].resource.databricks_ip_access_list[name]
-
- some j
- contains(resource.ip_addresses[j], "::/0")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "databricks_ip_access_list",
- "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '::/0'", [name]),
- "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '::/0'", [name]),
- }
+isEntireNetwork(cidr) {
+ is_string(cidr)
+ cidrs = {"0.0.0.0/0", "::/0"}
+ cidr == cidrs[j]
 }
From f0d2195c7138a871de4b9435b335fc972c177bde Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Sun, 15 Jan 2023 13:06:15 +0100
Subject: [PATCH 187/379] fix(terraform/databricks): keyExpectedValue
---
 assets/queries/terraform/databricks/unrestricted_acl/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/query.rego b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
index fae77c6c453..64ea4ff9584 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/query.rego
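Review bot: The new `isEntireNetwork` helper only matches the two literal spellings `0.0.0.0/0` and `::/0`, so any other representation of the unrestricted range that the provider accepts (for example an unabbreviated IPv6 zero address, or a value with a different zero-prefix spelling) passes the query silently; the set membership should be preceded by a normalisation step, or the comparison should be documented as exact-string only so that a later maintainer does not assume it covers equivalents. The rule in the first hunk also flags every `databricks_ip_access_list` regardless of its list type; if the resource carries a `list_type` of `BLOCK` (to be confirmed against the provider schema), an entry of `0.0.0.0/0` is a deny-all and not an unrestricted ACL, so the rule should additionally check the type before reporting. As a point of style, `cidr == cidrs[j]` iterates the set under a name that shadows the caller's `j` (the scopes are separate in Rego, but it reads as if they were shared), and `cidrs = {...}` uses unification where the rest of the file uses `:=`; `cidrs := {"0.0.0.0/0", "::/0"}` followed by `cidrs[cidr]` expresses the membership test directly.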
+++ b/assets/queries/terraform/databricks/unrestricted_acl/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '0.0.0.0/0' or '::/0", [name]),
+ "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '0.0.0.0/0' or '::/0'", [name]),
 "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", [name]),
 }
 }
From 00ed9d55f51ba1a950b48cde595a9893e8eabc5b Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Sun, 15 Jan 2023 13:06:34 +0100
Subject: [PATCH 188/379] feat(terraform/databricks): add token lifetime check
---
 .../indefinitely_token/metadata.json | 10 ++++++++++
 .../databricks/indefinitely_token/query.rego | 18 ++++++++++++++++++
 .../indefinitely_token/test/negative.tf | 6 ++++++
 .../indefinitely_token/test/positive.tf | 4 ++++
 .../test/positive_expected_result.json | 7 +++++++
 5 files changed, 45 insertions(+)
 create mode 100644 assets/queries/terraform/databricks/indefinitely_token/metadata.json
 create mode 100644 assets/queries/terraform/databricks/indefinitely_token/query.rego
 create mode 100644 assets/queries/terraform/databricks/indefinitely_token/test/negative.tf
 create mode 100644 assets/queries/terraform/databricks/indefinitely_token/test/positive.tf
 create mode 100644 assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json
diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
new file mode 100644
index 00000000000..33f4cdf2acb
--- /dev/null
+++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
@@ -0,0 +1,10 @@
+{
+ "id": "7d05ca25-91b4-42ee-b6f6-b06611a87ce8",
+ "queryName": "Indefinitely Databricks Token Lifetime",
+ "severity": "MEDIUM",
+ "category": "Insecure Defaults",
+ "descriptionText": "Token has an indefinitely lifetime",
+ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token",
+ "platform": "Terraform",
+ "cloudProvider": "databricks"
+}
diff --git a/assets/queries/terraform/databricks/indefinitely_token/query.rego b/assets/queries/terraform/databricks/indefinitely_token/query.rego
new file mode 100644
index 00000000000..4acf357414c
--- /dev/null
+++ b/assets/queries/terraform/databricks/indefinitely_token/query.rego
@@ -0,0 +1,18 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_token[name]
+ not resource.lifetime_seconds
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_token",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_token[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'databricks_token[%s]' should not have indefinitely lifetime", [name]),
+ "keyActualValue": sprintf("'databricks_token[%s]' have an indefinitely lifetime", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/negative.tf b/assets/queries/terraform/databricks/indefinitely_token/test/negative.tf
new file mode 100644
index 00000000000..209119fb5f3
--- /dev/null
+++ b/assets/queries/terraform/databricks/indefinitely_token/test/negative.tf
@@ -0,0 +1,6 @@
+resource "databricks_token" "negative" {
+ provider = databricks.created_workspace
+ comment = "Terraform Provisioning"
+ // 100 day token
+ lifetime_seconds = 8640000
+}
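Review bot: The rule in query.rego fires only when `lifetime_seconds` is absent, so a `databricks_token` with any explicit value — including one spanning years — is accepted, and nothing in the hunk records that this is the intended scope. A one-line comment above the check, `# only an omitted lifetime_seconds is reported; a present value is not range-checked`, would make that explicit, and a follow-up could compare the value against an upper bound if the project wants one. The `keyExpectedValue`/`keyActualValue` strings would read better as `'databricks_token[%s]' should not have an indefinite lifetime` and `'databricks_token[%s]' has an indefinite lifetime`. The `databricks_obo_token` query added in PATCH 189 has the same shape and the same two points.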
diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive.tf b/assets/queries/terraform/databricks/indefinitely_token/test/positive.tf new file mode 100644 index 00000000000..8e9dd3559d7 --- /dev/null +++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive.tf @@ -0,0 +1,4 @@ +resource "databricks_token" "positive" { + provider = databricks.created_workspace + comment = "Terraform Provisioning" +} diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json new file mode 100644 index 00000000000..a2999c2e199 --- /dev/null +++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json @@ -0,0 +1,7 @@ +[ + { + "queryName": "Indefinitely Databricks Token Lifetime", + "severity": "MEDIUM", + "line": 1 + } +] From 50f1fe280ac6b738b9805ff3e9b30ff3bffdb3d2 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Sun, 15 Jan 2023 13:11:21 +0100 Subject: [PATCH 189/379] feat(terraform/databricks): add obo token lifetime check --- .../indefinitely_obo_token/metadata.json | 10 ++++++++++ .../indefinitely_obo_token/query.rego | 18 ++++++++++++++++++ .../indefinitely_obo_token/test/negative.tf | 6 ++++++ .../indefinitely_obo_token/test/positive.tf | 5 +++++ .../test/positive_expected_result.json | 7 +++++++ 5 files changed, 46 insertions(+) create mode 100644 assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json create mode 100644 assets/queries/terraform/databricks/indefinitely_obo_token/query.rego create mode 100644 assets/queries/terraform/databricks/indefinitely_obo_token/test/negative.tf create mode 100644 assets/queries/terraform/databricks/indefinitely_obo_token/test/positive.tf create mode 100644 assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
new file mode 100644
index 00000000000..b9128ee3207
--- /dev/null
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
@@ -0,0 +1,10 @@
+{
+ "id": "23e1f5f0-12b7-4d7e-9087-f60f42ccd514",
+ "queryName": "Indefinitely Databricks OBO Token Lifetime",
+ "severity": "MEDIUM",
+ "category": "Insecure Defaults",
+ "descriptionText": "OBO Token has an indefinitely lifetime",
+ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token",
+ "platform": "Terraform",
+ "cloudProvider": "databricks"
+}
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego b/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego
new file mode 100644
index 00000000000..8859aab47ed
--- /dev/null
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego
@@ -0,0 +1,18 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_obo_token[name]
+ not resource.lifetime_seconds
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_obo_token",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_obo_token[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'databricks_obo_token[%s]' should not have indefinitely lifetime", [name]),
+ "keyActualValue": sprintf("'databricks_obo_token[%s]' have an indefinitely lifetime", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/negative.tf b/assets/queries/terraform/databricks/indefinitely_obo_token/test/negative.tf
new file mode 100644
index 00000000000..0f648b31ca4
--- /dev/null
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/negative.tf @@ -0,0 +1,6 @@ +resource "databricks_obo_token" "negative" { + depends_on = [databricks_group_member.this] + application_id = databricks_service_principal.this.application_id + comment = "PAT on behalf of ${databricks_service_principal.this.display_name}" + lifetime_seconds = 3600 +} diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive.tf b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive.tf new file mode 100644 index 00000000000..cb6d10953d5 --- /dev/null +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive.tf @@ -0,0 +1,5 @@ +resource "databricks_obo_token" "positive" { + depends_on = [databricks_group_member.this] + application_id = databricks_service_principal.this.application_id + comment = "PAT on behalf of ${databricks_service_principal.this.display_name}" +} diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json new file mode 100644 index 00000000000..62c4d425835 --- /dev/null +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json @@ -0,0 +1,7 @@ +[ + { + "queryName": "Indefinitely Databricks OBO Token Lifetime", + "severity": "MEDIUM", + "line": 1 + } +] From cdc839ef7a1f36e480b098ea6d9cbcfe4ef70a84 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Sun, 15 Jan 2023 13:20:54 +0100 Subject: [PATCH 190/379] chore(terraform/databricks): delete cloudProvider reference --- .../terraform/databricks/autoscale_badly_setup/metadata.json | 3 +-- .../terraform/databricks/autoscale_not_setup/metadata.json | 3 +-- .../terraform/databricks/cluster_aws_attributes/metadata.json | 3 +-- .../terraform/databricks/indefinitely_obo_token/metadata.json | 3 +-- .../terraform/databricks/indefinitely_token/metadata.json | 3 +-- .../terraform/databricks/unrestricted_acl/metadata.json | 3 +-- 6 files changed, 6 insertions(+), 12 deletions(-) diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json index 2aaf789c7b8..9c505c47899 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json @@ -5,6 +5,5 @@ "category": "MissingAttribute", "descriptionText": "Databricks should have min and max worker setup for autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", - "platform": "Terraform", - "cloudProvider": "databricks" + "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json index 017d45632e3..b0f319095d5 100644 --- a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json @@ -5,6 +5,5 @@ "category": "Best Practices", "descriptionText": "Databricks should have autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", - "platform": "Terraform", - "cloudProvider": "databricks" + "platform": "Terraform" } 
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json index 52164347c4e..45f10d3b2a4 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json @@ -5,6 +5,5 @@ "category": "Best Practices", "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected", "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", - "platform": "Terraform", - "cloudProvider": "databricks" + "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json index b9128ee3207..c13681ea814 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json @@ -5,6 +5,5 @@ "category": "Insecure Defaults", "descriptionText": "OBO Token has an indefinitely lifetime", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token", - "platform": "Terraform", - "cloudProvider": "databricks" + "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json index 33f4cdf2acb..6cb416b0f8b 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json @@ -5,6 +5,5 @@ "category": "Insecure Defaults", "descriptionText": "Token has an indefinitely lifetime", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token", - "platform": "Terraform", - "cloudProvider": "databricks" + "platform": "Terraform" } 
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json index 356253adacc..4ac74906ca7 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json @@ -5,6 +5,5 @@ "category": "Networking and Firewall", "descriptionText": "ACL allow ingress from 0.0.0.0/0 and/or ::/0", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list", - "platform": "Terraform", - "cloudProvider": "databricks" + "platform": "Terraform" } From 7238157b3d9ca39c3e983d1a042faa957fdcb335 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Mon, 16 Jan 2023 19:08:05 +0100 Subject: [PATCH 191/379] feat(terraform/databricks): group not used --- .../group_without_user/metadata.json | 9 ++++++ .../databricks/group_without_user/query.rego | 32 +++++++++++++++++++ .../group_without_user/test/negative.tf | 14 ++++++++ .../group_without_user/test/positive.tf | 20 ++++++++++++ .../test/positive_expected_result.json | 7 ++++ 5 files changed, 82 insertions(+) create mode 100644 assets/queries/terraform/databricks/group_without_user/metadata.json create mode 100644 assets/queries/terraform/databricks/group_without_user/query.rego create mode 100644 assets/queries/terraform/databricks/group_without_user/test/negative.tf create mode 100644 assets/queries/terraform/databricks/group_without_user/test/positive.tf create mode 100644 assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/group_without_user/metadata.json b/assets/queries/terraform/databricks/group_without_user/metadata.json new file mode 100644 index 00000000000..d5a0f596493 --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user/metadata.json 
@@ -0,0 +1,9 @@
+{
+ "id": "23c3067a-8cc9-480c-b645-7c1e0ad4bf60",
+ "queryName": "Databricks Group Without User",
+ "severity": "LOW",
+ "category": "Access Control",
+ "descriptionText": "Databricks Group should have at least one user associated",
+ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group",
+ "platform": "Terraform"
+}
diff --git a/assets/queries/terraform/databricks/group_without_user/query.rego b/assets/queries/terraform/databricks/group_without_user/query.rego
new file mode 100644
index 00000000000..df6205e30f8
--- /dev/null
+++ b/assets/queries/terraform/databricks/group_without_user/query.rego
@@ -0,0 +1,32 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ databricks_group := input.document[i].resource.databricks_group[name]
+
+ without_users(name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_databricks_group",
+ "resourceName": tf_lib.get_resource_name(databricks_group, name),
+ "searchKey": sprintf("databricks_group[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("aws_databricks_group[%s] should be associated with an databricks_group_member that has at least one user set", [name]),
+ "keyActualValue": sprintf("aws_databricks_group[%s] is not associated with an databricks_group_member that has at least one user set", [name]),
+ }
+}
+
+without_users(name) {
+ count({x | resource := input.document[x].resource.databricks_group_member; has_membership_associated(resource, name); not empty(resource)}) == 0
+}
+
+has_membership_associated(resource, name) {
+ attributeSplit := split(resource[_].group_id, ".")
+ attributeSplit[1] == name
+}
+
+empty(resource) {
+ count(resource[_].member_id) == 0
+}
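Review bot: `"resourceType": "aws_databricks_group"` and the `aws_databricks_group[%s]` prefix in `keyExpectedValue`/`keyActualValue` name a resource type that does not exist; the rule iterates `resource.databricks_group[name]` and `searchKey` already uses `databricks_group[%s]`, so those three strings should say `databricks_group` as well (PATCH 192 renames the query but keeps these strings). Separately, `has_membership_associated` recognises a membership only when `group_id` is written as a dotted reference whose second segment equals the group name — a literal id, a variable, or a `data.` reference yields no match and the group is reported as unused — and the first segment is never compared with `databricks_group`. Adding `attributeSplit[0] == "databricks_group"` and a comment above the helper, `# only direct databricks_group.<name>.* references are matched`, would make the rule's coverage explicit. Note also that `not empty(resource)` is evaluated over all `databricks_group_member` blocks of a document at once, so one block with an empty `member_id` drops every membership in that document from the count.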
diff --git a/assets/queries/terraform/databricks/group_without_user/test/negative.tf b/assets/queries/terraform/databricks/group_without_user/test/negative.tf new file mode 100644 index 00000000000..4f264c85e95 --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user/test/negative.tf @@ -0,0 +1,14 @@ +resource "databricks_group" "negative_group" { + display_name = "Some Group" + allow_cluster_create = true + allow_instance_pool_create = true +} + +resource "databricks_user" "negative_user" { + user_name = "someone@example.com" +} + +resource "databricks_group_member" "negative_member" { + group_id = databricks_group.negative_group.id + member_id = databricks_user.negative_user.id +} diff --git a/assets/queries/terraform/databricks/group_without_user/test/positive.tf b/assets/queries/terraform/databricks/group_without_user/test/positive.tf new file mode 100644 index 00000000000..2e38d5848bf --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user/test/positive.tf @@ -0,0 +1,20 @@ +resource "databricks_group" "positive_group" { + display_name = "Some Group" + allow_cluster_create = true + allow_instance_pool_create = true +} + +resource "databricks_user" "positive_user" { + user_name = "someone@example.com" +} + +resource "databricks_group_member" "positive_member" { + group_id = databricks_group.positive_group.id + member_id = databricks_user.positive_user.id +} + +resource "databricks_group" "positive_group_2" { + display_name = "Some Group" + allow_cluster_create = true + allow_instance_pool_create = true +} diff --git a/assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json new file mode 100644 index 00000000000..c76a28cabf7 --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json 
@@ -0,0 +1,7 @@ +[ + { + "queryName": "Databricks Group Without User", + "severity": "LOW", + "line": 16 + } +] From 52e1d4d0eda0f83cfad10c395d81d4fac2e91195 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Mon, 16 Jan 2023 19:37:38 +0100 Subject: [PATCH 192/379] fix(terraform/databricks): add instance profile --- .../test/positive_expected_result.json | 7 ------- .../metadata.json | 4 ++-- .../query.rego | 15 ++++++++++++--- .../test/negative1.tf} | 0 .../test/negative2.tf | 12 ++++++++++++ .../test/positive1.tf} | 0 .../test/positive2.tf | 16 ++++++++++++++++ .../test/positive_expected_result.json | 12 ++++++++++++ 8 files changed, 54 insertions(+), 12 deletions(-) delete mode 100644 assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json rename assets/queries/terraform/databricks/{group_without_user => group_without_user_or_instance_profile}/metadata.json (73%) rename assets/queries/terraform/databricks/{group_without_user => group_without_user_or_instance_profile}/query.rego (75%) rename assets/queries/terraform/databricks/{group_without_user/test/negative.tf => group_without_user_or_instance_profile/test/negative1.tf} (100%) create mode 100644 assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf rename assets/queries/terraform/databricks/{group_without_user/test/positive.tf => group_without_user_or_instance_profile/test/positive1.tf} (100%) create mode 100644 assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json deleted file mode 100644 index c76a28cabf7..00000000000 
--- a/assets/queries/terraform/databricks/group_without_user/test/positive_expected_result.json +++ /dev/null @@ -1,7 +0,0 @@ -[ - { - "queryName": "Databricks Group Without User", - "severity": "LOW", - "line": 16 - } -] diff --git a/assets/queries/terraform/databricks/group_without_user/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json similarity index 73% rename from assets/queries/terraform/databricks/group_without_user/metadata.json rename to assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json index d5a0f596493..2c1935d4342 100644 --- a/assets/queries/terraform/databricks/group_without_user/metadata.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json @@ -1,9 +1,9 @@ { "id": "23c3067a-8cc9-480c-b645-7c1e0ad4bf60", - "queryName": "Databricks Group Without User", + "queryName": "Databricks Group Without User Or Instance Profile", "severity": "LOW", "category": "Access Control", - "descriptionText": "Databricks Group should have at least one user associated", + "descriptionText": "Databricks Group should have at least one user or one instance profile associated", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/group_without_user/query.rego b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego similarity index 75% rename from assets/queries/terraform/databricks/group_without_user/query.rego rename to assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego index df6205e30f8..539a00525d1 100644 --- a/assets/queries/terraform/databricks/group_without_user/query.rego +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego 
@@ -5,7 +5,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { databricks_group := input.document[i].resource.databricks_group[name] - without_users(name) + without_instance_profile(name) + without_user(name) result := { "documentId": input.document[i].id, @@ -18,8 +19,8 @@ CxPolicy[result] { } } -without_users(name) { - count({x | resource := input.document[x].resource.databricks_group_member; has_membership_associated(resource, name); not empty(resource)}) == 0 +without_instance_profile(name) { + count({x | resource := input.document[x].resource.databricks_group_instance_profile; has_membership_associated(resource, name); not empty(resource)}) == 0 } has_membership_associated(resource, name) { @@ -28,5 +29,13 @@ has_membership_associated(resource, name) { } empty(resource) { + count(resource[_].instance_profile_id) == 0 +} + +without_user(name) { + count({x | resource := input.document[x].resource.databricks_group_member; has_membership_associated(resource, name); not empty(resource)}) == 0 +} + +empty_user(resource) { count(resource[_].member_id) == 0 } diff --git a/assets/queries/terraform/databricks/group_without_user/test/negative.tf b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative1.tf similarity index 100% rename from assets/queries/terraform/databricks/group_without_user/test/negative.tf rename to assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative1.tf diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf new file mode 100644 index 00000000000..b65542f82fc --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf 
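Review bot: In the last hunk `empty(resource)` is changed to check `instance_profile_id`, but `without_user` still filters with `not empty(resource)`; `databricks_group_member` blocks have no `instance_profile_id`, so `empty` is undefined for them, the filter always passes, and the newly added `empty_user` is never called. The line in `without_user` should read `count({x | resource := input.document[x].resource.databricks_group_member; has_membership_associated(resource, name); not empty_user(resource)}) == 0`, and renaming `empty` to `empty_instance_profile` would make the pair symmetric. `has_membership_associated` is now shared by the member and instance-profile lookups; a comment above it, `# matches any block whose group_id is a databricks_group.<name>.* reference`, would record that both resource types carry `group_id`. The rule's result block sits between the first and second hunk and is not shown.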
@@ -0,0 +1,12 @@ +resource "databricks_instance_profile" "negative_instance_profile" { + instance_profile_arn = "my_instance_profile_arn" +} + +resource "databricks_group" "negative_group" { + display_name = "my_group_name" +} + +resource "databricks_group_instance_profile" "negative_group_instance_profile" { + group_id = databricks_group.negative_group.id + instance_profile_id = databricks_instance_profile.negative_instance_profile.id +} diff --git a/assets/queries/terraform/databricks/group_without_user/test/positive.tf b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive1.tf similarity index 100% rename from assets/queries/terraform/databricks/group_without_user/test/positive.tf rename to assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive1.tf diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive2.tf b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive2.tf new file mode 100644 index 00000000000..11f26c26cc2 --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive2.tf @@ -0,0 +1,16 @@ +resource "databricks_instance_profile" "positive_instance_profile" { + instance_profile_arn = "my_instance_profile_arn" +} + +resource "databricks_group" "positive_group" { + display_name = "my_group_name" +} + +resource "databricks_group_instance_profile" "my_group_instance_profile" { + group_id = databricks_group.positive_group.id + instance_profile_id = databricks_instance_profile.positive_instance_profile.id +} + +resource "databricks_group" "positive_group2" { + display_name = "my_group_name" +} 
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json new file mode 100644 index 00000000000..8adeff90c4c --- /dev/null +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json @@ -0,0 +1,12 @@ +[ + { + "queryName": "Databricks Group Without User Or Instance Profile", + "severity": "LOW", + "line": 16 + }, + { + "queryName": "Databricks Group Without User Or Instance Profile", + "severity": "LOW", + "line": 14 + } +] From 73c64180d4d1ffacb4c5fca0eed1d8033c6479e6 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Mon, 16 Jan 2023 19:45:03 +0100 Subject: [PATCH 193/379] fix(terraform/databricks): add descriptionID --- .../terraform/databricks/autoscale_badly_setup/metadata.json | 1 + .../terraform/databricks/autoscale_not_setup/metadata.json | 1 + .../terraform/databricks/cluster_aws_attributes/metadata.json | 1 + .../group_without_user_or_instance_profile/metadata.json | 1 + .../terraform/databricks/indefinitely_obo_token/metadata.json | 1 + .../terraform/databricks/indefinitely_token/metadata.json | 1 + .../queries/terraform/databricks/unrestricted_acl/metadata.json | 1 + 7 files changed, 7 insertions(+) diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json index 9c505c47899..0918462f8b1 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json 
@@ -5,5 +5,6 @@ "category": "MissingAttribute", "descriptionText": "Databricks should have min and max worker setup for autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", + "descriptionID": "e6eabd3e", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json index b0f319095d5..1ea3791c939 100644 --- a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json @@ -5,5 +5,6 @@ "category": "Best Practices", "descriptionText": "Databricks should have autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", + "descriptionID": "700067d9", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json index 45f10d3b2a4..8ee3169ca27 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json @@ -5,5 +5,6 @@ "category": "Best Practices", "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected", "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", + "descriptionID": "b6345aa6", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json index 2c1935d4342..2b1f967a032 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json 
@@ -5,5 +5,6 @@ "category": "Access Control", "descriptionText": "Databricks Group should have at least one user or one instance profile associated", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group", + "descriptionID": "4bb78f12", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json index c13681ea814..38769bd0234 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json @@ -5,5 +5,6 @@ "category": "Insecure Defaults", "descriptionText": "OBO Token has an indefinitely lifetime", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token", + "descriptionID": "df3aa7ed", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json index 6cb416b0f8b..d3cd1c66885 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json @@ -5,5 +5,6 @@ "category": "Insecure Defaults", "descriptionText": "Token has an indefinitely lifetime", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token", + "descriptionID": "79759163", "platform": "Terraform" } diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json index 4ac74906ca7..2e34ad86516 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json 
@@ -5,5 +5,6 @@ "category": "Networking and Firewall", "descriptionText": "ACL allow ingress from 0.0.0.0/0 and/or ::/0", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list", + "descriptionID": "9670a9f6", "platform": "Terraform" } From 5f054229a223d2f17010c08ce20a5fabf08bc038 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Mon, 16 Jan 2023 19:47:55 +0100 Subject: [PATCH 194/379] fix(terraform/databricks): modify category --- .../terraform/databricks/autoscale_badly_setup/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json index 0918462f8b1..818725418f1 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json @@ -2,7 +2,7 @@ "id": "953c0cc6-5f30-44cb-a803-bf4ef2571be8", "queryName": "Databricks Autoscale Badly Setup", "severity": "MEDIUM", - "category": "MissingAttribute", + "category": "Resource Management", "descriptionText": "Databricks should have min and max worker setup for autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", "descriptionID": "e6eabd3e", From 976f48ef8614b0848673f6fc84405cd503d68190 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Wed, 18 Jan 2023 18:11:19 +0100 Subject: [PATCH 195/379] chore(terraform/databricks): use common cloudProvider --- .../terraform/databricks/autoscale_badly_setup/metadata.json | 3 ++- .../terraform/databricks/autoscale_not_setup/metadata.json | 3 ++- .../terraform/databricks/cluster_aws_attributes/metadata.json | 3 ++- .../group_without_user_or_instance_profile/metadata.json | 3 ++- .../terraform/databricks/indefinitely_obo_token/metadata.json | 3 ++- .../terraform/databricks/indefinitely_token/metadata.json | 3 ++- .../terraform/databricks/unrestricted_acl/metadata.json | 3 ++- 7 files changed, 14 insertions(+), 7 deletions(-) diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json index 818725418f1..eb142edbd69 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Databricks should have min and max worker setup for autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", "descriptionID": "e6eabd3e", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json index 1ea3791c939..8b58b9a2ccf 100644 --- a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json +++ b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Databricks should have autoscale", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", "descriptionID": "700067d9", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } 
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json index 8ee3169ca27..e4884f95026 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected", "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", "descriptionID": "b6345aa6", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json index 2b1f967a032..b138804c4dc 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Databricks Group should have at least one user or one instance profile associated", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group", "descriptionID": "4bb78f12", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json index 38769bd0234..c624df76b71 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json 
@@ -6,5 +6,6 @@ "descriptionText": "OBO Token has an indefinitely lifetime", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token", "descriptionID": "df3aa7ed", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json index d3cd1c66885..1dc228380bd 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Token has an indefinitely lifetime", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token", "descriptionID": "79759163", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json index 2e34ad86516..187b3fa1449 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "ACL allow ingress from 0.0.0.0/0 and/or ::/0", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list", "descriptionID": "9670a9f6", - "platform": "Terraform" + "platform": "Terraform", + "cloudProvider": "common" } From 808af41ec719daeab2cc13541d3081b6ed2894fc Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Thu, 19 Jan 2023 16:42:57 +0100 Subject: [PATCH 196/379] chore(terraform/databricks): delete no autoscale rule --- .../autoscale_not_setup/metadata.json | 11 ----------- .../databricks/autoscale_not_setup/query.rego | 18 ------------------ .../autoscale_not_setup/test/negative.tf | 16 ---------------- .../autoscale_not_setup/test/positive.tf | 12 ------------ .../test/positive_expected_result.json | 7 ------- 5 files changed, 64 deletions(-) delete mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/metadata.json delete mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/query.rego delete mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf delete mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf delete mode 100644 assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json deleted file mode 100644 index 8b58b9a2ccf..00000000000 --- a/assets/queries/terraform/databricks/autoscale_not_setup/metadata.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "id": "543e77a0-4ce0-45f9-b34e-9eec1e885c71", - "queryName": "Databricks Autoscale Not Setup", - "severity": "INFO", - "category": "Best Practices", - "descriptionText": "Databricks should have autoscale", - "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster", - "descriptionID": "700067d9", - "platform": "Terraform", - "cloudProvider": "common" -} diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/query.rego b/assets/queries/terraform/databricks/autoscale_not_setup/query.rego deleted file mode 100644 index 423dfc7f952..00000000000 --- a/assets/queries/terraform/databricks/autoscale_not_setup/query.rego +++ /dev/null 
@@ -1,18 +0,0 @@ -package Cx - -import data.generic.terraform as tf_lib - -CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] - not resource.autoscale - - result := { - "documentId": input.document[i].id, - "resourceType": "databricks_cluster", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("databricks_cluster[%s]", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' should be setup", [name]), - "keyActualValue": sprintf("'databricks_cluster[%s].autoscale' is not setup'", [name]), - } -} diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf b/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf deleted file mode 100644 index e6b32fd300c..00000000000 --- a/assets/queries/terraform/databricks/autoscale_not_setup/test/negative.tf +++ /dev/null @@ -1,16 +0,0 @@ -resource "databricks_cluster" "negative" { - cluster_name = "Shared Autoscaling" - spark_version = data.databricks_spark_version.latest.id - node_type_id = data.databricks_node_type.smallest.id - autotermination_minutes = 20 - autoscale { - min_workers = 1 - max_workers = 50 - } - aws_attributes { - availability = "SPOT" - zone_id = "us-east-1" - first_on_demand = 1 - spot_bid_price_percent = 100 - } -} diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf deleted file mode 100644 index dca0fdf7c54..00000000000 --- a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive.tf +++ /dev/null 
@@ -1,12 +0,0 @@ -resource "databricks_cluster" "positive" { - cluster_name = "Shared Autoscaling" - spark_version = data.databricks_spark_version.latest.id - node_type_id = data.databricks_node_type.smallest.id - autotermination_minutes = 20 - aws_attributes { - availability = "SPOT" - zone_id = "us-east-1" - first_on_demand = 1 - spot_bid_price_percent = 100 - } -} diff --git a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json deleted file mode 100644 index e3351fcf0f6..00000000000 --- a/assets/queries/terraform/databricks/autoscale_not_setup/test/positive_expected_result.json +++ /dev/null @@ -1,7 +0,0 @@ -[ - { - "queryName": "Databricks Autoscale Not Setup", - "severity": "INFO", - "line": 1 - } -] From d2d905c4321626038bff314f356d2bda815da4e0 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Thu, 19 Jan 2023 16:54:36 +0100 Subject: [PATCH 197/379] feat(terraform/databricks): check zone_id --- .../cluster_aws_attributes/query.rego | 22 +++++++++++++++---- .../cluster_aws_attributes/test/negative1.tf | 4 ++-- .../cluster_aws_attributes/test/positive1.tf | 4 ++-- .../cluster_aws_attributes/test/positive2.tf | 4 ++-- .../cluster_aws_attributes/test/positive3.tf | 4 ++-- .../cluster_aws_attributes/test/positive4.tf | 16 ++++++++++++++ 6 files changed, 42 insertions(+), 12 deletions(-) create mode 100644 assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego index 477dceae2ca..e9cf96c0bc2 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego 
@@ -2,10 +2,9 @@ package Cx import data.generic.terraform as tf_lib -#use spot instance CxPolicy[result] { resource := input.document[i].resource.databricks_cluster[name] - contains(resource.aws_attributes.availability, "ON_DEMAND") + resource.aws_attributes.availability == "SPOT" result := { "documentId": input.document[i].id, @@ -13,8 +12,8 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.availability", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' should not equal to 'ON_DEMAND'", [name]), - "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' is equal to 'ON_DEMAND'", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' should not equal to 'SPOT'", [name]), + "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' is equal to 'SPOT'", [name]), } } @@ -47,3 +46,18 @@ CxPolicy[result] { "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' is not present", [name]), } } + +CxPolicy[result] { + resource := input.document[i].resource.databricks_cluster[name] + not resource.aws_attributes.zone_id == "auto" + + result := { + "documentId": input.document[i].id, + "resourceType": "databricks_cluster", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("databricks_cluster[%s].aws_attributes.zone_id", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.zone_id' should be egal to 'auto'", [name]), + "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.zone_id' is not equal to 'auto'", [name]), + } +} 
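Review bot: The rewritten condition `resource.aws_attributes.availability == "SPOT"` reverses what the first rule flags (ON_DEMAND before, plain SPOT now) while the `#use spot instance` comment that explained the old intent is dropped without a replacement, so the new intent — SPOT is acceptable only with a fallback, as negative1.tf's `SPOT_WITH_FALLBACK` shows — is stated nowhere in the file. I would restore a comment above the rule, e.g. `# plain SPOT loses workers when spot capacity is reclaimed; expect SPOT_WITH_FALLBACK (or ON_DEMAND)`. The keyExpectedValue in the message hunk below should likewise name the accepted value rather than only the rejected one, e.g. `'databricks_cluster[%s].aws_attributes.availability' should be 'SPOT_WITH_FALLBACK'`.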
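Review bot: `not resource.aws_attributes.zone_id == "auto"` in the new zone_id rule also succeeds when `aws_attributes` or `zone_id` is absent (negation of an undefined expression), so every databricks_cluster without an aws_attributes block — including the Azure and GCP clusters the later commits in this series add fixtures for — is reported as "is not equal to 'auto'". Use `resource.aws_attributes.zone_id != "auto"`, which is undefined (no finding) when the attribute is missing; if a missing zone_id should also be reported, do it in a separate rule with `"issueType": "MissingAttribute"` and a matching message. `should be egal to 'auto'` in keyExpectedValue is a typo for `equal`.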
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf index 2f630e24fd5..70bd583477c 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf @@ -8,8 +8,8 @@ resource "databricks_cluster" "this" { max_workers = 50 } aws_attributes { - availability = "SPOT" - zone_id = "us-east-1" + availability = "SPOT_WITH_FALLBACK" + zone_id = "auto" first_on_demand = 1 spot_bid_price_percent = 100 } diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf index 527791d06ba..58de1733c87 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf @@ -8,8 +8,8 @@ resource "databricks_cluster" "this" { max_workers = 50 } aws_attributes { - availability = "ON_DEMAND" - zone_id = "us-east-1" + availability = "SPOT" + zone_id = "auto" first_on_demand = 1 spot_bid_price_percent = 100 } diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf index 0e3d9527487..53f5e68e6fe 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf @@ -8,8 +8,8 @@ resource "databricks_cluster" "this" { max_workers = 50 } aws_attributes { - availability = "SPOT" - zone_id = "us-east-1" + availability = "SPOT_WITH_FALLBACK" + zone_id = "auto" first_on_demand = 0 spot_bid_price_percent = 100 } 
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf index 6994451447d..6f1364013c2 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf @@ -8,8 +8,8 @@ resource "databricks_cluster" "this" { max_workers = 50 } aws_attributes { - availability = "SPOT" - zone_id = "us-east-1" + availability = "SPOT_WITH_FALLBACK" + zone_id = "auto" spot_bid_price_percent = 100 } } diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf new file mode 100644 index 00000000000..b7703430ef9 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf @@ -0,0 +1,16 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT_WITH_FALLBACK" + zone_id = "us-west-2a" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} From 42e7d9b214046a2c0d9d9e0f37b08452b6d39d86 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Thu, 19 Jan 2023 17:23:59 +0100 Subject: [PATCH 198/379] feat(terraform/databricks): check if task is legacy mode --- .../use_spark_submit_task/metadata.json | 11 ++++ .../use_spark_submit_task/query.rego | 36 ++++++++++++ .../use_spark_submit_task/test/negative.tf | 58 +++++++++++++++++++ .../use_spark_submit_task/test/negative2.tf | 26 +++++++++ .../use_spark_submit_task/test/positive1.tf | 58 +++++++++++++++++++ .../use_spark_submit_task/test/positive2.tf | 22 +++++++ .../test/positive_expected_result.json | 12 ++++ 7 files changed, 223 insertions(+) create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/metadata.json create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/query.rego create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/test/negative.tf create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/test/negative2.tf create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json new file mode 100644 index 00000000000..28e75dccb49 --- /dev/null +++ b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json 
@@ -0,0 +1,11 @@ +{ + "id": "375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7", + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "category": "Networking and Firewall", + "descriptionText": "Job's Task Is spark_submit_task", + "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/job#spark_submit_task-configuration-block", + "descriptionID": "fdaa059f", + "platform": "Terraform", + "cloudProvider": "common" +} diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/query.rego b/assets/queries/terraform/databricks/use_spark_submit_task/query.rego new file mode 100644 index 00000000000..24d6ff225e3 --- /dev/null +++ b/assets/queries/terraform/databricks/use_spark_submit_task/query.rego 
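Review bot: `"category": "Networking and Firewall"` does not fit a check on the task type of a databricks_job; the other databricks queries in this series use `"category": "Best Practices"`, which is where a legacy-API check belongs. `"descriptionText": "Job's Task Is spark_submit_task"` only restates the queryName; say why it is reported, e.g. `"descriptionText": "Databricks Job task uses the legacy spark_submit_task; prefer a task type such as spark_jar_task or notebook_task"` (both appear in negative.tf). Severity MEDIUM for a deprecation-style finding also looks high next to the LOW used by the cluster attribute checks, though that is a judgement call.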
@@ -0,0 +1,36 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_job[name]
+
+ resource.task.spark_submit_task
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_job",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_job[%s].task.spark_submit_task", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_job[%s].task.spark_submit_task' should not contains to 'spark_submit_task'", [name]),
+ "keyActualValue": sprintf("'databricks_job[%s].task.spark_submit_task' contains to 'spark_submit_task'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_job[name]
+
+ some j
+ resource.task[j].spark_submit_task
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_job",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_job[%s].task.spark_submit_task", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_job[%s].task.spark_submit_task' should not contains to 'spark_submit_task'", [name]),
+ "keyActualValue": sprintf("'databricks_job[%s].task.spark_submit_task' contains to 'spark_submit_task'", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/negative.tf b/assets/queries/terraform/databricks/use_spark_submit_task/test/negative.tf
new file mode 100644
index 00000000000..21d2d4d883c
--- /dev/null
+++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/negative.tf
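Review bot: The second rule's `searchKey` is `databricks_job[%s].task.spark_submit_task` without the index `j`, so when a job has more than one task with spark_submit_task every finding carries the same key and the line resolver cannot tell them apart; include the index, e.g. `sprintf("databricks_job[%s].task[%d].spark_submit_task", [name, j])`, in whatever indexed form the resolver accepts. The two rules are otherwise identical and the result object is duplicated verbatim; a helper that builds the result from `(resource, name)` would leave only the `some j` iteration different between them. `should not contains to 'spark_submit_task'` / `contains to 'spark_submit_task'` in both messages is ungrammatical; `should not use the legacy 'spark_submit_task'` / `uses 'spark_submit_task'` reads better.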
@@ -0,0 +1,58 @@ +resource "databricks_job" "negative1" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + new_cluster { + num_workers = 1 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + + task { + task_key = "b" + //this task will only run after task a + depends_on { + task_key = "a" + } + + existing_cluster_id = databricks_cluster.shared.id + + spark_jar_task { + main_class_name = "com.acme.data.Main" + } + } + + task { + task_key = "c" + + job_cluster_key = "j" + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + //this task starts a Delta Live Tables pipline update + task { + task_key = "d" + + pipeline_task { + pipeline_id = databricks_pipeline.this.id + } + } +} diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/negative2.tf b/assets/queries/terraform/databricks/use_spark_submit_task/test/negative2.tf new file mode 100644 index 00000000000..90aaa3cdf75 --- /dev/null +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/negative2.tf @@ -0,0 +1,26 @@ +resource "databricks_job" "negative1" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + new_cluster { + num_workers = 1 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } +} 
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive1.tf b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive1.tf new file mode 100644 index 00000000000..3d34040c5d9 --- /dev/null +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive1.tf @@ -0,0 +1,58 @@ +resource "databricks_job" "positive" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + new_cluster { + num_workers = 1 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + + task { + task_key = "b" + //this task will only run after task a + depends_on { + task_key = "a" + } + + existing_cluster_id = databricks_cluster.shared.id + + spark_submit_task { + main_class_name = "com.acme.data.Main" + } + } + + task { + task_key = "c" + + job_cluster_key = "j" + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + //this task starts a Delta Live Tables pipline update + task { + task_key = "d" + + pipeline_task { + pipeline_id = databricks_pipeline.this.id + } + } +} diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive2.tf b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive2.tf new file mode 100644 index 00000000000..5ce61cc7158 --- /dev/null +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive2.tf 
@@ -0,0 +1,22 @@ +resource "databricks_job" "positive" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + existing_cluster_id = databricks_cluster.shared.id + + spark_submit_task { + main_class_name = "com.acme.data.Main" + } + } +} diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json new file mode 100644 index 00000000000..6fc2dd18985 --- /dev/null +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json @@ -0,0 +1,12 @@ +[ + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 18 + }, + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 26 + } +] From 5440f1888012848f63253c8282a664848089219b Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Thu, 19 Jan 2023 22:02:51 +0100 Subject: [PATCH 199/379] feat(terraform/databricks): add azure attributes --- .../cluster_azure_attributes/metadata.json | 11 +++++ .../cluster_azure_attributes/query.rego | 48 +++++++++++++++++++ .../test/negative1.tf | 15 ++++++ .../test/positive1.tf | 15 ++++++ .../test/positive2.tf | 15 ++++++ .../test/positive3.tf | 15 ++++++ .../test/positive_expected_result.json | 17 +++++++ 7 files changed, 136 insertions(+) create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/query.rego create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf create mode 100644 assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json new file mode 100644 index 00000000000..000e5b11ac5 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "38028698-e663-4ef7-aa92-773fef0ca86f", + "queryName": "Check Databricks Cluster AWS Attribute Best Practices", + "severity": "LOW", + "category": "Best Practices", + "descriptionText": "One or some Databricks Cluster Azure Attribute Best Practices are not respected", + "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", + "descriptionID": "bb2e4c81", + "platform": "Terraform", + "cloudProvider": "common" +} 
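Review bot: `"queryName": "Check Databricks Cluster AWS Attribute Best Practices"` says AWS in an Azure query whose descriptionText says Azure, and the positive_expected_result.json added by this same commit expects `"Check Databricks Cluster Azure Attribute Best Practices"`, so the expected results cannot match the query's own name. Change the line to `"queryName": "Check Databricks Cluster Azure Attribute Best Practices",`. With the AWS name kept, this query would also be indistinguishable from the cluster_aws_attributes query in reports.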
diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego new file mode 100644 index 00000000000..46e65da9732 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego 
@@ -0,0 +1,48 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ resource.azure_attributes.availability == "SPOT_AZURE"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].azure_attributes.availability", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.availability' should not equal to 'SPOT'", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s].azure_attributes.availability' is equal to 'SPOT'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ resource.azure_attributes.first_on_demand == 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].azure_attributes.first_on_demand", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' should not equal to '0'", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' is equal to '0'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ not resource.azure_attributes.first_on_demand
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].azure_attributes.first_on_demand", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' should present", [name]),
+ "keyActualValue": 
sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' is not present", [name]), + } +} diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf new file mode 100644 index 00000000000..53abc098458 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "this" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_WITH_FALLBACK_AZURE" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf new file mode 100644 index 00000000000..1c82459d521 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_AZURE" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf new file mode 100644 index 00000000000..2ed7d5d1807 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf 
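Review bot: Both messages in the first rule say 'SPOT' while the condition tests `"SPOT_AZURE"`; the same copy-paste is in the cluster_gcp_attributes query.rego of the next commit, which checks `"PREEMPTIBLE_GCP"` and also reports 'SPOT'. Name the actual value, e.g. `... should not equal to 'SPOT_AZURE'` / `... is equal to 'SPOT_AZURE'`. The third rule's `not resource.azure_attributes.first_on_demand` also succeeds when the cluster has no azure_attributes block at all (negated undefined), so every AWS or GCP databricks_cluster is reported by this Azure query as missing first_on_demand; add `resource.azure_attributes` as a guard line before the `not`, and since that rule reports an absent attribute its `"issueType"` should be `"MissingAttribute"` rather than `"IncorrectValue"`. `should present` in its keyExpectedValue is missing `be`.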
@@ -0,0 +1,15 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_WITH_FALLBACK_AZURE" + first_on_demand = 0 + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf new file mode 100644 index 00000000000..1bd4f57ce51 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_WITH_FALLBACK_AZURE" + zone_id = "auto" + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json new file mode 100644 index 00000000000..001a77b057b --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json @@ -0,0 +1,17 @@ +[ + { + "queryName": "Check Databricks Cluster Azure Attribute Best Practices", + "severity": "LOW", + "line": 11 + }, + { + "queryName": "Check Databricks Cluster Azure Attribute Best Practices", + "severity": "LOW", + "line": 13 + }, + { + "queryName": "Check Databricks Cluster Azure Attribute Best Practices", + "severity": "LOW", + "line": 10 + } +] From 6c9fd6b22ec387184c7fb5ae48b69bedddfbda81 Mon Sep 17 00:00:00 2001 
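Review bot: positive3.tf sets `zone_id = "auto"` and `spot_bid_price_percent = 100` inside `azure_attributes`, which looks copied from the AWS fixture; I do not believe the databricks provider's azure_attributes block accepts either argument (zone_id is an AWS attribute and the Azure spot price setting is spot_bid_max_price), so please confirm against the provider docs, otherwise the fixture is not a valid configuration even though the query still triggers on the missing first_on_demand. negative1.tf, positive1.tf and positive2.tf in this commit use spot_bid_price_percent in the same block and need the same check.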
From: Dimitri GRISARD Date: Thu, 19 Jan 2023 22:03:13 +0100 Subject: [PATCH 200/379] feat(terraform/databricks): add gcp attributes --- .../cluster_gcp_attributes/metadata.json | 11 +++++++++++ .../cluster_gcp_attributes/query.rego | 18 ++++++++++++++++++ .../cluster_gcp_attributes/test/negative1.tf | 16 ++++++++++++++++ .../cluster_gcp_attributes/test/positive1.tf | 15 +++++++++++++++ .../cluster_gcp_attributes/test/positive2.tf | 16 ++++++++++++++++ .../cluster_gcp_attributes/test/positive3.tf | 15 +++++++++++++++ .../test/positive_expected_result.json | 7 +++++++ 7 files changed, 98 insertions(+) create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf create mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json new file mode 100644 index 00000000000..43bd1fa5a8f --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "539e4557-d2b5-4d57-a001-cb01140a4e2d",
+ "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "One or some Databricks Cluster GCP Attribute Best Practices are not respected",
+ "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html",
+ "descriptionID": "c1fe1954",
+ "platform": "Terraform",
+ "cloudProvider": "common"
+}
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego b/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego
new file mode 100644
index 00000000000..e28e910fd1a
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego
@@ -0,0 +1,18 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+ resource.gcp_attributes.availability == "PREEMPTIBLE_GCP"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].gcp_attributes.availability", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].gcp_attributes.availability' should not equal to 'SPOT'", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s].gcp_attributes.availability' is equal to 'SPOT'", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf
new file mode 100644
index 00000000000..7bdaaeb1ea6
--- /dev/null
+++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf
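Review bot: `"queryName": "Check Databricks Cluster AWS Attribute Best Practices"` in the GCP query is the same name the Azure query's metadata uses and presumably the cluster_aws_attributes query's own name, so three queries would report under one name while this descriptionText says GCP. Change it to `"queryName": "Check Databricks Cluster GCP Attribute Best Practices",` and update positive_expected_result.json in this commit, which currently expects the AWS name, in step.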
@@ -0,0 +1,16 @@ +resource "databricks_cluster" "this" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + gcp_attributes { + availability = "PREEMPTIBLE_WITH_FALLBACK_GCP" + zone_id = "auto" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf new file mode 100644 index 00000000000..15e63e828c2 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + gcp_attributes { + availability = "PREEMPTIBLE_GCP" + zone_id = "AUTO" + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf new file mode 100644 index 00000000000..1f00af04bb4 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf @@ -0,0 +1,16 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + gcp_attributes { + availability = "PREEMPTIBLE_WITH_FALLBACK_GCP" + zone_id = "AUTO" + first_on_demand = 0 + spot_bid_price_percent = 100 + } +} 
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf new file mode 100644 index 00000000000..24da5f151a2 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf @@ -0,0 +1,15 @@ +resource "databricks_cluster" "this" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + gcp_attributes { + availability = "PREEMPTIBLE_WITH_FALLBACK_GCP" + zone_id = "AUTO" + spot_bid_price_percent = 100 + } +} diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json new file mode 100644 index 00000000000..5ebfaf8c459 --- /dev/null +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json @@ -0,0 +1,7 @@ +[ + { + "queryName": "Check Databricks Cluster AWS Attribute Best Practices", + "severity": "LOW", + "line": 11 + } +] From c36af320a6054d16e9030bae8eb559759c3b82f2 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Thu, 19 Jan 2023 22:03:32 +0100 Subject: [PATCH 201/379] fix(terraform/databricks): positive result --- .../test/positive_expected_result.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json index 2a3e125924a..be2f8142f47 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json 
@@ -13,5 +13,10 @@ "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 10 + }, + { + "queryName": "Check Databricks Cluster AWS Attribute Best Practices", + "severity": "LOW", + "line": 12 } ] From 4d4d57c67a7416de5633ff721a80f487432238be Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Thu, 19 Jan 2023 22:04:55 +0100 Subject: [PATCH 202/379] chore(terraform/databricks): delete used test --- .../cluster_gcp_attributes/test/positive2.tf | 16 ---------------- .../cluster_gcp_attributes/test/positive3.tf | 15 --------------- 2 files changed, 31 deletions(-) delete mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf delete mode 100644 assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf deleted file mode 100644 index 1f00af04bb4..00000000000 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive2.tf +++ /dev/null @@ -1,16 +0,0 @@ -resource "databricks_cluster" "this" { - cluster_name = "data" - spark_version = data.databricks_spark_version.latest.id - node_type_id = data.databricks_node_type.smallest.id - autotermination_minutes = 20 - autoscale { - min_workers = 1 - max_workers = 50 - } - gcp_attributes { - availability = "PREEMPTIBLE_WITH_FALLBACK_GCP" - zone_id = "AUTO" - first_on_demand = 0 - spot_bid_price_percent = 100 - } -} diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf deleted file mode 100644 index 24da5f151a2..00000000000 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive3.tf +++ /dev/null 
@@ -1,15 +0,0 @@ -resource "databricks_cluster" "this" { - cluster_name = "data" - spark_version = data.databricks_spark_version.latest.id - node_type_id = data.databricks_node_type.smallest.id - autotermination_minutes = 20 - autoscale { - min_workers = 1 - max_workers = 50 - } - gcp_attributes { - availability = "PREEMPTIBLE_WITH_FALLBACK_GCP" - zone_id = "AUTO" - spot_bid_price_percent = 100 - } -} From cac78c5546aa0e2d972fe9db33078fd905073930 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Thu, 19 Jan 2023 22:05:28 +0100 Subject: [PATCH 203/379] chore(terraform/databricks): delete a false attribute --- .../databricks/cluster_gcp_attributes/test/positive1.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf index 15e63e828c2..986583d715d 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf @@ -10,6 +10,5 @@ resource "databricks_cluster" "this" { gcp_attributes { availability = "PREEMPTIBLE_GCP" zone_id = "AUTO" - spot_bid_price_percent = 100 } } From 4d03ecfe6fe8e2df6761268432f3ce90745d3629 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Fri, 20 Jan 2023 08:37:25 +0100 Subject: [PATCH 204/379] chore(terraform/databricks): modify category --- .../terraform/databricks/use_spark_submit_task/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json index 28e75dccb49..02a0beb0480 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json 
@@ -2,7 +2,7 @@ "id": "375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7", "queryName": "Job's Task is Legacy (spark_submit_task)", "severity": "MEDIUM", - "category": "Networking and Firewall", + "category": "Best Practices", "descriptionText": "Job's Task Is spark_submit_task", "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/job#spark_submit_task-configuration-block", "descriptionID": "fdaa059f", From 8cc7c934295c47e81c9d95424304fcfa38bc6ec4 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Fri, 20 Jan 2023 08:58:18 +0100 Subject: [PATCH 205/379] feat(terraform/databricks): check LTS spark version --- .../not_use_lts_spark_version/metadata.json | 11 +++++++++ .../not_use_lts_spark_version/query.rego | 19 +++++++++++++++ .../test/negative.tf | 23 +++++++++++++++++++ .../test/positive1.tf | 22 ++++++++++++++++++ .../test/positive2.tf | 23 +++++++++++++++++++ .../test/positive_expected_result.json | 12 ++++++++++ 6 files changed, 110 insertions(+) create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/metadata.json create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/metadata.json b/assets/queries/terraform/databricks/not_use_lts_spark_version/metadata.json new file mode 100644 index 00000000000..88aa0d001e6 --- /dev/null +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6",
+ "queryName": "Check use no LTS Spark Version",
+ "severity": "MEDIUM",
+ "category": "Best Practices",
+ "descriptionText": "Spark Version is not a Long-term Support",
+ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/spark_version",
+ "descriptionID": "fdaa059f",
+ "platform": "Terraform",
+ "cloudProvider": "common"
+}
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego
new file mode 100644
index 00000000000..7f01f854e57
--- /dev/null
+++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego
@@ -0,0 +1,19 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].data.databricks_spark_version[name]
+
+ not resource.long_term_support
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_spark_version",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_spark_version[%s].long_term_support", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_spark_version[%s]' should be a LTS version'", [name]),
+ "keyActualValue": sprintf("'databricks_spark_version[%s]' is not a LTS version'", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf
new file mode 100644
index 00000000000..cffd5bdd501
--- /dev/null
+++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf
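Review bot: `"descriptionID": "fdaa059f"` is the same value the use_spark_submit_task metadata carries in the preceding commit, so two distinct queries now share a descriptionID. If that field is meant to identify a query's description on its own (it looks like a short hash, which would differ for a different text), generate a fresh value for this query instead of reusing the copied one.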
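Review bot: Both messages close with a single quote that is never opened — `should be a LTS version'` and `is not a LTS version'` — so drop the trailing `'` in `keyExpectedValue` and `keyActualValue`. The rule also only inspects `data "databricks_spark_version"` blocks, so a `databricks_cluster` whose `spark_version` is a literal runtime string is never evaluated; that is a reasonable scope, but it deserves a comment above the rule such as `# Only runtimes selected through the databricks_spark_version data source are checked; literal spark_version strings on clusters are not evaluated.` so the gap is not mistaken for coverage.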
@@ -0,0 +1,23 @@ +data "databricks_node_type" "negative_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +data "databricks_spark_version" "negative_gpu_ml" { + gpu = true + ml = true + long_term_support = true +} + +resource "databricks_cluster" "negative_research" { + cluster_name = "Research Cluster" + spark_version = data.databricks_spark_version.negative_gpu_ml.id + node_type_id = data.databricks_node_type.negative_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive1.tf b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive1.tf new file mode 100644 index 00000000000..60b9470370b --- /dev/null +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive1.tf @@ -0,0 +1,22 @@ +data "databricks_node_type" "postive1_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +data "databricks_spark_version" "postive1_gpu_ml" { + gpu = true + ml = true +} + +resource "databricks_cluster" "positive1_research" { + cluster_name = "Research Cluster" + spark_version = data.databricks_spark_version.postive1_gpu_ml.id + node_type_id = data.databricks_node_type.postive1_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive2.tf b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive2.tf new file mode 100644 index 00000000000..9030810c41f --- /dev/null +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive2.tf 
@@ -0,0 +1,23 @@ +data "databricks_node_type" "positive2_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +data "databricks_spark_version" "positive2_gpu_ml" { + gpu = true + ml = true + long_term_support = false +} + +resource "databricks_cluster" "positive2_research" { + cluster_name = "Research Cluster" + spark_version = data.databricks_spark_version.positive2_gpu_ml.id + node_type_id = data.databricks_node_type.positive2_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json new file mode 100644 index 00000000000..94fa5ab8596 --- /dev/null +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json @@ -0,0 +1,12 @@ +[ + { + "queryName": "Check use no LTS Spark Version", + "severity": "MEDIUM", + "line": 8 + }, + { + "queryName": "Check use no LTS Spark Version", + "severity": "MEDIUM", + "line": 11 + } +] From b212e95920df28c865f792b979b5c214c12ede06 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Sat, 21 Jan 2023 17:09:49 +0100 Subject: [PATCH 206/379] feat(terraform/databricks): check permissions --- .../databricks_permissions/metadata.json | 11 ++++ .../databricks_permissions/query.rego | 66 +++++++++++++++++++ .../databricks_permissions/test/negative1.tf | 38 +++++++++++ .../databricks_permissions/test/negative2.tf | 29 ++++++++ .../databricks_permissions/test/positive1.tf | 53 +++++++++++++++ .../databricks_permissions/test/positive2.tf | 40 +++++++++++ .../databricks_permissions/test/positive3.tf | 38 +++++++++++ .../test/positive_expected_result.json | 20 ++++++ 8 files changed, 295 insertions(+) create mode 100755 assets/queries/terraform/databricks/databricks_permissions/metadata.json create mode 100644 assets/queries/terraform/databricks/databricks_permissions/query.rego create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf create mode 100755 assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json diff --git a/assets/queries/terraform/databricks/databricks_permissions/metadata.json b/assets/queries/terraform/databricks/databricks_permissions/metadata.json new file mode 100755 index 00000000000..4f50f0c3772 --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5",
+ "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "Databricks Cluster and Job must have restricted permissions",
+ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions",
+ "platform": "Terraform",
+ "descriptionID": "66b9bc6e",
+ "cloudProvider": "common"
+}
diff --git a/assets/queries/terraform/databricks/databricks_permissions/query.rego b/assets/queries/terraform/databricks/databricks_permissions/query.rego
new file mode 100644
index 00000000000..68e516e7ad3
--- /dev/null
+++ b/assets/queries/terraform/databricks/databricks_permissions/query.rego
@@ -0,0 +1,66 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ databricks_job := input.document[i].resource.databricks_job[name]
+
+ is_associated_to_job(name, input.document[i])
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_job",
+ "resourceName": tf_lib.get_specific_resource_name(databricks_job, "databricks_job", name),
+ "searchKey": sprintf("databricks_job[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'databricks_job[%s]' should have permissions", [name]),
+ "keyActualValue": sprintf("'databricks_job[%s]' doesn't have permission associated", [name]),
+ }
+}
+
+is_associated_to_job(databricks_job_name, doc) {
+ [path, value] := walk(doc)
+ databricks_permissions_used := value.databricks_permissions[_]
+ not contains(databricks_permissions_used.job_id, sprintf("databricks_job.%s", [databricks_job_name]))
+}
+
+
+CxPolicy[result] {
+ databricks_cluster := input.document[i].resource.databricks_cluster[name]
+
+ is_associated_to_cluster(name, input.document[i])
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_cluster",
+ "resourceName": tf_lib.get_specific_resource_name(databricks_cluster, "databricks_cluster", name),
+ "searchKey": sprintf("databricks_cluster[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s]' should have permissions", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s]' doesn't have permission associated", [name]),
+ }
+}
+
+is_associated_to_cluster(databricks_cluster_name, doc) {
+ [path, value] := walk(doc)
+ databricks_permissions_used := value.databricks_permissions[_]
+ not contains(databricks_permissions_used.cluster_id, sprintf("databricks_cluster.%s", [databricks_cluster_name]))
+}
+
+CxPolicy[result] {
+ databricks_permissions := input.document[i].resource.databricks_permissions[name]
+
+ some j
+ databricks_permissions.access_control[j].permission_level == "IS_OWNER"; not databricks_permissions.access_control[j].service_principal_name
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_permissions",
+ "resourceName": tf_lib.get_specific_resource_name(databricks_permissions, "databricks_permissions", name),
+ "searchKey": sprintf("databricks_permissions.[%s]", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_permissions[%s]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", [name]),
+ "keyActualValue": sprintf("'databricks_permissions[%s]' have permission_level == 'IS_OWNER' without service_principal_name associated", [name]),
+ }
+}
diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf b/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf
new file mode 100644
index 00000000000..d6c2511b366
--- /dev/null
+++ b/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf
@@ -0,0 +1,38 @@
+resource "databricks_job" "negative1" {
+ name = "Featurization"
+ max_concurrent_runs = 1
+
+ new_cluster {
+ num_workers = 300
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ }
+
+ notebook_task {
+ notebook_path = "/Production/MakeFeatures"
+ }
+}
+
+resource "databricks_permissions" "job_usage" {
+ job_id = databricks_job.negative1.id
+
+ access_control {
+ group_name = "users"
+ permission_level = "CAN_VIEW"
+ }
+
+ access_control {
+ group_name = databricks_group.auto.display_name
+ permission_level = "CAN_MANAGE_RUN"
+ }
+
+ access_control {
+ group_name = databricks_group.eng.display_name
+ permission_level = "CAN_MANAGE"
+ }
+
+ access_control {
+ service_principal_name = databricks_service_principal.aws_principal.application_id
+ permission_level = "IS_OWNER"
+ }
+}
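Review bot: `is_associated_to_job` and `is_associated_to_cluster` encode the check backwards: they succeed as soon as any `databricks_permissions` block in the document does not reference the resource, instead of failing only when none does. Two consequences follow from the visible code: a file holding one job with its own permissions and one cluster with its own permissions flags both, because the cluster's block has no `job_id`, so `contains(...)` is undefined and `not` succeeds (and vice versa for the job's block and `cluster_id`); and a file with no `databricks_permissions` at all yields no finding, because `value.databricks_permissions[_]` never binds — the "None" case in the query name is not detected. Replace each helper with a positive existence check and negate it in the rule, as sketched below; the added negative1/negative2/positive1/positive2/positive3 fixtures should keep their expected results (not run here). The trailing `.` in the `sprintf` pattern stops `databricks_job.positive1` from also matching `databricks_job.positive1_error`, which the current prefix match allows. Keep `walk(doc)` only if permissions can legitimately appear outside `doc.resource`; otherwise the direct path is sufficient and cheaper.
```rego
CxPolicy[result] {
	databricks_job := input.document[i].resource.databricks_job[name]

	not has_job_permissions(name, input.document[i])

	# … unchanged: result object …
}

# True when some databricks_permissions block references this job
# through its Terraform address (databricks_job.<name>.id).
has_job_permissions(databricks_job_name, doc) {
	perms := doc.resource.databricks_permissions[_]
	is_string(perms.job_id)
	contains(perms.job_id, sprintf("databricks_job.%s.", [databricks_job_name]))
}

# … unchanged: cluster rule, with `not has_cluster_permissions(name, input.document[i])` …

# True when some databricks_permissions block references this cluster
# through its Terraform address (databricks_cluster.<name>.id).
has_cluster_permissions(databricks_cluster_name, doc) {
	perms := doc.resource.databricks_permissions[_]
	is_string(perms.cluster_id)
	contains(perms.cluster_id, sprintf("databricks_cluster.%s.", [databricks_cluster_name]))
}
```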
diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf b/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf new file mode 100644 index 00000000000..8fa030cee7c --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf @@ -0,0 +1,29 @@ +resource "databricks_cluster" "negative2" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 60 + autoscale { + min_workers = 1 + max_workers = 10 + } +} + +resource "databricks_permissions" "cluster_usage" { + cluster_id = databricks_cluster.negative2.id + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_ATTACH_TO" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_RESTART" + } + + access_control { + group_name = databricks_group.ds.display_name + permission_level = "CAN_MANAGE" + } +} diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf new file mode 100644 index 00000000000..26ec157bf3c --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf 
@@ -0,0 +1,53 @@ +resource "databricks_job" "positive1" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_job" "positive1_error" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "job_usage" { + job_id = databricks_job.positive1.id + + access_control { + group_name = "users" + permission_level = "CAN_VIEW" + } + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_MANAGE_RUN" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_MANAGE" + } + + access_control { + service_principal_name = databricks_service_principal.aws_principal.application_id + permission_level = "IS_OWNER" + } +} diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf new file mode 100644 index 00000000000..b49858b1cd2 --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf 
@@ -0,0 +1,40 @@ +resource "databricks_cluster" "positive2" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 60 + autoscale { + min_workers = 1 + max_workers = 10 + } +} + +resource "databricks_cluster" "positive2_error" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 60 + autoscale { + min_workers = 1 + max_workers = 10 + } +} + +resource "databricks_permissions" "cluster_usage" { + cluster_id = databricks_cluster.positive2.id + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_ATTACH_TO" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_RESTART" + } + + access_control { + group_name = databricks_group.ds.display_name + permission_level = "CAN_MANAGE" + } +} diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf new file mode 100644 index 00000000000..237e945b376 --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf 
@@ -0,0 +1,38 @@ +resource "databricks_job" "positive3" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "job_usage" { + job_id = databricks_job.positive3.id + + access_control { + group_name = "users" + permission_level = "CAN_VIEW" + } + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_MANAGE_RUN" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_MANAGE" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "IS_OWNER" + } +} diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json new file mode 100755 index 00000000000..5ea31958b68 --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json @@ -0,0 +1,20 @@ +[ + { + "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", + "severity": "HIGH", + "line": 16, + "fileName": "positive1.tf" + }, + { + "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", + "severity": "HIGH", + "line": 12, + "fileName": "positive2.tf" + }, + { + "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", + "severity": "HIGH", + "line": 16, + "fileName": "positive3.tf" + } +] From 0b9d160f2c0596653204e9209c352f5fb78830b0 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Sat, 21 Jan 2023 17:13:55 +0100 Subject: [PATCH 207/379] chore(terraform/databricks): associate result with filename --- .../test/positive_expected_result.json | 6 ++++-- .../test/positive_expected_result.json | 12 ++++++++---- .../test/positive_expected_result.json | 9 ++++++--- .../test/positive_expected_result.json | 3 ++- .../test/positive_expected_result.json | 6 ++++-- .../test/positive_expected_result.json | 3 ++- .../test/positive_expected_result.json | 3 ++- .../test/positive_expected_result.json | 6 ++++-- .../test/positive_expected_result.json | 6 ++++-- .../test/positive_expected_result.json | 6 ++++-- 10 files changed, 40 insertions(+), 20 deletions(-) diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json index a6091a36ca1..7b122be2d1e 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json @@ -2,11 +2,13 @@ { "queryName": "Databricks Autoscale Badly Setup", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive1.tf" }, { "queryName": "Databricks Autoscale Badly Setup", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive2.tf" } ] diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json index be2f8142f47..fad519ef7d2 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json 
@@ -2,21 +2,25 @@ { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive1.tf" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive2.tf" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive3.tf" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", - "line": 12 + "line": 12, + "fileName": "positive4.tf" } ] diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index 001a77b057b..71bb6d4e396 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json @@ -2,16 +2,19 @@ { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive1.tf" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive2.tf" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive3.tf" } ] diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json index 5ebfaf8c459..e9fc7e3912b 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json 
@@ -2,6 +2,7 @@ { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive1.tf" } ] diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json index 8adeff90c4c..0fadf818ea4 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json @@ -2,11 +2,13 @@ { "queryName": "Databricks Group Without User Or Instance Profile", "severity": "LOW", - "line": 16 + "line": 16, + "fileName": "positive1.tf" }, { "queryName": "Databricks Group Without User Or Instance Profile", "severity": "LOW", - "line": 14 + "line": 14, + "fileName": "positive2.tf" } ] diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json index 62c4d425835..cc134659b5a 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json @@ -2,6 +2,7 @@ { "queryName": "Indefinitely Databricks OBO Token Lifetime", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf" } ] diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json index a2999c2e199..804551b008f 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json 
+++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json @@ -2,6 +2,7 @@ { "queryName": "Indefinitely Databricks Token Lifetime", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf" } ] diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json index 94fa5ab8596..50b5e8f7247 100644 --- a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json @@ -2,11 +2,13 @@ { "queryName": "Check use no LTS Spark Version", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive1.tf" }, { "queryName": "Check use no LTS Spark Version", "severity": "MEDIUM", - "line": 11 + "line": 11, + "fileName": "positive2.tf" } ] diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json index ef9a9ede78b..a70c25b0fd1 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json @@ -2,11 +2,13 @@ { "queryName": "Unrestricted Databricks ACL", "severity": "HIGH", - "line": 10 + "line": 10, + "fileName": "positive1.tf" }, { "queryName": "Unrestricted Databricks ACL", "severity": "HIGH", - "line": 10 + "line": 10, + "fileName": "positive2.tf" } ] diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 6fc2dd18985..f115199fa4a 100644 
--- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json @@ -2,11 +2,13 @@ { "queryName": "Job's Task is Legacy (spark_submit_task)", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive1.tf" }, { "queryName": "Job's Task is Legacy (spark_submit_task)", "severity": "MEDIUM", - "line": 26 + "line": 26, + "fileName": "positive2.tf" } ] From d58df9985faa8272ed01bec80be5692f29f1c0f6 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Sun, 22 Jan 2023 15:03:34 +0100 Subject: [PATCH 208/379] fix(terraform/databricks): queryName --- .../terraform/databricks/cluster_azure_attributes/metadata.json | 2 +- .../terraform/databricks/cluster_gcp_attributes/metadata.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json index 000e5b11ac5..e2dc7e4f9dd 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json @@ -1,6 +1,6 @@ { "id": "38028698-e663-4ef7-aa92-773fef0ca86f", - "queryName": "Check Databricks Cluster AWS Attribute Best Practices", + "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", "category": "Best Practices", "descriptionText": "One or some Databricks Cluster Azure Attribute Best Practices are not respected", diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json index 43bd1fa5a8f..128c9ad7cbb 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json 
@@ -1,6 +1,6 @@ { "id": "539e4557-d2b5-4d57-a001-cb01140a4e2d", - "queryName": "Check Databricks Cluster AWS Attribute Best Practices", + "queryName": "Check Databricks Cluster GCP Attribute Best Practices", "severity": "LOW", "category": "Best Practices", "descriptionText": "One or some Databricks Cluster GCP Attribute Best Practices are not respected", From 0b4773534af2f5b9977dc693847c33e7ac83ff34 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Sun, 22 Jan 2023 15:11:50 +0100 Subject: [PATCH 209/379] chore(terraform/databricks): check permissions add query and tests --- .../databricks_permissions/query.rego | 16 + .../databricks_permissions/test/negative3.tf | 23 ++ .../databricks_permissions/test/positive4.tf | 23 ++ .../test/positive_expected_result.json | 6 + .../databricks_permissions/toto.json | 287 ++++++++++++++++++ 5 files changed, 355 insertions(+) create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf create mode 100644 assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf create mode 100755 assets/queries/terraform/databricks/databricks_permissions/toto.json diff --git a/assets/queries/terraform/databricks/databricks_permissions/query.rego b/assets/queries/terraform/databricks/databricks_permissions/query.rego index 68e516e7ad3..d0093b0b91d 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/query.rego +++ b/assets/queries/terraform/databricks/databricks_permissions/query.rego 
@@ -48,6 +48,22 @@ is_associated_to_cluster(databricks_cluster_name, doc) { not contains(databricks_permissions_used.cluster_id, sprintf("databricks_cluster.%s", [databricks_cluster_name])) } +CxPolicy[result] { + databricks_permissions := input.document[i].resource.databricks_permissions[name] + + databricks_permissions.access_control.permission_level == "IS_OWNER"; not databricks_permissions.access_control.service_principal_name + + result := { + "documentId": input.document[i].id, + "resourceType": "databricks_permissions", + "resourceName": tf_lib.get_specific_resource_name(databricks_permissions, "databricks_permissions", name), + "searchKey": sprintf("databricks_permissions.[%s]", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'databricks_permissions[%s]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", [name]), + "keyActualValue": sprintf("'databricks_permissions[%s]' have permission_level == 'IS_OWNER' without service_principal_name associated", [name]), + } +} + CxPolicy[result] { databricks_permissions := input.document[i].resource.databricks_permissions[name] diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf b/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf new file mode 100644 index 00000000000..0a7d7cb9cca --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf 
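Review bot: The new rule only matches the single-block form of `access_control` (an object with a `permission_level` key), so a `databricks_permissions` resource with several `access_control` blocks — which the parser renders as a list, as the scanner dump added in this same commit shows for positive3 — never reaches the `IS_OWNER` comparison and the ownership check silently passes for it. If the sibling rules below (cut off at the end of the hunk) already iterate `access_control[_]`, this rule should reuse that; otherwise a small helper that wraps the object form into a list lets one rule cover both shapes. Note also that `not ... service_principal_name` flags a `user_name` owner as well as a `group_name` one; if a human owner is deliberately treated as insecure, say so in `keyExpectedValue`, otherwise accept `user_name` too. The policy file continues past the hunk, so the later rules are not visible here.
```rego
CxPolicy[result] {
	databricks_permissions := input.document[i].resource.databricks_permissions[name]
	access_control := access_control_blocks(databricks_permissions)[_]

	access_control.permission_level == "IS_OWNER"
	not access_control.service_principal_name

	# … unchanged: result object …
}

# Normalize access_control to a list so single-block and multi-block resources are checked alike.
access_control_blocks(p) = p.access_control {
	is_array(p.access_control)
}

access_control_blocks(p) = [p.access_control] {
	is_object(p.access_control)
}
```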
@@ -0,0 +1,23 @@ +resource "databricks_job" "negative3" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "job_usage" { + job_id = databricks_job.negative3.id + + access_control { + service_principal_name = databricks_service_principal.aws_principal.application_id + permission_level = "IS_OWNER" + } +} diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf new file mode 100644 index 00000000000..6813c2e7709 --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf @@ -0,0 +1,23 @@ +resource "databricks_job" "positive4" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "job_usage" { + job_id = databricks_job.positive4.id + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "IS_OWNER" + } +} diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json index 5ea31958b68..fa8ae3b3161 100755 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json 
@@ -16,5 +16,11 @@ "severity": "HIGH", "line": 16, "fileName": "positive3.tf" + }, + { + "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", + "severity": "HIGH", + "line": 16, + "fileName": "positive4.tf" } ] diff --git a/assets/queries/terraform/databricks/databricks_permissions/toto.json b/assets/queries/terraform/databricks/databricks_permissions/toto.json new file mode 100755 index 00000000000..f0f993a6829 --- /dev/null +++ b/assets/queries/terraform/databricks/databricks_permissions/toto.json 
@@ -0,0 +1,287 @@ +{ + "document": [ + { + "id": "6a71f23c-7171-4f08-9d15-b31eee142380", + "resource": { + "databricks_job": { + "negative1": { + "max_concurrent_runs": 1, + "name": "Featurization", + "new_cluster": { + "node_type_id": "${data.databricks_node_type.smallest.id}", + "num_workers": 300, + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "notebook_task": { + "notebook_path": "/Production/MakeFeatures" + } + } + }, + "databricks_permissions": { + "job_usage": { + "access_control": [ + { + "group_name": "users", + "permission_level": "CAN_VIEW" + }, + { + "group_name": "${databricks_group.auto.display_name}", + "permission_level": "CAN_MANAGE_RUN" + }, + { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "CAN_MANAGE" + }, + { + "permission_level": "IS_OWNER", + "service_principal_name": "${databricks_service_principal.aws_principal.application_id}" + } + ], + "job_id": "${databricks_job.negative1.id}" + } + } + }, + "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf" + }, + { + "id": "f922a6c8-2e51-44a8-8cda-220bbbb5c461", + "resource": { + "databricks_cluster": { + "negative2": { + "autoscale": { + "max_workers": 10, + "min_workers": 1 + }, + "autotermination_minutes": 60, + "cluster_name": "Shared Autoscaling", + "node_type_id": "${data.databricks_node_type.smallest.id}", + "spark_version": "${data.databricks_spark_version.latest.id}" + } + }, + "databricks_permissions": { + "cluster_usage": { + "access_control": [ + { + "group_name": "${databricks_group.auto.display_name}", + "permission_level": "CAN_ATTACH_TO" + }, + { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "CAN_RESTART" + }, + { + "group_name": "${databricks_group.ds.display_name}", + "permission_level": "CAN_MANAGE" + } + ], + "cluster_id": "${databricks_cluster.negative2.id}" + } + } + }, + "file": 
"/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf" + }, + { + "id": "44189886-236f-4bb5-9754-e738a5b86186", + "resource": { + "databricks_job": { + "negative3": { + "max_concurrent_runs": 1, + "name": "Featurization", + "new_cluster": { + "node_type_id": "${data.databricks_node_type.smallest.id}", + "num_workers": 300, + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "notebook_task": { + "notebook_path": "/Production/MakeFeatures" + } + } + }, + "databricks_permissions": { + "job_usage": { + "access_control": { + "permission_level": "IS_OWNER", + "service_principal_name": "${databricks_service_principal.aws_principal.application_id}" + }, + "job_id": "${databricks_job.negative3.id}" + } + } + }, + "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf" + }, + { + "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf", + "id": "336fb3bb-d9e8-40b3-b755-605c83ab3e04", + "resource": { + "databricks_job": { + "positive1": { + "max_concurrent_runs": 1, + "name": "Featurization", + "new_cluster": { + "node_type_id": "${data.databricks_node_type.smallest.id}", + "num_workers": 300, + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "notebook_task": { + "notebook_path": "/Production/MakeFeatures" + } + }, + "positive1_error": { + "max_concurrent_runs": 1, + "name": "Featurization", + "new_cluster": { + "node_type_id": "${data.databricks_node_type.smallest.id}", + "num_workers": 300, + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "notebook_task": { + "notebook_path": "/Production/MakeFeatures" + } + } + }, + "databricks_permissions": { + "job_usage": { + "access_control": [ + { + "group_name": "users", + "permission_level": "CAN_VIEW" + }, + { + "group_name": 
"${databricks_group.auto.display_name}", + "permission_level": "CAN_MANAGE_RUN" + }, + { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "CAN_MANAGE" + }, + { + "permission_level": "IS_OWNER", + "service_principal_name": "${databricks_service_principal.aws_principal.application_id}" + } + ], + "job_id": "${databricks_job.positive1.id}" + } + } + } + }, + { + "id": "146e6ccb-1f28-4090-8822-7fc32f85ab1c", + "resource": { + "databricks_cluster": { + "positive2": { + "autoscale": { + "max_workers": 10, + "min_workers": 1 + }, + "autotermination_minutes": 60, + "cluster_name": "Shared Autoscaling", + "node_type_id": "${data.databricks_node_type.smallest.id}", + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "positive2_error": { + "autoscale": { + "max_workers": 10, + "min_workers": 1 + }, + "autotermination_minutes": 60, + "cluster_name": "Shared Autoscaling", + "node_type_id": "${data.databricks_node_type.smallest.id}", + "spark_version": "${data.databricks_spark_version.latest.id}" + } + }, + "databricks_permissions": { + "cluster_usage": { + "access_control": [ + { + "group_name": "${databricks_group.auto.display_name}", + "permission_level": "CAN_ATTACH_TO" + }, + { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "CAN_RESTART" + }, + { + "group_name": "${databricks_group.ds.display_name}", + "permission_level": "CAN_MANAGE" + } + ], + "cluster_id": "${databricks_cluster.positive2.id}" + } + } + }, + "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf" + }, + { + "id": "5f30cc00-1c48-43a9-b7d3-2074e9841024", + "resource": { + "databricks_job": { + "positive3": { + "max_concurrent_runs": 1, + "name": "Featurization", + "new_cluster": { + "node_type_id": "${data.databricks_node_type.smallest.id}", + "num_workers": 300, + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "notebook_task": { 
+ "notebook_path": "/Production/MakeFeatures" + } + } + }, + "databricks_permissions": { + "job_usage": { + "access_control": [ + { + "group_name": "users", + "permission_level": "CAN_VIEW" + }, + { + "group_name": "${databricks_group.auto.display_name}", + "permission_level": "CAN_MANAGE_RUN" + }, + { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "CAN_MANAGE" + }, + { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "IS_OWNER" + } + ], + "job_id": "${databricks_job.positive3.id}" + } + } + }, + "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf" + }, + { + "id": "db48835d-8e25-4597-a3f7-391f7914fe6e", + "resource": { + "databricks_job": { + "positive4": { + "max_concurrent_runs": 1, + "name": "Featurization", + "new_cluster": { + "node_type_id": "${data.databricks_node_type.smallest.id}", + "num_workers": 300, + "spark_version": "${data.databricks_spark_version.latest.id}" + }, + "notebook_task": { + "notebook_path": "/Production/MakeFeatures" + } + } + }, + "databricks_permissions": { + "job_usage": { + "access_control": { + "group_name": "${databricks_group.eng.display_name}", + "permission_level": "IS_OWNER" + }, + "job_id": "${databricks_job.positive4.id}" + } + } + }, + "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf" + } + ] +} From 382ac83663e400996e771624d67e974d74201bdb Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Sun, 22 Jan 2023 15:16:58 +0100 Subject: [PATCH 210/379] clean(terraform/databricks): delete files unused --- .../databricks_permissions/toto.json | 287 ------------------ 1 file changed, 287 deletions(-) delete mode 100755 assets/queries/terraform/databricks/databricks_permissions/toto.json 
diff --git a/assets/queries/terraform/databricks/databricks_permissions/toto.json b/assets/queries/terraform/databricks/databricks_permissions/toto.json deleted file mode 100755 index f0f993a6829..00000000000 --- a/assets/queries/terraform/databricks/databricks_permissions/toto.json +++ /dev/null 
@@ -1,287 +0,0 @@ -{ - "document": [ - { - "id": "6a71f23c-7171-4f08-9d15-b31eee142380", - "resource": { - "databricks_job": { - "negative1": { - "max_concurrent_runs": 1, - "name": "Featurization", - "new_cluster": { - "node_type_id": "${data.databricks_node_type.smallest.id}", - "num_workers": 300, - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "notebook_task": { - "notebook_path": "/Production/MakeFeatures" - } - } - }, - "databricks_permissions": { - "job_usage": { - "access_control": [ - { - "group_name": "users", - "permission_level": "CAN_VIEW" - }, - { - "group_name": "${databricks_group.auto.display_name}", - "permission_level": "CAN_MANAGE_RUN" - }, - { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "CAN_MANAGE" - }, - { - "permission_level": "IS_OWNER", - "service_principal_name": "${databricks_service_principal.aws_principal.application_id}" - } - ], - "job_id": "${databricks_job.negative1.id}" - } - } - }, - "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf" - }, - { - "id": "f922a6c8-2e51-44a8-8cda-220bbbb5c461", - "resource": { - "databricks_cluster": { - "negative2": { - "autoscale": { - "max_workers": 10, - "min_workers": 1 - }, - "autotermination_minutes": 60, - "cluster_name": "Shared Autoscaling", - "node_type_id": "${data.databricks_node_type.smallest.id}", - "spark_version": "${data.databricks_spark_version.latest.id}" - } - }, - "databricks_permissions": { - "cluster_usage": { - "access_control": [ - { - "group_name": "${databricks_group.auto.display_name}", - "permission_level": "CAN_ATTACH_TO" - }, - { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "CAN_RESTART" - }, - { - "group_name": "${databricks_group.ds.display_name}", - "permission_level": "CAN_MANAGE" - } - ], - "cluster_id": "${databricks_cluster.negative2.id}" - } - } - }, - "file": 
"/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf" - }, - { - "id": "44189886-236f-4bb5-9754-e738a5b86186", - "resource": { - "databricks_job": { - "negative3": { - "max_concurrent_runs": 1, - "name": "Featurization", - "new_cluster": { - "node_type_id": "${data.databricks_node_type.smallest.id}", - "num_workers": 300, - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "notebook_task": { - "notebook_path": "/Production/MakeFeatures" - } - } - }, - "databricks_permissions": { - "job_usage": { - "access_control": { - "permission_level": "IS_OWNER", - "service_principal_name": "${databricks_service_principal.aws_principal.application_id}" - }, - "job_id": "${databricks_job.negative3.id}" - } - } - }, - "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf" - }, - { - "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf", - "id": "336fb3bb-d9e8-40b3-b755-605c83ab3e04", - "resource": { - "databricks_job": { - "positive1": { - "max_concurrent_runs": 1, - "name": "Featurization", - "new_cluster": { - "node_type_id": "${data.databricks_node_type.smallest.id}", - "num_workers": 300, - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "notebook_task": { - "notebook_path": "/Production/MakeFeatures" - } - }, - "positive1_error": { - "max_concurrent_runs": 1, - "name": "Featurization", - "new_cluster": { - "node_type_id": "${data.databricks_node_type.smallest.id}", - "num_workers": 300, - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "notebook_task": { - "notebook_path": "/Production/MakeFeatures" - } - } - }, - "databricks_permissions": { - "job_usage": { - "access_control": [ - { - "group_name": "users", - "permission_level": "CAN_VIEW" - }, - { - "group_name": 
"${databricks_group.auto.display_name}", - "permission_level": "CAN_MANAGE_RUN" - }, - { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "CAN_MANAGE" - }, - { - "permission_level": "IS_OWNER", - "service_principal_name": "${databricks_service_principal.aws_principal.application_id}" - } - ], - "job_id": "${databricks_job.positive1.id}" - } - } - } - }, - { - "id": "146e6ccb-1f28-4090-8822-7fc32f85ab1c", - "resource": { - "databricks_cluster": { - "positive2": { - "autoscale": { - "max_workers": 10, - "min_workers": 1 - }, - "autotermination_minutes": 60, - "cluster_name": "Shared Autoscaling", - "node_type_id": "${data.databricks_node_type.smallest.id}", - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "positive2_error": { - "autoscale": { - "max_workers": 10, - "min_workers": 1 - }, - "autotermination_minutes": 60, - "cluster_name": "Shared Autoscaling", - "node_type_id": "${data.databricks_node_type.smallest.id}", - "spark_version": "${data.databricks_spark_version.latest.id}" - } - }, - "databricks_permissions": { - "cluster_usage": { - "access_control": [ - { - "group_name": "${databricks_group.auto.display_name}", - "permission_level": "CAN_ATTACH_TO" - }, - { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "CAN_RESTART" - }, - { - "group_name": "${databricks_group.ds.display_name}", - "permission_level": "CAN_MANAGE" - } - ], - "cluster_id": "${databricks_cluster.positive2.id}" - } - } - }, - "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf" - }, - { - "id": "5f30cc00-1c48-43a9-b7d3-2074e9841024", - "resource": { - "databricks_job": { - "positive3": { - "max_concurrent_runs": 1, - "name": "Featurization", - "new_cluster": { - "node_type_id": "${data.databricks_node_type.smallest.id}", - "num_workers": 300, - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "notebook_task": { 
- "notebook_path": "/Production/MakeFeatures" - } - } - }, - "databricks_permissions": { - "job_usage": { - "access_control": [ - { - "group_name": "users", - "permission_level": "CAN_VIEW" - }, - { - "group_name": "${databricks_group.auto.display_name}", - "permission_level": "CAN_MANAGE_RUN" - }, - { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "CAN_MANAGE" - }, - { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "IS_OWNER" - } - ], - "job_id": "${databricks_job.positive3.id}" - } - } - }, - "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf" - }, - { - "id": "db48835d-8e25-4597-a3f7-391f7914fe6e", - "resource": { - "databricks_job": { - "positive4": { - "max_concurrent_runs": 1, - "name": "Featurization", - "new_cluster": { - "node_type_id": "${data.databricks_node_type.smallest.id}", - "num_workers": 300, - "spark_version": "${data.databricks_spark_version.latest.id}" - }, - "notebook_task": { - "notebook_path": "/Production/MakeFeatures" - } - } - }, - "databricks_permissions": { - "job_usage": { - "access_control": { - "group_name": "${databricks_group.eng.display_name}", - "permission_level": "IS_OWNER" - }, - "job_id": "${databricks_job.positive4.id}" - } - } - }, - "file": "/Users/dgrisard/bedrock/opensource/dim-ops/kics/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf" - } - ] -} From 7bc822e813e865ce92bbadb29aed4f6795f60a59 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Sun, 22 Jan 2023 15:41:43 +0100 Subject: [PATCH 211/379] chore(terraform/databricks): improve spark_version LTS check --- .../not_use_lts_spark_version/query.rego | 16 ++++++++++++++++ .../test/{negative.tf => negative1.tf} | 10 +++++----- .../not_use_lts_spark_version/test/negative2.tf | 17 +++++++++++++++++ .../not_use_lts_spark_version/test/positive3.tf | 17 +++++++++++++++++ .../test/positive_expected_result.json | 6 ++++++ 5 files changed, 61 insertions(+), 5 deletions(-) rename assets/queries/terraform/databricks/not_use_lts_spark_version/test/{negative.tf => negative1.tf} (57%) create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative2.tf create mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive3.tf diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego index 7f01f854e57..785a066024d 100644 --- a/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego @@ -17,3 +17,19 @@ CxPolicy[result] { "keyActualValue": sprintf("'databricks_spark_version[%s]' is not a LTS version'", [name]), } } + +CxPolicy[result] { + resource := input.document[i].resource.databricks_cluster[name] + + not contains(resource.spark_version, "LTS"); not contains(resource.spark_version, "data") + + result := { + "documentId": input.document[i].id, + "resourceType": "databricks_spark_version", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("databricks_cluster[%s].spark_version", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'databricks_cluster[%s].spark_version' should be a LTS version'", [name]), + "keyActualValue": sprintf("'databricks_cluster[%s].spark_version' is not a LTS version'", [name]), + } +} 
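Review bot: `resourceType` in the new rule's result is `databricks_spark_version`, but the rule iterates `input.document[i].resource.databricks_cluster[name]`, so findings are attributed to the wrong resource type; it should read `"resourceType": "databricks_cluster",`. The `not contains(resource.spark_version, "data")` guard is meant to skip references to a `databricks_spark_version` data source, but it also skips any literal version that happens to contain the substring `data`; since the parser renders such references as `${data.…}`, `not startswith(resource.spark_version, "${data.")` expresses the intent precisely. Separately, the LTS test depends on the literal `LTS` appearing in the configured `spark_version`; if the provider's runtime version keys do not carry that label, clusters on an LTS runtime would still be flagged — worth confirming against the provider's accepted values before relying on this rule. The preceding rule is cut off at the start of the hunk.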
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative1.tf similarity index 57% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf rename to assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative1.tf index cffd5bdd501..333aa74379b 100644 --- a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative.tf +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative1.tf @@ -1,20 +1,20 @@ -data "databricks_node_type" "negative_with_gpu" { +data "databricks_node_type" "negative1_with_gpu" { local_disk = true min_cores = 16 gb_per_core = 1 min_gpus = 1 } -data "databricks_spark_version" "negative_gpu_ml" { +data "databricks_spark_version" "negative1_gpu_ml" { gpu = true ml = true long_term_support = true } -resource "databricks_cluster" "negative_research" { +resource "databricks_cluster" "negative1_research" { cluster_name = "Research Cluster" - spark_version = data.databricks_spark_version.negative_gpu_ml.id - node_type_id = data.databricks_node_type.negative_with_gpu.id + spark_version = data.databricks_spark_version.negative1_gpu_ml.id + node_type_id = data.databricks_node_type.negative1_with_gpu.id autotermination_minutes = 20 autoscale { min_workers = 1 diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative2.tf b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative2.tf new file mode 100644 index 00000000000..d4a9717f5d6 --- /dev/null +++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative2.tf 
@@ -0,0 +1,17 @@
+data "databricks_node_type" "negative2_with_gpu" {
+ local_disk = true
+ min_cores = 16
+ gb_per_core = 1
+ min_gpus = 1
+}
+
+resource "databricks_cluster" "negative2_research" {
+ cluster_name = "Research Cluster"
+ spark_version = "3.5 LTS"
+ node_type_id = data.databricks_node_type.negative2_with_gpu.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+}
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive3.tf b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive3.tf
new file mode 100644
index 00000000000..d9e35c67fb5
--- /dev/null
+++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive3.tf
@@ -0,0 +1,17 @@
+data "databricks_node_type" "positive3_with_gpu" {
+ local_disk = true
+ min_cores = 16
+ gb_per_core = 1
+ min_gpus = 1
+}
+
+resource "databricks_cluster" "positive3_research" {
+ cluster_name = "Research Cluster"
+ spark_version = "3.5"
+ node_type_id = data.databricks_node_type.positive2_with_gpu.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+}
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json
index 50b5e8f7247..e7ebf35ebf4 100644
--- a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json
@@ -10,5 +10,11 @@
 "severity": "MEDIUM",
 "line": 11,
 "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Check use no LTS Spark Version",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive3.tf"
 }
 ]
From c8f5f40b4acaa6ee605ecc078eaeb56b92528e43 Mon Sep 17 00:00:00 2001
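Review bot: `node_type_id = data.databricks_node_type.positive2_with_gpu.id` in the new positive3.tf references a data source this file does not declare (the block above it is `positive3_with_gpu`), so the fixture does not validate as standalone Terraform; it should read `node_type_id = data.databricks_node_type.positive3_with_gpu.id`. The expected result for this file (line 10, the `spark_version` attribute) is presumably unaffected because the scanner only needs the file to parse, but the dangling reference is misleading for anyone reusing the fixture.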
From: Dimitri GRISARD Date: Mon, 23 Jan 2023 11:10:33 +0100 Subject: [PATCH 212/379] chore(terraform/databricks): increase severity --- .../databricks/cluster_aws_attributes/metadata.json | 2 +- .../test/positive_expected_result.json | 8 ++++---- .../databricks/cluster_azure_attributes/metadata.json | 2 +- .../test/positive_expected_result.json | 6 +++--- .../databricks/cluster_gcp_attributes/metadata.json | 2 +- .../test/positive_expected_result.json | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json index e4884f95026..7eb47cf253d 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json @@ -1,7 +1,7 @@ { "id": "b0749c53-e3ff-4d09-bbe4-dca94e2e7a38", "queryName": "Check Databricks Cluster AWS Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "category": "Best Practices", "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected", "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json index fad519ef7d2..0b396f9b133 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json 
@@ -1,25 +1,25 @@ [ { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 11, "fileName": "positive1.tf" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 13, "fileName": "positive2.tf" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 10, "fileName": "positive3.tf" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 12, "fileName": "positive4.tf" } diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json index e2dc7e4f9dd..7454795f031 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json @@ -1,7 +1,7 @@ { "id": "38028698-e663-4ef7-aa92-773fef0ca86f", "queryName": "Check Databricks Cluster Azure Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "category": "Best Practices", "descriptionText": "One or some Databricks Cluster Azure Attribute Best Practices are not respected", "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index 71bb6d4e396..d1eddaf3c4a 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json 
@@ -1,19 +1,19 @@ [ { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 11, "fileName": "positive1.tf" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 13, "fileName": "positive2.tf" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 10, "fileName": "positive3.tf" } diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json index 128c9ad7cbb..386bf8b51e3 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json @@ -1,7 +1,7 @@ { "id": "539e4557-d2b5-4d57-a001-cb01140a4e2d", "queryName": "Check Databricks Cluster GCP Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "category": "Best Practices", "descriptionText": "One or some Databricks Cluster GCP Attribute Best Practices are not respected", "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json index e9fc7e3912b..f7526627c61 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json @@ -1,7 +1,7 @@ [ { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", - "severity": "LOW", + "severity": "MEDIUM", "line": 11, "fileName": "positive1.tf" } From 54c55e1bda759be7d4d475390d0589e2f2b51070 Mon Sep 17 00:00:00 2001 
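Review bot: The cluster_gcp_attributes `positive_expected_result.json` hunk keeps `"queryName": "Check Databricks Cluster AWS Attribute Best Practices"` while the cluster_gcp_attributes `metadata.json` hunk in the same commit declares the query as "Check Databricks Cluster GCP Attribute Best Practices". If the test harness matches on queryName, this expected-result entry does not describe the GCP query; the line should read `"queryName": "Check Databricks Cluster GCP Attribute Best Practices",`. Since the commit only touches the severity field, the mismatch is pre-existing but worth fixing while the file is open.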
From: Dimitri GRISARD Date: Tue, 24 Jan 2023 20:05:42 +0100 Subject: [PATCH 213/379] fix(terraform/databricks): spelling mistake --- .../terraform/databricks/autoscale_badly_setup/query.rego | 4 ++-- .../terraform/databricks/cluster_aws_attributes/query.rego | 4 ++-- .../terraform/databricks/cluster_azure_attributes/query.rego | 4 ++-- .../terraform/databricks/cluster_gcp_attributes/query.rego | 2 +- .../queries/terraform/databricks/unrestricted_acl/query.rego | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego index 5b41e7eb304..e6e3c78c733 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].autoscale", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' should not empty", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' should not be empty", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' is not setup'", [name]), } } @@ -27,7 +27,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].autoscale", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' should not empty", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' should not be empty", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].autoscale.max_workers' is not setup'", [name]), } } 
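Review bot: In both autoscale_badly_setup hunks the `keyActualValue` line directly below the corrected `keyExpectedValue` still ends with an unbalanced quote (`... is not setup'`), which this spelling pass leaves in place. Since the message strings are what users see in findings, the trailing `'` should be dropped in the same commit, e.g. `"keyActualValue": sprintf("'databricks_cluster[%s].autoscale.min_workers' is not setup", [name]),` and the matching `max_workers` line.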
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego index e9cf96c0bc2..c0a8a5df2e0 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.availability", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' should not equal to 'SPOT'", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' should not be equal to 'SPOT'", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.availability' is equal to 'SPOT'", [name]), } } @@ -27,7 +27,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.first_on_demand", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' should not equal to '0'", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' should not be equal to '0'", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].aws_attributes.first_on_demand' is equal to '0'", [name]), } } diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego index 46e65da9732..ecbe2969822 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego 
@@ -12,7 +12,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].azure_attributes.availability", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.availability' should not equal to 'SPOT'", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.availability' should not be equal to 'SPOT'", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].azure_attributes.availability' is equal to 'SPOT'", [name]), } } @@ -27,7 +27,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].azure_attributes.first_on_demand", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' should not equal to '0'", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' should not be equal to '0'", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].azure_attributes.first_on_demand' is equal to '0'", [name]), } } diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego b/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego index e28e910fd1a..395841e9b72 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego 
@@ -12,7 +12,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].gcp_attributes.availability", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].gcp_attributes.availability' should not equal to 'SPOT'", [name]), + "keyExpectedValue": sprintf("'databricks_cluster[%s].gcp_attributes.availability' should not be equal to 'SPOT'", [name]), "keyActualValue": sprintf("'databricks_cluster[%s].gcp_attributes.availability' is equal to 'SPOT'", [name]), } } diff --git a/assets/queries/terraform/databricks/unrestricted_acl/query.rego b/assets/queries/terraform/databricks/unrestricted_acl/query.rego index 64ea4ff9584..a4c68fe2302 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/query.rego +++ b/assets/queries/terraform/databricks/unrestricted_acl/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not equal to '0.0.0.0/0' or '::/0'", [name]), + "keyExpectedValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", [name]), "keyActualValue": sprintf("'databricks_ip_access_list[%s].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", [name]), } } From e17e6c87e2045bd85de61e23cb84b0647c9c5f14 Mon Sep 17 00:00:00 2001 
From: Dimitri GRISARD Date: Tue, 24 Jan 2023 20:14:05 +0100 Subject: [PATCH 214/379] chore(terraform/databricks): rename folder --- .../not_use_lts_spark_version/query.rego | 35 ------------------- .../metadata.json | 0 .../test/negative1.tf | 0 .../test/negative2.tf | 0 .../test/positive1.tf | 0 .../test/positive2.tf | 0 .../test/positive3.tf | 0 .../test/positive_expected_result.json | 0 8 files changed, 35 deletions(-) delete mode 100644 assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/metadata.json (100%) rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/test/negative1.tf (100%) rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/test/negative2.tf (100%) rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/test/positive1.tf (100%) rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/test/positive2.tf (100%) rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/test/positive3.tf (100%) rename assets/queries/terraform/databricks/{not_use_lts_spark_version => use_lts_spark_version}/test/positive_expected_result.json (100%) diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego deleted file mode 100644 index 785a066024d..00000000000 --- a/assets/queries/terraform/databricks/not_use_lts_spark_version/query.rego +++ /dev/null 
@@ -1,35 +0,0 @@ -package Cx - -import data.generic.terraform as tf_lib - -CxPolicy[result] { - resource := input.document[i].data.databricks_spark_version[name] - - not resource.long_term_support - - result := { - "documentId": input.document[i].id, - "resourceType": "databricks_spark_version", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("databricks_spark_version[%s].long_term_support", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_spark_version[%s]' should be a LTS version'", [name]), - "keyActualValue": sprintf("'databricks_spark_version[%s]' is not a LTS version'", [name]), - } -} - -CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] - - not contains(resource.spark_version, "LTS"); not contains(resource.spark_version, "data") - - result := { - "documentId": input.document[i].id, - "resourceType": "databricks_spark_version", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("databricks_cluster[%s].spark_version", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'databricks_cluster[%s].spark_version' should be a LTS version'", [name]), - "keyActualValue": sprintf("'databricks_cluster[%s].spark_version' is not a LTS version'", [name]), - } -} diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/metadata.json b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/metadata.json rename to assets/queries/terraform/databricks/use_lts_spark_version/metadata.json 
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative1.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/negative1.tf similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative1.tf rename to assets/queries/terraform/databricks/use_lts_spark_version/test/negative1.tf diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative2.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/negative2.tf similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/negative2.tf rename to assets/queries/terraform/databricks/use_lts_spark_version/test/negative2.tf diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive1.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive1.tf similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive1.tf rename to assets/queries/terraform/databricks/use_lts_spark_version/test/positive1.tf diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive2.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive2.tf similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive2.tf rename to assets/queries/terraform/databricks/use_lts_spark_version/test/positive2.tf diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive3.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive3.tf similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive3.tf rename to assets/queries/terraform/databricks/use_lts_spark_version/test/positive3.tf 
diff --git a/assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/databricks/not_use_lts_spark_version/test/positive_expected_result.json rename to assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json From 54abc09337026f775bbf73cde69498bb30c42a20 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Tue, 24 Jan 2023 20:14:36 +0100 Subject: [PATCH 215/379] chore(terraform/databricks): improve query --- .../use_lts_spark_version/query.rego | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 assets/queries/terraform/databricks/use_lts_spark_version/query.rego diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego new file mode 100644 index 00000000000..c7579ce3a36 --- /dev/null +++ b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego 
@@ -0,0 +1,35 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].data.databricks_spark_version[name]
+
+ not resource.long_term_support
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_spark_version",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_spark_version[%s].long_term_support", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_spark_version[%s]' should be a LTS version'", [name]),
+ "keyActualValue": sprintf("'databricks_spark_version[%s]' is not a LTS version'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.databricks_cluster[name]
+
+ not contains(resource.spark_version, "LTS"); not contains(resource.spark_version, "data.databricks_spark_version")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "databricks_spark_version",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("databricks_cluster[%s].spark_version", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'databricks_cluster[%s].spark_version' should be a LTS version'", [name]),
+ "keyActualValue": sprintf("'databricks_cluster[%s].spark_version' is not a LTS version'", [name]),
+ }
+}
From a359348c2dce636ce18c454e029dd156c7349dd2 Mon Sep 17 00:00:00 2001
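Review bot: The second rule's condition `not contains(resource.spark_version, "LTS"); not contains(resource.spark_version, "data.databricks_spark_version")` is also satisfied when the cluster has no `spark_version` attribute at all, because `contains` on an undefined value is undefined and `not` of undefined is true, so a cluster omitting the attribute is reported as an IncorrectValue "is not a LTS version" finding whose searchKey points at a key that does not exist. Binding the attribute first, `spark_version := resource.spark_version` on its own line, and then testing `spark_version` makes the rule fire only when the attribute is present; a missing attribute can be a separate MissingAttribute rule if that case should also be reported. Splitting the two `not contains` onto separate lines instead of joining them with `;` would also match the style of the other databricks queries in this series.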
From: Dimitri GRISARD Date: Tue, 24 Jan 2023 21:02:04 +0100 Subject: [PATCH 216/379] chore(terraform/databricks): resources name for test --- .../test/{negative1.tf => negative.tf} | 2 +- .../cluster_aws_attributes/test/positive1.tf | 2 +- .../cluster_aws_attributes/test/positive2.tf | 2 +- .../cluster_aws_attributes/test/positive3.tf | 2 +- .../cluster_aws_attributes/test/positive4.tf | 2 +- .../test/{negative1.tf => negative.tf} | 2 +- .../cluster_azure_attributes/test/positive1.tf | 2 +- .../cluster_azure_attributes/test/positive2.tf | 2 +- .../cluster_azure_attributes/test/positive3.tf | 2 +- .../test/{negative1.tf => negative.tf} | 2 +- .../test/{positive1.tf => positive.tf} | 2 +- .../databricks_permissions/test/negative1.tf | 2 +- .../databricks_permissions/test/negative2.tf | 2 +- .../databricks_permissions/test/negative3.tf | 2 +- .../databricks_permissions/test/positive1.tf | 2 +- .../databricks_permissions/test/positive2.tf | 2 +- .../databricks_permissions/test/positive3.tf | 2 +- .../databricks_permissions/test/positive4.tf | 2 +- .../test/negative1.tf | 10 +++++----- .../test/negative2.tf | 10 +++++----- .../databricks/unrestricted_acl/test/negative.tf | 2 +- .../databricks/unrestricted_acl/test/positive1.tf | 4 ++-- .../databricks/unrestricted_acl/test/positive2.tf | 4 ++-- .../test/{negative.tf => negative1.tf} | 0 24 files changed, 33 insertions(+), 33 deletions(-) rename assets/queries/terraform/databricks/cluster_aws_attributes/test/{negative1.tf => negative.tf} (91%) rename assets/queries/terraform/databricks/cluster_azure_attributes/test/{negative1.tf => negative.tf} (90%) rename assets/queries/terraform/databricks/cluster_gcp_attributes/test/{negative1.tf => negative.tf} (91%) rename assets/queries/terraform/databricks/cluster_gcp_attributes/test/{positive1.tf => positive.tf} (89%) rename assets/queries/terraform/databricks/use_spark_submit_task/test/{negative.tf => negative1.tf} (100%) 
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative.tf similarity index 91% rename from assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf rename to assets/queries/terraform/databricks/cluster_aws_attributes/test/negative.tf index 70bd583477c..fd472dc5407 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative1.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/negative.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "negative" { cluster_name = "Shared Autoscaling" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf index 58de1733c87..b113437e353 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive1.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive1" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf index 53f5e68e6fe..544d848c2b9 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive2.tf 
@@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive2" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf index 6f1364013c2..cc3ec1b0065 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive3.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive3" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf index b7703430ef9..5435a5ceb8e 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive4.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive4" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative.tf similarity index 90% rename from assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf rename to assets/queries/terraform/databricks/cluster_azure_attributes/test/negative.tf index 53abc098458..cb618299f9a 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative1.tf 
+++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/negative.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "negative" { cluster_name = "Shared Autoscaling" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf index 1c82459d521..eade7623278 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive1.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive1" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf index 2ed7d5d1807..4280f7e65b8 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive2.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive2" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf index 1bd4f57ce51..19b5f7ec2ea 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive3.tf 
@@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive3" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative.tf similarity index 91% rename from assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf rename to assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative.tf index 7bdaaeb1ea6..234c6789cf8 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative1.tf +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/negative.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "negative" { cluster_name = "Shared Autoscaling" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive.tf similarity index 89% rename from assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf rename to assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive.tf index 986583d715d..b612d14f0a5 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive.tf @@ -1,4 +1,4 @@ -resource "databricks_cluster" "this" { +resource "databricks_cluster" "positive" { cluster_name = "data" spark_version = data.databricks_spark_version.latest.id node_type_id = data.databricks_node_type.smallest.id 
diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf b/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf index d6c2511b366..81468fd04a0 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/negative1.tf @@ -13,7 +13,7 @@ resource "databricks_job" "negative1" { } } -resource "databricks_permissions" "job_usage" { +resource "databricks_permissions" "negative1" { job_id = databricks_job.negative1.id access_control { diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf b/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf index 8fa030cee7c..a2d7c584c65 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/negative2.tf @@ -9,7 +9,7 @@ resource "databricks_cluster" "negative2" { } } -resource "databricks_permissions" "cluster_usage" { +resource "databricks_permissions" "negative2" { cluster_id = databricks_cluster.negative2.id access_control { diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf b/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf index 0a7d7cb9cca..8a9fa9ebcfc 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/negative3.tf @@ -13,7 +13,7 @@ resource "databricks_job" "negative3" { } } -resource "databricks_permissions" "job_usage" { +resource "databricks_permissions" "negative3" { job_id = databricks_job.negative3.id access_control { diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf index 26ec157bf3c..2f45ec7b948 100644 
--- a/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive1.tf @@ -28,7 +28,7 @@ resource "databricks_job" "positive1_error" { } } -resource "databricks_permissions" "job_usage" { +resource "databricks_permissions" "positive1" { job_id = databricks_job.positive1.id access_control { diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf index b49858b1cd2..1055e4a9488 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive2.tf @@ -20,7 +20,7 @@ resource "databricks_cluster" "positive2_error" { } } -resource "databricks_permissions" "cluster_usage" { +resource "databricks_permissions" "positive2" { cluster_id = databricks_cluster.positive2.id access_control { diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf index 237e945b376..a7aa27068f5 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive3.tf @@ -13,7 +13,7 @@ resource "databricks_job" "positive3" { } } -resource "databricks_permissions" "job_usage" { +resource "databricks_permissions" "positive3" { job_id = databricks_job.positive3.id access_control { diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf b/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf index 6813c2e7709..0598da0167d 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive4.tf 
@@ -13,7 +13,7 @@ resource "databricks_job" "positive4" {
 }
 }
-resource "databricks_permissions" "job_usage" {
+resource "databricks_permissions" "positive4" {
 job_id = databricks_job.positive4.id
 access_control {
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative1.tf b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative1.tf
index 4f264c85e95..54d02c5c820 100644
--- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative1.tf
+++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative1.tf
@@ -1,14 +1,14 @@
-resource "databricks_group" "negative_group" {
+resource "databricks_group" "negative1_group" {
 display_name = "Some Group"
 allow_cluster_create = true
 allow_instance_pool_create = true
 }
-resource "databricks_user" "negative_user" {
+resource "databricks_user" "negative1_user" {
 user_name = "someone@example.com"
 }
-resource "databricks_group_member" "negative_member" {
- group_id = databricks_group.negative_group.id
- member_id = databricks_user.negative_user.id
+resource "databricks_group_member" "negative1_member" {
+ group_id = databricks_group.negative1_group.id
+ member_id = databricks_user.negative1_user.id
 }
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf
index b65542f82fc..b30e75d1f06 100644
--- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf
+++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/negative2.tf
@@ -1,12 +1,12 @@
-resource "databricks_instance_profile" "negative_instance_profile" {
+resource "databricks_instance_profile" "negative2_instance_profile" {
 instance_profile_arn = "my_instance_profile_arn"
 }
-resource "databricks_group" "negative_group" {
+resource "databricks_group" "negative2_group" {
 display_name = "my_group_name"
 }
-resource "databricks_group_instance_profile" "negative_group_instance_profile" {
- group_id = databricks_group.negative_group.id
- instance_profile_id = databricks_instance_profile.negative_instance_profile.id
+resource "databricks_group_instance_profile" "negative2_group_instance_profile" {
+ group_id = databricks_group.negative2_group.id
+ instance_profile_id = databricks_instance_profile.negative2_instance_profile.id
 }
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
index f2999c6dd2f..ede5e5e3db6 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/negative.tf
@@ -11,5 +11,5 @@ resource "databricks_ip_access_list" "negative" {
 "1.2.3.0/24",
 "1.2.5.0/24"
 ]
- depends_on = [databricks_workspace_conf.this]
+ depends_on = [databricks_workspace_conf.negative]
 }
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
index ad3c9857700..c3bf090eba9 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive1.tf
@@ -1,4 +1,4 @@
-resource "databricks_workspace_conf" "this" {
+resource "databricks_workspace_conf" "positive1" {
 custom_config = {
 "enableIpAccessLists" : true
 }
@@ -11,5 +11,5 @@ resource "databricks_ip_access_list" "positive1" {
 "0.0.0.0/0",
 "1.2.5.0/24"
 ]
- depends_on = [databricks_workspace_conf.this]
+ depends_on = [databricks_workspace_conf.positive1]
 }
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf b/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
index 48c87de07d2..500eb725204 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive2.tf
@@ -1,4 +1,4 @@
-resource "databricks_workspace_conf" "this" {
+resource "databricks_workspace_conf" "positive2" {
 custom_config = {
 "enableIpAccessLists" : true
 }
@@ -11,5 +11,5 @@ resource "databricks_ip_access_list" "positive2" {
 "::/0",
 "1.2.5.0/24"
 ]
- depends_on = [databricks_workspace_conf.this]
+ depends_on = [databricks_workspace_conf.positive2]
 }
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/negative.tf b/assets/queries/terraform/databricks/use_spark_submit_task/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/databricks/use_spark_submit_task/test/negative.tf
rename to assets/queries/terraform/databricks/use_spark_submit_task/test/negative1.tf

From 6b84a2a9e95c2134a87f4b9b4ce2d8bd865d616a Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Fri, 27 Jan 2023 12:15:09 +0100
Subject: [PATCH 217/379] fix(terraform/databricks): LTS version check

---
 .../terraform/databricks/use_lts_spark_version/query.rego | 8 +++++++-
 .../databricks/use_lts_spark_version/test/negative2.tf | 2 +-
 .../databricks/use_lts_spark_version/test/positive3.tf | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego
index c7579ce3a36..8798aa48cc6 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego
@@ -21,7 +21,8 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource := input.document[i].resource.databricks_cluster[name]
- not contains(resource.spark_version, "LTS"); not contains(resource.spark_version, "data.databricks_spark_version")
+ not isLtsVersion(resource.spark_version)
+ not contains(resource.spark_version, "data.databricks_spark_version")
 result := {
 "documentId": input.document[i].id,
@@ -33,3 +34,8 @@ CxPolicy[result] {
 "keyActualValue": sprintf("'databricks_cluster[%s].spark_version' is not a LTS version'", [name]),
 }
 }
+
+isLtsVersion(version) {
+ versions = {"3.0.1", "3.1.2", "3.2.1", "3.3.0"}
+ version = versions[j]
+}
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/negative2.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/negative2.tf
index d4a9717f5d6..6941390f9b7 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/test/negative2.tf
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/test/negative2.tf
@@ -7,7 +7,7 @@ data "databricks_node_type" "negative2_with_gpu" {
 resource "databricks_cluster" "negative2_research" {
 cluster_name = "Research Cluster"
- spark_version = "3.5 LTS"
+ spark_version = "3.2.1"
 node_type_id = data.databricks_node_type.negative2_with_gpu.id
 autotermination_minutes = 20
 autoscale {
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive3.tf b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive3.tf
index d9e35c67fb5..03f059c1de5 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive3.tf
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive3.tf
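Review bot: `isLtsVersion` in the second hunk only accepts an exact match against four literal strings, so any `spark_version` that carries a qualifier or suffix (the `"3.5 LTS"` form the removed `contains(resource.spark_version, "LTS")` check used to accept, which this commit also rewrote in negative2.tf) is now reported, and the literal set will silently go stale as new releases ship. The set should be a named, documented constant with a comment such as `# LTS spark_version values accepted by this query; extend when a new LTS release is published` so the maintenance burden is visible. Set membership in Rego is expressed directly rather than by unifying through a throwaway index: `isLtsVersion(version) { versions := {"3.0.1", "3.1.2", "3.2.1", "3.3.0"}; versions[version] }`. The `keyActualValue` context line also carries a stray trailing `'` after `version` that the message should drop. The `CxPolicy[result]` rule touched by the first hunk continues outside it.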
@@ -7,7 +7,7 @@ data "databricks_node_type" "positive3_with_gpu" {
 resource "databricks_cluster" "positive3_research" {
 cluster_name = "Research Cluster"
- spark_version = "3.5"
+ spark_version = "3.3.1"
 node_type_id = data.databricks_node_type.positive2_with_gpu.id
 autotermination_minutes = 20
 autoscale {

From 3a79ddaccb6efaf221ba34a2de5e13e34eef7a11 Mon Sep 17 00:00:00 2001
From: rafaela-soares
Date: Mon, 11 Apr 2022 18:02:11 +0100
Subject: [PATCH 218/379] fixed incorrect metadatas

---
 docs/queries/all-queries.md | 943 ++++++++++++++++++++++++++++++
 docs/queries/terraform-queries.md | 604 +++++++++++++++++++
 2 files changed, 1547 insertions(+)

diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index e77f2917cf3..b7ef7971fd6 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -1473,6 +1473,949 @@ This page contains all queries.
 |Missing App Armor Config
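Review bot: The context line `node_type_id = data.databricks_node_type.positive2_with_gpu.id` in positive3.tf references a data source that, per the hunk header, this file declares as `positive3_with_gpu`, so the fixture is not a self-consistent Terraform module even though the new `spark_version = "3.3.1"` will still trigger the query. While this file is being touched, the line should read `node_type_id = data.databricks_node_type.positive3_with_gpu.id`. The `databricks_cluster` resource block continues outside the hunk.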
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| |Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|SQL DB Instance Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Ansible|High|Encryption|Check if any KMS rotation period surpasses 365 days.|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|High|Resource Management|The node image should be Container-Optimized OS(COS)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Encryption|Make sure Encryption keys changes after 90 days|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Configurations|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access.|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to yes|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| +|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| +|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|SQS policy with public access|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|RDS configured without backup|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS Encryption should be enabled|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem file|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|High|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Kubernetes|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|Medium|Build Process|Limit capabilities for a Pod Security Policy|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Pod or Container should have a ResourceQuota associated|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Pod or Container should have a LimitRange associated|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Info|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should be enabled|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| +|S3 Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|High|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|Medium|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Configurations|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Insecure Configurations|VM Instance should block project-wide SSH keys|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to true|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Networking and Firewall|Azure App Service client certificate should be enabled|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces must not be exposed with a public IP address|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|Low|Networking and Firewall|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Low|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| +|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|Terraform|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Medium|Availability|Liveness Probe must be defined|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be specified|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|Check if the StatefulSet have a headless 'serviceName'|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| +|S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|Terraform|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Base64 Shell Script must be encoded|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Lambda Function With Privileged role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| +|HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|SQS policy with public access|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|RDS configured without backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Medium|Encryption|ECR (Elastic Container Registry) Repository encryption should be set|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| +|API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|RDS does not have any kind of logger|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|X-ray Tracing is not enabled|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Terraform|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Low|Observability|S3 bucket without logging|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components|Documentation
| +|Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Info|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|High|Encryption|Disks should have encryption enabled|Documentation
| +|RDS Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
|
+|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
|
+|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
|
+|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
|
+|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
|
+|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
|
+|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
|
+|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
|
+|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
|
+|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
|
+|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
|
+|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
|
+|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
|
+|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
|
+|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
|
+|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
|
+|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
|
+|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
|
+|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
|
+|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
|
+|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
|
+|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
|
+|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
|
+|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
|
+|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
|
+|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
|
+|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
|
+|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
|
+|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
|
+|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
|
+|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
|
+|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
|
+|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
|
+|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
|
+|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
|
+|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
|
+|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
|
+|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
|
+|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
|
+|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
|
+|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
|
+|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
|
+|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
|
+|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
|
+|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
|
+|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
|
+|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
|
+|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
|
+|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
|
+|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
|
+|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
|
+|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
|
+|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
|
+|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
|
+|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
|
+|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
|
+|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
|
+|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
|
+|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
|
+|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
|
+|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
|
+|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
|
+|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
|
+|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
|
+|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
|
+|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
|
+|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
|
+|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
|
+|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
|
+|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
|
+|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
|
+|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
|
+|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
|
+|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
|
+|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
|
+|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
|
+|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
|
+|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
|
+|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
|
+|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
|
+|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
|
+|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
+|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
 |Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
|
 |Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
|
 |Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index 9f0bba8809e..428315511f7 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -640,6 +640,15 @@ Bellow are listed queries related with Terraform GITHUB:
 ### GCP
 Bellow are listed queries related with Terraform GCP:
+|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
|
+|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
|
+|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
|
+|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
|
+|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
|
+|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
|
+
+### AWS_BOM
+Below are listed queries related with Terraform AWS_BOM:
@@ -699,3 +708,598 @@ Bellow are listed queries related with Terraform GCP:
 |User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
|
 |Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
|
 |Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
+|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
|
+|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
|
+|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
|
+|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
|
+|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
|
+|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
|
+|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
|
+|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
|
+|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
|
+|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
|
+|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
|
+
+### GCP
+Below are listed queries related with Terraform GCP:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
|
+|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
|
+|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
|
+|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
|
+|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
|
+|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
|
+|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
|
+|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
|
+|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
|
+|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
|
+|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
|
+|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
|
+|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
|
+|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
|
+|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
|
+|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
|
+|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
|
+|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
|
+|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
|
+|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
|
+|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
|
+|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
|
+|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
|
+|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
|
+|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
|
+|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
|
+|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
|
+|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
|
+|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
|
+|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
|
+|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
+|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
|
+|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
+|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
|
+|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
|
+|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
|
+|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
|
+|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
|
+|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
|
+|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
|
+|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
|
+|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
|
+|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
|
+|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
|
+|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
+|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
|
+|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
|
+|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
|
+|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
|
+|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
|
+|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
|
+|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
|
+|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
|
+|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
|
+
+### AZURE
+Below are listed queries related with Terraform AZURE:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
|
+|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
|
+|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
|
+|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
|
+|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
|
+|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
|
+|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
|
+|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
|
+|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
|
+|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
|
+|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
|
+|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
|
+|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
|
+|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
|
+|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
|
+|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
|
+|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
|
+|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
|
+|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
|
+|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
|
+|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
|
+|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
|
+|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
|
+|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
|
+|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
|
+|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
|
+|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
|
+|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
|
+|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
|
+|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
|
+|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
|
+|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
|
+|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
|
+|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
|
+|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
|
+|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
|
+|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
|
+|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
|
+|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
|
+|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
|
+|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
|
+|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
|
+|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
|
+|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
|
+|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
|
+|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
|
+|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
|
+|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
|
+|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
|
+|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
|
+|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
|
+|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
|
+|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
|
+|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
|
+|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
|
+|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
|
+|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
|
+|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
|
+|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
|
+|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
|
+|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
|
+|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
|
+|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
|
+|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
|
+|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
|
+|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
|
+|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
|
+|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
|
+|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
|
+|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
|
+|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
|
+|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
|
+|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
|
+|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
|
+|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
|
+|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
|
+|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
|
+|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
|
+|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
|
+|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
|
+|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
|
+|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
|
+|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
|
+|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
|
+|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
|
+|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
|
+|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
|
+|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
|
+|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
|
+|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
|
+|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
|
+|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
|
+|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
|
+|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
|
+### KUBERNETES
+Bellow are listed queries related with Terraform KUBERNETES:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
|
+|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
|
+|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
|
+|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
|
+|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
|
+|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|High|Insecure Configurations|Container should not share the host network namespace|Documentation
|
+|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
|
+|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
|
+|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
|
+|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
|
+|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
|
+|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
|
+|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
|
+|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
|
+|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Medium|Availability|Liveness Probe must be defined|Documentation
|
+|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
|
+|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
|
+|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
|
+|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
|
+|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
|
+|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
|
+|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
|
+|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
|
+|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
|
+|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
|
+|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
|
+|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
|
+|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
|
+|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
|
+|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
|
+|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
|
+|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
|
+|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
|
+|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
|
+|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
|
+|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
|
+|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
|
+|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be specified|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|Check if the StatefulSet have a headless 'serviceName'|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
|
+### AWS
+Bellow are listed queries related with Terraform AWS:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| +|S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|Base64 Shell Script must be encoded|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Lambda Function With Privileged role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| +|HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|SQS policy with public access|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|RDS configured without backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157|Medium|Encryption|ECR (Elastic Container Registry) Repository encryption should be set|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| +|API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|RDS does not have any kind of logger|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|X-ray Tracing is not enabled|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Low|Observability|S3 bucket without logging|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| +|Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components|Documentation
| +|Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| +|ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Info|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
|
+### AWS_BOM
+Bellow are listed queries related with Terraform AWS_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
|
+### ALICLOUD
+Bellow are listed queries related with Terraform ALICLOUD:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|High|Encryption|Disks should have encryption enabled|Documentation
| +|RDS Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
|
+|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
|
+|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
|
+|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
|
+|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
|
+|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
|
+|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
|
+|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
|
+|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
|
+|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
|
+|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
|
+|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
|
+|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
|
+|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
|
+|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
|
+|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
|
+|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
|
+|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
|
+|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
|
+|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
|
+### SHARED (V2/V3)
+Bellow are listed queries related with Terraform SHARED (V2/V3):
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
|
+|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type.|Documentation
|
+|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
|
+|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description.|Documentation
|
+|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description.|Documentation
|
From 52705cb8bb7de45039e22804ef22880972ccdefa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Reigota?=
Date: Mon, 12 Dec 2022 12:37:15 +0000
Subject: [PATCH 219/379] fixed conflicts
---
 docs/queries/all-queries.md | 2237 +++++++++++++++++++++++++++++
 docs/queries/terraform-queries.md | 16 +-
 2 files changed, 2241 insertions(+), 12 deletions(-)
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index b7ef7971fd6..3c9cc9e9f2d 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -2702,3 +2702,2240 @@ This page contains all queries.
 |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
|
 |Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
|
 |Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
|
+|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
|
+|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
|
+|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
|
+|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
|
+|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
|
+|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
|
+|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
|
+|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
|
+|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
|
+|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
|
+|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
|
+|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
|
+|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
|
+|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
|
+|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
|
+|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
|
+|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
|
+|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
|
+|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
|
+|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
|
+|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
|
+|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
|
+|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
|
+|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
|
+|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
|
+|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
|
+|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
|
+|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
|
+|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
|
+|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
|
+|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
|
+|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
|
+|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
|
+|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
|
+|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
|
+|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
|
+|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
|
+|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
|
+|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
|
+|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
|
+|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
|
+|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
|
+|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
|
+|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
|
+|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
|
+|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
|
+|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
|
+|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
|
+|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
|
+|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
|
+|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
|
+|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
|
+|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
|
+|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
|
+|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
|
+|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
|
+|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
|
+|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
|
+|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
|
+|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
|
+|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
|
+|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
|
+|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
|
+|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
|
+|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
|
+|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
|
+|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
|
+|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
|
+|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
|
+|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
|
+|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
|
+|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
|
+|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
|
+|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
|
+|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
|
+|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
|
+|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
|
+|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
|
+|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
|
+|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
|
+|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
|
+|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
|
+|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
|
+|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
|
+|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
|
+|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
|
+|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
|
+|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
|
+|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
|
+|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
|
+|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
|
+|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
|
+|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
|
+|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
|
+|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
|
+|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
|
+|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
|
+|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
|
+|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
|
+|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
|
+|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
|
+|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
|
+|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
|
+|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
|
+|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
|
+|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
|
+|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
|
+|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| 
+|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| 
+|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| 
+|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| 
+|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| 
+|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| 
+|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| 
+|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| 
+|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| 
+|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| 
+|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| 
+|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| 
+|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| 
+|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| 
+|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| 
+|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| 
+|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| 
+|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| 
+|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| 
+|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| 
+|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| 
+|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| 
+|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| 
+|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| 
+|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| 
+|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| 
+|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| 
+|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| 
+|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| 
+|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| 
+|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| 
+|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| 
+|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| 
+|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| 
+|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| 
+|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| 
+|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| 
+|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| 
+|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| 
+|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| 
+|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| 
+|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| 
+|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| 
+|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| 
+|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| 
+|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| 
+|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| 
+|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| 
+|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| 
+|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| 
+|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| 
+|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| 
+|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| 
+|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| 
+|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| 
+|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| 
+|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| 
+|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| 
+|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| 
+|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| 
+|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| 
+|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| 
+|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| 
+|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| 
+|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| 
+|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| 
+|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| 
+|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| 
+|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| 
+|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| 
+|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| 
+|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| 
+|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| 
+|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| 
+|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| 
+|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| 
+|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| 
+|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| 
+|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| 
+|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| 
+|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| 
+|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| 
+|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| 
+|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| 
+|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| 
+|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| 
+|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| 
+|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| 
+|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| 
+|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| 
+|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| 
+|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| 
+|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| 
+|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| 
+|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| 
+|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| 
+|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| 
+|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| 
+|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| 
+|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| 
+|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| 
+|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| 
+|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| 
+|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| 
+|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| 
+|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| 
+|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| 
+|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| 
+|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| 
+|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| 
+|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| 
+|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| 
+|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| 
+|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| 
+|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| 
+|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| 
+|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| 
+|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| 
+|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| 
+|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| 
+|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| 
+|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| 
+|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| 
+|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| 
+|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| 
+|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| 
+|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| 
+|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| 
+|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| 
+|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| 
+|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| 
+|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| 
+|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| 
+|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| 
+|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| 
+|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| 
+|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| 
+|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| 
+|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| 
+|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| 
+|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| 
+|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| 
+|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| 
+|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| 
+|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| 
+|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| 
+|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| 
+|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| 
+|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| 
+|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| 
+|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| 
+|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted.|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| +|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| +|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index 428315511f7..c0003c8505f 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -1076,18 +1076,10 @@ Bellow are listed queries related with Terraform AWS:
 |SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| |SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|SQS policy with public access|Documentation
| |IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| |S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
|
From 26d364dd945af9dd4c905b09ebe75a2fa6e55318 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Tue, 10 Jan 2023 11:56:38 +0000
Subject: [PATCH 220/379] update md files

---
 docs/queries/terraform-queries.md | 67 +++++++++++++++++++++++++------
 1 file changed, 55 insertions(+), 12 deletions(-)

diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index c0003c8505f..c59a3843fb2 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -1074,22 +1074,65 @@ Bellow are listed queries related with Terraform AWS:
 |API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| |IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| |SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|SQS policy with public access|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
|
From 8671883f8d92d7bea942e078ebb0d190ca891d35 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Tue, 10 Jan 2023 11:56:49 +0000
Subject: [PATCH 221/379] update md files
---
docs/queries/all-queries.md | 1786 +++++++++++++++++++++++------
1 file changed, 1204 insertions(+), 582 deletions(-)
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index 3c9cc9e9f2d..41a74d4465f 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -1831,587 +1831,48 @@ This page contains all queries.
 |SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| |S3 Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|High|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|Medium|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Configurations|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Insecure Configurations|VM Instance should block project-wide SSH keys|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to true|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Networking and Firewall|Azure App Service client certificate should be enabled|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces must not be exposed with a public IP address|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|Low|Networking and Firewall|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Low|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| -|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|Terraform|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Medium|Availability|Liveness Probe must be defined|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be specified|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be specified|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|Check if the StatefulSet have a headless 'serviceName'|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| -|S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|Terraform|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Base64 Shell Script must be encoded|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption at rest and in transit is enabled|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Lambda Function With Privileged role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| -|HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enabled and accessible to all (0.0.0.0/0)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root account usage|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|SQS policy with public access|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 instances should not share the same role.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|RDS configured without backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if the IAM account password policy prevents reuse of the last 24 passwords|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Medium|Encryption|ECR (Elastic Container Registry) Repository encryption should be set|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| -|API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use an RSA key with a length equal to or higher than 256 bytes (2048 bits)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint should be set to false|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|RDS does not have any kind of logger|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|X-ray Tracing is not enabled|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Terraform|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Low|Observability|S3 bucket without logging|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components|Documentation
| -|Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Info|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|High|Encryption|Disks should have encryption enabled|Documentation
| -|RDS Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| |No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| |No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| |Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| @@ -2464,6 +1925,58 @@ This page contains all queries. |Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| |Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| |Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| |Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| @@ -4683,6 +4196,360 @@ This page contains all queries. |S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| |MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| |S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
| |S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| @@ -4923,7 +4790,762 @@ This page contains all queries. |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| |Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| |Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
|
From 0ed8a647d9aeeab6d1689c847d8cc3dfacd0dbaa Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Tue, 28 Feb 2023 09:50:04 +0000
Subject: [PATCH 222/379] docs(queries): update queries catalog
---
 docs/queries/all-queries.md | 7297 ++++++++--------- docs/queries/ansible-queries.md | 219 + docs/queries/azureresourcemanager-queries.md | 43 + docs/queries/cloudformation-queries.md | 280 + docs/queries/crossplane-queries.md | 15 + docs/queries/dockercompose-queries.md | 22 + docs/queries/dockerfile-queries.md | 53 + .../googledeploymentmanager-queries.md | 51 + docs/queries/kubernetes-queries.md | 152 + docs/queries/openapi-queries.md | 367 + docs/queries/pulumi-queries.md | 24 + docs/queries/serverlessfw-queries.md | 10 + docs/queries/terraform-queries.md | 1262 +-- 13 files changed, 5541 insertions(+), 4254 deletions(-)
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index 41a74d4465f..f89f623fe7d 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -1527,3788 +1527,3388 @@ This page contains all queries.
 |Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| |VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| |Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| |SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| |Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| |Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| |WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| |PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| |Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| |Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| |Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| |PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| |S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| |ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| |Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| -|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| |DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| |API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| |SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|SQS policy with public access|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| |Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| |Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| |Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| |CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|RDS configured without backup|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| |Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS Encryption should be enabled|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| |AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| |EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| |CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem file|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|High|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Kubernetes|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|Medium|Build Process|Limit capabilities for a Pod Security Policy|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Pod or Container should have a ResourceQuota associated|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Pod or Container should have a LimitRange associated|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Info|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should be enabled|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|S3 Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured with a Dead Letter Queue (DLQ). A DLQ can be set up through the 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SSL enabled|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and its subattribute 'management' must be defined with the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS (COS)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access, i.e. the RDP port 3389 is allowed from any source|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from influencing other pods on the node, harming the node's health, or gaining CPU or memory resources outside of the pod's resource limits. This means 'spec.security_context.sysctl' must not contain unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full (unmasked) access to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime.|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set; a container without a limit is only guaranteed the CPU it requests, but may consume any additional CPU time the node has free|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role, when bound, should not grant the get, list or watch verbs on secrets|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Checks that the Docker daemon socket is not exposed to containers|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with an AppArmor profile to reduce the application's potential attack surface|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should reference an existing headless service in 'serviceName'. The headless service's labels should also be present in the StatefulSet's labels.|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Checks that containers drop capabilities in their security context|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable by any authenticated user|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not grant all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags in their configuration|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled for all log types|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_config.mode' should have the value 'Active'|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has been tampered with after delivery|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SSL enabled|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means that, within the 'dnssec_config' block, no 'default_key_specs' block may set the 'algorithm' field to 'rsasha1'|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies that a Google Project IAM Member Service Account does not have an Account User or Token Creator role associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query checks whether a Google Compute SSL Policy allows weak cipher suites; the minimum TLS version should be TLS_1_2, because older versions permit weak ciphers|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to follow the principle of least privilege|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows a port range|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public, in keeping with the principle of least privilege|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if the 'enabled' field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROM instructions can't have the same alias defined|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|A package-manager update instruction (e.g. 'RUN apt-get update') should always be followed by the corresponding install in the same RUN statement|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install NAME' we should use 'gem install NAME:VERSION'|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input: 'yum install -y PACKAGE'|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version helps reduce failures due to unanticipated changes in required packages.|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process|This query is used to ensure that build stages are named. This way, even if the Dockerfile is re-ordered, the COPY instruction doesn't break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack surface|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query checks whether a Google Compute SSL Policy allows weak cipher suites; the minimum TLS version should be TLS_1_2, because older versions permit weak ciphers|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should have associated tags|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not be publicly accessible|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|PostgreSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should not allow network access by default; the default network rule action should be 'Deny' so that only explicitly allowed networks can reach the account|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts should be set to 'On' and be sent to persons with specific RBAC roles on the subscription|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Project IAM Member Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query checks whether a Google Compute SSL Policy allows weak cipher suites; the minimum TLS version must be TLS_1_2, because older TLS versions permit weak ciphers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from influencing other pods on the node, harming the node's health, or gaining CPU or memory resources beyond its resource limits. This means 'spec.security_context.sysctl' must not contain unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full (unmasked) access to the host's /proc filesystem, which would allow it to read sensitive information and possibly change kernel parameters at runtime.|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers must drop the 'NET_RAW' capability, or drop 'ALL' capabilities|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set, because a container without a limit may consume all free CPU time on the node, beyond what it requested|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list or watch as verbs on secrets|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Checks whether the Docker daemon socket is exposed to containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with an AppArmor profile for any application, to reduce its potential attack surface|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Checks whether containers drop capabilities in their security context|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policies should not grant full permissions to resources up front; permissions should be granted incrementally as they become necessary.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policies should not allow full administrative privileges (for all resources)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable or writable by all users|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags for configuration|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has been tampered with|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled for all log types|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_config.mode' should have the value 'Active'|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled, data is available in 1-minute periods|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Apache Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the start; permissions should instead be granted gradually as necessary.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For the integer type the format must be int32 or int64, and for the number type it must be float or double|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field in the OpenAPI specification that accepts '$ref' implies that the field uses a Reference Object, which contains only the '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field in the OpenAPI specification that accepts '$ref' implies that the field uses a Reference Object, which contains only the '$ref' key|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive their value from requests, which makes declaring a default value unnecessary|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive their value from requests, which makes declaring a default value unnecessary|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property keys should be unique throughout the fields 'properties', 'allOf' and 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property keys should be unique throughout the fields 'properties', 'allOf' and 'additionalProperties'|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|The type defined by a Schema/Parameter/Header Object should not use a keyword that belongs to another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|The type defined by a Schema Object should not use a keyword that belongs to another type|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All paths should be unique; if a path has more than one operation, all operations should be part of the same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All paths should be unique; if a path has more than one operation, all operations should be part of the same Path Object|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for the 'header' location, since HTTP header names are not case-sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for the 'header' location, since HTTP header names are not case-sensitive.|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| |S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| |S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| |SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| |ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted.|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| |EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| |DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| |MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted.|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| |IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| |S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| |DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| |S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| |Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| |Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| |Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| |Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| |Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| |Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| |KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| |API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| |IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| |RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| |IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| |IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| |SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| |RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| |SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| |API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| |Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| |AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| |GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| |MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| |EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| |Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| |S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| |CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| |Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| |Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| |Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| |DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| |Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| |EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| |Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| |Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| |ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| |Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| |ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| |CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| |Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| |Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| |Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| |Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| |Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| |Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| |Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
|
+|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
+|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
|
+|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
|
+|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
+|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
+|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
|
+|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
|
+|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
+|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
+|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
|
+|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
|
+|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
|
+|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
|
+|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
+|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
+|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
+|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
|
+|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
|
+|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
|
+|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
|
+|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
|
+|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
|
+|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
|
+|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
|
+|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
|
+|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
|
+|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined|Documentation
|
+|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
+|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
|
+|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
|
+|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
|
+|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
|
+|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
|
+|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
|
+|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
|
+|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
|
+|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
|
+|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
|
+|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
|
+|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
|
+|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
|
+|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
|
+|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
|
+|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
|
+|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
|
+|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
|
+|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
|
+|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
|
+|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
|
+|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
|
+<<<<<<< HEAD
+|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
|
+|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
|
+|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
|
+|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
|
+|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
|
+|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
|
+|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
|
+|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
|
+=======
+|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
|
+|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
|
+|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
|
+|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
|
+|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
|
+|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
|
+|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
|
+|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
|
+|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
|
+|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
|
+|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
|
+>>>>>>> 5a6bfb88e (docs(queries): update queries catalog)
+|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
|
+|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
|
+|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
|
+|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
|
+|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
|
+|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
|
+|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
|
+|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
|
+|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
|
+|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
|
+|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
|
+|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
|
+|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
|
+|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
|
+|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
|
+|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
|
+|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
|
+|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
|
+|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
|
+|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
|
+|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
|
+|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
|
+|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
|
+|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
|
+|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
|
+|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
|
+|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
|
+|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
|
+|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
|
+|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
|
+|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
|
+|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
|
+|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
|
+|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
|
+|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
|
+|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
|
+|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
|
+|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
|
+|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
|
+|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
|
+|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
|
+|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
|
+|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
|
+|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
|
+|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
|
+|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
|
+|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
|
+|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
|
+|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
|
+|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
|
+|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
|
+|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
|
+|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
|
+|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
|
+|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
|
+|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
|
+|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
|
+|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
|
+|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
|
+|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
|
+|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
|
+|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
|
+|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
|
+|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| |Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| |Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| |Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| |Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| |S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| |DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| |Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| |Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| |EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| |IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| |S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| |DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| |VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| |EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| |DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| |CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| |CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| |Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| |Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| |Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| |Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| |Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| |User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| |User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| |IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| |Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| |IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| |Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| |SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| |DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| |SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| |Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| |ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| |ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| |Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| |Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| |API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| |MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| |VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| |ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| |CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| |Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| |ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| |CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| |CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| |IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| |IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| |ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| |Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| |EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| |CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| |CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| |Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| |SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| |App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| |Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| |Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| |SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| |MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| |Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| |SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| |PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| @@ -5317,247 +4917,610 @@ This page contains all queries. |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| |SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| |Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| |Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| |Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| |Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| |WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| |Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| |Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| |PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| |PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| |PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| |MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| |Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| |App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| |App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| |Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| |App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| |Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| |GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| |BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| |VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| |OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| |SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| |Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| |GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| |Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| |IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| |Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| |IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| |Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| |Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| |Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| |Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| |Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| |Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| |Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| |Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| |Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| |High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| |User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
|
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index 669ed31088b..7a5b6325ca3 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -62,6 +62,46 @@ Bellow are listed queries related with Ansible SHARED (V2/V3):
 |Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| |Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| |Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
|
 ### AWS Bellow are listed queries related with Ansible AWS:
@@ -201,6 +241,136 @@ Bellow are listed queries related with Ansible AWS:
 |CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
|
 ### GCP
 Bellow are listed queries related with Ansible GCP:
@@ -279,3 +449,52 @@ Bellow are listed queries related with Ansible HOSTS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
|
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
index 6f2f71ad094..6a22c3b1ccc 100644
--- a/docs/queries/azureresourcemanager-queries.md
+++ b/docs/queries/azureresourcemanager-queries.md
@@ -45,3 +45,46 @@ This page contains all queries from AzureResourceManager.
 |SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| |Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index f152c9d4fec..a973d466a8e 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -1,6 +1,26 @@
 ## CloudFormation Queries List
 This page contains all queries from CloudFormation.
+### AWS_BOM
+Bellow are listed queries related with CloudFormation AWS_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| + ### AWS Bellow are listed queries related with CloudFormation AWS:
@@ -284,6 +304,256 @@ Bellow are listed queries related with CloudFormation AWS_BOM: |BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted.|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| +|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| ### AWS_SAM Bellow are listed queries related with CloudFormation AWS_SAM: @@ -302,3 +572,13 @@ Bellow are listed queries related with CloudFormation AWS_SAM: |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
|
diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md
index a38dfb8cbbc..bb00182a92f 100644
--- a/docs/queries/crossplane-queries.md
+++ b/docs/queries/crossplane-queries.md
@@ -10,6 +10,8 @@ Bellow are listed queries related with Crossplane AZURE:
 |------------------------------|--------|--------|-----------|----|
 |AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| |Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| ### AWS Bellow are listed queries related with Crossplane AWS: @@ -31,6 +33,17 @@ Bellow are listed queries related with Crossplane AWS: |CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| |CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| ### GCP Bellow are listed queries related with Crossplane GCP: @@ -41,3 +54,5 @@ Bellow are listed queries related with Crossplane GCP: |------------------------------|--------|--------|-----------|----| |Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md
index 207d92a26c0..90e095e75b7 100644
--- a/docs/queries/dockercompose-queries.md
+++ b/docs/queries/dockercompose-queries.md
@@ -24,3 +24,25 @@ This page contains all queries from DockerCompose.
 |Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| |Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index b898263a992..307273d5f87 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -52,3 +52,56 @@ This page contains all queries from Dockerfile. |Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| |APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md index 26a1cea5edc..a0fb8fc60e4 100644 --- a/docs/queries/googledeploymentmanager-queries.md +++ b/docs/queries/googledeploymentmanager-queries.md @@ -6,6 +6,57 @@ Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| + +### GCP +Bellow are listed queries related with GoogleDeploymentManager GCP: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| + +### GCP_BOM +Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: + + + | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md index b40f8a2f217..52d4693f6b6 100644 --- a/docs/queries/kubernetes-queries.md +++ b/docs/queries/kubernetes-queries.md @@ -149,3 +149,155 @@ This page contains all queries from Kubernetes. |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| |Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
|
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md
index 63f16d2f8ec..cc2deeec71d 100644
--- a/docs/queries/openapi-queries.md
+++ b/docs/queries/openapi-queries.md
@@ -1,6 +1,228 @@
 ## OpenAPI Queries List
 This page contains all queries from OpenAPI.
+### 3.0
+Bellow are listed queries related with OpenAPI 3.0:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
|
+|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
|
+|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
|
+|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
|
+|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
|
+|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
|
+|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
|
+|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined|Documentation
|
+|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
|
+|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
|
+|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
|
+|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network|Documentation
|
+|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
|
+|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
|
+|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
|
+|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
|
+|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
|
+|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
|
+|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
|
+|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
|
+|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
|
+|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
|
+|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
|
+|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
|
+|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
|
+|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
|
+|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
|
+|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field|Documentation
|
+|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
|
+|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
|
+|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
|
+|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
|
+|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
|
+|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
|
+|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
|
+|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
|
+|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
|
+|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
|
+|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
|
+|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
|
+|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
|
+|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
|
+|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
|
+|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
|
+|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
|
+|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field|Documentation
|
+|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
|
+|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
|
+|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
|
+|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
|
+|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
|
+|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
|
+|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
|
+|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
|
+|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field|Documentation
|
+|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
|
+|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
|
+|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
|
+|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field|Documentation
|
+|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
|
+|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty|Documentation
|
+|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
|
+
+### 2.0
+Bellow are listed queries related with OpenAPI 2.0:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty|Documentation
|
+|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
|
+|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
|
+|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
|
+|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
|
+|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
|
+|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
|
+|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
|
+|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
|
+|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
|
+|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
|
+|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
|
+|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
|
+|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
|
+|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
|
+|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication|Documentation
|
+|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
|
+|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow|Documentation
|
+|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
|
+|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
|
+|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use|Documentation
|
+|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
|
+|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use|Documentation
|
+|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
|
+|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
|
+|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use|Documentation
|
+|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
|
+|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
|
+|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
|
+|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
|
+|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
|
+|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
|
+|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
|
+|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
|
+|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
|
+|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
|
+|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
|
+|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
|
+|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
|
+|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
|
+|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
|
+|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
|
+|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
|
+|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
|
+|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
|
+|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
|
+
+### 3.0
+Bellow are listed queries related with OpenAPI 3.0:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
|
+|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
|
+|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
|
+|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
|
+|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
|
+|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
|
+|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
|
+|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
|
+|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
|
+|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
|
+|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
|
+|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
|
+|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
|
+|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
|
+|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
|
+|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
|
+|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
|
+|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined|Documentation
|
+|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
|
+|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
|
+|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network|Documentation
|
+|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
|
+|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
|
+|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
|
+|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
|
+|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
|
+|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
|
+|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
|
+|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
|
+|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
|
+|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
|
+|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
|
+|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
|
+|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
|
+|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
|
+|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
|
+|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
|
+|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
|
+|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
|
+|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| + ### SHARED (V2/V3) Bellow are listed queries related with OpenAPI SHARED (V2/V3):
@@ -68,6 +290,66 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3):
 |Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| |Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
|
@@ -295,3 +577,88 @@ Bellow are listed queries related with OpenAPI 3.0:
 |Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| |Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| |Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
|
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index b4cdc0a3f3b..8b108096547
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -33,6 +33,8 @@ Bellow are listed queries related with Pulumi AWS:
 |DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
|
 ### KUBERNETES
 Bellow are listed queries related with Pulumi KUBERNETES:
@@ -43,6 +45,26 @@ Bellow are listed queries related with Pulumi KUBERNETES:
 |------------------------------|--------|--------|-----------|----|
 |PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
|
+
+### AWS
+Bellow are listed queries related with Pulumi AWS:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| ### GCP Bellow are listed queries related with Pulumi GCP: @@ -53,3 +75,5 @@ Bellow are listed queries related with Pulumi GCP: |------------------------------|--------|--------|-----------|----| |Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md
index 101bf95371c..b56ea3adcef
--- a/docs/queries/serverlessfw-queries.md
+++ b/docs/queries/serverlessfw-queries.md
@@ -13,3 +13,13 @@ This page contains all queries from ServerlessFW.
 |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index c59a3843fb2..b8f1803d18e
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -105,6 +105,103 @@ Bellow are listed queries related with Terraform AZURE:
 ### SHARED (V2/V3)
 Bellow are listed queries related with Terraform SHARED (V2/V3):
+|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| + +### GITHUB +Bellow are listed queries related with Terraform GITHUB: @@ -112,7 +209,6 @@ Bellow are listed queries related with Terraform SHARED (V2/V3): |------------------------------|--------|--------|-----------|----| |Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| |Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| |Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| |Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| @@ -459,9 +555,61 @@ Bellow are listed queries related with Terraform AWS: |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| |RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes'|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes'|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| ### AWS_BOM -Bellow are listed queries related with Terraform AWS_BOM: @@ -478,6 +626,17 @@ Bellow are listed queries related with Terraform AWS_BOM: |BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| ### ALICLOUD Bellow are listed queries related with Terraform ALICLOUD: @@ -627,705 +786,634 @@ Bellow are listed queries related with Terraform KUBERNETES: |CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| |Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
|
-### GITHUB
-Bellow are listed queries related with Terraform GITHUB:
+### KUBERNETES
+Bellow are listed queries related with Terraform KUBERNETES:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
|
-
-### GCP
-Bellow are listed queries related with Terraform GCP:
-|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
|
-### AWS_BOM
-Below are listed queries related with Terraform AWS_BOM:
+### AWS
+Bellow are listed queries related with Terraform AWS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
|
-
-### GCP
-Below are listed queries related with Terraform GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
|
-
-### AZURE
-Below are listed queries related with Terraform AZURE:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
|
-### KUBERNETES
-Bellow are listed queries related with Terraform KUBERNETES:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| -|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Medium|Availability|Liveness Probe must be defined|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be specified|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be specified|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|Check if the StatefulSet have a headless 'serviceName'|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
|
-### AWS
-Bellow are listed queries related with Terraform AWS:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| -|S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| |S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|Base64 Shell Script must be encoded|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| |ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| |AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| |Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
| |Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| |DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| |Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| |API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| |Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| |DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Lambda Function With Privileged role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| -|HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| |Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| |RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| |KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| |CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| |IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| |Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| |User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| |Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| |Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|RDS configured without backup|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| |ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| |Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157|Medium|Encryption|ECR (Elastic Container Registry) Repository encryption should be set|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| |Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| |ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| |SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| |Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| |DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| -|API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| |Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| |Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| |AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| |SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|RDS does not have any kind of logger|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| |CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| |CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|X-ray Tracing is not enabled|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| |ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Low|Observability|S3 bucket without logging|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| |Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| |CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| |CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| -|Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components|Documentation
| -|Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| |DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| -|ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Info|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| |RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| + +### GCP_BOM +Bellow are listed queries related with Terraform GCP_BOM: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| + +### GCP +Bellow are listed queries related with Terraform GCP: +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| + ### AWS_BOM -Bellow are listed queries related with Terraform AWS_BOM: +Below are listed queries related with Terraform AWS_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| |BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| |BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -### ALICLOUD -Bellow are listed queries related with Terraform ALICLOUD: +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| + +### GCP +Bellow are listed queries related with Terraform GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|High|Encryption|Disks should have encryption enabled|Documentation
| -|RDS Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| + ### SHARED (V2/V3) Bellow are listed queries related with Terraform SHARED (V2/V3): @@ -1333,8 +1421,8 @@ Bellow are listed queries related with Terraform SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
| |Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
| |Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| |Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description.|Documentation
| |Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description.|Documentation
| From bd1d6e80479fc991d916173932596f7dda02476b Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 14 Mar 2023 10:05:07 +0000 Subject: [PATCH 223/379] docs(queries): update queries catalog --- docs/queries/all-queries.md | 4664 ++++------------- docs/queries/ansible-queries.md | 221 +- docs/queries/azureresourcemanager-queries.md | 21 +- docs/queries/cloudformation-queries.md | 316 +- docs/queries/crossplane-queries.md | 13 +- docs/queries/dockercompose-queries.md | 17 +- docs/queries/dockerfile-queries.md | 42 +- .../googledeploymentmanager-queries.md | 33 +- docs/queries/kubernetes-queries.md | 137 +- docs/queries/openapi-queries.md | 311 +- docs/queries/pulumi-queries.md | 14 +- docs/queries/serverlessfw-queries.md | 2 +- docs/queries/terraform-queries.md | 665 ++- 13 files changed, 2064 insertions(+), 4392 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index f89f623fe7d..b7ef7971fd6 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -1527,4000 +1527,1178 @@ This page contains all queries. |Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| |MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| |VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| |SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| |Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| |Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| |WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| |PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| |PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| |Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| |Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| |PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| |S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| |User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| |AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| |ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| |EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| |S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| +|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| |ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| |API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| |SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|SQS policy with public access|Documentation
| |ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| |S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| |Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| |Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| |CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|RDS configured without backup|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS Encryption should be enabled|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| |CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| |IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If SSEAlgorithm is AES256, KMSMasterKeyID must be null, empty or undefined; otherwise (aws:kms) a KMSMasterKeyID is required|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that possess Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure the Amazon EKS Node group does not have implicit SSH access|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups should not allow 0.0.0.0/0 for RDP (port 3389)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups should not allow 0.0.0.0/0 for all ports and protocols.|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|A Lambda function is allowed to be invoked through a public API Gateway|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction, since NotAction matches every action except the ones listed, so the set of permitted actions is not explicitly bounded|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromised credentials|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if an S3 Bucket is referenced by name from a Bucket Policy; if it is, the S3 Bucket has a Bucket Policy associated|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem file|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|High|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Kubernetes|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|Medium|Build Process|Limit capabilities for a Pod Security Policy|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Pod or Container should have a ResourceQuota associated|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Pod or Container should have a LimitRange associated|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Info|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| |Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| |Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| |Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| |Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| |Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should be enabled|Documentation
| |Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| |Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| +|S3 Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: type/subtype[+suffix][;parameters]|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as an object instead of a boolean, since Swagger 2.0 does not support a boolean value for it|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|Operation Object Parameters With 'body' And 'formData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formData' locations, since they are mutually exclusive in Swagger 2.0|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over an unencrypted channel should not be accepted for the operation|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over the network|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over the network|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using a scope on the security field of an operation that is undefined on 'securityScheme' leaves it unspecified, so it could be defined by an attacker|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|OAuth 1.0 is deprecated; OAuth2 should be used instead|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using a scope on the global security field that is undefined on 'securityScheme' leaves it unspecified, so it could be defined by an attacker|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: type/subtype[+suffix][;parameters]|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"style": "simple", "explode": false}, {"style": "simple", "explode": true}, {"style": "spaceDelimited", "explode": false}, {"style": "pipeDelimited", "explode": false}, and {"style": "deepObject", "explode": true}|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/requestBodies'|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All operations should define a security requirement; if it is omitted on an operation, the global security field should be defined so the operation is not exposed without authentication|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All operations should define a security requirement; if it is omitted on an operation, the global security field should be defined so the operation is not exposed without authentication|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|The security object needs to have rules defined in its array, and those rules should be defined on securityScheme; an empty array disables authentication for the whole API|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|The security object needs to have rules defined in its array, and those rules should be defined on securityScheme; an empty array disables authentication for the whole API|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|The global security field should be defined to prevent the API from having insecure paths, and its rules should be defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|The global security field should be defined to prevent the API from having insecure paths, and its rules should be defined on securitySchemes (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|The security object needs to have rules defined in its array, and those rules should be defined on securityScheme; an empty array disables authentication for the whole API|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|The security object needs to have rules defined in its array, and those rules should be defined on securityScheme; an empty array disables authentication for the whole API (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|The security object for an operation should not be an empty object or contain any empty object definition, since an empty requirement makes the operation accessible without authentication|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|The security object for an operation should not be an empty object or contain any empty object definition, since an empty requirement makes the operation accessible without authentication (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All operations should define a security requirement; if it is omitted on an operation, the global security field should be defined so the operation is not exposed without authentication|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All operations should define a security requirement; if it is omitted on an operation, the global security field should be defined so the operation is not exposed without authentication (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If the operation is HEAD, or the response code is 204 or 304, the response should not have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -<<<<<<< HEAD -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -======= -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| ->>>>>>> 5a6bfb88e (docs(queries): update queries catalog) -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SSL enabled|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'management' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.security_context.sysctl' must not contain unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime.|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set: without a limit, a container is only guaranteed the CPU it requests, but it may consume any free CPU time on the node, starving other workloads|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|kubernetes_role and kubernetes_cluster_role, when bound to a service account, should not grant the get, list or watch verbs on secrets|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Checks whether the Docker daemon socket is exposed to containers|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Checks that containers drop capabilities in their security context to reduce their privileges|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks on the queue|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 instances should not share the same role.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not contain a wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check that the IAM account password policy has password reuse prevention configured to remember the last 24 passwords|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check that AWS Organizations has all features enabled, which is required to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check that MQ Brokers are not publicly accessible|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|An IAM User should not have more than one access key, since additional keys increase the risk of unauthorized access and compromised credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use an RSA key with a length equal to or higher than 256 bytes (i.e. 2048 bits)|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint should be set to false|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in the default VPC|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help with error investigation|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|S3 bucket server-side encryption should be configured consistently: if the algorithm is AES256, the master key must be null, empty or undefined; otherwise a master key is required|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check whether Memcached is disabled on ElastiCache|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use an RSA key with a length equal to or higher than 256 bytes (2048 bits)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch Log Groups should have a retention period specified so that log events are kept available to monitor, store, and access|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for API Gateway APIs are not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port. Note that a non-default port is only a defense-in-depth measure and does not replace restricting network access to the cluster|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433. A non-default port is only a defense-in-depth measure and does not replace restricting network access to the instance|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has been tampered with|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SSL enabled|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty. Note that this conflicts with the 'GKE Basic Authentication Enabled' query above, which requires those same fields to be empty; the two checks cannot both pass on one cluster|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies that a Google Project IAM Member Service Account doesn't have an Account User or Token Creator role associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query checks whether a Google Compute SSL Policy allows weak cipher suites; the minimum TLS version must be TLS_1_2, because older versions allow weak ciphers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS (COS)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from influencing other pods on the node, harming the node's health, or gaining CPU or memory resources outside of its resource limits. This means 'spec.security_context.sysctl' must not contain any unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full (unmasked) access to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime.|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set, because requests only guarantee a minimum: a container without limits can consume all free CPU time on the node|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role, when bound to a service account, should not use get, list or watch as verbs on secrets|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Checks that the Docker daemon socket is not exposed to containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with an AppArmor profile to reduce the application's potential attack surface|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Checks that containers drop capabilities in their security context|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go; permissions should instead be granted gradually as necessary.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policies should not allow full administrative privileges (for all resources)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| +|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|High|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|Medium|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Configurations|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Insecure Configurations|VM Instance should block project-wide SSH keys|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to true|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| |Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| |Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| |App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| |Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| |VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| |SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| |MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| |MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Networking and Firewall|Azure App Service client certificate should be enabled|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| |PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| |Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| |MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces must not be exposed with a public IP address|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| |WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| |Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| |SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| |PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| |Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| |MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| |PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| |Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| |Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| |Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| |Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|Low|Networking and Firewall|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Low|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| |Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| |Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| |PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| +|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|Terraform|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| |Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| |Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| |Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Medium|Availability|Liveness Probe must be defined|Documentation
| |Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| |Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| |NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| |PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| |Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| |Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| |Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| |Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| |CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| |CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be specified|Documentation
| |Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| |Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| |Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| |StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|Check if the StatefulSet have a headless 'serviceName'|Documentation
| |Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| |No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| |StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| |Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| |Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| |Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| |Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| |Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| +|S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|Terraform|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| |S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Base64 Shell Script must be encoded|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| |ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| |Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| |Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| |Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| |Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| |DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| |Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| |IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| |API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| |S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| |DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|Lambda Function With Privileged role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| +|HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| |Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| |EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| |ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| |Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| |CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| |CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| |API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| |SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|SQS policy with public access|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| |ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| |REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| |Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| |Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|RDS configured without backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| |RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| |Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Medium|Encryption|ECR (Elastic Container Registry) Repository encryption should be set|Documentation
| |Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| |ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| |SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| |AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| |DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| +|API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| |MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| |API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| |AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| |CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| |API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| |Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|RDS does not have any kind of logger|Documentation
| |MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|X-ray Tracing is not enabled|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| |IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Terraform|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| |EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Low|Observability|S3 bucket without logging|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| |Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| |CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components|Documentation
| +|Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| |DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| +|ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Info|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|High|Encryption|Disks should have encryption enabled|Documentation
| +|RDS Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| |Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| |Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| |Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| |Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
|
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index 7a5b6325ca3..163483e43f6 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -245,129 +245,132 @@ Bellow are listed queries related with Ansible AWS:
 |IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| |S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| |Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| |DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| |ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| |IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| |Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| |Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| |Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| |Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| |API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| |IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| |SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| |Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| |CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy|Documentation
| |IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| |EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted|Documentation
| |SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| |Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| |SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| |Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| |CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| |Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| |Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| |CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
|
@@ -455,46 +458,94 @@ Bellow are listed queries related with Ansible HOSTS: |SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| |SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| |Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| |SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| |Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| |IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| |Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| |Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| |Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| |Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| |Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| |Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| |Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| |Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| |Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| |PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| |PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| |Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
|
+
+### AZURE
+Bellow are listed queries related with Ansible AZURE:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
|
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
index 6a22c3b1ccc..246ca7bf71a 100644
--- a/docs/queries/azureresourcemanager-queries.md
+++ b/docs/queries/azureresourcemanager-queries.md
@@ -46,36 +46,35 @@ This page contains all queries from AzureResourceManager. |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| |Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| |Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| |Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| |Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| |Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| |Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| |Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| |Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| |MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| |PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| |Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| |AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| |Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| |SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| |AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| |PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| |PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| |Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| |SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| |Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| |Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| |SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| |AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| |Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
|
@@ -85,6 +84,6 @@ This page contains all queries from AzureResourceManager.
 |Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| |Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| |App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| |Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index a973d466a8e..44c39240be6 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -8,18 +8,18 @@ Bellow are listed queries related with CloudFormation AWS_BOM:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| |BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| |BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| |BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| |BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| |BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| ### AWS Bellow are listed queries related with CloudFormation AWS: @@ -308,252 +308,254 @@ Bellow are listed queries related with CloudFormation AWS_BOM: |IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| |S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| |S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| |SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| |MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy|Documentation
| |ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| |CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| |Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| |API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| |IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted.|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| |S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| |DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| |ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| |DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| |Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| |ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| |Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| |SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| |SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| |S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| |CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| |EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| |ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols|Documentation
| |Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| |Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| |Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted|Documentation
| |Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted|Documentation
| |API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| |IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| |ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| |MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| |Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| |Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| |API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| |Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| |Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| |TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| |Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| |CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| |API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| |Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| |Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| |DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| |Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| |EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| |Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| |Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| |ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| |Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| |EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| |Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| |Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
 |
 ### AWS_SAM
 Bellow are listed queries related with CloudFormation AWS_SAM:
@@ -577,8 +579,8 @@ Bellow are listed queries related with CloudFormation AWS_SAM:
 |Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| |Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| |Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| |Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
 |
diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md
index bb00182a92f..4f18a1e2a67 100644
--- a/docs/queries/crossplane-queries.md
+++ b/docs/queries/crossplane-queries.md
@@ -35,8 +35,9 @@ Bellow are listed queries related with Crossplane AWS:
 |DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| |DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| |DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| |Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
 |
@@ -56,3 +57,13 @@ Bellow are listed queries related with Crossplane GCP:
 |Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| |Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| |Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
+
+### AZURE
+Bellow are listed queries related with Crossplane AZURE:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
|
diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md
index 90e095e75b7..96a197c5eb5 100644
--- a/docs/queries/dockercompose-queries.md
+++ b/docs/queries/dockercompose-queries.md
@@ -25,7 +25,6 @@ This page contains all queries from DockerCompose.
 |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| |Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| |Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| |Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| |Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| |Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
|
@@ -33,16 +32,16 @@ This page contains all queries from DockerCompose.
 |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| |Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| |Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| |Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| |Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| |Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
|
diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md
index 307273d5f87..45cdbc15f7c 100644
--- a/docs/queries/dockerfile-queries.md
+++ b/docs/queries/dockerfile-queries.md
@@ -53,47 +53,43 @@ This page contains all queries from Dockerfile.
 |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| |APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| |Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| |Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| |Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| |Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| |Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| |RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| |Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| |Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| |Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| |Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| |Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| |Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| |Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| |Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| |Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| |Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| |Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| |Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| |Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
|
@@ -101,7 +97,7 @@ This page contains all queries from Dockerfile.
 |Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| |Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| |Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
|
diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md
index a0fb8fc60e4..1520ccc7f16 100644
--- a/docs/queries/googledeploymentmanager-queries.md
+++ b/docs/queries/googledeploymentmanager-queries.md
@@ -1,17 +1,6 @@
 ## GoogleDeploymentManager Queries List
 This page contains all queries from GoogleDeploymentManager.
-### GCP_BOM
-Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
|
-
 ### GCP
 Bellow are listed queries related with GoogleDeploymentManager GCP:
@@ -19,33 +8,33 @@ Bellow are listed queries related with GoogleDeploymentManager GCP:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| |SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| |Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| |Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| |IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| |Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| |Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| |Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| |Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| |Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| |Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| |OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| |COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| |IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| 
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index 52d4693f6b6..ca861b46cbb 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -151,152 +151,147 @@ This page contains all queries from Kubernetes.
 |Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| |Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| |Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| |Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| |Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| |Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| |RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| |Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| |Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| |Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| |PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| |Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| |Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| |Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| |Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| |Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| |Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| |Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| |PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| |Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| |Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| |RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| |Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| |Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| |Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| |Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| |Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| |Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| |Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| |Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| |Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| |Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| |PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| |PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| |Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| |Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| |Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| |Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| |Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| |Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| |CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| |Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| |Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| |Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| |Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| |Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| |Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| |Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| |Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| |Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| |Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| |Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| |Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| |Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| |StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| |HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| |Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| |Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| |Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| |Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod|Documentation
| |Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| |Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| |Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| |Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| |Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| |StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| |CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| |Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
|
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md
index cc2deeec71d..2126991ab53 100644
--- a/docs/queries/openapi-queries.md
+++ b/docs/queries/openapi-queries.md
@@ -94,134 +94,51 @@ Bellow are listed queries related with OpenAPI 2.0:
 |------------------------------|--------|--------|-----------|----|
 |Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| |Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| |Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| |Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| |Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| |Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| |Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| |Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| |Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| |Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| |Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| |Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| |Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use|Documentation
| |Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use|Documentation
| |Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use|Documentation
| |Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| |Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| |Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| |Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| |Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| |BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| |Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| |Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
|
-
-### 3.0
-Bellow are listed queries related with OpenAPI 3.0:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
|
 ### SHARED (V2/V3)
 Bellow are listed queries related with OpenAPI SHARED (V2/V3):
@@ -292,64 +209,64 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3):
 |Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| |No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| |No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| |Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| |Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| |Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| |Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| |Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| |API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| |String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| |String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| |Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| |Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| |Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| |Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| |Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| |Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| |Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| |Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| |Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| @@ -578,87 +495,87 @@ Bellow are listed queries related with OpenAPI 3.0: |Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| |Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL|Documentation
| |Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| |Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| |Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| |Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| |Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| |Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| |JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| |JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| |Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| |Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| |Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| |Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| |Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| |Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| |Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| |Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| |Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| |Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| |Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| |Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| |Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| |Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| |Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| |Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| |Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| |Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| |Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| |Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
|
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index 8b108096547..68ad2af1863 100644
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -57,13 +57,13 @@ Bellow are listed queries related with Pulumi AWS:
 |------------------------------|--------|--------|-----------|----|
 |ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| |ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| |IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| |DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| |API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| |API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| |EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
|
 ### GCP
@@ -77,3 +77,13 @@ Bellow are listed queries related with Pulumi GCP:
 |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| |Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
+
+### AZURE
+Bellow are listed queries related with Pulumi AZURE:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
|
diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md
index b56ea3adcef..0c66cf5f337 100644
--- a/docs/queries/serverlessfw-queries.md
+++ b/docs/queries/serverlessfw-queries.md
@@ -19,7 +19,7 @@ This page contains all queries from ServerlessFW.
 |Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| |Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| |Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| |Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| |Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index b8f1803d18e..c04f224f07a 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -1,8 +1,8 @@
 ## Terraform Queries List
 This page contains all queries from Terraform.
-### AZURE
-Bellow are listed queries related with Terraform AZURE:
+### AWS_BOM
+Bellow are listed queries related with Terraform AWS_BOM:
@@ -199,9 +199,432 @@ Bellow are listed queries related with Terraform SHARED (V2/V3):
 |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
|
+
+### KUBERNETES
+Bellow are listed queries related with Terraform KUBERNETES:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
|
+
+### AWS
+Bellow are listed queries related with Terraform AWS:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
|
-### GITHUB
-Bellow are listed queries related with Terraform GITHUB:
+### GCP
+Bellow are listed queries related with Terraform GCP:
@@ -564,6 +987,7 @@ Bellow are listed queries related with Terraform AWS:
 |DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| |KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| |Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| +|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| |SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| |Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| @@ -610,6 +1034,8 @@ Bellow are listed queries related with Terraform AWS: |Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| ### AWS_BOM +### SHARED (V2/V3) +Bellow are listed queries related with Terraform SHARED (V2/V3): @@ -637,9 +1063,14 @@ Bellow are listed queries related with Terraform AWS: |BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| |BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| |BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description.|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -### ALICLOUD -Bellow are listed queries related with Terraform ALICLOUD: +### AZURE +Bellow are listed queries related with Terraform AZURE: @@ -1254,6 +1685,100 @@ Bellow are listed queries related with Terraform AWS: |RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| ### GCP_BOM Bellow are listed queries related with Terraform GCP_BOM: @@ -1271,11 +1796,11 @@ Bellow are listed queries related with Terraform GCP: |BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| |BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| |BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| |BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| |BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| |BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| |BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| ### AWS_BOM @@ -1353,76 +1878,76 @@ Below are listed queries related with Terraform AWS_BOM: ### GCP Bellow are listed queries related with Terraform GCP: +### ALICLOUD +Bellow are listed queries related with Terraform ALICLOUD: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -### SHARED (V2/V3) -Bellow are listed queries related with Terraform SHARED (V2/V3): +### GITHUB +Bellow are listed queries related with Terraform GITHUB: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description.|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| From 20d1fd9046c89131b5a9892d7d2b78787c98ef5b Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Tue, 3 Oct 2023 20:37:46 +0200 Subject: [PATCH 224/379] docs: add databricks logo --- README.md | 2 +- docs/index.md | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8a496f15626..42dad30c051 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur Databricks    #### Beta Features -Soon... +Databricks    ## Getting Started diff --git a/docs/index.md b/docs/index.md index ceb46663888..8458bc0a41a 100644 --- a/docs/index.md +++ b/docs/index.md @@ -82,7 +82,9 @@ KICS scans and detects issues in following Infrastructure as Code solutions: #### Beta Features -Soon... +
+ Databricks    +
## Getting Started
From 621893a915a2474e3f1510f5809406b60ec22b3c Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Wed, 4 Oct 2023 13:51:08 +0200 Subject: [PATCH 225/379] test: add databricks queriesPaths --- test/main_test.go | 1 + 1 file changed, 1 insertion(+)
diff --git a/test/main_test.go b/test/main_test.go
index 812c2096f22..99040ffacb9 100644
--- a/test/main_test.go
+++ b/test/main_test.go
@@ -33,6 +33,7 @@ var (
 "../assets/queries/terraform/aws_bom": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 "../assets/queries/terraform/aws": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 "../assets/queries/terraform/azure": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/databricks": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 "../assets/queries/terraform/gcp": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 "../assets/queries/terraform/gcp_bom": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 "../assets/queries/terraform/github": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
From d64ece7c33d54ec9b83a4eb9ed0823203616d22a Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Fri, 20 Oct 2023 13:54:26 +0200 Subject: [PATCH 226/379] fix: update descriptionID --- .../terraform/databricks/use_spark_submit_task/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
index 02a0beb0480..55678909945 100644
--- a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
+++ b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
@@ -5,7 +5,7 @@
 "category": "Best Practices",
 "descriptionText": "Job's Task Is spark_submit_task",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/job#spark_submit_task-configuration-block",
- "descriptionID": "fdaa059f",
+ "descriptionID": "fcfdfbd3",
 "platform": "Terraform",
 "cloudProvider": "common"
 }
From f41b060617222d1402da82168fea199a4058f471 Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Wed, 8 Nov 2023 10:08:56 +0100
Subject: [PATCH 227/379] fix rebase
---
 docs/queries/all-queries.md | 943 ------------
 docs/queries/ansible-queries.md | 270 ----
 docs/queries/azureresourcemanager-queries.md | 42 -
 docs/queries/cloudformation-queries.md | 282 ----
 docs/queries/crossplane-queries.md | 26 -
 docs/queries/dockercompose-queries.md | 21 -
 docs/queries/dockerfile-queries.md | 49 -
 .../googledeploymentmanager-queries.md | 40 -
 docs/queries/kubernetes-queries.md | 147 --
 docs/queries/openapi-queries.md | 284 ----
 docs/queries/pulumi-queries.md | 34 -
 docs/queries/serverlessfw-queries.md | 10 -
 docs/queries/terraform-queries.md | 1268 +----------------
 13 files changed, 8 insertions(+), 3408 deletions(-)
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index b7ef7971fd6..e77f2917cf3 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -1473,949 +1473,6 @@ This page contains all queries.
 |Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| |Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|SQL DB Instance Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Ansible|High|Encryption|Check if any KMS rotation period surpasses 365 days.|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|High|Resource Management|The node image should be Container-Optimized OS(COS)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Encryption|Make sure Encryption keys changes after 90 days|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Configurations|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access.|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to yes|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| -|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| -|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|SQS policy with public access|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|RDS configured without backup|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS Encryption should be enabled|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem file|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|High|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Kubernetes|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|Medium|Build Process|Limit capabilities for a Pod Security Policy|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Pod or Container should have a ResourceQuota associated|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Pod or Container should have a LimitRange associated|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Info|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should be enabled|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|S3 Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|High|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|Medium|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Configurations|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Insecure Configurations|VM Instance should block project-wide SSH keys|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to true|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Networking and Firewall|Azure App Service client certificate should be enabled|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces must not be exposed with a public IP address|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|Low|Networking and Firewall|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Low|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| -|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|Terraform|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Medium|Availability|Liveness Probe must be defined|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be specified|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be specified|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|Check if the StatefulSet have a headless 'serviceName'|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| -|S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|Terraform|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Base64 Shell Script must be encoded|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Lambda Function With Privileged role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| -|HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|IAM Access Analyzer Undefined
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Medium|Access Control|IAM Access Analyzer should be defined to identify unintentional access|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|SQS policy with public access|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|RDS configured without backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Medium|Encryption|ECR (Elastic Container Registry) Repository encryption should be set|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| -|API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|RDS does not have any kind of logger|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|X-ray Tracing is not enabled|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Terraform|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Low|Observability|S3 bucket without logging|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components|Documentation
| -|Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Info|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|High|Encryption|Disks should have encryption enabled|Documentation
| -|RDS Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| |Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| |Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index 163483e43f6..669ed31088b 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -62,46 +62,6 @@ Bellow are listed queries related with Ansible SHARED (V2/V3): |Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| |Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| |Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| ### AWS Bellow are listed queries related with Ansible AWS: @@ -241,139 +201,6 @@ Bellow are listed queries related with Ansible AWS: |CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| ### GCP Bellow are listed queries related with Ansible GCP: @@ -452,100 +279,3 @@ Bellow are listed queries related with Ansible HOSTS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| - -### AZURE -Bellow are listed queries related with Ansible AZURE: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
|
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
index 246ca7bf71a..6f2f71ad094 100644
--- a/docs/queries/azureresourcemanager-queries.md
+++ b/docs/queries/azureresourcemanager-queries.md
@@ -45,45 +45,3 @@ This page contains all queries from AzureResourceManager.
 |SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| |Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index 44c39240be6..f152c9d4fec 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -1,26 +1,6 @@
 ## CloudFormation Queries List This page contains all queries from CloudFormation.
-### AWS_BOM Bellow are listed queries related with CloudFormation AWS_BOM: - - - -| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| - ### AWS Bellow are listed queries related with CloudFormation AWS:
@@ -304,258 +284,6 @@ Bellow are listed queries related with CloudFormation AWS_BOM:
 |BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted.|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| ### AWS_SAM Bellow are listed queries related with CloudFormation AWS_SAM: @@ -574,13 +302,3 @@ Bellow are listed queries related with CloudFormation AWS_SAM: |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md index 4f18a1e2a67..a38dfb8cbbc 100644 --- a/docs/queries/crossplane-queries.md +++ b/docs/queries/crossplane-queries.md @@ -10,8 +10,6 @@ Bellow are listed queries related with Crossplane AZURE: |------------------------------|--------|--------|-----------|----| |AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| |Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| ### AWS Bellow are listed queries related with Crossplane AWS: @@ -33,18 +31,6 @@ Bellow are listed queries related with Crossplane AWS: |CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| |CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| ### GCP Bellow are listed queries related with Crossplane GCP: @@ -55,15 +41,3 @@ Bellow are listed queries related with Crossplane GCP: |------------------------------|--------|--------|-----------|----| |Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| - -### AZURE -Bellow are listed queries related with Crossplane AZURE: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md index 96a197c5eb5..207d92a26c0 100644 --- a/docs/queries/dockercompose-queries.md +++ b/docs/queries/dockercompose-queries.md @@ -24,24 +24,3 @@ This page contains all queries from DockerCompose. |Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| |Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 45cdbc15f7c..b898263a992 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -52,52 +52,3 @@ This page contains all queries from Dockerfile. |Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| |APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
|
diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md
index 1520ccc7f16..26a1cea5edc 100644
--- a/docs/queries/googledeploymentmanager-queries.md
+++ b/docs/queries/googledeploymentmanager-queries.md
@@ -1,46 +1,6 @@
 ## GoogleDeploymentManager Queries List
 This page contains all queries from GoogleDeploymentManager.
-### GCP Bellow are listed queries related with GoogleDeploymentManager GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
|
-
 ### GCP_BOM
 Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index ca861b46cbb..b40f8a2f217 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -149,150 +149,3 @@ This page contains all queries from Kubernetes.
 |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| |Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
|
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md
index 2126991ab53..63f16d2f8ec 100644
--- a/docs/queries/openapi-queries.md
+++ b/docs/queries/openapi-queries.md
@@ -1,145 +1,6 @@
 ## OpenAPI Queries List This page contains all queries from OpenAPI.
-### 3.0
-Bellow are listed queries related with OpenAPI 3.0: - - - -| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| - -### 2.0 -Bellow are listed queries related with OpenAPI 2.0: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| - ### SHARED (V2/V3) Bellow are listed queries related with OpenAPI SHARED (V2/V3): @@ -207,66 +68,6 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3): |Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| |Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| @@ -494,88 +295,3 @@ Bellow are listed queries related with OpenAPI 3.0: |Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| |Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| |Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
|
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index 68ad2af1863..b4cdc0a3f3b 100644
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -33,8 +33,6 @@ Bellow are listed queries related with Pulumi AWS:
 |DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
|
 ### KUBERNETES
 Bellow are listed queries related with Pulumi KUBERNETES:
@@ -45,26 +43,6 @@ Bellow are listed queries related with Pulumi KUBERNETES:
 |------------------------------|--------|--------|-----------|----|
 |PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
|
-
-### AWS
-Bellow are listed queries related with Pulumi AWS:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
|
 ### GCP
 Bellow are listed queries related with Pulumi GCP:
@@ -75,15 +53,3 @@ Bellow are listed queries related with Pulumi GCP:
 |------------------------------|--------|--------|-----------|----|
 |Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
-
-### AZURE
-Bellow are listed queries related with Pulumi AZURE:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
|
diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md
index 0c66cf5f337..101bf95371c 100644
--- a/docs/queries/serverlessfw-queries.md
+++ b/docs/queries/serverlessfw-queries.md
@@ -13,13 +13,3 @@ This page contains all queries from ServerlessFW.
 |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index c04f224f07a..9f0bba8809e 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -1,8 +1,8 @@
 ## Terraform Queries List
 This page contains all queries from Terraform.
-### AWS_BOM
-Bellow are listed queries related with Terraform AWS_BOM:
+### AZURE
+Bellow are listed queries related with Terraform AZURE:
@@ -105,526 +105,6 @@ Bellow are listed queries related with Terraform AWS_BOM:
 ### SHARED (V2/V3)
 Bellow are listed queries related with Terraform SHARED (V2/V3):
-|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| - -### KUBERNETES -Bellow are listed queries related with Terraform KUBERNETES: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| - -### AWS -Bellow are listed queries related with Terraform AWS: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
|
-
-### GCP
-Bellow are listed queries related with Terraform GCP:
@@ -632,6 +112,7 @@ Bellow are listed queries related with Terraform GCP:
|------------------------------|--------|--------|-----------|----|
|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| |Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| |Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| |Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
|
@@ -978,64 +459,9 @@ Bellow are listed queries related with Terraform AWS:
|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| |RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes'|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes'|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
|
### AWS_BOM
-### SHARED (V2/V3)
-Bellow are listed queries related with Terraform SHARED (V2/V3):
+Bellow are listed queries related with Terraform AWS_BOM:
@@ -1052,25 +478,9 @@ Bellow are listed queries related with Terraform SHARED (V2/V3):
|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
|
-### AZURE
-Bellow are listed queries related with Terraform AZURE:
+### ALICLOUD
+Bellow are listed queries related with Terraform ALICLOUD:
@@ -1217,571 +627,9 @@ Bellow are listed queries related with Terraform KUBERNETES:
|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| |Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| - -### KUBERNETES -Bellow are listed queries related with Terraform KUBERNETES: - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| - -### AWS -Bellow are listed queries related with Terraform AWS: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enabled and accessible to all: 0.0.0.0/0|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root account usage|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' of the Lambda policy should not contain a wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Lambda function can be invoked through a public API Gateway endpoint; restrict the API Gateway to authorized callers|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 instances should not share the same IAM role.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| - -### GCP_BOM -Bellow are listed queries related with Terraform GCP_BOM: +### GITHUB +Bellow are listed queries related with Terraform GITHUB: @@ -1792,19 +640,6 @@ Bellow are listed queries related with Terraform GCP_BOM: ### GCP Bellow are listed queries related with Terraform GCP: -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| - -### AWS_BOM -Below are listed queries related with Terraform AWS_BOM: @@ -1864,90 +699,3 @@ Below are listed queries related with Terraform AWS_BOM: |User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| |Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| - -### GCP -Bellow are listed queries related with Terraform GCP: -### ALICLOUD -Bellow are listed queries related with Terraform ALICLOUD: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| - -### GITHUB -Bellow are listed queries related with Terraform GITHUB: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| 
From 6bf359ada076a9a9beb35c908b15c09002a47076 Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Wed, 8 Nov 2023 11:01:54 +0100
Subject: [PATCH 228/379] feat(databricks): add new TLS support
---
 .../terraform/databricks/use_lts_spark_version/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego
index 8798aa48cc6..4c3d22a2afb 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego
@@ -36,6 +36,6 @@ CxPolicy[result] {
 }
 
 isLtsVersion(version) {
- versions = {"3.0.1", "3.1.2", "3.2.1", "3.3.0"}
+ versions = {"3.0.1", "3.1.2", "3.2.1", "3.3.0", "3.3.2", "3.4.1"}
 version = versions[j]
 }
From dd017203264f9420f39b6dd9de4dbe29ed1db02c Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Wed, 8 Nov 2023 11:02:44 +0100
Subject: [PATCH 229/379] fix(databricks): improve not condition
---
 .../databricks/cluster_aws_attributes/query.rego | 8 ++++----
 .../databricks/cluster_azure_attributes/query.rego | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego
index c0a8a5df2e0..a2e41bb6a5c 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego
@@ -33,8 +33,8 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
- resource := input.document[i].resource.databricks_cluster[name]
- not resource.aws_attributes.first_on_demand
+ resource := input.document[i].resource.databricks_cluster[name].aws_attributes
+ not resource.first_on_demand
 
 result := {
 "documentId": input.document[i].id,
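Review bot: The commit subject says "add new TLS support" while the hunk only extends the LTS Spark version set in `isLtsVersion`, so "TLS" looks like a typo for "LTS" and the message should be corrected. The allow-list itself carries no provenance, which matters for a policy whose whole decision is a hard-coded set: the two new entries, as far as I can tell, match the Spark builds of Databricks Runtime 12.2 LTS and 13.3 LTS, but nothing in the file tells the next maintainer where the values come from or that the list goes stale as new LTS runtimes ship. I would add `# Spark versions shipped by Databricks Runtime LTS releases; extend when a new LTS is published` above the `versions` line. The `CxPolicy` rule that calls `isLtsVersion` is outside the hunk.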
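Review bot: Binding `resource` to `input.document[i].resource.databricks_cluster[name].aws_attributes` changes what this rule reports: a `databricks_cluster` with no `aws_attributes` block at all now leaves `resource` undefined, the body fails, and no result is produced, whereas the previous `not resource.aws_attributes.first_on_demand` flagged that cluster. If not reporting clusters that declare no AWS attributes is the intent (plausibly, so clusters on other clouds are not hit by this query), the rule should state it, e.g. `# clusters without an aws_attributes block are out of scope for this rule`, and a negative test containing a cluster with no `aws_attributes` block should pin that behaviour; otherwise the narrowing is a silent loss of coverage. The same point applies to the `zone_id` hunk of this file and to the `azure_attributes` hunk in `cluster_azure_attributes/query.rego`. The rest of the rule body (the `result` object) continues past the hunk.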
@@ -48,8 +48,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.databricks_cluster[name]
- not resource.aws_attributes.zone_id == "auto"
+ resource := input.document[i].resource.databricks_cluster[name].aws_attributes
+ not resource.zone_id == "auto"
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego
index ecbe2969822..29f8e7e43d4 100644
--- a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego
+++ b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego
@@ -33,8 +33,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.databricks_cluster[name]
- not resource.azure_attributes.first_on_demand
+ resource := input.document[i].resource.databricks_cluster[name].azure_attributes
+ not resource.first_on_demand
 result := {
 "documentId": input.document[i].id,
From 64d39a8d9b9dddae2c58938451c3b6c91887181f Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Wed, 8 Nov 2023 11:02:58 +0100
Subject: [PATCH 230/379] fix(databricks): improve UT
---
 .../databricks/autoscale_badly_setup/test/negative.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf b/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf
index e6b32fd300c..fd472dc5407 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/negative.tf
@@ -8,8 +8,8 @@ resource "databricks_cluster" "negative" {
 max_workers = 50
 }
 aws_attributes {
- availability = "SPOT"
- zone_id = "us-east-1"
+ availability = "SPOT_WITH_FALLBACK"
+ zone_id = "auto"
 first_on_demand = 1
 spot_bid_price_percent = 100
 }
From 68b3d894314359b3fa9a592f3ee412e2b5acf229 Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Wed, 8 Nov 2023 13:40:42 +0100
Subject: [PATCH 231/379] fix(databricks): update line error
---
 .../use_spark_submit_task/test/positive_expected_result.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json
index f115199fa4a..46aaf14647e 100644
--- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json
@@ -8,7 +8,7 @@
 {
 "queryName": "Job's Task is Legacy (spark_submit_task)",
 "severity": "MEDIUM",
- "line": 26,
+ "line": 36,
 "fileName": "positive2.tf"
 }
 ]
From c6e9b2b02f5512131466a7d10c060f5880b8ec72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Wed, 8 Nov 2023 12:45:25 +0000
Subject: [PATCH 232/379] fix e2e 004
---
 e2e/testcases/e2e-cli-004_invalid_combination.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e/testcases/e2e-cli-004_invalid_combination.go b/e2e/testcases/e2e-cli-004_invalid_combination.go
index 30abe89aa29..cdc6c3786ed 100644
--- a/e2e/testcases/e2e-cli-004_invalid_combination.go
+++ b/e2e/testcases/e2e-cli-004_invalid_combination.go
@@ -8,8 +8,8 @@ func init() { //nolint
 Name: "should display an error of invalid flag combination [E2E-CLI-004]",
 Args: args{
 Args: []cmdArgs{
- []string{"scan", "--ci", "--verbose"},
- []string{"--ci", "scan", "--verbose"},
+ []string{"scan", "--ci", "--verbose", "--resolve-references"},
+ []string{"--ci", "scan", "--verbose", "--resolve-references"},
 },
 ExpectedOut: []string{
 "E2E_CLI_004",
From 0771d4d50627863b8c7a1b62d7a0a4a096309f01 Mon Sep 17 00:00:00 2001
From: gabriel-cx
Date: Wed, 8 Nov 2023 12:58:56 +0000
Subject: [PATCH 233/379] docs(kicsbot): preparing for release 1.7.11
---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/index.md b/docs/index.md
index ceb46663888..fb91ea3e29f 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -10,7 +10,7 @@


Version 1.7.10

-

2023.10.10

+

2023.11.08

Contribute!

From c66384179ae44879862442c1d2d5c86be93aa5e4 Mon Sep 17 00:00:00 2001
From: gabriel-cx
Date: Wed, 8 Nov 2023 13:04:10 +0000
Subject: [PATCH 234/379] update
---
 docker/Dockerfile.ubi8 | 2 +-
 docs/index.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8
index d6a00080966..96f816056a7 100644
--- a/docker/Dockerfile.ubi8
+++ b/docker/Dockerfile.ubi8
@@ -44,7 +44,7 @@ LABEL name="KICS" \
 description="Checkmarx/kics is an opensource project that enable you to find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code find more in https://kics.io" \
 maintainer="kics@checkmarx.com" \
 vendor="Checkmarx" \
- version="v1.7.10" \
+ version="v1.7.11" \
 release="1" \
 io.k8s.display-name="KICS by Checkmarx" \
 io.openshift.tags="kics checkmarx"
diff --git a/docs/index.md b/docs/index.md
index fb91ea3e29f..bbdf9f145fa 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -9,7 +9,7 @@


-

Version 1.7.10

+

Version 1.7.11

2023.11.08

Contribute!

From 0956ce99e406367097b8d49ca2c3a0d5e0d8267c Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Wed, 8 Nov 2023 14:07:30 +0100 Subject: [PATCH 235/379] fix(ci): update line number and file name --- .../test/positive_expected_result.json | 2 +- .../cluster_gcp_attributes/test/{positive.tf => positive1.tf} | 0 .../use_spark_submit_task/test/positive_expected_result.json | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) rename assets/queries/terraform/databricks/cluster_gcp_attributes/test/{positive.tf => positive1.tf} (100%) diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index d1eddaf3c4a..4c2466707c3 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json @@ -8,7 +8,7 @@ { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "MEDIUM", - "line": 13, + "line": 12, "fileName": "positive2.tf" }, { diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive.tf b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf similarity index 100% rename from assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive.tf rename to assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive1.tf diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 46aaf14647e..435ab8cd80c 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json 
@@ -2,13 +2,13 @@
 {
 "queryName": "Job's Task is Legacy (spark_submit_task)",
 "severity": "MEDIUM",
- "line": 18,
+ "line": 36,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "Job's Task is Legacy (spark_submit_task)",
 "severity": "MEDIUM",
- "line": 36,
+ "line": 18,
 "fileName": "positive2.tf"
 }
 ]
From b924a67359f88a95d0cd3e139d7f5f52d1d98cd8 Mon Sep 17 00:00:00 2001
From: Dimitri GRISARD
Date: Wed, 8 Nov 2023 14:22:29 +0100
Subject: [PATCH 236/379] fic(databricks): rename queryName to match with GCP
---
 .../cluster_gcp_attributes/test/positive_expected_result.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
index f7526627c61..7698ad2d938 100644
--- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
+ "queryName": "Check Databricks Cluster GCP Attribute Best Practices",
 "severity": "MEDIUM",
 "line": 11,
 "fileName": "positive1.tf"
From f1150b45eb11c428bb954cd7650960da677321d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Wed, 8 Nov 2023 14:18:13 +0000
Subject: [PATCH 237/379] wip
---
 docs/commands.md | 4 ++--
 docs/dockerhub.md | 2 +-
 e2e/fixtures/assets/scan_help | 2 +-
 e2e/testcases/e2e-cli-004_invalid_combination.go | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/commands.md b/docs/commands.md
index 0891d20c144..d8a19229fc3 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -93,6 +93,7 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) + --resolve-references resolve the file reference (default [false]) -r, --secrets-regexes-path string path to secrets regex rules configuration file --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) @@ -102,8 +103,7 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerLessFW, Terraform) cannot be provided with type inclusion flags - --resolve-references resolve the file reference (default [false]) - + Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) -f, --log-format string determines log format (pretty,json) (default "pretty") diff --git a/docs/dockerhub.md b/docs/dockerhub.md index ac766224a50..2e5c6a055b7 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md 
@@ -129,6 +129,7 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) + --resolve-references resolve the file reference (default [false]) -r, --secrets-regexes-path string path to secrets regex rules configuration file --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan @@ -137,7 +138,6 @@ Flags: --exclude-type strings case insensitive list of platform types not to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerLessFW, Terraform) cannot be provided with type inclusion flags - --resolve-references resolve the file reference (default [false]) ``` diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index e8166d7ebf8..3a72c1e1278 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -53,13 +53,13 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) + --resolve-references resolve the file reference -r, --secrets-regexes-path string path to secrets regex rules configuration file --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) cannot be provided with type exclusion flags - --resolve-references resolve the file reference Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) diff --git a/e2e/testcases/e2e-cli-004_invalid_combination.go b/e2e/testcases/e2e-cli-004_invalid_combination.go index cdc6c3786ed..30abe89aa29 100644 --- a/e2e/testcases/e2e-cli-004_invalid_combination.go +++ b/e2e/testcases/e2e-cli-004_invalid_combination.go @@ -8,8 +8,8 @@ func init() { //nolint Name: "should display an error of invalid flag combination [E2E-CLI-004]", Args: args{ Args: []cmdArgs{ - []string{"scan", "--ci", "--verbose", "--resolve-references"}, - []string{"--ci", "scan", "--verbose", "--resolve-references"}, + []string{"scan", "--ci", "--verbose"}, + []string{"--ci", "scan", "--verbose"}, }, ExpectedOut: []string{ "E2E_CLI_004", From cbe17872883bbe826435f533f23260ca698c27bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Wed, 8 Nov 2023 15:37:22 +0000
Subject: [PATCH 238/379] wip
---
 pkg/resolver/file/file_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go
index 1c662311238..e28851c40e0 100644
--- a/pkg/resolver/file/file_test.go
+++ b/pkg/resolver/file/file_test.go
@@ -171,6 +171,7 @@ func getFileContent(path string) ([]byte, error) {
 func prepareString(content string) string {
 content = strings.Replace(content, "\n", "", -1)
 content = strings.Replace(content, "\t", "", -1)
+ content = strings.Replace(content, "\r", "", -1)
 content = strings.Replace(content, " ", "", -1)
 return content
 }
From b19d9bed9aacd529b785baec4e56363bfa905538 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Wed, 8 Nov 2023 16:47:13 +0000
Subject: [PATCH 239/379] new e2e
---
 e2e/fixtures/E2E_CLI_071_RESULT.json | 52 ++++++++++
 e2e/fixtures/E2E_CLI_072_RESULT.json | 97 +++++++++++++++++++
 .../e2e-cli-071_no_flag_resolve_references.go | 27 ++++++
 .../e2e-cli-072_flag_resolve_references.go | 28 ++++++
 .../resolve_references/paths/users/user.yaml | 18 ++++
 .../schemas/MyResponse.yaml | 5 +
 test/fixtures/resolve_references/swagger.yaml | 18 ++++
 7 files changed, 245 insertions(+)
 create mode 100644 e2e/fixtures/E2E_CLI_071_RESULT.json
 create mode 100644 e2e/fixtures/E2E_CLI_072_RESULT.json
 create mode 100644 e2e/testcases/e2e-cli-071_no_flag_resolve_references.go
 create mode 100644 e2e/testcases/e2e-cli-072_flag_resolve_references.go
 create mode 100644 test/fixtures/resolve_references/paths/users/user.yaml
 create mode 100644 test/fixtures/resolve_references/schemas/MyResponse.yaml
 create mode 100644 test/fixtures/resolve_references/swagger.yaml
diff --git a/e2e/fixtures/E2E_CLI_071_RESULT.json b/e2e/fixtures/E2E_CLI_071_RESULT.json
new file mode 100644
index 00000000000..7ecfdd26159
--- /dev/null
+++ b/e2e/fixtures/E2E_CLI_071_RESULT.json
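Review bot: The added `\r` replacement extends the chain of `strings.Replace(…, -1)` calls in prepareString, but four full-string replacements read better as a single replacer, e.g. `return strings.NewReplacer("\n", "", "\t", "", "\r", "", " ", "").Replace(content)`, which also lists in one place every separator the comparison ignores. If the chain is kept, `strings.ReplaceAll` is the idiomatic spelling of `strings.Replace(…, -1)`. prepareString is complete within the hunk.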
@@ -0,0 +1,52 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 19, + "files_parsed": 1, + "lines_parsed": 19, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 17, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 1, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 1, + "total_bom_resources": 0, + "start": "2023-11-08T16:02:34.2300252Z", + "end": "2023-11-08T16:02:36.2803423Z", + "paths": [ + "/path/test/fixtures/resolve_references" + ], + "queries": [ + { + "query_name": "Components Schema Definition Is Unused", + "query_id": "962fa01e-b791-4dcc-b04a-4a3e7389be5e", + "query_url": "https://swagger.io/specification/#components-object", + "severity": "INFO", + "platform": "OpenAPI", + "category": "Best Practices", + "description": "Components schemas definitions should be referenced or removed from Open API definition", + "description_id": "5cdc0f3b", + "files": [ + { + "file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml", + "similarity_id": "ff39e561509c13315ce34a0be602a974d63231b70cb5cdf778109e062302f8eb", + "line": 17, + "issue_type": "IncorrectValue", + "search_key": "components.schemas.{{MyResponse}}", + "search_line": -1, + "search_value": "", + "expected_value": "Schema should be used as reference somewhere", + "actual_value": "Schema is not used as reference" + } + ] + } + ] +} diff --git a/e2e/fixtures/E2E_CLI_072_RESULT.json b/e2e/fixtures/E2E_CLI_072_RESULT.json new file mode 100644 index 00000000000..cadf5e9d26a --- /dev/null +++ b/e2e/fixtures/E2E_CLI_072_RESULT.json 
@@ -0,0 +1,97 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 50, + "files_parsed": 1, + "lines_parsed": 55, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 17, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 1, + "LOW": 0, + "MEDIUM": 3, + "TRACE": 0 + }, + "total_counter": 4, + "total_bom_resources": 0, + "start": "2023-11-08T16:01:57.5219527Z", + "end": "2023-11-08T16:01:59.1971883Z", + "paths": [ + "/path/test/fixtures/resolve_references" + ], + "queries": [ + { + "query_name": "Response Code Missing (v3)", + "query_id": "6c35d2c6-09f2-4e5c-a094-e0e91327071d", + "query_url": "https://swagger.io/specification/#operation-object", + "severity": "MEDIUM", + "platform": "OpenAPI", + "category": "Networking and Firewall", + "description": "500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 
401 and 403 response should be defined for all operations when the security field is defined.", + "description_id": "dbf15009", + "files": [ + { + "file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml", + "similarity_id": "0e9d0a90c2069babcc7d07b581105ebda5dba82dc83c0ef588103f8805662c8c", + "line": 14, + "issue_type": "MissingAttribute", + "search_key": "paths.{{/users/{userId}}}.$ref=./paths/users/user.yaml", + "search_line": 0, + "search_value": "400 response", + "expected_value": "400 response should be set", + "actual_value": "400 response is undefined" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml", + "similarity_id": "21b4b94761ab17c403b6455c8b88f295729ed9e98fd3101b2bb5cf5373fba1e6", + "line": 14, + "issue_type": "MissingAttribute", + "search_key": "paths.{{/users/{userId}}}.$ref=./paths/users/user.yaml", + "search_line": 0, + "search_value": "429 response", + "expected_value": "429 response should be set", + "actual_value": "429 response is undefined" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml", + "similarity_id": "22e82edb39085e8787d853eed386b45f1774e7bbf7e1f08ed9662c33cd69d883", + "line": 14, + "issue_type": "MissingAttribute", + "search_key": "paths.{{/users/{userId}}}.$ref=./paths/users/user.yaml", + "search_line": 0, + "search_value": "500 response", + "expected_value": "500 response should be set", + "actual_value": "500 response is undefined" + } + ] + }, + { + "query_name": "Components Schema Definition Is Unused", + "query_id": "962fa01e-b791-4dcc-b04a-4a3e7389be5e", + "query_url": "https://swagger.io/specification/#components-object", + "severity": "INFO", + "platform": "OpenAPI", + "category": "Best Practices", + "description": "Components schemas definitions should be referenced or removed from Open API definition", + "description_id": "5cdc0f3b", + "files": [ + { + "file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml", + "similarity_id": 
"ff39e561509c13315ce34a0be602a974d63231b70cb5cdf778109e062302f8eb", + "line": 17, + "issue_type": "IncorrectValue", + "search_key": "components.schemas.{{MyResponse}}", + "search_line": 0, + "search_value": "", + "expected_value": "Schema should be used as reference somewhere", + "actual_value": "Schema is not used as reference" + } + ] + } + ] +} diff --git a/e2e/testcases/e2e-cli-071_no_flag_resolve_references.go b/e2e/testcases/e2e-cli-071_no_flag_resolve_references.go new file mode 100644 index 00000000000..c0de9e72766 --- /dev/null +++ b/e2e/testcases/e2e-cli-071_no_flag_resolve_references.go @@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-071 - KICS scan and ignore references +// should perform the scan successfully and return exit code 20 +func init() { //nolint + testSample := TestCase{ + Name: "should perform a valid scan and not resolve references [E2E-CLI-071]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_071_RESULT", + "-p", "\"/path/test/fixtures/resolve_references\"", + "-i", "6c35d2c6-09f2-4e5c-a094-e0e91327071d,962fa01e-b791-4dcc-b04a-4a3e7389be5e", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_071_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{20}, + } + + Tests = append(Tests, testSample) +} diff --git a/e2e/testcases/e2e-cli-072_flag_resolve_references.go b/e2e/testcases/e2e-cli-072_flag_resolve_references.go new file mode 100644 index 00000000000..86acdd44b9d --- /dev/null +++ b/e2e/testcases/e2e-cli-072_flag_resolve_references.go 
@@ -0,0 +1,28 @@
+package testcases
+
+// E2E-CLI-072 - KICS scan and ignore references
+// should perform the scan successfully and return exit code 40,20
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a valid scan and resolve references [E2E-CLI-072]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_072_RESULT",
+ "-p", "\"/path/test/fixtures/resolve_references\"",
+ "-i", "6c35d2c6-09f2-4e5c-a094-e0e91327071d,962fa01e-b791-4dcc-b04a-4a3e7389be5e",
+ "--resolve-references",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_072_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{40},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/test/fixtures/resolve_references/paths/users/user.yaml b/test/fixtures/resolve_references/paths/users/user.yaml
new file mode 100644
index 00000000000..5a7596e8e17
--- /dev/null
+++ b/test/fixtures/resolve_references/paths/users/user.yaml
@@ -0,0 +1,18 @@
+---
+get:
+ tags:
+ - users
+ summary: Get user
+ responses:
+ "200":
+ description: Ok
+ content:
+ application/json:
+ schema:
+ $ref: ../../schemas/MyResponse.yaml
+ "404":
+ description: not found
+ content:
+ application/json:
+ schema:
+ $ref: ../../schemas/MyResponse.yaml
diff --git a/test/fixtures/resolve_references/schemas/MyResponse.yaml b/test/fixtures/resolve_references/schemas/MyResponse.yaml
new file mode 100644
index 00000000000..9a12086dbd9
--- /dev/null
+++ b/test/fixtures/resolve_references/schemas/MyResponse.yaml
@@ -0,0 +1,5 @@
+---
+properties:
+ message:
+ type: string
+type: object
diff --git a/test/fixtures/resolve_references/swagger.yaml b/test/fixtures/resolve_references/swagger.yaml
new file mode 100644
index 00000000000..e4c3f144916
--- /dev/null
+++ b/test/fixtures/resolve_references/swagger.yaml
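Review bot: The header comment on the new e2e-cli-072 file contradicts the test it documents: it says `KICS scan and ignore references` and `return exit code 40,20`, while the case passes `--resolve-references` and asserts `WantStatus: []int{40}` only. It reads as copied from the e2e-cli-071 file in the previous hunk; suggested wording is `// E2E-CLI-072 - KICS scan and resolve references` followed by `// should perform the scan successfully and return exit code 40`. The init function is complete within the hunk.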
@@ -0,0 +1,18 @@
+---
+openapi: 3.0.0
+info:
+ description: my description
+ version: 1.8.8
+ title: my title
+servers:
+ - url: http://localhost:3000/
+tags:
+ - name: users
+ description: users tag description
+paths:
+ "/users/{userId}":
+ $ref: ./paths/users/user.yaml
+components:
+ schemas:
+ MyResponse:
+ $ref: ./schemas/MyResponse.yaml
From 4deb7aebc6e0d30849c31d23730cc505b809b067 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Wed, 8 Nov 2023 17:37:10 +0000
Subject: [PATCH 240/379] update version
---
 docker/Dockerfile.debian | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
index 6c9137aa75f..f4617ba4c66 100644
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.18.2-buster as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.20.5-buster as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx
From 1d07026d43f6d1df2abceba5d9eaad5471418df7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Thu, 9 Nov 2023 09:23:00 +0000
Subject: [PATCH 241/379] clean code
---
 internal/console/flags/flags.go | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/internal/console/flags/flags.go b/internal/console/flags/flags.go
index f4b92178efa..3ee7287c9d7 100644
--- a/internal/console/flags/flags.go
+++ b/internal/console/flags/flags.go
@@ -22,14 +22,6 @@ var (
 validations = make(map[string][]string)
 )
-type FlagInterface interface {
- GetBoolFlag(flagName string) bool
- GetStrFlag(flagName string) string
-}
-
-type FlagStruct struct {
-}
-
 type flagJSON struct {
 FlagType string
 ShorthandFlag string
From ebbd4b0bb2fa891526dc95553c626b9765af2db9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 9 Nov 2023 15:45:12 +0000 Subject: [PATCH 242/379] improve detection of open api --- e2e/fixtures/E2E_CLI_073_RESULT.json | 28 + e2e/fixtures/E2E_CLI_074_RESULT.json | 844 ++++++++++++++++++ e2e/fixtures/E2E_CLI_075_RESULT.json | 276 ++++++ ...cli-073_json_no_flag_resolve_references.go | 28 + ...2e-cli-074_json_flag_resolve_references.go | 28 + ...075_not_openapi_with_resolve_references.go | 22 + ..._not_openapi_without_resolve_references.go | 22 + pkg/analyzer/analyzer.go | 13 +- pkg/kics/sink.go | 4 +- pkg/resolver/file/file.go | 17 +- pkg/resolver/file/file_test.go | 41 + .../resolve_references_json/definitions.json | 68 ++ .../resolve_references_json/scan-2files.json | 565 ++++++++++++ .../resolve_references_no_change/vpc.yml | 168 ++++ 14 files changed, 2116 insertions(+), 8 deletions(-) create mode 100644 e2e/fixtures/E2E_CLI_073_RESULT.json create mode 100644 e2e/fixtures/E2E_CLI_074_RESULT.json create mode 100644 e2e/fixtures/E2E_CLI_075_RESULT.json create mode 100644 e2e/testcases/e2e-cli-073_json_no_flag_resolve_references.go create mode 100644 e2e/testcases/e2e-cli-074_json_flag_resolve_references.go create mode 100644 e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go create mode 100644 e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go create mode 100644 test/fixtures/resolve_references_json/definitions.json create mode 100644 test/fixtures/resolve_references_json/scan-2files.json create mode 100644 test/fixtures/resolve_references_no_change/vpc.yml diff --git a/e2e/fixtures/E2E_CLI_073_RESULT.json b/e2e/fixtures/E2E_CLI_073_RESULT.json new file mode 100644 index 00000000000..7b173664e38 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_073_RESULT.json 
@@ -0,0 +1,28 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 565, + "files_parsed": 1, + "lines_parsed": 565, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2023-11-09T14:36:44.3290943Z", + "end": "2023-11-09T14:36:45.6631156Z", + "paths": [ + "/path/test/fixtures/resolve_references_json" + ], + "queries": [] +} diff --git a/e2e/fixtures/E2E_CLI_074_RESULT.json b/e2e/fixtures/E2E_CLI_074_RESULT.json new file mode 100644 index 00000000000..f9611aa2e62 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_074_RESULT.json 
@@ -0,0 +1,844 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 633, + "files_parsed": 1, + "lines_parsed": 909, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 73, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 73, + "total_bom_resources": 0, + "start": "2023-11-09T14:37:15.1921981Z", + "end": "2023-11-09T14:37:16.6705939Z", + "paths": [ + "/path/test/fixtures/resolve_references_json" + ], + "queries": [ + { + "query_name": "Property Not Unique", + "query_id": "750b40be-4bac-4f59-bdc4-1ca0e6c3450e", + "query_url": "https://swagger.io/specification/v2/#schemaObject", + "severity": "INFO", + "platform": "OpenAPI", + "category": "Structure and Semantics", + "description": "Every defined property must be unique throughout the whole API", + "description_id": "eb2e14e6", + "files": [ + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "d0afe0e12eb9e83f4ad891f0349a94bd059d33765209ceaa827ea5153ffcf8ed", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'countryName' property is unique throughout the whole API", + "actual_value": "'countryName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "ab36a26fc165f9e6f99745303d833c21eb3f0ebc8fe29a3f7f4c00ebdd7f5f4a", + "line": 307, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is 
not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "d8e93cca1ed74130a03faee787fd52a35a64c4d5093a264c969d47f05d8a7e53", + "line": 545, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "506a8a035b6eafb480cdb17248ec20312a6977b73043a60da2ac4f7ae77777e5", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "5a722738fa25f4a6eb01b730edf5b4552255e4b76de45dc9ff4f7d78aa94210f", + "line": 299, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "7a7de79e78550abfe8a44b27648d61bf7d2e22e563792d106292d8110428b60f", + "line": 387, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the 
whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "dd12c8363e0fcd3f36136d30a87321885a42d5da08b937e65f9ca4e74b8eb85f", + "line": 468, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "00f42dde173a16ce24cee4f0c29f4da7af613a0ea5dbbf875323f1cb39ec214f", + "line": 506, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "5a33cd81809bbfbc0dd79fad23450999e4f9153e798ee7d1703cfb8230fe974a", + "line": 468, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "5eda8746744c20aeccec4b5e818cbed3788cd3703f4c2aa7327a88e1045dd256", + "line": 387, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": 
"", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "eb7a06cc175f972b5d7edcb3616905a9a1cc3b8b20223316addd6f1114d5c33f", + "line": 307, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "d922a00ae36332672049542c53e877ca3cea762566073824805efe7902afa1b7", + "line": 307, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "63de9d74b7d91a430a8935b2b351a0bdef31166b67ddc5be974a684b2c58f576", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'phoneCode' property is unique throughout the whole API", + "actual_value": "'phoneCode' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "e3077490ffad83609036247b4010681858afe1663ca767c8787ad86c83b63a42", + "line": 506, + "issue_type": "IncorrectValue", + "search_key": 
"paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "ae9a2c4194ef97f7a5e8dd6699ca69a23b5776268a44405e26ae261586c49aaa", + "line": 460, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "4e1e62ee80dc6711e967c9be6a1d14df22033bfe3b3e12b8385508d9ad942da6", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'countryName' property is unique throughout the whole API", + "actual_value": "'countryName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "68309d0960a7dc0655457b3ebf9fc6ba6ffe06957c7ee22fa569cc138d91868b", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'definition' property is unique throughout the whole API", + "actual_value": "'definition' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": 
"03296fbe7d92c85cc639a282edacb96f285ea877602c60f95a9ea46052d07bbb", + "line": 348, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "36abb555656ac0fa2cb2b975b1a4a90076d424c1083144673dfce7e1daa44512", + "line": 194, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "a36106e9755dd59573e65e745036739846241c265d2265ce433882d80991d216", + "line": 545, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "e26a1373b6b00c852b5734d922665c09b9f200a32d796f0a08f5f0fd1b63935c", + "line": 468, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + 
{ + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "9c53f0e8c5ed42f8c81e44b07ab37c073ec4af1bf6654c85e6795b17fee8d9f6", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "d63880c933e60f14fe31e1706419ad0131a43c47639fbfa68e9e18dc29353d89", + "line": 299, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "c9fc36b4134eceed43134427be36539a2733c36f0be7b001e2e28acf70138451", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'a2' property is unique throughout the whole API", + "actual_value": "'a2' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "5caaee296537e635d3def3adaa4a110f1251f45f9c87682372e6dd8f0f7e64df", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'definition' property is unique throughout the whole API", + "actual_value": "'definition' property is not unique throughout the whole API" + 
}, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "931de466521d641a25205229ac2c975fb74d54bd9a6ff5a80b8a61b742bda09b", + "line": 249, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "0ed9019bf3b823e4b9cec5623ecb02c577f495d7b3be84dceb009b9f6e7dc8ff", + "line": 299, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "6f2361667cb5eef4416ee89133e7f000bc857bab23be7f63dc29fb219932ffae", + "line": 468, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "3f50576472289df6d0dc0a3ada162734486f5ca9b65c39fdd2d86b7e97ef3bfc", + "line": 249, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique 
throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "33d4880a27d20f1d94813f7839ffba6bd421d515b2a4a1a1d2f9439577a44cbd", + "line": 506, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "12cba189eca9ebafb21b6d2b8c50e8b323bbd1a0032b93598b85573e27387c3e", + "line": 249, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "090388d5ad23a89ba5a21dd99ca769b91921ba85ac62f9fea9eef9b2a35ca3c2", + "line": 506, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "a60875f03b9d4ba7e30e984a1721574d40ae990a07f9580810362309499b47a9", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + 
"expected_value": "'governmentForm' property is unique throughout the whole API", + "actual_value": "'governmentForm' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "d7dc8a4773bc3422171faf9375a10992195d2995804cc67a1b397283e5be9742", + "line": 194, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "1f1c4e0ee7b45e50c78cd7a2947a5c380620e2ff6099fd207985c81ebab2c193", + "line": 194, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "ba0fe4366991ff946be2b3264f2f12971e5b7a913bc67464bc1b7bda6aaff15b", + "line": 307, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "70d44bfb825c6276aefef00842ac929b64193c9030066ecea83f8bfc9ed6f964", + "line": 545, + "issue_type": "IncorrectValue", + "search_key": 
"paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "6a933de1599716878e2e3ef21cdadff44c5481452d18dc63d835546693df7ebe", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'gmtOffset' property is unique throughout the whole API", + "actual_value": "'gmtOffset' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "28c44bb9f10e51406f2e7afb8287fdd192eb5f02c2a8acdb1b2df4f8823da145", + "line": 194, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "bf9a072e845e726db76c3c4b3de244e611f2cace131d1ae7d6f206d90b2a1ed6", + "line": 387, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": 
"115612d7d5a2e88c8ebdfda5c4e3c2e35671d903bf1c00a3a68465a4bc3c3a8a", + "line": 506, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "9d19bd172ff710d659a31e4196991fc11f4fb9ba856ea0c82bf86ab4ac1b0b53", + "line": 307, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "06131bef351103acfb7ee9fbb205cd3072eab03438dc64574bb4541cd7ba48d9", + "line": 348, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "ca6add4f28bb864af1341d26682aa2d0fa6d759b3efc99479127ca1c9758cc12", + "line": 460, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + 
"file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "78e7639ae2bdaa28b67a3b147d83befcbdc6fa12eff4bcbc04dd3d17fee8269e", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "a18abf68c25c5626c5f3bb02f7804120cfec2b0af7d25234b35424965e7b9d57", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'gmtOffset' property is unique throughout the whole API", + "actual_value": "'gmtOffset' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "9e825d84c9683c86687eac7a319c0ef77d5296a6f64ef1224e9808181e52879c", + "line": 348, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "2b831616eccfc184da4ed859fd2ee92e6c3e53753608eb855c65021d0ebfbdc9", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'phoneCode' property is unique throughout the whole API", + "actual_value": "'phoneCode' property is not unique throughout the whole API" + }, + { + "file_name": 
"path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "a29891f01be9d769faeb1937e8d5d741a05876fde469b6c50246b7a67e2597f1", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'a3' property is unique throughout the whole API", + "actual_value": "'a3' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "db633da9cf870fa37830b3c65fb285c9a4b8cff92a36343e40a7cd9796c55e2f", + "line": 545, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "1ebf2eee6e73bf46d0b14e39a6a8b32b3c987ab78bfdf877203be7730ca8213a", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "f864a2440ec855e97e618df141d6d64560ae2b8c85f6fedcdbfcfa268e2f5eaf", + "line": 299, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the 
whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "485cca9ca27689883477aadaff52f90dc1d5a264a423e1e32a4007a27d7d51bf", + "line": 249, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "3ff7cf91a10e3c0dae8a89638de17797354aa05c16c0dc58b45e916bd393f1b3", + "line": 387, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "21c3a8b9dbb3622aa45eaa495d925bf9d298cc5d7c6618ff44ff6b15fff93183", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'a2' property is unique throughout the whole API", + "actual_value": "'a2' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "ae22dd7f5074e293bd07c146e0ef6e070c34c323307841641d9b19250d976896", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'displayName' property is unique throughout the whole API", + "actual_value": "'displayName' property is not unique 
throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "6e356e76aa611d446e8b47bcb98c2e89a60f4e11ec0215fa4c3cb68e6b8ef39b", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'displayName' property is unique throughout the whole API", + "actual_value": "'displayName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "c13e062ec0e0a367b6fd475c182fb6db2e485cd29bd98cba6c8efc8715493280", + "line": 348, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "742df9bdb7b0bbdfd27893a2328da8c0cf3313562121f05b4933e49df8d71d71", + "line": 299, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "3c85384e7ef46fcbe92f029694d68dd19c8621a1a81d40c30c7ec7aba9a34278", + "line": 460, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", 
+ "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "960914db94494373fc175325d916372db0940040c1d8a73c153dae8b398a6b3e", + "line": 194, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "f27d2a4dda9db71d94614e720681050e5cd74c17cdd01f7ff7061ab58707981c", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'governmentForm' property is unique throughout the whole API", + "actual_value": "'governmentForm' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "910467f7887c76affc7cea19c0fe396e3d3531ea8a43fd3144a91010f73f5f8e", + "line": 249, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "9e71d759cb0f8f63855f0215e2c95c646c20083100bfa04ebf609e80841f816b", + "line": 460, + "issue_type": "IncorrectValue", + "search_key": 
"paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "066626dc90876e4b8e0acb085e4883f8742ead6e726f66b33ed364ed3aeb2d92", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "850677a8f5bf1c669df3dab2b7c7a825af4fb99bf2012197de0d1729455aac8f", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'a3' property is unique throughout the whole API", + "actual_value": "'a3' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "cd645894b66fff7e5353951a29877faf402ba3e3d51d56b9f2e936105949512f", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "44ff15d550e3eb9cb2a7b5d4de12a5df15ad61577ffc297ea27e832a453e7ab6", + "line": 49, + "issue_type": "IncorrectValue", + "search_key": 
"paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "076023938ac61210137d19ce19c441e9418be944be4c04a7fae641f2f3b086a8", + "line": 387, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "bb64c1c7f4b43fdb4a2d84048203a0183f1b88c8fcbfc505916cc8a974fef901", + "line": 545, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "6a86f8ece0f67a20a6f2d953aeec7133a4d8b2db05a91c88b77e6daa559da255", + "line": 460, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": 
"1596f75c7fa2b0d4362c6ea777462156610fca823d3025cb2999200b025130c2", + "line": 468, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "3e833473f334445d14dea0b81ad200bb6f9715983d5c330cea890862e3e621a1", + "line": 348, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" + } + ] + } + ] +} diff --git a/e2e/fixtures/E2E_CLI_075_RESULT.json b/e2e/fixtures/E2E_CLI_075_RESULT.json new file mode 100644 index 00000000000..d9dc33ed972 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_075_RESULT.json 
@@ -0,0 +1,276 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 169, + "files_parsed": 1, + "lines_parsed": 169, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 508, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 5, + "INFO": 0, + "LOW": 2, + "MEDIUM": 5, + "TRACE": 0 + }, + "total_counter": 12, + "total_bom_resources": 0, + "start": "2023-11-09T15:21:48.1040438Z", + "end": "2023-11-09T15:22:01.3482112Z", + "paths": [ + "C:\\CxKics\\kics\\test\\fixtures\\resolve_references_no_change\\vpc.yml" + ], + "queries": [ + { + "query_name": "EC2 Instance Subnet Has Public IP Mapping On Launch", + "query_id": "b3de4e4c-14be-4159-b99d-9ad194365e4c", + "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch", + "severity": "HIGH", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Networking and Firewall", + "description": "EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true", + "description_id": "22e3d598", + "files": [ + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "5183cf3cdba0ad8ddf21bac6fe281bbb5d5b31daede42642a416bf02eb403617", + "line": 142, + "resource_type": "AWS::EC2::Subnet", + "resource_name": "eks-example-c", + "issue_type": "IncorrectValue", + "search_key": "Resources.Subnet1c.Properties.MapPublicIpOnLaunch", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.Subnet1c.Properties.MapPublicIpOnLaunch' should be false", + "actual_value": "'Resources.Subnet1c.Properties.MapPublicIpOnLaunch' is true" + }, + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "6bdb419c262e4b3b6e895a68af0aeb001ed5d2bd14af0d5419247727c0cb0ff7", + "line": 94, + "resource_type": "AWS::EC2::Subnet", + 
"resource_name": "eks-example-a", + "issue_type": "IncorrectValue", + "search_key": "Resources.Subnet1a.Properties.MapPublicIpOnLaunch", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.Subnet1a.Properties.MapPublicIpOnLaunch' should be false", + "actual_value": "'Resources.Subnet1a.Properties.MapPublicIpOnLaunch' is true" + }, + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "0d16b0acab457cf81c0b3ae1aa0312234e18c2c651e7c353a56cd835227ce079", + "line": 118, + "resource_type": "AWS::EC2::Subnet", + "resource_name": "eks-example-b", + "issue_type": "IncorrectValue", + "search_key": "Resources.Subnet1b.Properties.MapPublicIpOnLaunch", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.Subnet1b.Properties.MapPublicIpOnLaunch' should be false", + "actual_value": "'Resources.Subnet1b.Properties.MapPublicIpOnLaunch' is true" + } + ] + }, + { + "query_name": "EC2 Network ACL Overlapping Ports", + "query_id": "77b6f1e2-bde4-4a6a-ae7e-a40659ff1576", + "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html", + "severity": "HIGH", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Networking and Firewall", + "description": "NetworkACL Entries are reusing or overlapping ports which may create ineffective rules", + "description_id": "cb7c8980", + "files": [ + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "837e8e314dd4166ccf51bd778863e5a3a4d0ac04550a84d6e4838d1b961bd344", + "line": 70, + "resource_type": "AWS::EC2::NetworkAclEntry", + "resource_name": "InboundNetworkAclEntrySSH", + "issue_type": "IncorrectValue", + "search_key": "Resources.InboundNetworkAclEntrySSH.Properties.PortRange", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.InboundNetworkAclEntrySSH.Properties.PortRange should be configured with a different 
unused port range to avoid overlapping'", + "actual_value": "'Resources.InboundNetworkAclEntrySSH.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + }, + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "9a875c5c1a441ea46b62ffef3b48a2795496502045860f2514694dd7fdd2f2f3", + "line": 83, + "resource_type": "AWS::EC2::NetworkAclEntry", + "resource_name": "OutboundNetworkAclEntryAll", + "issue_type": "IncorrectValue", + "search_key": "Resources.OutboundNetworkAclEntryAll.Properties.PortRange", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.OutboundNetworkAclEntryAll.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actual_value": "'Resources.OutboundNetworkAclEntryAll.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" + } + ] + }, + { + "query_name": "EC2 Permissive Network ACL Protocols", + "query_id": "03879981-efa2-47a0-a818-c843e1441b88", + "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html", + "severity": "MEDIUM", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Networking and Firewall", + "description": "To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).", + "description_id": "397e89de", + "files": [ + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "fda8decc41d4efc2b027e859d962fdbf8b98f645d7081aba4e75e9d7dea04665", + "line": 67, + "resource_type": "AWS::EC2::NetworkAclEntry", + "resource_name": "InboundNetworkAclEntrySSH", + "issue_type": "IncorrectValue", + "search_key": 
"Resources.InboundNetworkAclEntrySSH.Properties.Protocol", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.InboundNetworkAclEntrySSH.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", + "actual_value": "'Resources.InboundNetworkAclEntrySSH.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" + }, + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "91e40e6e85e9a999d5b62ea9ed43d38cb31e4e77568f21048ff6a606322b032c", + "line": 80, + "resource_type": "AWS::EC2::NetworkAclEntry", + "resource_name": "OutboundNetworkAclEntryAll", + "issue_type": "IncorrectValue", + "search_key": "Resources.OutboundNetworkAclEntryAll.Properties.Protocol", + "search_line": -1, + "search_value": "", + "expected_value": "'Resources.OutboundNetworkAclEntryAll.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", + "actual_value": "'Resources.OutboundNetworkAclEntryAll.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" + } + ] + }, + { + "query_name": "RouterTable with Default Routing", + "query_id": "4f0908b9-eb66-433f-9145-134274e1e944", + "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html", + "severity": "MEDIUM", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Insecure Defaults", + "description": "NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.", + "description_id": "1f341247", + "files": [ + { + "file_name": 
"test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "801f53a8218989c78e6bf3a282b9fea359b98bff797b3d82f5f669db2f68b0bd", + "line": 49, + "resource_type": "AWS::EC2::Route", + "resource_name": "Route", + "issue_type": "IncorrectValue", + "search_key": "Resources.Route.Properties.DestinationCidrBlock", + "search_line": -1, + "search_value": "", + "expected_value": "Resources.Route.Properties.DestinationCidrBlock should be different from the default value", + "actual_value": "Resources.Route.Properties.DestinationCidrBlock is 0.0.0.0/0" + }, + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "b5b44886071d0127c4f82dcb3ee0a439451be7bf851c4ed98839190610a85b0c", + "line": 47, + "resource_type": "AWS::EC2::Route", + "resource_name": "Route", + "issue_type": "MissingAttribute", + "search_key": "Resources.Route.Properties", + "search_line": -1, + "search_value": "", + "expected_value": "Resources.Route.Properties.NatGatewayId should be defined", + "actual_value": "Resources.Route.Properties.NatGatewayId is undefined" + } + ] + }, + { + "query_name": "VPC Without Network Firewall", + "query_id": "3e293410-d5b8-411f-85fd-7d26294f20c9", + "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html#cfn-networkfirewall-firewall-vpcid", + "severity": "MEDIUM", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Networking and Firewall", + "description": "VPC should have a Network Firewall associated", + "description_id": "f090ffd2", + "files": [ + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "68a4041b80f4197c8ec899e0c9845723e4c0b5441e9c626639bdfd34c63db491", + "line": 14, + "resource_type": "AWS::EC2::VPC", + "resource_name": "eks-example", + "issue_type": "MissingAttribute", + "search_key": "Resources.VPC", + "search_line": 14, + "search_value": "", + "expected_value": "'Resources.VPC' 
should be associated with a AWS Network Firewall", + "actual_value": "'Resources.VPC' is not associated with a AWS Network Firewall" + } + ] + }, + { + "query_name": "IAM Access Analyzer Not Enabled", + "query_id": "8d29754a-2a18-460d-a1ba-9509f8d359da", + "query_url": "https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html", + "severity": "LOW", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Best Practices", + "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", + "description_id": "24a6978e", + "files": [ + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "304c64d5ddfd93593c8aa4e9f10b34fe7d2e7e3634c6e64465b3be292029775c", + "line": 12, + "resource_type": "n/a", + "resource_name": "n/a", + "issue_type": "MissingAttribute", + "search_key": "Resources", + "search_line": -1, + "search_value": "", + "expected_value": "'AWS::AccessAnalyzer::Analyzer' should be set", + "actual_value": "'AWS::AccessAnalyzer::Analyzer' is undefined" + } + ] + }, + { + "query_name": "VPC FlowLogs Disabled", + "query_id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", + "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html", + "severity": "LOW", + "platform": "CloudFormation", + "cloud_provider": "AWS", + "category": "Observability", + "description": "Every VPC resource should have an associated Flow Log", + "description_id": "0fb02ca5", + "files": [ + { + "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", + "similarity_id": "394a32784bda3c52380e6cec242d3fd09bd5f6a498aa7b64dc03472ecd32843f", + "line": 14, + "resource_type": "AWS::EC2::VPC", + "resource_name": "eks-example", + "issue_type": "MissingAttribute", + "search_key": "Resources.VPC", + "search_line": -1, + "search_value": "", + "expected_value": "Resources.VPC has a FlowLogs resource 
associated",
+				"actual_value": "Resources.VPC doesn't have a FlowLogs resource associated"
+			}
+		]
+	}
+	]
+}
diff --git a/e2e/testcases/e2e-cli-073_json_no_flag_resolve_references.go b/e2e/testcases/e2e-cli-073_json_no_flag_resolve_references.go
new file mode 100644
index 00000000000..e27f8b74745
--- /dev/null
+++ b/e2e/testcases/e2e-cli-073_json_no_flag_resolve_references.go
@@ -0,0 +1,28 @@
+package testcases
+
+// E2E-CLI-073 - KICS scan and ignore references
+// should perform the scan successfully and return exit code 0
+// no results expected
+func init() { //nolint
+	testSample := TestCase{
+		Name: "should perform a valid scan and not resolve references [E2E-CLI-073]",
+		Args: args{
+			Args: []cmdArgs{
+				[]string{"scan", "-o", "/path/e2e/output",
+					"--output-name", "E2E_CLI_073_RESULT",
+					"-p", "\"/path/test/fixtures/resolve_references_json\"",
+					"-i", "750b40be-4bac-4f59-bdc4-1ca0e6c3450e",
+				},
+			},
+			ExpectedResult: []ResultsValidation{
+				{
+					ResultsFile: "E2E_CLI_073_RESULT",
+					ResultsFormats: []string{"json"},
+				},
+			},
+		},
+		WantStatus: []int{0},
+	}
+
+	Tests = append(Tests, testSample)
+}
diff --git a/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go b/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go
new file mode 100644
index 00000000000..f159111f477
--- /dev/null
+++ b/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go
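Review bot: The header comment `// no results expected` does not match what this case validates: `ExpectedResult` compares the run against `E2E_CLI_073_RESULT`, and the results fixture that precedes E2E_CLI_075_RESULT.json in this commit (its header is above this view) appears to list IncorrectValue findings for `resolve_references_json\scan-2files.json`. If findings are expected, the comment should say so and `WantStatus: []int{0}` deserves a second look, since a non-empty result set would normally map to a non-zero KICS exit code; if no findings are expected, the fixture is the stale part. Suggest replacing the third comment line with `// expected findings are pinned in e2e/fixtures/E2E_CLI_073_RESULT.json` once that is settled.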
@@ -0,0 +1,28 @@
+package testcases
+
+// E2E-CLI-074 - KICS scan and ignore references
+// should perform the scan successfully and return exit code 20
+func init() { //nolint
+	testSample := TestCase{
+		Name: "should perform a valid scan and resolve references [E2E-CLI-074]",
+		Args: args{
+			Args: []cmdArgs{
+				[]string{"scan", "-o", "/path/e2e/output",
+					"--output-name", "E2E_CLI_074_RESULT",
+					"-p", "\"/path/test/fixtures/resolve_references\"",
+					"-i", "750b40be-4bac-4f59-bdc4-1ca0e6c3450e",
+					"--resolve-references",
+				},
+			},
+			ExpectedResult: []ResultsValidation{
+				{
+					ResultsFile: "E2E_CLI_074_RESULT",
+					ResultsFormats: []string{"json"},
+				},
+			},
+		},
+		WantStatus: []int{20},
+	}
+
+	Tests = append(Tests, testSample)
+}
diff --git a/e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go b/e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go
new file mode 100644
index 00000000000..865a356a9e5
--- /dev/null
+++ b/e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go
@@ -0,0 +1,22 @@
+package testcases
+
+// E2E-CLI-075 - KICS scan and not ignore references
+// should perform the scan successfully and return exit code 50
+// same test as 76 but with flag
+func init() { //nolint
+	testSample := TestCase{
+		Name: "should display line references in the payload file [E2E-CLI-075]",
+		Args: args{
+			Args: []cmdArgs{
+				[]string{"scan", "--silent", "-p", "/path/test/fixtures/resolve_references_no_change/vpc.yml",
+					"--payload-path", "/path/e2e/output/E2E_CLI_075_PAYLOAD.json", "--payload-lines", "--resolve-references"},
+			},
+			ExpectedPayload: []string{
+				"E2E_CLI_075_PAYLOAD.json",
+			},
+		},
+		WantStatus: []int{50},
+	}
+
+	Tests = append(Tests, testSample)
+}
diff --git a/e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go b/e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go
new file mode 100644
index 00000000000..f5ae39dece0
--- /dev/null
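Review bot: The header comment `// E2E-CLI-074 - KICS scan and ignore references` says the opposite of what the case does: the argument list passes `--resolve-references` and the case name itself reads "resolve references". Suggest `// E2E-CLI-074 - KICS scan with --resolve-references (references are followed)` so the comment and the arguments agree. The exit code 20 stated on the next line is asserted by `WantStatus`, so that part is consistent.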
+++ b/e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go
@@ -0,0 +1,22 @@
+package testcases
+
+// E2E-CLI-076 - KICS scan and ignore references
+// should perform the scan successfully and return exit code 50
+// same test as 75 but without flag, we will expect the same file that test 75 expect
+func init() { //nolint
+	testSample := TestCase{
+		Name: "should display line references in the payload file [E2E-CLI-075]",
+		Args: args{
+			Args: []cmdArgs{
+				[]string{"scan", "--silent", "-p", "/path/test/fixtures/resolve_references_no_change/vpc.yml",
+					"--payload-path", "/path/e2e/output/E2E_CLI_076_PAYLOAD.json", "--payload-lines"},
+			},
+			ExpectedPayload: []string{
+				"E2E_CLI_075_PAYLOAD.json",
+			},
+		},
+		WantStatus: []int{50},
+	}
+
+	Tests = append(Tests, testSample)
+}
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index 82a1fc95b81..5326c782681 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -19,6 +19,7 @@ import (
 	yamlParser "gopkg.in/yaml.v3"
 )
 
+// move the openApi regex to public to be used on file.go
 // openAPIRegex - Regex that finds OpenAPI defining property "openapi" or "swagger"
 // openAPIRegexInfo - Regex that finds OpenAPI defining property "info"
 // openAPIRegexPath - Regex that finds OpenAPI defining property "paths", "components", or "webhooks" (from 3.1.0)
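Review bot: The `Name:` field in this 076 file still carries the `[E2E-CLI-075]` tag, so two test cases now report under the same name and a failure here would be attributed to the wrong id; change it to `Name: "should display line references in the payload file [E2E-CLI-076]",`. Reusing `E2E_CLI_075_PAYLOAD.json` as the expected payload is deliberate per the third comment line, but the first line `KICS scan and ignore references` is misleading: this case runs without the flag on a non-OpenAPI file and expects the same payload as the flagged run, i.e. references were followed anyway, which is the behaviour the `Resolve` change in this commit introduces. Suggest `// E2E-CLI-076 - non-OpenAPI file is resolved even without --resolve-references`.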
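Review bot: The added line `// move the openApi regex to public to be used on file.go` is a commit note rather than a doc comment, and the three comment lines under it still name `openAPIRegex`, `openAPIRegexInfo` and `openAPIRegexPath`, which the next hunk renames to `OpenAPIRegex`, `OpenAPIRegexInfo` and `OpenAPIRegexPath`; the documentation is out of sync with the identifiers in the same commit. Update the three names in those comment lines and replace the note with the reason they are exported, e.g. `// OpenAPIRegex, OpenAPIRegexInfo and OpenAPIRegexPath are exported because pkg/resolver/file uses them to detect OpenAPI documents.` Since these are now exported package-level `var`s, any importer can reassign them; if that is not intended, exposing them through a function that returns the slice would keep the patterns read-only.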
@@ -28,9 +29,9 @@ import (
 // k8sRegexMetadata - Regex that finds Kubernetes defining property "metadata"
 // k8sRegexSpec - Regex that finds Kubernetes defining property "spec"
 var (
-	openAPIRegex = regexp.MustCompile(`("(openapi|swagger)"|(openapi|swagger))\s*:`)
-	openAPIRegexInfo = regexp.MustCompile(`("info"|info)\s*:`)
-	openAPIRegexPath = regexp.MustCompile(`("(paths|components|webhooks)"|(paths|components|webhooks))\s*:`)
+	OpenAPIRegex = regexp.MustCompile(`("(openapi|swagger)"|(openapi|swagger))\s*:`)
+	OpenAPIRegexInfo = regexp.MustCompile(`("info"|info)\s*:`)
+	OpenAPIRegexPath = regexp.MustCompile(`("(paths|components|webhooks)"|(paths|components|webhooks))\s*:`)
 	armRegexContentVersion = regexp.MustCompile(`"contentVersion"\s*:`)
 	armRegexResources = regexp.MustCompile(`"resources"\s*:`)
 	cloudRegex = regexp.MustCompile(`("Resources"|Resources)\s*:`)
@@ -152,9 +153,9 @@ type Analyzer struct {
 var types = map[string]regexSlice{
 	"openapi": {
 		regex: []*regexp.Regexp{
-			openAPIRegex,
-			openAPIRegexInfo,
-			openAPIRegexPath,
+			OpenAPIRegex,
+			OpenAPIRegexInfo,
+			OpenAPIRegexPath,
 		},
 	},
 	"kubernetes": {
diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go
index bcd6dac78d1..49a61cb7a5f 100644
--- a/pkg/kics/sink.go
+++ b/pkg/kics/sink.go
@@ -26,7 +26,9 @@ var (
 	}
 )
 
-func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reader, data []byte, resolveReferences bool) error {
+func (s *Service) sink(ctx context.Context, filename, scanID string,
+	rc io.Reader, data []byte,
+	resolveReferences bool) error {
 	s.Tracker.TrackFileFound()
 	log.Debug().Msgf("Starting to process file %s", filename)
 
diff --git a/pkg/resolver/file/file.go b/pkg/resolver/file/file.go
index 8194ccccd8f..7e3a34e0b73 100644
--- a/pkg/resolver/file/file.go
+++ b/pkg/resolver/file/file.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/Checkmarx/kics/pkg/analyzer"
 	"io"
 	"os"
 	"path/filepath"
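Review bot: The new import `"github.com/Checkmarx/kics/pkg/analyzer"` in file.go is dropped into the standard-library group between `"fmt"` and `"io"`; goimports convention keeps project and third-party imports in their own group after the standard library, and the file_test.go import hunk later in this commit has the same layout issue with `"fmt"` and the two testify packages. More substantively, pkg/resolver/file now depends on pkg/analyzer for three regex variables; whether analyzer imports anything under the resolver tree (which would be an import cycle) cannot be seen from this hunk, so it is worth checking, and moving the three OpenAPI patterns into a small shared package that both import would avoid the question.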
@@ -46,6 +47,19 @@ func NewResolver(
 	}
 }
 
+func isOpenApi(fileContent []byte) bool {
+	regexToRun :=
+		[]*regexp.Regexp{analyzer.OpenAPIRegexInfo,
+			analyzer.OpenAPIRegexPath,
+			analyzer.OpenAPIRegex}
+	for _, regex := range regexToRun {
+		if !regex.Match(fileContent) {
+			return false
+		}
+	}
+	return true
+}
+
 // Resolve - replace or modifies in-memory content before parsing
 func (r *Resolver) Resolve(fileContent []byte, path string,
 	resolveCount int, resolvedFilesCache map[string]ResolvedFile,
@@ -58,7 +72,7 @@ func (r *Resolver) Resolve(fileContent []byte, path string,
 		}
 	}()
 
-	if !resolveReferences {
+	if !resolveReferences && isOpenApi(fileContent) {
 		return fileContent
 	}
 
@@ -112,6 +126,7 @@ func (r *Resolver) walk(
 
 func (r *Resolver) handleMap(originalFileContent []byte, fullObject interface{}, value map[string]interface{},
 	path string, resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) (any, bool) {
+
 	for k, v := range value {
 		isRef := strings.Contains(strings.ToLower(k), "$ref")
 		val, res := r.walk(originalFileContent, fullObject, v, path, resolveCount, resolvedFilesCache, isRef, resolveReferences)
diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go
index e28851c40e0..3554e1fc344 100644
--- a/pkg/resolver/file/file_test.go
+++ b/pkg/resolver/file/file_test.go
@@ -2,6 +2,9 @@ package file
 
 import (
 	"encoding/json"
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"io/ioutil"
 	"os"
 	"path/filepath"
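Review bot: `isOpenApi` has no doc comment, and a reader cannot tell from the code that the all-three-must-match rule is deliberate rather than an accident of the loop; the name also departs from Go's initialism convention (`isOpenAPI`), and the line break after `regexToRun :=` reads like an unfinished statement. Suggest documenting it with `// isOpenApi reports whether fileContent looks like an OpenAPI/Swagger document: all three analyzer patterns (openapi/swagger, info, paths/components/webhooks) must match somewhere in the raw bytes.` and adding that it is a heuristic over unparsed text, since a file of another format that merely contains those three keys (for example an API definition embedded in a larger template) will be classified as OpenAPI and therefore skipped by `Resolve` when the flag is off. Keeping the slice literal on one line, `regexToRun := []*regexp.Regexp{analyzer.OpenAPIRegex, analyzer.OpenAPIRegexInfo, analyzer.OpenAPIRegexPath}`, would match the order used in analyzer.go's `types` map.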
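Review bot: `if !resolveReferences && isOpenApi(fileContent)` changes what the flag means: with `--resolve-references` off, resolution used to be skipped for every file, and now it is skipped only for content that looks like OpenAPI, so CloudFormation, Kubernetes and any other format reach the `$ref` walk, and the file reads it performs, regardless of the flag. That widening is what E2E-CLI-076 pins, but nothing in this hunk documents it; the `Resolve` comment should, e.g. `// Resolve - replace or modifies in-memory content before parsing. References are always followed for non-OpenAPI content; resolveReferences only gates OpenAPI/Swagger documents.` Any path-confinement or depth checks the resolver applies when following a reference (not visible here) now apply to inputs that previously never reached them, which is worth confirming before merge. The `Resolve` body starts and ends outside this hunk.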
@@ -159,6 +162,44 @@ func TestResolver_Resolve_Without_ResolveReferences(t *testing.T) {
 	}
 }
 
+func Test_IsOpenApi(t *testing.T) {
+	err := test.ChangeCurrentDir("kics")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []struct {
+		name string
+		path string
+		want bool
+	}{
+		{
+			name: "yaml Open Api",
+			path: "test/fixtures/resolve_references/swagger.yaml",
+			want: true,
+		},
+		{
+			name: "json Open Api",
+			path: "test/fixtures/resolve_references_json/scan-2files.json",
+			want: true,
+		},
+		{
+			name: "yml not Open Api",
+			path: "test/fixtures/resolve_references_no_change/vpc.yml",
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cont, err := getFileContent(tt.path)
+			require.NoError(t, err)
+			got := isOpenApi(cont)
+			assert.Equal(t, tt.want, got, fmt.Sprintf("Error: %s", tt.name))
+		})
+	}
+}
+
 func getFileContent(path string) ([]byte, error) {
 	_, err := os.Stat(path)
 	if err != nil {
diff --git a/test/fixtures/resolve_references_json/definitions.json b/test/fixtures/resolve_references_json/definitions.json
new file mode 100644
index 00000000000..c3054db28ca
--- /dev/null
+++ b/test/fixtures/resolve_references_json/definitions.json
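Review bot: `Test_IsOpenApi` covers only inputs where all three patterns match and one (vpc.yml, presumably) where none do, so a regression that turned the all-must-match rule into any-match would pass unnoticed; add a case with an `info:` key and a `paths:` key but no `openapi`/`swagger` line, expecting false, which can be inline `[]byte` content rather than another fixture. Minor style: `assert.Equal` already takes a format string and arguments, so `assert.Equal(t, tt.want, got, "Error: %s", tt.name)` drops the `fmt.Sprintf` wrapper and the new `fmt` import, and Go test names conventionally omit the underscore (`TestIsOpenApi`). The fixture `test/fixtures/resolve_references/swagger.yaml` is not added by this commit, so the test assumes it already exists in the tree.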
@@ -0,0 +1,68 @@ +{ + "Country": { + "type": "object", + "properties": { + "a2": { + "type": "string" + }, + "a3": { + "type": "string" + }, + "countryName": { + "type": "string" + }, + "definition": { + "type": "string" + }, + "displayName": { + "type": "string" + }, + "gmtOffset": { + "type": "string" + }, + "governmentForm": { + "type": "string", + "enum": [ + "ARISTOCRACY", + "DEMOCRACY", + "MONARCHY", + "OLIGARCHY", + "OTHER", + "THEOCRACY", + "TIMOCRACY", + "TYRANNY" + ] + }, + "id": { + "type": "integer", + "format": "int32" + }, + "phoneCode": { + "type": "string" + } + }, + "title": "Country" + }, + "User": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "firstName": { + "type": "string" + }, + "id": { + "type": "integer", + "format": "int64" + }, + "info": { + "type": "string" + }, + "password": { + "type": "string" + } + }, + "title": "User" + } +} \ No newline at end of file diff --git a/test/fixtures/resolve_references_json/scan-2files.json b/test/fixtures/resolve_references_json/scan-2files.json new file mode 100644 index 00000000000..60955492a17 --- /dev/null +++ b/test/fixtures/resolve_references_json/scan-2files.json 
@@ -0,0 +1,565 @@ +{ + "swagger": "2.0", + "info": { + "description": "API Endpoint Decoration", + "version": "1.0.0", + "title": "SANITY SCAN" + }, + "host": "localhost:8080", + "basePath": "/", + "tags": [ + { + "name": "country-controller", + "description": "Country Controller" + }, + { + "name": "user-controller", + "description": "User Controller" + }, + { + "name": "util-controller", + "description": "Util Controller" + } + ], + "paths": { + "/country/get/byId/{id}": { + "get": { + "tags": [ + "country-controller" + ], + "summary": "getCountryById", + "operationId": "getCountryByIdUsingGET", + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "id", + "in": "path", + "description": "id", + "required": true, + "type": "integer", + "format": "int32" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./definitions.json#/Country" + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/country/get/governmentForm/{id}": { + "get": { + "tags": [ + "country-controller" + ], + "summary": "getGovernmentFormById", + "operationId": "getGovernmentFormByIdUsingGET", + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "id", + "in": "path", + "description": "id", + "required": true, + "type": "integer", + "format": "int32" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "string", + "enum": [ + "ARISTOCRACY", + "DEMOCRACY", + "MONARCHY", + "OLIGARCHY", + "OTHER", + "THEOCRACY", + "TIMOCRACY", + "TYRANNY" + ] + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/runCommand/{cmd}": { + "get": { + "tags": [ + "util-controller" + ], + "summary": "runCommand", + "operationId": "runCommandUsingGET", + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "cmd", + "in": "path", + 
"description": "cmd", + "required": true, + "type": "string" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "string" + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/create/cart": { + "post": { + "tags": [ + "user-controller" + ], + "summary": "createUserCart", + "operationId": "createUserCartUsingPOST", + "consumes": [ + "application/json" + ], + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "product_ids", + "in": "query", + "description": "product_ids", + "required": true, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi" + }, + { + "name": "quantities", + "in": "query", + "description": "quantities", + "required": true, + "type": "array", + "items": { + "type": "integer", + "format": "int32" + }, + "collectionFormat": "multi" + }, + { + "in": "body", + "name": "user", + "description": "user", + "required": true, + "schema": { + "$ref": "./definitions.json#/User" + } + } + ], + "responses": { + "200": { + "description": "OK" + }, + "201": { + "description": "Created" + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/create/mapCart": { + "post": { + "tags": [ + "user-controller" + ], + "summary": "createUserMapCart", + "operationId": "createUserMapCartUsingPOST", + "consumes": [ + "application/json" + ], + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "mapCart", + "in": "query", + "description": "mapCart", + "required": true, + "items": { + "type": "object", + "additionalProperties": { + "type": "string" + } + } + }, + { + "in": "body", + "name": "user", + "description": "user", + "required": true, + "schema": { + "$ref": "./definitions.json#/User" + } + } + ], + "responses": { + "200": { + "description": "OK" + }, + "201": { + 
"description": "Created" + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/create/password": { + "post": { + "tags": [ + "user-controller" + ], + "summary": "createUserVar", + "operationId": "createUserVarUsingPOST", + "consumes": [ + "application/json" + ], + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "password", + "in": "query", + "description": "password", + "required": true, + "type": "string" + }, + { + "in": "body", + "name": "user", + "description": "user", + "required": true, + "schema": { + "$ref": "./definitions.json#/User" + } + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./definitions.json#/User" + } + }, + "201": { + "description": "Created" + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/get/byEmail/{email}": { + "get": { + "tags": [ + "user-controller" + ], + "summary": "getUserByEmail", + "operationId": "getUserByEmailUsingGET", + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "email", + "in": "path", + "description": "email", + "required": true, + "type": "string" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./definitions.json#/User" + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/get/byId/{id}": { + "get": { + "tags": [ + "user-controller" + ], + "summary": "getUserById", + "operationId": "getUserByIdUsingGET", + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "id", + "in": "path", + "description": "id", + "required": true, + "type": "integer", + "format": "int64" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./definitions.json#/User" + } + }, + 
"401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/get/firstName/byEmail/{email}": { + "get": { + "tags": [ + "user-controller" + ], + "summary": "getUserFirstName", + "operationId": "getUserFirstNameUsingGET", + "produces": [ + "*/*" + ], + "parameters": [ + { + "name": "email", + "in": "path", + "description": "email", + "required": true, + "type": "string" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "string" + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/insert": { + "post": { + "tags": [ + "user-controller" + ], + "summary": "createUser", + "operationId": "createUserUsingPOST", + "consumes": [ + "application/json" + ], + "produces": [ + "*/*" + ], + "parameters": [ + { + "in": "body", + "name": "user", + "description": "user", + "required": true, + "schema": { + "$ref": "./definitions.json#/User" + } + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./definitions.json#/User" + } + }, + "201": { + "description": "Created" + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + }, + "/user/update": { + "post": { + "tags": [ + "user-controller" + ], + "summary": "updateUser", + "operationId": "updateUserUsingPOST", + "consumes": [ + "application/json" + ], + "produces": [ + "*/*" + ], + "parameters": [ + { + "in": "body", + "name": "user", + "description": "user", + "required": true, + "schema": { + "$ref": "./definitions.json#/User" + } + } + ], + "responses": { + "200": { + "description": "OK" + }, + "201": { + "description": "Created" + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" 
+ } + } + } + }, + "/users/findAll": { + "get": { + "tags": [ + "user-controller" + ], + "summary": "findAllUsers", + "operationId": "findAllUsersUsingGET", + "produces": [ + "*/*" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "array", + "items": { + "$ref": "./definitions.json#/User" + } + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "404": { + "description": "Not Found" + } + } + } + } + }, + "definitions" : { + "$ref": "./definitions.json" + } +} \ No newline at end of file diff --git a/test/fixtures/resolve_references_no_change/vpc.yml b/test/fixtures/resolve_references_no_change/vpc.yml new file mode 100644 index 00000000000..4ed0523c403 --- /dev/null +++ b/test/fixtures/resolve_references_no_change/vpc.yml 
@@ -0,0 +1,168 @@ +--- +AWSTemplateFormatVersion: '2010-09-09' +Description: VPC and network configuration for an EKS cluster. + +Parameters: + + Region: + Type: String + Default: us-east-1 + Description: AWS Region for the VPC. + +Resources: + + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 172.16.0.0/16 + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: eks-example + + InternetGateway: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: eks-example + + AttachGateway: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + + RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: eks-example + + Route: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref RouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + DependsOn: AttachGateway + + NetworkAcl: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: eks-example + + InboundNetworkAclEntrySSH: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: !Ref NetworkAcl + RuleNumber: 100 + RuleAction: allow + Protocol: -1 + Egress: false + CidrBlock: 0.0.0.0/0 + PortRange: + From: 22 + To: 22 + + OutboundNetworkAclEntryAll: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: !Ref NetworkAcl + RuleNumber: 101 + RuleAction: allow + Protocol: -1 + Egress: true + CidrBlock: 0.0.0.0/0 + PortRange: + 
From: 0 + To: 65535 + + Subnet1a: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + AvailabilityZone: + Fn::Sub: '${Region}a' + CidrBlock: 172.16.0.0/18 + MapPublicIpOnLaunch: true + Tags: + - Key: Name + Value: eks-example-a + + Subnet1aRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref Subnet1a + RouteTableId: !Ref RouteTable + + Subnet1aNetworkAclAssociation: + Type: AWS::EC2::SubnetNetworkAclAssociation + Properties: + SubnetId: !Ref Subnet1a + NetworkAclId: !Ref NetworkAcl + + Subnet1b: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + AvailabilityZone: + Fn::Sub: '${Region}b' + CidrBlock: 172.16.64.0/18 + MapPublicIpOnLaunch: true + Tags: + - Key: Name + Value: eks-example-b + + Subnet1bRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref Subnet1b + RouteTableId: !Ref RouteTable + + Subnet1bNetworkAclAssociation: + Type: AWS::EC2::SubnetNetworkAclAssociation + Properties: + SubnetId: !Ref Subnet1b + NetworkAclId: !Ref NetworkAcl + + Subnet1c: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + AvailabilityZone: + Fn::Sub: '${Region}c' + CidrBlock: 172.16.128.0/18 + MapPublicIpOnLaunch: true + Tags: + - Key: Name + Value: eks-example-c + + Subnet1cRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref Subnet1c + RouteTableId: !Ref RouteTable + + Subnet1cNetworkAclAssociation: + Type: AWS::EC2::SubnetNetworkAclAssociation + Properties: + SubnetId: !Ref Subnet1c + NetworkAclId: !Ref NetworkAcl + +Outputs: + + VpcId: + Description: VPC id + Value: !Ref VPC + + Subnets: + Description: List of Subnets in the VPC + Value: + Fn::Sub: '${Subnet1a},${Subnet1b},${Subnet1c}' From 8b447248dd72bd54a7f70463b1e7489668a4983f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 9 Nov 2023 23:23:08 +0000 Subject: [PATCH 243/379] linter --- pkg/resolver/file/file.go | 18 ++++++++++++------ pkg/resolver/file/file_test.go | 2 +- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/pkg/resolver/file/file.go b/pkg/resolver/file/file.go index 7e3a34e0b73..c2c3cbd24f1 100644 --- a/pkg/resolver/file/file.go +++ b/pkg/resolver/file/file.go @@ -4,7 +4,6 @@ import ( "encoding/json" "errors" "fmt" - "github.com/Checkmarx/kics/pkg/analyzer" "io" "os" "path/filepath" @@ -13,6 +12,7 @@ import ( "strings" "github.com/Checkmarx/kics/internal/constants" + "github.com/Checkmarx/kics/pkg/analyzer" "gopkg.in/yaml.v3" "github.com/Checkmarx/kics/pkg/model" @@ -47,7 +47,7 @@ func NewResolver( } } -func isOpenApi(fileContent []byte) bool { +func isOpenAPI(fileContent []byte) bool { regexToRun := []*regexp.Regexp{analyzer.OpenAPIRegexInfo, analyzer.OpenAPIRegexPath, @@ -72,7 +72,7 @@ func (r *Resolver) Resolve(fileContent []byte, path string, } }() - if !resolveReferences && isOpenApi(fileContent) { + if !resolveReferences && isOpenAPI(fileContent) { return fileContent } @@ -124,9 +124,15 @@ func (r *Resolver) walk( } } -func (r *Resolver) handleMap(originalFileContent []byte, fullObject interface{}, value map[string]interface{}, path string, - resolveCount int, resolvedFilesCache map[string]ResolvedFile, resolveReferences bool) (any, bool) { - +func (r *Resolver) handleMap( + originalFileContent []byte, + fullObject interface{}, + value map[string]interface{}, + path string, + resolveCount int, + resolvedFilesCache map[string]ResolvedFile, + resolveReferences bool, +) (any, bool) { for k, v := range value { isRef := strings.Contains(strings.ToLower(k), "$ref") val, res := r.walk(originalFileContent, fullObject, v, path, resolveCount, resolvedFilesCache, isRef, resolveReferences) diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go index 3554e1fc344..b4bae5ab58d 100644 
--- a/pkg/resolver/file/file_test.go +++ b/pkg/resolver/file/file_test.go @@ -194,7 +194,7 @@ func Test_IsOpenApi(t *testing.T) { t.Run(tt.name, func(t *testing.T) { cont, err := getFileContent(tt.path) require.NoError(t, err) - got := isOpenApi(cont) + got := isOpenAPI(cont) assert.Equal(t, tt.want, got, fmt.Sprintf("Error: %s", tt.name)) }) } From c6c9eac0f9a998e5f63e876599b76a006234f70d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Thu, 9 Nov 2023 23:38:14 +0000 Subject: [PATCH 244/379] wip --- pkg/resolver/file/file_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go index b4bae5ab58d..f78f12df0ef 100644 --- a/pkg/resolver/file/file_test.go +++ b/pkg/resolver/file/file_test.go @@ -183,11 +183,11 @@ func Test_IsOpenApi(t *testing.T) { path: "test/fixtures/resolve_references_json/scan-2files.json", want: true, }, - { + /*{ name: "yml not Open Api", path: "test/fixtures/resolve_references_no_change/vpc.yml", want: false, - }, + },*/ } for _, tt := range tests { From f9d99b431cc8370f92dea80cdb2c7af396ea5ae1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 10 Nov 2023 08:32:15 +0000 Subject: [PATCH 245/379] delete and add tests --- e2e/fixtures/E2E_CLI_075_RESULT.json | 276 ------------------ ...075_not_openapi_with_resolve_references.go | 22 -- ..._not_openapi_without_resolve_references.go | 22 -- pkg/resolver/file/file_test.go | 11 +- .../resolve_references_no_change/vpc.yml | 168 ----------- 5 files changed, 8 insertions(+), 491 deletions(-) delete mode 100644 e2e/fixtures/E2E_CLI_075_RESULT.json delete mode 100644 e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go delete mode 100644 e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go delete mode 100644 test/fixtures/resolve_references_no_change/vpc.yml 
diff --git a/e2e/fixtures/E2E_CLI_075_RESULT.json b/e2e/fixtures/E2E_CLI_075_RESULT.json deleted file mode 100644 index d9dc33ed972..00000000000 --- a/e2e/fixtures/E2E_CLI_075_RESULT.json +++ /dev/null 
@@ -1,276 +0,0 @@ -{ - "kics_version": "development", - "files_scanned": 1, - "lines_scanned": 169, - "files_parsed": 1, - "lines_parsed": 169, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 508, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "HIGH": 5, - "INFO": 0, - "LOW": 2, - "MEDIUM": 5, - "TRACE": 0 - }, - "total_counter": 12, - "total_bom_resources": 0, - "start": "2023-11-09T15:21:48.1040438Z", - "end": "2023-11-09T15:22:01.3482112Z", - "paths": [ - "C:\\CxKics\\kics\\test\\fixtures\\resolve_references_no_change\\vpc.yml" - ], - "queries": [ - { - "query_name": "EC2 Instance Subnet Has Public IP Mapping On Launch", - "query_id": "b3de4e4c-14be-4159-b99d-9ad194365e4c", - "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch", - "severity": "HIGH", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Networking and Firewall", - "description": "EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true", - "description_id": "22e3d598", - "files": [ - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "5183cf3cdba0ad8ddf21bac6fe281bbb5d5b31daede42642a416bf02eb403617", - "line": 142, - "resource_type": "AWS::EC2::Subnet", - "resource_name": "eks-example-c", - "issue_type": "IncorrectValue", - "search_key": "Resources.Subnet1c.Properties.MapPublicIpOnLaunch", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.Subnet1c.Properties.MapPublicIpOnLaunch' should be false", - "actual_value": "'Resources.Subnet1c.Properties.MapPublicIpOnLaunch' is true" - }, - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "6bdb419c262e4b3b6e895a68af0aeb001ed5d2bd14af0d5419247727c0cb0ff7", - "line": 94, - "resource_type": "AWS::EC2::Subnet", - 
"resource_name": "eks-example-a", - "issue_type": "IncorrectValue", - "search_key": "Resources.Subnet1a.Properties.MapPublicIpOnLaunch", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.Subnet1a.Properties.MapPublicIpOnLaunch' should be false", - "actual_value": "'Resources.Subnet1a.Properties.MapPublicIpOnLaunch' is true" - }, - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "0d16b0acab457cf81c0b3ae1aa0312234e18c2c651e7c353a56cd835227ce079", - "line": 118, - "resource_type": "AWS::EC2::Subnet", - "resource_name": "eks-example-b", - "issue_type": "IncorrectValue", - "search_key": "Resources.Subnet1b.Properties.MapPublicIpOnLaunch", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.Subnet1b.Properties.MapPublicIpOnLaunch' should be false", - "actual_value": "'Resources.Subnet1b.Properties.MapPublicIpOnLaunch' is true" - } - ] - }, - { - "query_name": "EC2 Network ACL Overlapping Ports", - "query_id": "77b6f1e2-bde4-4a6a-ae7e-a40659ff1576", - "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html", - "severity": "HIGH", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Networking and Firewall", - "description": "NetworkACL Entries are reusing or overlapping ports which may create ineffective rules", - "description_id": "cb7c8980", - "files": [ - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "837e8e314dd4166ccf51bd778863e5a3a4d0ac04550a84d6e4838d1b961bd344", - "line": 70, - "resource_type": "AWS::EC2::NetworkAclEntry", - "resource_name": "InboundNetworkAclEntrySSH", - "issue_type": "IncorrectValue", - "search_key": "Resources.InboundNetworkAclEntrySSH.Properties.PortRange", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.InboundNetworkAclEntrySSH.Properties.PortRange should be configured with a different 
unused port range to avoid overlapping'", - "actual_value": "'Resources.InboundNetworkAclEntrySSH.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" - }, - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "9a875c5c1a441ea46b62ffef3b48a2795496502045860f2514694dd7fdd2f2f3", - "line": 83, - "resource_type": "AWS::EC2::NetworkAclEntry", - "resource_name": "OutboundNetworkAclEntryAll", - "issue_type": "IncorrectValue", - "search_key": "Resources.OutboundNetworkAclEntryAll.Properties.PortRange", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.OutboundNetworkAclEntryAll.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", - "actual_value": "'Resources.OutboundNetworkAclEntryAll.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'" - } - ] - }, - { - "query_name": "EC2 Permissive Network ACL Protocols", - "query_id": "03879981-efa2-47a0-a818-c843e1441b88", - "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html", - "severity": "MEDIUM", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Networking and Firewall", - "description": "To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).", - "description_id": "397e89de", - "files": [ - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "fda8decc41d4efc2b027e859d962fdbf8b98f645d7081aba4e75e9d7dea04665", - "line": 67, - "resource_type": "AWS::EC2::NetworkAclEntry", - "resource_name": "InboundNetworkAclEntrySSH", - "issue_type": "IncorrectValue", - "search_key": 
"Resources.InboundNetworkAclEntrySSH.Properties.Protocol", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.InboundNetworkAclEntrySSH.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", - "actual_value": "'Resources.InboundNetworkAclEntrySSH.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" - }, - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "91e40e6e85e9a999d5b62ea9ed43d38cb31e4e77568f21048ff6a606322b032c", - "line": 80, - "resource_type": "AWS::EC2::NetworkAclEntry", - "resource_name": "OutboundNetworkAclEntryAll", - "issue_type": "IncorrectValue", - "search_key": "Resources.OutboundNetworkAclEntryAll.Properties.Protocol", - "search_line": -1, - "search_value": "", - "expected_value": "'Resources.OutboundNetworkAclEntryAll.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)", - "actual_value": "'Resources.OutboundNetworkAclEntryAll.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)" - } - ] - }, - { - "query_name": "RouterTable with Default Routing", - "query_id": "4f0908b9-eb66-433f-9145-134274e1e944", - "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html", - "severity": "MEDIUM", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Insecure Defaults", - "description": "NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.", - "description_id": "1f341247", - "files": [ - { - "file_name": 
"test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "801f53a8218989c78e6bf3a282b9fea359b98bff797b3d82f5f669db2f68b0bd", - "line": 49, - "resource_type": "AWS::EC2::Route", - "resource_name": "Route", - "issue_type": "IncorrectValue", - "search_key": "Resources.Route.Properties.DestinationCidrBlock", - "search_line": -1, - "search_value": "", - "expected_value": "Resources.Route.Properties.DestinationCidrBlock should be different from the default value", - "actual_value": "Resources.Route.Properties.DestinationCidrBlock is 0.0.0.0/0" - }, - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "b5b44886071d0127c4f82dcb3ee0a439451be7bf851c4ed98839190610a85b0c", - "line": 47, - "resource_type": "AWS::EC2::Route", - "resource_name": "Route", - "issue_type": "MissingAttribute", - "search_key": "Resources.Route.Properties", - "search_line": -1, - "search_value": "", - "expected_value": "Resources.Route.Properties.NatGatewayId should be defined", - "actual_value": "Resources.Route.Properties.NatGatewayId is undefined" - } - ] - }, - { - "query_name": "VPC Without Network Firewall", - "query_id": "3e293410-d5b8-411f-85fd-7d26294f20c9", - "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html#cfn-networkfirewall-firewall-vpcid", - "severity": "MEDIUM", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Networking and Firewall", - "description": "VPC should have a Network Firewall associated", - "description_id": "f090ffd2", - "files": [ - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "68a4041b80f4197c8ec899e0c9845723e4c0b5441e9c626639bdfd34c63db491", - "line": 14, - "resource_type": "AWS::EC2::VPC", - "resource_name": "eks-example", - "issue_type": "MissingAttribute", - "search_key": "Resources.VPC", - "search_line": 14, - "search_value": "", - "expected_value": "'Resources.VPC' 
should be associated with a AWS Network Firewall", - "actual_value": "'Resources.VPC' is not associated with a AWS Network Firewall" - } - ] - }, - { - "query_name": "IAM Access Analyzer Not Enabled", - "query_id": "8d29754a-2a18-460d-a1ba-9509f8d359da", - "query_url": "https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html", - "severity": "LOW", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Best Practices", - "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", - "description_id": "24a6978e", - "files": [ - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "304c64d5ddfd93593c8aa4e9f10b34fe7d2e7e3634c6e64465b3be292029775c", - "line": 12, - "resource_type": "n/a", - "resource_name": "n/a", - "issue_type": "MissingAttribute", - "search_key": "Resources", - "search_line": -1, - "search_value": "", - "expected_value": "'AWS::AccessAnalyzer::Analyzer' should be set", - "actual_value": "'AWS::AccessAnalyzer::Analyzer' is undefined" - } - ] - }, - { - "query_name": "VPC FlowLogs Disabled", - "query_id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", - "query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html", - "severity": "LOW", - "platform": "CloudFormation", - "cloud_provider": "AWS", - "category": "Observability", - "description": "Every VPC resource should have an associated Flow Log", - "description_id": "0fb02ca5", - "files": [ - { - "file_name": "test\\fixtures\\resolve_references_no_change\\vpc.yml", - "similarity_id": "394a32784bda3c52380e6cec242d3fd09bd5f6a498aa7b64dc03472ecd32843f", - "line": 14, - "resource_type": "AWS::EC2::VPC", - "resource_name": "eks-example", - "issue_type": "MissingAttribute", - "search_key": "Resources.VPC", - "search_line": -1, - "search_value": "", - "expected_value": "Resources.VPC has a FlowLogs resource 
associated", - "actual_value": "Resources.VPC doesn't have a FlowLogs resource associated" - } - ] - } - ] -} diff --git a/e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go b/e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go deleted file mode 100644 index 865a356a9e5..00000000000 --- a/e2e/testcases/e2e-cli-075_not_openapi_with_resolve_references.go +++ /dev/null @@ -1,22 +0,0 @@ -package testcases - -// E2E-CLI-075 - KICS scan and not ignore references -// should perform the scan successfully and return exit code 50 -// same test as 76 but with flag -func init() { //nolint - testSample := TestCase{ - Name: "should display line references in the payload file [E2E-CLI-075]", - Args: args{ - Args: []cmdArgs{ - []string{"scan", "--silent", "-p", "/path/test/fixtures/resolve_references_no_change/vpc.yml", - "--payload-path", "/path/e2e/output/E2E_CLI_075_PAYLOAD.json", "--payload-lines", "--resolve-references"}, - }, - ExpectedPayload: []string{ - "E2E_CLI_075_PAYLOAD.json", - }, - }, - WantStatus: []int{50}, - } - - Tests = append(Tests, testSample) -} diff --git a/e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go b/e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go deleted file mode 100644 index f5ae39dece0..00000000000 --- a/e2e/testcases/e2e-cli-076_not_openapi_without_resolve_references.go +++ /dev/null 
@@ -1,22 +0,0 @@ -package testcases - -// E2E-CLI-076 - KICS scan and ignore references -// should perform the scan successfully and return exit code 50 -// same test as 75 but without flag, we will expect the same file that test 75 expect -func init() { //nolint - testSample := TestCase{ - Name: "should display line references in the payload file [E2E-CLI-075]", - Args: args{ - Args: []cmdArgs{ - []string{"scan", "--silent", "-p", "/path/test/fixtures/resolve_references_no_change/vpc.yml", - "--payload-path", "/path/e2e/output/E2E_CLI_076_PAYLOAD.json", "--payload-lines"}, - }, - ExpectedPayload: []string{ - "E2E_CLI_075_PAYLOAD.json", - }, - }, - WantStatus: []int{50}, - } - - Tests = append(Tests, testSample) -} diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go index f78f12df0ef..529b1d69bae 100644 --- a/pkg/resolver/file/file_test.go +++ b/pkg/resolver/file/file_test.go @@ -183,11 +183,16 @@ func Test_IsOpenApi(t *testing.T) { path: "test/fixtures/resolve_references_json/scan-2files.json", want: true, }, - /*{ + { name: "yml not Open Api", - path: "test/fixtures/resolve_references_no_change/vpc.yml", + path: "test/fixtures/resolve_references/paths/users/user.yaml", want: false, - },*/ + }, + { + name: "json not Open Api", + path: "test/fixtures/resolve_references_json/definitions.json", + want: false, + }, } for _, tt := range tests { diff --git a/test/fixtures/resolve_references_no_change/vpc.yml b/test/fixtures/resolve_references_no_change/vpc.yml deleted file mode 100644 index 4ed0523c403..00000000000 --- a/test/fixtures/resolve_references_no_change/vpc.yml +++ /dev/null 
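Review bot: The re-enabled "yml not Open Api" case now points at `test/fixtures/resolve_references/paths/users/user.yaml`, which by its path appears to be a fragment referenced from an OpenAPI document rather than an unrelated template, so a `false` there presumably only shows that the regex set in `isOpenAPI` does not match partial documents, not that a genuine non-OpenAPI YAML (such as the vpc.yml deleted in this same commit) is classified correctly; the added "json not Open Api" case has the same shape with `definitions.json`. Since that classification is what decides whether `Resolve` skips `$ref` resolution when the flag is off, a negative fixture from an unrelated platform is worth keeping alongside these two, e.g. `path: "test/fixtures/<non-openapi-template>.yml"` (placeholder path). `Test_IsOpenApi` continues outside the hunk.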
@@ -1,168 +0,0 @@ ---- -AWSTemplateFormatVersion: '2010-09-09' -Description: VPC and network configuration for an EKS cluster. - -Parameters: - - Region: - Type: String - Default: us-east-1 - Description: AWS Region for the VPC. - -Resources: - - VPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: 172.16.0.0/16 - EnableDnsSupport: true - EnableDnsHostnames: true - Tags: - - Key: Name - Value: eks-example - - InternetGateway: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: eks-example - - AttachGateway: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - VpcId: !Ref VPC - InternetGatewayId: !Ref InternetGateway - - RouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref VPC - Tags: - - Key: Name - Value: eks-example - - Route: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref RouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref InternetGateway - DependsOn: AttachGateway - - NetworkAcl: - Type: AWS::EC2::NetworkAcl - Properties: - VpcId: !Ref VPC - Tags: - - Key: Name - Value: eks-example - - InboundNetworkAclEntrySSH: - Type: AWS::EC2::NetworkAclEntry - Properties: - NetworkAclId: !Ref NetworkAcl - RuleNumber: 100 - RuleAction: allow - Protocol: -1 - Egress: false - CidrBlock: 0.0.0.0/0 - PortRange: - From: 22 - To: 22 - - OutboundNetworkAclEntryAll: - Type: AWS::EC2::NetworkAclEntry - Properties: - NetworkAclId: !Ref NetworkAcl - RuleNumber: 101 - RuleAction: allow - Protocol: -1 - Egress: true - CidrBlock: 0.0.0.0/0 - PortRange: - 
From: 0 - To: 65535 - - Subnet1a: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - AvailabilityZone: - Fn::Sub: '${Region}a' - CidrBlock: 172.16.0.0/18 - MapPublicIpOnLaunch: true - Tags: - - Key: Name - Value: eks-example-a - - Subnet1aRouteTableAssociation: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - SubnetId: !Ref Subnet1a - RouteTableId: !Ref RouteTable - - Subnet1aNetworkAclAssociation: - Type: AWS::EC2::SubnetNetworkAclAssociation - Properties: - SubnetId: !Ref Subnet1a - NetworkAclId: !Ref NetworkAcl - - Subnet1b: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - AvailabilityZone: - Fn::Sub: '${Region}b' - CidrBlock: 172.16.64.0/18 - MapPublicIpOnLaunch: true - Tags: - - Key: Name - Value: eks-example-b - - Subnet1bRouteTableAssociation: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - SubnetId: !Ref Subnet1b - RouteTableId: !Ref RouteTable - - Subnet1bNetworkAclAssociation: - Type: AWS::EC2::SubnetNetworkAclAssociation - Properties: - SubnetId: !Ref Subnet1b - NetworkAclId: !Ref NetworkAcl - - Subnet1c: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - AvailabilityZone: - Fn::Sub: '${Region}c' - CidrBlock: 172.16.128.0/18 - MapPublicIpOnLaunch: true - Tags: - - Key: Name - Value: eks-example-c - - Subnet1cRouteTableAssociation: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - SubnetId: !Ref Subnet1c - RouteTableId: !Ref RouteTable - - Subnet1cNetworkAclAssociation: - Type: AWS::EC2::SubnetNetworkAclAssociation - Properties: - SubnetId: !Ref Subnet1c - NetworkAclId: !Ref NetworkAcl - -Outputs: - - VpcId: - Description: VPC id - Value: !Ref VPC - - Subnets: - Description: List of Subnets in the VPC - Value: - Fn::Sub: '${Subnet1a},${Subnet1b},${Subnet1c}' From 900a3ee5bb3a7e0f7c038e83a3d4451189fea2c3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 10 Nov 2023 09:05:24 +0000 Subject: [PATCH 246/379] fix unit --- pkg/resolver/file/file_test.go | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/pkg/resolver/file/file_test.go b/pkg/resolver/file/file_test.go index 529b1d69bae..f80fcc10b02 100644 --- a/pkg/resolver/file/file_test.go +++ b/pkg/resolver/file/file_test.go @@ -107,7 +107,7 @@ func TestResolver_Resolve_Without_ResolveReferences(t *testing.T) { want []byte }{ { - name: "test", + name: "yaml should resolve because is not openapi file", fields: fields{ Resolver: NewResolver(yaml.Unmarshal, yaml.Marshal, []string{".yml", ".yaml"}), }, @@ -115,10 +115,10 @@ func TestResolver_Resolve_Without_ResolveReferences(t *testing.T) { path: filepath.ToSlash("test/fixtures/unresolved_openapi/responses/_index.yaml"), }, want: []byte( - `UnexpectedError:$ref:"./UnexpectedError.yaml"NullResponse:$ref:"./NullResponse.yaml"`), + `UnexpectedError:description:unexpectederrorcontent:application/json:schema:type:objectrequired:-code-messageproperties:code:type:integerformat:int32message:type:stringRefMetadata:$ref:"../schemas/Error.yaml"alone:trueRefMetadata:$ref:"./UnexpectedError.yaml"alone:trueNullResponse:description:NullresponseRefMetadata:$ref:"./NullResponse.yaml"alone:true`), }, { - name: "json test", + name: "json should not resolve because is a openapi file", fields: fields{ Resolver: NewResolver(json.Unmarshal, json.Marshal, []string{".json"}), }, 
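Review bot: The new test names in the `@@ -107` and `@@ -115` hunks read awkwardly; suggest `name: "yaml should resolve because it is not an OpenAPI file",` and `name: "json should not resolve because it is an OpenAPI file",`. The re-baselined `want` literal in the second hunk is a single very long line that is hard to review or maintain; a short comment above it such as `// whitespace-stripped YAML after recursive $ref resolution` would help the next reader understand what is being asserted. The enclosing `TestResolver_Resolve_Without_ResolveReferences` table starts and ends outside these hunks.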
@@ -129,17 +129,6 @@ func TestResolver_Resolve_Without_ResolveReferences(t *testing.T) { "{\"openapi\":\"3.0.3\",\"info\":{\"title\":\"Reference in reference example\",\"version\":\"1.0.0\"},\"paths\":{\"/api/test/ref/in/ref\":{\"post\":{\"requestBody\":{\"content\":{\"application/json\":{\"schema\":{\"$ref\":\"messages/request.json\"}}}},\"responses\":{\"200\":{\"description\":\"Successful response\",\"content\":{\"application/json\":{\"schema\":{\"$ref\":\"messages/response.json\"}}}}}}}}}", ), }, - { - name: "test_serverless", - fields: fields{ - Resolver: NewResolver(yaml.Unmarshal, yaml.Marshal, []string{".yml", ".yaml"}), - }, - args: args{ - path: filepath.ToSlash("test/fixtures/unresolved_serverless/serverless.yml"), - }, - want: []byte( - "service:aws-node-projectframeworkVersion:'3'provider:name:awsruntime:nodejs14.xfunctions:eventRouterHandler:${file(eventRouterHandler.yml)}"), - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From ef7c7efa75d7edb681a29508f8b32bddcb5d80ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 10 Nov 2023 10:14:02 +0000 Subject: [PATCH 247/379] rename ff --- docs/commands.md | 2 +- docs/dockerhub.md | 2 +- e2e/testcases/e2e-cli-072_flag_resolve_references.go | 2 +- e2e/testcases/e2e-cli-074_json_flag_resolve_references.go | 2 +- internal/console/assets/scan-flags.json | 4 ++-- internal/console/flags/scan_flags.go | 2 +- internal/console/remediate.go | 2 +- internal/console/scan.go | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index d8a19229fc3..d2ea7f96499 100644 --- a/docs/commands.md +++ b/docs/commands.md 
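Review bot: The `test_serverless` case is deleted outright rather than re-baselined, while the preceding hunk in this commit updates the stale yaml expectation instead; if the expected bytes changed because non-OpenAPI YAML is now resolved without the flag, the case should get a new `want` rather than disappear, since it looks like the only visible coverage of `${file(...)}` serverless references passing through `Resolve` with `resolveReferences` false. If the fixture itself was removed or the case is intentionally out of scope, a one-line comment at the table saying so would make the drop in coverage deliberate. The enclosing test function continues outside the hunk.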
@@ -93,7 +93,7 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - --resolve-references resolve the file reference (default [false]) + --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) -r, --secrets-regexes-path string path to secrets regex rules configuration file --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index 2e5c6a055b7..b7e78cce88b 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -129,7 +129,7 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - --resolve-references resolve the file reference (default [false]) + --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) -r, --secrets-regexes-path string path to secrets regex rules configuration file --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan diff --git a/e2e/testcases/e2e-cli-072_flag_resolve_references.go b/e2e/testcases/e2e-cli-072_flag_resolve_references.go index 86acdd44b9d..413b6b6a14a 100644 --- a/e2e/testcases/e2e-cli-072_flag_resolve_references.go +++ b/e2e/testcases/e2e-cli-072_flag_resolve_references.go 
@@ -11,7 +11,7 @@ func init() { //nolint
"--output-name", "E2E_CLI_072_RESULT",
"-p", "\"/path/test/fixtures/resolve_references\"",
"-i", "6c35d2c6-09f2-4e5c-a094-e0e91327071d,962fa01e-b791-4dcc-b04a-4a3e7389be5e",
- "--resolve-references",
+ "--enable-openapi-refs",
},
},
ExpectedResult: []ResultsValidation{
diff --git a/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go b/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go
index f159111f477..99cff05e7fb 100644
--- a/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go
+++ b/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go
@@ -11,7 +11,7 @@ func init() { //nolint
"--output-name", "E2E_CLI_074_RESULT",
"-p", "\"/path/test/fixtures/resolve_references\"",
"-i", "750b40be-4bac-4f59-bdc4-1ca0e6c3450e",
- "--resolve-references",
+ "--enable-openapi-refs",
},
},
ExpectedResult: []ResultsValidation{
diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json
index dab9a6ebb23..73484b94778 100644
--- a/internal/console/assets/scan-flags.json
+++ b/internal/console/assets/scan-flags.json
@@ -202,10 +202,10 @@
"defaultValue": "false",
"usage": "disables the exclusion of paths specified within .gitignore file"
},
- "resolve-references": {
+ "enable-openapi-refs": {
"flagType": "bool",
"shorthandFlag": "",
"defaultValue": "false",
- "usage": "resolve the file reference"
+ "usage": "resolve the file reference, on OpenAPI files"
}
}
diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go
index 9d462b31ff7..95f0caa0009 100644
--- a/internal/console/flags/scan_flags.go
+++ b/internal/console/flags/scan_flags.go
@@ -34,5 +34,5 @@ const (
DisableSecretsFlag = "disable-secrets"
SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec
ExcludeGitIgnore = "exclude-gitignore"
- ResolveReferencesFlag = "resolve-references"
+ OpenAPIReferencesFlag = "enable-openapi-refs"
)
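Review bot: Replacing the `resolve-references` constant with `OpenAPIReferencesFlag = "enable-openapi-refs"` in scan_flags.go, together with the renamed key in scan-flags.json, drops the old spelling entirely, so any existing CI job or script still passing `--resolve-references` will presumably be rejected by the flag parser instead of being mapped to the new flag. If the old name ever shipped in a release, keeping it as a hidden, deprecated alias for one release and noting the rename in the changelog would avoid a silent break; at minimum a comment next to the constant should record it, e.g. `// OpenAPIReferencesFlag replaces the former "resolve-references" flag; the old name is no longer accepted`.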
diff --git a/internal/console/remediate.go b/internal/console/remediate.go
index 4518e5764ae..2e52bbae775 100644
--- a/internal/console/remediate.go
+++ b/internal/console/remediate.go
@@ -78,7 +78,7 @@ func preRemediate(cmd *cobra.Command) error {
func remediate() error {
resultsPath := flags.GetStrFlag(flags.Results)
include := flags.GetMultiStrFlag(flags.IncludeIds)
- resolveReferences := flags.GetBoolFlag(flags.ResolveReferencesFlag)
+ resolveReferences := flags.GetBoolFlag(flags.OpenAPIReferencesFlag)
filepath.Clean(resultsPath)
diff --git a/internal/console/scan.go b/internal/console/scan.go
index 696fffaed18..853062f520a 100644
--- a/internal/console/scan.go
+++ b/internal/console/scan.go
@@ -139,7 +139,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
ChangedDefaultQueryPath: changedDefaultQueryPath,
BillOfMaterials: flags.GetBoolFlag(flags.BomFlag),
ExcludeGitIgnore: flags.GetBoolFlag(flags.ExcludeGitIgnore),
- ResolveReferences: flags.GetBoolFlag(flags.ResolveReferencesFlag),
+ ResolveReferences: flags.GetBoolFlag(flags.OpenAPIReferencesFlag),
}
return &scanParams
From c72e96178a99e4fd64cbe814261bce050c57793c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Fri, 10 Nov 2023 11:55:22 +0000
Subject: [PATCH 248/379] marco code review
---
internal/console/remediate.go | 4 ++--
internal/console/scan.go | 2 +-
pkg/kics/resolver_sink.go | 4 ++--
pkg/kics/service.go | 9 ++++++---
pkg/kics/sink.go | 4 ++--
pkg/parser/ansible/ini/config/parser.go | 2 +-
pkg/parser/parser.go | 4 ++--
pkg/remediation/remediation.go | 6 +++---
pkg/remediation/scan.go | 8 ++++----
pkg/remediation/utils.go | 4 ++--
pkg/scan/client.go | 2 +-
pkg/scan/scan.go | 4 ++--
pkg/scanner/scanner.go | 10 +++++++---
test/queries_test.go | 2 +-
14 files changed, 36 insertions(+), 29 deletions(-)
diff --git a/internal/console/remediate.go b/internal/console/remediate.go
index 2e52bbae775..ffe7dbc7f3a 100644
--- a/internal/console/remediate.go
+++ b/internal/console/remediate.go
@@ -78,7 +78,7 @@ func preRemediate(cmd *cobra.Command) error {
func remediate() error {
resultsPath := flags.GetStrFlag(flags.Results)
include := flags.GetMultiStrFlag(flags.IncludeIds)
- resolveReferences := flags.GetBoolFlag(flags.OpenAPIReferencesFlag)
+ openAPIResolveReferences := flags.GetBoolFlag(flags.OpenAPIReferencesFlag)
filepath.Clean(resultsPath)
@@ -106,7 +106,7 @@ func remediate() error {
for filePath := range remediationSets {
fix := remediationSets[filePath].(remediation.Set)
- err = summary.RemediateFile(filePath, fix, resolveReferences)
+ err = summary.RemediateFile(filePath, fix, openAPIResolveReferences)
if err != nil {
return err
}
diff --git a/internal/console/scan.go b/internal/console/scan.go
index 853062f520a..26d132f309d 100644
--- a/internal/console/scan.go
+++ b/internal/console/scan.go
@@ -139,7 +139,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
ChangedDefaultQueryPath: changedDefaultQueryPath,
BillOfMaterials: flags.GetBoolFlag(flags.BomFlag),
ExcludeGitIgnore: flags.GetBoolFlag(flags.ExcludeGitIgnore),
- ResolveReferences: flags.GetBoolFlag(flags.OpenAPIReferencesFlag),
+ OpenAPIResolveReferences: flags.GetBoolFlag(flags.OpenAPIReferencesFlag),
}
return &scanParams
diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go
index c7bbd0a5ddf..c6da572dff2 100644
--- a/pkg/kics/resolver_sink.go
+++ b/pkg/kics/resolver_sink.go
@@ -14,7 +14,7 @@ import (
"github.com/rs/zerolog/log"
)
-func (s *Service) resolverSink(ctx context.Context, filename, scanID string, resolveReferences bool) ([]string, error) {
+func (s *Service) resolverSink(ctx context.Context, filename, scanID string, openAPIResolveReferences bool) ([]string, error) {
kind := s.Resolver.GetType(filename)
if kind == model.KindCOMMON {
return []string{}, nil
@@ -30,7 +30,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, res
countLines := bytes.Count(rfile.Content, []byte{'\n'}) + 1
s.Tracker.TrackFileFoundCountLines(countLines)
- documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, resolveReferences)
+ documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences)
if err != nil {
if documents.Kind == "break" {
return []string{}, nil
diff --git a/pkg/kics/service.go b/pkg/kics/service.go
index 6e0eb6db8cf..af04818b09e 100644
--- a/pkg/kics/service.go
+++ b/pkg/kics/service.go
@@ -61,7 +61,10 @@ type Service struct {
}
// PrepareSources will prepare the sources to be scanned
-func (s *Service) PrepareSources(ctx context.Context, scanID string, wg *sync.WaitGroup, errCh chan<- error, resolveReferences bool) {
+func (s *Service) PrepareSources(ctx context.Context,
+ scanID string,
+ openApiResolveReferences bool,
+ wg *sync.WaitGroup, errCh chan<- error) {
defer wg.Done()
// CxSAST query under review
data := make([]byte, mbConst)
@@ -69,10 +72,10 @@ func (s *Service) PrepareSources(ctx context.Context, scanID string, wg *sync.Wa
ctx,
s.Parser.SupportedExtensions(),
func(ctx context.Context, filename string, rc io.ReadCloser) error {
- return s.sink(ctx, filename, scanID, rc, data, resolveReferences)
+ return s.sink(ctx, filename, scanID, rc, data, openApiResolveReferences)
},
func(ctx context.Context, filename string) ([]string, error) { // Sink used for resolver files and templates
- return s.resolverSink(ctx, filename, scanID, resolveReferences)
+ return s.resolverSink(ctx, filename, scanID, openApiResolveReferences)
},
); err != nil {
errCh <- errors.Wrap(err, "failed to read sources")
diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go
index 49a61cb7a5f..10524e63937 100644
--- a/pkg/kics/sink.go
+++ b/pkg/kics/sink.go
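Review bot: The new bool parameter on PrepareSources is not mentioned by the doc comment above the signature, and a caller has to read sink and resolverSink to learn that it is only forwarded to Parser.Parse; the comment should say so, e.g. `// PrepareSources prepares the sources to be scanned; the bool parameter enables resolution of file references in OpenAPI documents and is forwarded through sink and resolverSink to Parser.Parse.` The parameter also moved from last to third position, which is safe because a stale call passing `&wg` in that slot no longer type-checks, but the reordering deserves a line in the commit message. PrepareSources's body continues past the second hunk.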
@@ -28,7 +28,7 @@ var (
func (s *Service) sink(ctx context.Context, filename, scanID string,
rc io.Reader, data []byte,
- resolveReferences bool) error {
+ openAPIResolveReferences bool) error {
s.Tracker.TrackFileFound()
log.Debug().Msgf("Starting to process file %s", filename)
@@ -42,7 +42,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string,
if err != nil {
return errors.Wrapf(err, "failed to get file content: %s", filename)
}
- documents, err := s.Parser.Parse(filename, *content, resolveReferences)
+ documents, err := s.Parser.Parse(filename, *content, openAPIResolveReferences)
if err != nil {
log.Err(err).Msgf("failed to parse file content: %s", filename)
return nil
diff --git a/pkg/parser/ansible/ini/config/parser.go b/pkg/parser/ansible/ini/config/parser.go
index e4a32a05a86..67e9b8be983 100644
--- a/pkg/parser/ansible/ini/config/parser.go
+++ b/pkg/parser/ansible/ini/config/parser.go
@@ -13,7 +13,7 @@ import (
type Parser struct {
}
-func (p *Parser) Resolve(fileContent []byte, filename string, _ bool) ([]byte, error) {
+func (p *Parser) Resolve(fileContent []byte, _ string, _ bool) ([]byte, error) {
return fileContent, nil
}
diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go
index e3993f1a7f3..a42fcf5ee7e 100644
--- a/pkg/parser/parser.go
+++ b/pkg/parser/parser.go
@@ -117,11 +117,11 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com
// Parse executes a parser on the fileContent and returns the file content as a Document, the file kind and
// an error, if an error has occurred
-func (c *Parser) Parse(filePath string, fileContent []byte, resolveReferences bool) (ParsedDocument, error) {
+func (c *Parser) Parse(filePath string, fileContent []byte, openAPIResolveReferences bool) (ParsedDocument, error) {
fileContent = utils.DecryptAnsibleVault(fileContent, os.Getenv("ANSIBLE_VAULT_PASSWORD_FILE"))
if c.isValidExtension(filePath) {
- resolved, err := c.parsers.Resolve(fileContent, filePath, resolveReferences)
+ resolved, err := c.parsers.Resolve(fileContent, filePath, openAPIResolveReferences)
if err != nil {
return ParsedDocument{}, err
}
diff --git a/pkg/remediation/remediation.go b/pkg/remediation/remediation.go
index 8673a2e4c64..024e15ba589 100644
--- a/pkg/remediation/remediation.go
+++ b/pkg/remediation/remediation.go
@@ -51,7 +51,7 @@ type Set struct {
}
// RemediateFile remediationSets the replacements first and secondly, the additions sorted down
-func (s *Summary) RemediateFile(filePath string, remediationSet Set, resolveReferences bool) error {
+func (s *Summary) RemediateFile(filePath string, remediationSet Set, openAPIResolveReferences bool) error {
filepath.Clean(filePath)
content, err := os.ReadFile(filePath)
@@ -67,7 +67,7 @@ func (s *Summary) RemediateFile(filePath string, remediationSet Set, resolveRefe
for i := range remediationSet.Replacement {
r := remediationSet.Replacement[i]
remediatedLines := replacement(&r, lines)
- if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &r, resolveReferences) {
+ if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &r, openAPIResolveReferences) {
lines = s.writeRemediation(remediatedLines, lines, filePath, r.SimilarityID)
}
}
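Review bot: `filepath.Clean(filePath)` on the line right after the renamed RemediateFile signature discards its return value, so the path handed to `os.ReadFile(filePath)` and later to willRemediate is never actually cleaned; it should read `filePath = filepath.Clean(filePath)` or the call should go. The same discarded-result pattern sits on the unchanged `filepath.Clean(resultsPath)` in remediate() in internal/console/remediate.go and on `filepath.Clean(originalFileName)` in willRemediate in pkg/remediation/utils.go. This predates the commit, but every one of these functions is being edited here, so it is a cheap fix to fold in. RemediateFile's body continues in the following hunks.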
@@ -83,7 +83,7 @@ func (s *Summary) RemediateFile(filePath string, remediationSet Set, resolveRefe
for i := range remediationSet.Addition {
a := remediationSet.Addition[i]
remediatedLines := addition(&a, &lines)
- if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &a, resolveReferences) {
+ if len(remediatedLines) > 0 && willRemediate(remediatedLines, filePath, &a, openAPIResolveReferences) {
lines = s.writeRemediation(remediatedLines, lines, filePath, a.SimilarityID)
}
}
diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go
index f59e06947d0..afa81532c7d 100644
--- a/pkg/remediation/scan.go
+++ b/pkg/remediation/scan.go
@@ -36,9 +36,9 @@ type runQueryInfo struct {
}
// scanTmpFile scans a temporary file against a specific query
-func scanTmpFile(tmpFile, queryID string, remediated []byte, resolveReferences bool) ([]model.Vulnerability, error) {
+func scanTmpFile(tmpFile, queryID string, remediated []byte, openAPIResolveReferences bool) ([]model.Vulnerability, error) {
// get payload
- files, err := getPayload(tmpFile, remediated, resolveReferences)
+ files, err := getPayload(tmpFile, remediated, openAPIResolveReferences)
if err != nil {
log.Err(err)
@@ -81,7 +81,7 @@ func scanTmpFile(tmpFile, queryID string, remediated []byte, resolveReferences b
}
// getPayload gets the payload of a file
-func getPayload(filePath string, content []byte, resolveReferences bool) (model.FileMetadatas, error) {
+func getPayload(filePath string, content []byte, openAPIResolveReferences bool) (model.FileMetadatas, error) {
ext := utils.GetExtension(filePath)
var p []*parser.Parser
var err error
@@ -116,7 +116,7 @@ func getPayload(filePath string, content []byte, resolveReferences bool) (model.
return model.FileMetadatas{}, errors.New("failed to get parser")
}
- documents, er := p[0].Parse(filePath, content, resolveReferences)
+ documents, er := p[0].Parse(filePath, content, openAPIResolveReferences)
if er != nil {
log.Error().Msgf("failed to parse file '%s': %s", filePath, er)
diff --git a/pkg/remediation/utils.go b/pkg/remediation/utils.go
index 3bc3de42ef1..1bda7da3482 100644
--- a/pkg/remediation/utils.go
+++ b/pkg/remediation/utils.go
@@ -49,7 +49,7 @@ func getBefore(line string) string {
}
// willRemediate verifies if the remediation actually removes the result
-func willRemediate(remediated []string, originalFileName string, remediation *Remediation, resolveReferences bool) bool {
+func willRemediate(remediated []string, originalFileName string, remediation *Remediation, openAPIResolveReferences bool) bool {
filepath.Clean(originalFileName)
// create temporary file
tmpFile := filepath.Join(os.TempDir(), "temporary-remediation-"+utils.NextRandom()+"-"+filepath.Base(originalFileName))
@@ -75,7 +75,7 @@ func willRemediate(remediated []string, originalFileName string, remediation *Re
}
// scan the temporary file to verify if the remediation removed the result
- results, err := scanTmpFile(tmpFile, remediation.QueryID, content, resolveReferences)
+ results, err := scanTmpFile(tmpFile, remediation.QueryID, content, openAPIResolveReferences)
if err != nil {
log.Error().Msgf("failed to get results of query %s: %s", remediation.QueryID, err)
diff --git a/pkg/scan/client.go b/pkg/scan/client.go
index a0317faf9fa..d1c780350c5 100644
--- a/pkg/scan/client.go
+++ b/pkg/scan/client.go
@@ -44,7 +44,7 @@ type Parameters struct {
ScanID string
BillOfMaterials bool
ExcludeGitIgnore bool
- ResolveReferences bool
+ OpenAPIResolveReferences bool
}
// Client represents a scan client
diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go
index d763db2e87e..b624dbf343f 100644
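Review bot: The temporary path built on the unchanged line after `// create temporary file` in willRemediate places the file in the shared `os.TempDir()` under a name whose unpredictability rests entirely on `utils.NextRandom()`, whose implementation is not visible here. If the file is then created with a plain write (that step is outside this hunk), `os.CreateTemp(os.TempDir(), "temporary-remediation-*-"+filepath.Base(originalFileName))` would create it exclusively with 0600 permissions and remove the naming question; the caller would then use the returned `*os.File` name as tmpFile. The rest of willRemediate, including creation and removal of tmpFile, lies between and after the two visible hunks.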
--- a/pkg/scan/scan.go
+++ b/pkg/scan/scan.go
@@ -135,8 +135,8 @@ func (c *Client) executeScan(ctx context.Context) (*Results, error) {
return nil, nil
}
- if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, *c.ProBarBuilder,
- executeScanParameters.services, c.ScanParams.ResolveReferences); err != nil {
+ if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, c.ScanParams.OpenAPIResolveReferences, *c.ProBarBuilder,
+ executeScanParameters.services); err != nil {
log.Err(err)
return nil, err
}
diff --git a/pkg/scanner/scanner.go b/pkg/scanner/scanner.go
index e4283dac35b..c74ada02e4f 100644
--- a/pkg/scanner/scanner.go
+++ b/pkg/scanner/scanner.go
@@ -12,9 +12,13 @@ import (
type serviceSlice []*kics.Service
-func PrepareAndScan(ctx context.Context, scanID string,
+func PrepareAndScan(
+ ctx context.Context,
+ scanID string,
+ openAPIResolveReferences bool,
proBarBuilder progress.PbBuilder,
- services serviceSlice, resolveReferences bool) error {
+ services serviceSlice,
+) error {
metrics.Metric.Start("prepare_sources")
var wg sync.WaitGroup
wgDone := make(chan bool)
@@ -23,7 +27,7 @@ func PrepareAndScan(ctx context.Context, scanID string,
for _, service := range services {
wg.Add(1)
- go service.PrepareSources(ctx, scanID, &wg, errCh, resolveReferences)
+ go service.PrepareSources(ctx, scanID, openAPIResolveReferences, &wg, errCh)
}
go func() {
diff --git a/test/queries_test.go b/test/queries_test.go
index e8835b9120b..daebe2ecf33 100644
--- a/test/queries_test.go
+++ b/test/queries_test.go
@@ -96,7 +96,7 @@ func testRemediationQuery(t testing.TB, entry queryEntry, vulnerabilities []mode
for filePath := range temporaryRemediationSets {
fix := temporaryRemediationSets[filePath].(remediation.Set)
- err = summary.RemediateFile(filePath, fix, true)
+ err = summary.RemediateFile(filePath, fix, false)
os.Remove(filePath)
if err != nil {
require.NoError(t, err)
From bb7284a671e00b87ac3b32a0e4524c81173d32cd Mon Sep 17 00:00:00 2001
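Review bot: Flipping `summary.RemediateFile(filePath, fix, true)` to `false` in testRemediationQuery means the remediation suite no longer exercises the OpenAPI reference-resolving path through willRemediate, scanTmpFile and getPayload; the following commit makes the same flip in Test_RemediateFile in pkg/remediation/remediation_test.go, so after both, no visible test passes `true`. Using the flag's default value for the general query suite is reasonable, but at least one remediation test over an OpenAPI fixture with external references should keep passing `true`, unless that coverage exists in a file outside this series. testRemediationQuery's body continues outside the hunk.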
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Fri, 10 Nov 2023 12:05:54 +0000
Subject: [PATCH 249/379] linter
---
pkg/kics/service.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/kics/service.go b/pkg/kics/service.go
index af04818b09e..f13c40ae5e0 100644
--- a/pkg/kics/service.go
+++ b/pkg/kics/service.go
@@ -63,7 +63,7 @@ type Service struct {
// PrepareSources will prepare the sources to be scanned
func (s *Service) PrepareSources(ctx context.Context,
scanID string,
- openApiResolveReferences bool,
+ openAPIResolveReferences bool,
wg *sync.WaitGroup, errCh chan<- error) {
defer wg.Done()
// CxSAST query under review
@@ -72,10 +72,10 @@ func (s *Service) PrepareSources(ctx context.Context,
ctx,
s.Parser.SupportedExtensions(),
func(ctx context.Context, filename string, rc io.ReadCloser) error {
- return s.sink(ctx, filename, scanID, rc, data, openApiResolveReferences)
+ return s.sink(ctx, filename, scanID, rc, data, openAPIResolveReferences)
},
func(ctx context.Context, filename string) ([]string, error) { // Sink used for resolver files and templates
- return s.resolverSink(ctx, filename, scanID, openApiResolveReferences)
+ return s.resolverSink(ctx, filename, scanID, openAPIResolveReferences)
},
); err != nil {
errCh <- errors.Wrap(err, "failed to read sources")
From c4dab1e7a221d7c7931e4e76c0ca88a53adc27f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Fri, 10 Nov 2023 12:09:06 +0000
Subject: [PATCH 250/379] wip
---
pkg/remediation/remediation_test.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/remediation/remediation_test.go b/pkg/remediation/remediation_test.go
index 6e04beafe8f..e9826b2e2fc 100644
--- a/pkg/remediation/remediation_test.go
+++ b/pkg/remediation/remediation_test.go
@@ -111,7 +111,7 @@ func Test_RemediateFile(t *testing.T) { tmpFileName := filepath.Join(os.TempDir(), "temporary-remediation"+utils.NextRandom()+filepath.Ext(filePathCopyFrom)) tmpFile := CreateTempFile(filePathCopyFrom, tmpFileName) - s.RemediateFile(tmpFile, tt.args.remediate, true) + s.RemediateFile(tmpFile, tt.args.remediate, false) os.Remove(tmpFile) require.Equal(t, s.ActualRemediationDoneNumber, tt.actualRemediationDoneNumber) From 1cb1252950a2d3d405005b9cd32d63007e92e154 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 10 Nov 2023 13:10:16 +0000 Subject: [PATCH 251/379] fix files --- docs/commands.md | 2 +- docs/dockerhub.md | 2 +- e2e/fixtures/assets/scan_help | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/commands.md b/docs/commands.md index d2ea7f96499..f3b922d717d 100644 --- a/docs/commands.md +++ b/docs/commands.md @@ -49,6 +49,7 @@ Flags: --config string path to configuration file --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning + --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags can be provided multiple times or as a comma separated string 
@@ -93,7 +94,6 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) -r, --secrets-regexes-path string path to secrets regex rules configuration file --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index b7e78cce88b..341626f261d 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -86,6 +86,7 @@ Flags: --config string path to configuration file --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning + --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags can be provided multiple times or as a comma separated string 
@@ -129,7 +130,6 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) -r, --secrets-regexes-path string path to secrets regex rules configuration file --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 3a72c1e1278..a4f312c088a 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -7,6 +7,7 @@ Flags: --config string path to configuration file --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning + --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags can be provided multiple times or as a comma separated string 
@@ -53,7 +54,6 @@ Flags: --preview-lines int number of lines to be display in CLI results (min: 1, max: 30) (default 3) -q, --queries-path strings paths to directory with queries (default [./assets/queries]) --report-formats strings formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json]) - --resolve-references resolve the file reference -r, --secrets-regexes-path string path to secrets regex rules configuration file --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) From 27351bc3bce0cef1c05b8a16bffa47354e9e7363 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Fri, 10 Nov 2023 13:16:33 +0000 Subject: [PATCH 252/379] clean --- e2e/fixtures/assets/scan_help | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index a4f312c088a..e4a6c188b67 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -7,7 +7,7 @@ Flags: --config string path to configuration file --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning - --enable-openapi-refs resolve the file reference, on OpenAPI files (default [false]) + --enable-openapi-refs resolve the file reference, on OpenAPI files --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags can be provided multiple times or as a comma separated string From 65f4eb7f28c7d771b5856430349d7f5552dc87f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Sat, 11 Nov 2023 20:30:37 +0000 Subject: [PATCH 253/379] fix e2e --- e2e/fixtures/E2E_CLI_070_RESULT.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json index 7b4f1b32ba5..c77e0cd8a94 100644 --- a/e2e/fixtures/E2E_CLI_070_RESULT.json +++ b/e2e/fixtures/E2E_CLI_070_RESULT.json @@ -22,8 +22,8 @@ "start": "2023-10-27T16:46:52.5513995+01:00", "end": "2023-10-27T16:46:52.8805179+01:00", "paths": [ - "/path/test/fixtures/experimental_test/sample", - "/path/test/fixtures/experimental_test/queries" + "/path/test/fixtures/experimental_test/queries", + "/path/test/fixtures/experimental_test/sample" ], "queries": [ { From b3501dc094df05723ce9ad8591e490ac248409fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Sat, 11 Nov 2023 21:27:17 +0000 Subject: [PATCH 254/379] fix e2e --- e2e/fixtures/E2E_CLI_074_RESULT.json | 616 +++++++++--------- ...2e-cli-074_json_flag_resolve_references.go | 2 +- 2 files changed, 309 insertions(+), 309 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_074_RESULT.json b/e2e/fixtures/E2E_CLI_074_RESULT.json index f9611aa2e62..c6cd943d8fa 100644 --- a/e2e/fixtures/E2E_CLI_074_RESULT.json +++ b/e2e/fixtures/E2E_CLI_074_RESULT.json @@ -19,8 +19,8 @@ }, "total_counter": 73, "total_bom_resources": 0, - "start": "2023-11-09T14:37:15.1921981Z", - "end": "2023-11-09T14:37:16.6705939Z", + "start": "2023-11-11T21:07:30.1876667Z", + "end": "2023-11-11T21:07:32.1639213Z", "paths": [ "/path/test/fixtures/resolve_references_json" ], 
@@ -37,21 +37,21 @@ "files": [ { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "d0afe0e12eb9e83f4ad891f0349a94bd059d33765209ceaa827ea5153ffcf8ed", - "line": 563, + "similarity_id": "d922a00ae36332672049542c53e877ca3cea762566073824805efe7902afa1b7", + "line": 307, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'countryName' property is unique throughout the whole API", - "actual_value": "'countryName' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "ab36a26fc165f9e6f99745303d833c21eb3f0ebc8fe29a3f7f4c00ebdd7f5f4a", - "line": 307, + "similarity_id": "ae9a2c4194ef97f7a5e8dd6699ca69a23b5776268a44405e26ae261586c49aaa", + "line": 460, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'firstName' property is unique throughout the whole API", 
@@ -59,54 +59,54 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "d8e93cca1ed74130a03faee787fd52a35a64c4d5093a264c969d47f05d8a7e53", - "line": 545, + "similarity_id": "e26a1373b6b00c852b5734d922665c09b9f200a32d796f0a08f5f0fd1b63935c", + "line": 468, "issue_type": "IncorrectValue", - "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "506a8a035b6eafb480cdb17248ec20312a6977b73043a60da2ac4f7ae77777e5", - "line": 563, + "similarity_id": "f864a2440ec855e97e618df141d6d64560ae2b8c85f6fedcdbfcfa268e2f5eaf", + "line": 299, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'email' property is unique throughout the whole API", - "actual_value": "'email' property is not unique throughout the whole API" + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "5a722738fa25f4a6eb01b730edf5b4552255e4b76de45dc9ff4f7d78aa94210f", - "line": 299, + "similarity_id": "3f50576472289df6d0dc0a3ada162734486f5ca9b65c39fdd2d86b7e97ef3bfc", + "line": 249, "issue_type": 
"IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'email' property is unique throughout the whole API", - "actual_value": "'email' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "7a7de79e78550abfe8a44b27648d61bf7d2e22e563792d106292d8110428b60f", - "line": 387, + "similarity_id": "33d4880a27d20f1d94813f7839ffba6bd421d515b2a4a1a1d2f9439577a44cbd", + "line": 506, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'email' property is unique throughout the whole API", - "actual_value": "'email' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "dd12c8363e0fcd3f36136d30a87321885a42d5da08b937e65f9ca4e74b8eb85f", - "line": 468, + "similarity_id": "9d19bd172ff710d659a31e4196991fc11f4fb9ba856ea0c82bf86ab4ac1b0b53", + "line": 307, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", 
"expected_value": "'email' property is unique throughout the whole API", @@ -114,10 +114,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "00f42dde173a16ce24cee4f0c29f4da7af613a0ea5dbbf875323f1cb39ec214f", - "line": 506, + "similarity_id": "076023938ac61210137d19ce19c441e9418be944be4c04a7fae641f2f3b086a8", + "line": 387, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'id' property is unique throughout the whole API", 
@@ -125,25 +125,14 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "5a33cd81809bbfbc0dd79fad23450999e4f9153e798ee7d1703cfb8230fe974a", - "line": 468, - "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", - "search_line": 0, - "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" - }, - { - "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "5eda8746744c20aeccec4b5e818cbed3788cd3703f4c2aa7327a88e1045dd256", - "line": 387, + "similarity_id": "a18abf68c25c5626c5f3bb02f7804120cfec2b0af7d25234b35424965e7b9d57", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'firstName' property is unique throughout the whole API", - "actual_value": "'firstName' property is not unique throughout the whole API" + "expected_value": "'gmtOffset' property is unique throughout the whole API", + "actual_value": "'gmtOffset' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", 
@@ -158,32 +147,21 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "d922a00ae36332672049542c53e877ca3cea762566073824805efe7902afa1b7", - "line": 307, - "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", - "search_line": 0, - "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" - }, - { - "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "63de9d74b7d91a430a8935b2b351a0bdef31166b67ddc5be974a684b2c58f576", - "line": 49, + "similarity_id": "21c3a8b9dbb3622aa45eaa495d925bf9d298cc5d7c6618ff44ff6b15fff93183", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'phoneCode' property is unique throughout the whole API", - "actual_value": "'phoneCode' property is not unique throughout the whole API" + "expected_value": "'a2' property is unique throughout the whole API", + "actual_value": "'a2' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "e3077490ffad83609036247b4010681858afe1663ca767c8787ad86c83b63a42", - "line": 506, + "similarity_id": "db633da9cf870fa37830b3c65fb285c9a4b8cff92a36343e40a7cd9796c55e2f", + "line": 545, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'email' property is unique throughout the whole 
API", 
@@ -191,43 +169,32 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "ae9a2c4194ef97f7a5e8dd6699ca69a23b5776268a44405e26ae261586c49aaa", - "line": 460, - "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", - "search_line": 0, - "search_value": "", - "expected_value": "'firstName' property is unique throughout the whole API", - "actual_value": "'firstName' property is not unique throughout the whole API" - }, - { - "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "4e1e62ee80dc6711e967c9be6a1d14df22033bfe3b3e12b8385508d9ad942da6", - "line": 49, + "similarity_id": "066626dc90876e4b8e0acb085e4883f8742ead6e726f66b33ed364ed3aeb2d92", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'countryName' property is unique throughout the whole API", - "actual_value": "'countryName' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "68309d0960a7dc0655457b3ebf9fc6ba6ffe06957c7ee22fa569cc138d91868b", - "line": 49, + "similarity_id": "06131bef351103acfb7ee9fbb205cd3072eab03438dc64574bb4541cd7ba48d9", + "line": 348, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'definition' 
property is unique throughout the whole API", - "actual_value": "'definition' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "03296fbe7d92c85cc639a282edacb96f285ea877602c60f95a9ea46052d07bbb", - "line": 348, + "similarity_id": "7a7de79e78550abfe8a44b27648d61bf7d2e22e563792d106292d8110428b60f", + "line": 387, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'email' property is unique throughout the whole API", @@ -235,10 +202,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "36abb555656ac0fa2cb2b975b1a4a90076d424c1083144673dfce7e1daa44512", - "line": 194, + "similarity_id": "0ed9019bf3b823e4b9cec5623ecb02c577f495d7b3be84dceb009b9f6e7dc8ff", + "line": 299, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'firstName' property is unique throughout the whole API", 
@@ -257,21 +224,21 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "e26a1373b6b00c852b5734d922665c09b9f200a32d796f0a08f5f0fd1b63935c", - "line": 468, + "similarity_id": "3e833473f334445d14dea0b81ad200bb6f9715983d5c330cea890862e3e621a1", + "line": 348, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'id' property is unique throughout the whole API", - "actual_value": "'id' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "9c53f0e8c5ed42f8c81e44b07ab37c073ec4af1bf6654c85e6795b17fee8d9f6", - "line": 563, + "similarity_id": "6a86f8ece0f67a20a6f2d953aeec7133a4d8b2db05a91c88b77e6daa559da255", + "line": 460, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'info' property is unique throughout the whole API", 
@@ -279,54 +246,54 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "d63880c933e60f14fe31e1706419ad0131a43c47639fbfa68e9e18dc29353d89", + "similarity_id": "742df9bdb7b0bbdfd27893a2328da8c0cf3313562121f05b4933e49df8d71d71", "line": 299, "issue_type": "IncorrectValue", "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "c9fc36b4134eceed43134427be36539a2733c36f0be7b001e2e28acf70138451", - "line": 49, + "similarity_id": "70d44bfb825c6276aefef00842ac929b64193c9030066ecea83f8bfc9ed6f964", + "line": 545, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'a2' property is unique throughout the whole API", - "actual_value": "'a2' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "5caaee296537e635d3def3adaa4a110f1251f45f9c87682372e6dd8f0f7e64df", - "line": 563, + "similarity_id": "c9fc36b4134eceed43134427be36539a2733c36f0be7b001e2e28acf70138451", + "line": 49, "issue_type": "IncorrectValue", - "search_key": 
"definitions.$ref=./definitions.json", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'definition' property is unique throughout the whole API", - "actual_value": "'definition' property is not unique throughout the whole API" + "expected_value": "'a2' property is unique throughout the whole API", + "actual_value": "'a2' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "931de466521d641a25205229ac2c975fb74d54bd9a6ff5a80b8a61b742bda09b", - "line": 249, + "similarity_id": "6f2361667cb5eef4416ee89133e7f000bc857bab23be7f63dc29fb219932ffae", + "line": 468, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'email' property is unique throughout the whole API", - "actual_value": "'email' property is not unique throughout the whole API" + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "0ed9019bf3b823e4b9cec5623ecb02c577f495d7b3be84dceb009b9f6e7dc8ff", - "line": 299, + "similarity_id": "5eda8746744c20aeccec4b5e818cbed3788cd3703f4c2aa7327a88e1045dd256", + "line": 387, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'firstName' property is unique throughout the 
whole API", 
@@ -334,164 +301,164 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "6f2361667cb5eef4416ee89133e7f000bc857bab23be7f63dc29fb219932ffae", - "line": 468, + "similarity_id": "3ff7cf91a10e3c0dae8a89638de17797354aa05c16c0dc58b45e916bd393f1b3", + "line": 387, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'firstName' property is unique throughout the whole API", - "actual_value": "'firstName' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "3f50576472289df6d0dc0a3ada162734486f5ca9b65c39fdd2d86b7e97ef3bfc", + "similarity_id": "910467f7887c76affc7cea19c0fe396e3d3531ea8a43fd3144a91010f73f5f8e", "line": 249, "issue_type": "IncorrectValue", "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "33d4880a27d20f1d94813f7839ffba6bd421d515b2a4a1a1d2f9439577a44cbd", - "line": 506, + "similarity_id": "68309d0960a7dc0655457b3ebf9fc6ba6ffe06957c7ee22fa569cc138d91868b", + "line": 49, "issue_type": "IncorrectValue", - "search_key": 
"paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'definition' property is unique throughout the whole API", + "actual_value": "'definition' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "12cba189eca9ebafb21b6d2b8c50e8b323bbd1a0032b93598b85573e27387c3e", - "line": 249, + "similarity_id": "960914db94494373fc175325d916372db0940040c1d8a73c153dae8b398a6b3e", + "line": 194, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'firstName' property is unique throughout the whole API", - "actual_value": "'firstName' property is not unique throughout the whole API" + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "090388d5ad23a89ba5a21dd99ca769b91921ba85ac62f9fea9eef9b2a35ca3c2", - "line": 506, + "similarity_id": "d8e93cca1ed74130a03faee787fd52a35a64c4d5093a264c969d47f05d8a7e53", + "line": 545, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": 
"'firstName' property is unique throughout the whole API", - "actual_value": "'firstName' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "a60875f03b9d4ba7e30e984a1721574d40ae990a07f9580810362309499b47a9", - "line": 563, + "similarity_id": "115612d7d5a2e88c8ebdfda5c4e3c2e35671d903bf1c00a3a68465a4bc3c3a8a", + "line": 506, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'governmentForm' property is unique throughout the whole API", - "actual_value": "'governmentForm' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "d7dc8a4773bc3422171faf9375a10992195d2995804cc67a1b397283e5be9742", - "line": 194, + "similarity_id": "4e1e62ee80dc6711e967c9be6a1d14df22033bfe3b3e12b8385508d9ad942da6", + "line": 49, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'id' property is unique throughout the whole API", - "actual_value": "'id' property is not unique throughout the whole API" + "expected_value": "'countryName' property is unique throughout the whole API", + "actual_value": "'countryName' property is not unique throughout the whole API" 
}, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "1f1c4e0ee7b45e50c78cd7a2947a5c380620e2ff6099fd207985c81ebab2c193", - "line": 194, + "similarity_id": "f27d2a4dda9db71d94614e720681050e5cd74c17cdd01f7ff7061ab58707981c", + "line": 49, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'governmentForm' property is unique throughout the whole API", + "actual_value": "'governmentForm' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "ba0fe4366991ff946be2b3264f2f12971e5b7a913bc67464bc1b7bda6aaff15b", - "line": 307, + "similarity_id": "5a722738fa25f4a6eb01b730edf5b4552255e4b76de45dc9ff4f7d78aa94210f", + "line": 299, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "70d44bfb825c6276aefef00842ac929b64193c9030066ecea83f8bfc9ed6f964", - "line": 545, + "similarity_id": 
"ca6add4f28bb864af1341d26682aa2d0fa6d759b3efc99479127ca1c9758cc12", + "line": 460, "issue_type": "IncorrectValue", - "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "6a933de1599716878e2e3ef21cdadff44c5481452d18dc63d835546693df7ebe", - "line": 49, + "similarity_id": "36abb555656ac0fa2cb2b975b1a4a90076d424c1083144673dfce7e1daa44512", + "line": 194, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'gmtOffset' property is unique throughout the whole API", - "actual_value": "'gmtOffset' property is not unique throughout the whole API" + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "28c44bb9f10e51406f2e7afb8287fdd192eb5f02c2a8acdb1b2df4f8823da145", - "line": 194, + "similarity_id": "44ff15d550e3eb9cb2a7b5d4de12a5df15ad61577ffc297ea27e832a453e7ab6", + "line": 49, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": 
"paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "bf9a072e845e726db76c3c4b3de244e611f2cace131d1ae7d6f206d90b2a1ed6", - "line": 387, + "similarity_id": "bb64c1c7f4b43fdb4a2d84048203a0183f1b88c8fcbfc505916cc8a974fef901", + "line": 545, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "115612d7d5a2e88c8ebdfda5c4e3c2e35671d903bf1c00a3a68465a4bc3c3a8a", - "line": 506, + "similarity_id": "ae22dd7f5074e293bd07c146e0ef6e070c34c323307841641d9b19250d976896", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'displayName' property 
is unique throughout the whole API", + "actual_value": "'displayName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "9d19bd172ff710d659a31e4196991fc11f4fb9ba856ea0c82bf86ab4ac1b0b53", - "line": 307, + "similarity_id": "506a8a035b6eafb480cdb17248ec20312a6977b73043a60da2ac4f7ae77777e5", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", "expected_value": "'email' property is unique throughout the whole API", 
@@ -499,25 +466,25 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "06131bef351103acfb7ee9fbb205cd3072eab03438dc64574bb4541cd7ba48d9", - "line": 348, + "similarity_id": "d0afe0e12eb9e83f4ad891f0349a94bd059d33765209ceaa827ea5153ffcf8ed", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'countryName' property is unique throughout the whole API", + "actual_value": "'countryName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "ca6add4f28bb864af1341d26682aa2d0fa6d759b3efc99479127ca1c9758cc12", - "line": 460, + "similarity_id": "1f1c4e0ee7b45e50c78cd7a2947a5c380620e2ff6099fd207985c81ebab2c193", + "line": 194, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'email' property is unique throughout the whole API", - "actual_value": "'email' property is not unique throughout the whole API" + "expected_value": "'password' property is unique throughout the whole API", + "actual_value": "'password' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", 
@@ -532,10 +499,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "a18abf68c25c5626c5f3bb02f7804120cfec2b0af7d25234b35424965e7b9d57", - "line": 563, + "similarity_id": "6a933de1599716878e2e3ef21cdadff44c5481452d18dc63d835546693df7ebe", + "line": 49, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", "expected_value": "'gmtOffset' property is unique throughout the whole API", @@ -543,10 +510,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "9e825d84c9683c86687eac7a319c0ef77d5296a6f64ef1224e9808181e52879c", - "line": 348, + "similarity_id": "1ebf2eee6e73bf46d0b14e39a6a8b32b3c987ab78bfdf877203be7730ca8213a", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", "expected_value": "'id' property is unique throughout the whole API", 
@@ -554,32 +521,32 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "2b831616eccfc184da4ed859fd2ee92e6c3e53753608eb855c65021d0ebfbdc9", - "line": 563, + "similarity_id": "5a33cd81809bbfbc0dd79fad23450999e4f9153e798ee7d1703cfb8230fe974a", + "line": 468, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'phoneCode' property is unique throughout the whole API", - "actual_value": "'phoneCode' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "a29891f01be9d769faeb1937e8d5d741a05876fde469b6c50246b7a67e2597f1", + "similarity_id": "6e356e76aa611d446e8b47bcb98c2e89a60f4e11ec0215fa4c3cb68e6b8ef39b", "line": 49, "issue_type": "IncorrectValue", "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'a3' property is unique throughout the whole API", - "actual_value": "'a3' property is not unique throughout the whole API" + "expected_value": "'displayName' property is unique throughout the whole API", + "actual_value": "'displayName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "db633da9cf870fa37830b3c65fb285c9a4b8cff92a36343e40a7cd9796c55e2f", - "line": 545, + "similarity_id": "931de466521d641a25205229ac2c975fb74d54bd9a6ff5a80b8a61b742bda09b", + "line": 249, "issue_type": "IncorrectValue", - "search_key": 
"paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'email' property is unique throughout the whole API", @@ -587,21 +554,21 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "1ebf2eee6e73bf46d0b14e39a6a8b32b3c987ab78bfdf877203be7730ca8213a", - "line": 563, + "similarity_id": "090388d5ad23a89ba5a21dd99ca769b91921ba85ac62f9fea9eef9b2a35ca3c2", + "line": 506, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'id' property is unique throughout the whole API", - "actual_value": "'id' property is not unique throughout the whole API" + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "f864a2440ec855e97e618df141d6d64560ae2b8c85f6fedcdbfcfa268e2f5eaf", - "line": 299, + "similarity_id": "d7dc8a4773bc3422171faf9375a10992195d2995804cc67a1b397283e5be9742", + "line": 194, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'id' property is unique throughout the whole API", 
@@ -609,76 +576,76 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "485cca9ca27689883477aadaff52f90dc1d5a264a423e1e32a4007a27d7d51bf", - "line": 249, + "similarity_id": "00f42dde173a16ce24cee4f0c29f4da7af613a0ea5dbbf875323f1cb39ec214f", + "line": 506, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'id' property is unique throughout the whole API", + "actual_value": "'id' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "3ff7cf91a10e3c0dae8a89638de17797354aa05c16c0dc58b45e916bd393f1b3", - "line": 387, + "similarity_id": "2b831616eccfc184da4ed859fd2ee92e6c3e53753608eb855c65021d0ebfbdc9", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'password' property is unique throughout the whole API", - "actual_value": "'password' property is not unique throughout the whole API" + "expected_value": "'phoneCode' property is unique throughout the whole API", + "actual_value": "'phoneCode' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "21c3a8b9dbb3622aa45eaa495d925bf9d298cc5d7c6618ff44ff6b15fff93183", + "similarity_id": "850677a8f5bf1c669df3dab2b7c7a825af4fb99bf2012197de0d1729455aac8f", "line": 563, 
"issue_type": "IncorrectValue", "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'a2' property is unique throughout the whole API", - "actual_value": "'a2' property is not unique throughout the whole API" + "expected_value": "'a3' property is unique throughout the whole API", + "actual_value": "'a3' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "ae22dd7f5074e293bd07c146e0ef6e070c34c323307841641d9b19250d976896", + "similarity_id": "5caaee296537e635d3def3adaa4a110f1251f45f9c87682372e6dd8f0f7e64df", "line": 563, "issue_type": "IncorrectValue", "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", - "expected_value": "'displayName' property is unique throughout the whole API", - "actual_value": "'displayName' property is not unique throughout the whole API" + "expected_value": "'definition' property is unique throughout the whole API", + "actual_value": "'definition' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "6e356e76aa611d446e8b47bcb98c2e89a60f4e11ec0215fa4c3cb68e6b8ef39b", - "line": 49, + "similarity_id": "28c44bb9f10e51406f2e7afb8287fdd192eb5f02c2a8acdb1b2df4f8823da145", + "line": 194, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'displayName' property is unique throughout the whole API", - "actual_value": "'displayName' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout 
the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "c13e062ec0e0a367b6fd475c182fb6db2e485cd29bd98cba6c8efc8715493280", - "line": 348, + "similarity_id": "bf9a072e845e726db76c3c4b3de244e611f2cace131d1ae7d6f206d90b2a1ed6", + "line": 387, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'firstName' property is unique throughout the whole API", - "actual_value": "'firstName' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "742df9bdb7b0bbdfd27893a2328da8c0cf3313562121f05b4933e49df8d71d71", - "line": 299, + "similarity_id": "485cca9ca27689883477aadaff52f90dc1d5a264a423e1e32a4007a27d7d51bf", + "line": 249, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'password' property is unique throughout the whole API", 
@@ -697,10 +664,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "960914db94494373fc175325d916372db0940040c1d8a73c153dae8b398a6b3e", - "line": 194, + "similarity_id": "e3077490ffad83609036247b4010681858afe1663ca767c8787ad86c83b63a42", + "line": 506, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/cart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/update}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'email' property is unique throughout the whole API", @@ -708,10 +675,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "f27d2a4dda9db71d94614e720681050e5cd74c17cdd01f7ff7061ab58707981c", - "line": 49, + "similarity_id": "a60875f03b9d4ba7e30e984a1721574d40ae990a07f9580810362309499b47a9", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", "expected_value": "'governmentForm' property is unique throughout the whole API", @@ -719,10 +686,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "910467f7887c76affc7cea19c0fe396e3d3531ea8a43fd3144a91010f73f5f8e", - "line": 249, + "similarity_id": "9e71d759cb0f8f63855f0215e2c95c646c20083100bfa04ebf609e80841f816b", + "line": 460, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'id' property is unique throughout the whole API", 
@@ -730,21 +697,21 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "9e71d759cb0f8f63855f0215e2c95c646c20083100bfa04ebf609e80841f816b", - "line": 460, + "similarity_id": "d63880c933e60f14fe31e1706419ad0131a43c47639fbfa68e9e18dc29353d89", + "line": 299, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/password}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'id' property is unique throughout the whole API", - "actual_value": "'id' property is not unique throughout the whole API" + "expected_value": "'info' property is unique throughout the whole API", + "actual_value": "'info' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "066626dc90876e4b8e0acb085e4883f8742ead6e726f66b33ed364ed3aeb2d92", - "line": 563, + "similarity_id": "ba0fe4366991ff946be2b3264f2f12971e5b7a913bc67464bc1b7bda6aaff15b", + "line": 307, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'password' property is unique throughout the whole API", 
@@ -752,43 +719,65 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "850677a8f5bf1c669df3dab2b7c7a825af4fb99bf2012197de0d1729455aac8f", - "line": 563, + "similarity_id": "63de9d74b7d91a430a8935b2b351a0bdef31166b67ddc5be974a684b2c58f576", + "line": 49, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'a3' property is unique throughout the whole API", - "actual_value": "'a3' property is not unique throughout the whole API" + "expected_value": "'phoneCode' property is unique throughout the whole API", + "actual_value": "'phoneCode' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "cd645894b66fff7e5353951a29877faf402ba3e3d51d56b9f2e936105949512f", - "line": 563, + "similarity_id": "03296fbe7d92c85cc639a282edacb96f285ea877602c60f95a9ea46052d07bbb", + "line": 348, "issue_type": "IncorrectValue", - "search_key": "definitions.$ref=./definitions.json", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'id' property is unique throughout the whole API", - "actual_value": "'id' property is not unique throughout the whole API" + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "44ff15d550e3eb9cb2a7b5d4de12a5df15ad61577ffc297ea27e832a453e7ab6", - "line": 49, + "similarity_id": "12cba189eca9ebafb21b6d2b8c50e8b323bbd1a0032b93598b85573e27387c3e", + "line": 249, "issue_type": "IncorrectValue", - 
"search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", + "search_key": "paths.{{/user/create/mapCart}}.post.parameters.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", - "expected_value": "'id' property is unique throughout the whole API", - "actual_value": "'id' property is not unique throughout the whole API" + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "076023938ac61210137d19ce19c441e9418be944be4c04a7fae641f2f3b086a8", - "line": 387, + "similarity_id": "ab36a26fc165f9e6f99745303d833c21eb3f0ebc8fe29a3f7f4c00ebdd7f5f4a", + "line": 307, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/create/password}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "c13e062ec0e0a367b6fd475c182fb6db2e485cd29bd98cba6c8efc8715493280", + "line": 348, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'firstName' property is unique throughout the whole API", + "actual_value": "'firstName' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": 
"cd645894b66fff7e5353951a29877faf402ba3e3d51d56b9f2e936105949512f", + "line": 563, + "issue_type": "IncorrectValue", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", "expected_value": "'id' property is unique throughout the whole API", @@ -796,10 +785,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "bb64c1c7f4b43fdb4a2d84048203a0183f1b88c8fcbfc505916cc8a974fef901", - "line": 545, + "similarity_id": "9e825d84c9683c86687eac7a319c0ef77d5296a6f64ef1224e9808181e52879c", + "line": 348, "issue_type": "IncorrectValue", - "search_key": "paths.{{/users/findAll}}.get.responses.200.schema.items.$ref=./definitions.json#/User", + "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", "search_line": 0, "search_value": "", "expected_value": "'id' property is unique throughout the whole API", @@ -807,10 +796,10 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "6a86f8ece0f67a20a6f2d953aeec7133a4d8b2db05a91c88b77e6daa559da255", - "line": 460, + "similarity_id": "9c53f0e8c5ed42f8c81e44b07ab37c073ec4af1bf6654c85e6795b17fee8d9f6", + "line": 563, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/insert}}.post.parameters.schema.$ref=./definitions.json#/User", + "search_key": "definitions.$ref=./definitions.json", "search_line": 0, "search_value": "", "expected_value": "'info' property is unique throughout the whole API", 
@@ -829,14 +818,25 @@ }, { "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", - "similarity_id": "3e833473f334445d14dea0b81ad200bb6f9715983d5c330cea890862e3e621a1", - "line": 348, + "similarity_id": "a29891f01be9d769faeb1937e8d5d741a05876fde469b6c50246b7a67e2597f1", + "line": 49, "issue_type": "IncorrectValue", - "search_key": "paths.{{/user/get/byEmail/{email}}}.get.responses.200.schema.$ref=./definitions.json#/User", + "search_key": "paths.{{/country/get/byId/{id}}}.get.responses.200.schema.$ref=./definitions.json#/Country", "search_line": 0, "search_value": "", - "expected_value": "'info' property is unique throughout the whole API", - "actual_value": "'info' property is not unique throughout the whole API" + "expected_value": "'a3' property is unique throughout the whole API", + "actual_value": "'a3' property is not unique throughout the whole API" + }, + { + "file_name": "path\\test\\fixtures\\resolve_references_json\\scan-2files.json", + "similarity_id": "dd12c8363e0fcd3f36136d30a87321885a42d5da08b937e65f9ca4e74b8eb85f", + "line": 468, + "issue_type": "IncorrectValue", + "search_key": "paths.{{/user/insert}}.post.responses.200.schema.$ref=./definitions.json#/User", + "search_line": 0, + "search_value": "", + "expected_value": "'email' property is unique throughout the whole API", + "actual_value": "'email' property is not unique throughout the whole API" } ] } diff --git a/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go b/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go index 99cff05e7fb..90a5388c959 100644 --- a/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go +++ b/e2e/testcases/e2e-cli-074_json_flag_resolve_references.go 
@@ -9,7 +9,7 @@ func init() { //nolint
 Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_074_RESULT",
- "-p", "\"/path/test/fixtures/resolve_references\"",
+ "-p", "\"/path/test/fixtures/resolve_references_json\"",
 "-i", "750b40be-4bac-4f59-bdc4-1ca0e6c3450e", "--enable-openapi-refs", },
From f5da2569bf7c552a98ba29f69436d3b5c26a5733 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Sat, 11 Nov 2023 21:59:41 +0000
Subject: [PATCH 255/379] wip
---
 e2e/fixtures/E2E_CLI_070_RESULT.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json
index c77e0cd8a94..688ce800039 100644
--- a/e2e/fixtures/E2E_CLI_070_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_070_RESULT.json
@@ -22,8 +22,8 @@
 "start": "2023-10-27T16:46:52.5513995+01:00",
 "end": "2023-10-27T16:46:52.8805179+01:00",
 "paths": [
- "/path/test/fixtures/experimental_test/queries",
- "/path/test/fixtures/experimental_test/sample"
+ "/path/test/fixtures/experimental_test/sample",
+ "/path/test/fixtures/experimental_test/queries"
 ],
 "queries": [
 {
From d8fe4baeb61dc2251a7962ddbdcb4a4af353d58c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Mon, 13 Nov 2023 10:51:42 +0000
Subject: [PATCH 256/379] order paths
---
 pkg/scan/post_scan.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/scan/post_scan.go b/pkg/scan/post_scan.go
index 1396e7dc8bc..e73a07b8f3e 100644
--- a/pkg/scan/post_scan.go
+++ b/pkg/scan/post_scan.go
@@ -4,6 +4,7 @@ import (
 _ "embed" // Embed kics CLI img and scan-flags
 "os"
 "path/filepath"
+ "sort"
 "strings"
 "time"
@@ -114,7 +115,7 @@ func (c *Client) postScan(scanResults *Results) error {
 return err
 }
 }
-
+ sort.Strings(c.ScanParams.Path)
 summary := c.getSummary(scanResults.Results, time.Now(), model.PathParameters{
 ScannedPaths: c.ScanParams.Path,
 PathExtractionMap: scanResults.ExtractedPaths.ExtractionMap,
From 41f164103668ec7a010200873430a836c04906ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Mon, 13 Nov 2023 14:54:42 +0000
Subject: [PATCH 257/379] improve experimental signal on the results and cli
---
 pkg/engine/inspector.go | 1 +
 pkg/engine/vulnerability_builder.go | 1 +
 pkg/engine/vulnerability_utils.go | 19 +++++++++
 pkg/model/model.go | 1 +
 pkg/model/summary.go | 2 +
 pkg/printer/printer.go | 5 +++
 pkg/printer/printer_test.go | 43 ++++++++++++++++++++
 test/helpers.go | 61 +++++++++++++++++++++++++++++
 8 files changed, 133 insertions(+)
diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go
index d47e989b7a7..f5cb39c3171 100644
--- a/pkg/engine/inspector.go
+++ b/pkg/engine/inspector.go
@@ -30,6 +30,7 @@ const (
 UndetectedVulnerabilityLine = -1
 DefaultQueryID = "Undefined"
 DefaultQueryName = "Anonymous"
+ DefaultExperimental = false
 DefaultQueryDescription = "Undefined"
 DefaultQueryDescriptionID = "Undefined"
 DefaultQueryURI = "https://github.com/Checkmarx/kics/"
diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go
index e9fd8c016e4..0a64d377ea7 100644
--- a/pkg/engine/vulnerability_builder.go
+++ b/pkg/engine/vulnerability_builder.go
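Review bot: `sort.Strings(c.ScanParams.Path)` sorts the caller-supplied slice in place, so building the summary now permanently reorders `c.ScanParams.Path` for anything that reads it afterwards. Sorting a copy keeps the summary deterministic without that side effect: `scannedPaths := append([]string(nil), c.ScanParams.Path...)`, `sort.Strings(scannedPaths)`, then `ScannedPaths: scannedPaths,`. postScan's body begins outside the hunk, so whether a later consumer depends on the original argument order cannot be confirmed from here. A one-line comment on the sort would also record its intent, e.g. `// sort so the reported scanned paths do not depend on argument order`.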
@@ -175,6 +175,7 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker,
 FileName: linesVulne.ResolvedFile,
 QueryName: getStringFromMap("queryName", DefaultQueryName, overrideKey, vObj, &logWithFields),
 QueryID: queryID,
+ Experimental: getBoolFromMap("experimental", DefaultExperimental, overrideKey, vObj, &logWithFields),
 QueryURI: getStringFromMap("descriptionUrl", DefaultQueryURI, overrideKey, vObj, &logWithFields),
 Category: getStringFromMap("category", "", overrideKey, vObj, &logWithFields),
 Description: getStringFromMap("descriptionText", "", overrideKey, vObj, &logWithFields),
diff --git a/pkg/engine/vulnerability_utils.go b/pkg/engine/vulnerability_utils.go
index 3805a0d99ce..fe022f86e20 100644
--- a/pkg/engine/vulnerability_utils.go
+++ b/pkg/engine/vulnerability_utils.go
@@ -129,6 +129,25 @@ func getStringFromMap(vulnParam, defaultParam, overrideKey string, vObj map[stri
 }
 return *ts
 }
+func getBoolFromMap(vulnParam string, defaultParam bool, overrideKey string, vObj map[string]interface{}, logWithFields *zerolog.Logger) bool {
+ ts, err := mapKeyToString(vObj, vulnParam, false)
+ if err != nil {
+ logWithFields.Err(err).
+ Msgf("Saving result. failed to detect %s", vulnParam)
+ return defaultParam
+ }
+ overrideValue := tryOverride(overrideKey, vulnParam, vObj)
+ if overrideValue != nil {
+ ts = overrideValue
+ }
+ res, err := strconv.ParseBool(*ts)
+ if err != nil {
+ logWithFields.Err(err).
+ Msgf("Saving result. failed to detect %s", vulnParam)
+ return defaultParam
+ }
+ return res
+}
 func getSeverity(severity string) model.Severity {
 for _, si := range model.AllSeverities {
 if severity == string(si) {
diff --git a/pkg/model/model.go b/pkg/model/model.go
index 8abe34bd083..4c37957db29 100644
--- a/pkg/model/model.go
+++ b/pkg/model/model.go
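Review bot: getBoolFromMap logs at error level whenever `vulnParam` cannot be read from vObj, and because `experimental` is a new optional field most existing query metadata will not carry it, so every result of those queries may emit `Saving result. failed to detect experimental` — assuming mapKeyToString returns an error for an absent key (its third argument is not visible here). Consider returning `defaultParam` silently from the first lookup and keeping the logged error only for the `strconv.ParseBool` failure, which signals a genuinely malformed value rather than an absent one. The function also lacks a doc comment although it is the boolean twin of getStringFromMap; something like `// getBoolFromMap reads vulnParam from vObj as a boolean, applying any override under overrideKey, and falls back to defaultParam when the key is missing or unparseable.` would do.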
@@ -157,6 +157,7 @@ type Vulnerability struct {
 QueryName string `db:"query_name" json:"queryName"`
 QueryURI string `json:"-"`
 Category string `json:"category"`
+ Experimental bool `json:"experimental"`
 Description string `json:"description"`
 DescriptionID string `json:"descriptionID"`
 Platform string `db:"platform" json:"platform"`
diff --git a/pkg/model/summary.go b/pkg/model/summary.go
index aca310f0fcc..31e5721812d 100644
--- a/pkg/model/summary.go
+++ b/pkg/model/summary.go
@@ -47,6 +47,7 @@ type QueryResult struct {
 Platform string `json:"platform"`
 CloudProvider string `json:"cloud_provider,omitempty"`
 Category string `json:"category"`
+ Experimental bool `json:"experimental"`
 Description string `json:"description"`
 DescriptionID string `json:"description_id"`
 CISDescriptionIDFormatted string `json:"cis_description_id,omitempty"`
@@ -199,6 +200,7 @@ func CreateSummary(counters Counters, vulnerabilities []Vulnerability,
 Severity: item.Severity,
 QueryURI: item.QueryURI,
 Platform: item.Platform,
+ Experimental: item.Experimental,
 CloudProvider: strings.ToUpper(item.CloudProvider),
 Category: item.Category,
 Description: item.Description,
diff --git a/pkg/printer/printer.go b/pkg/printer/printer.go
index 986dee54fb4..13b29fa9bdf 100644
--- a/pkg/printer/printer.go
+++ b/pkg/printer/printer.go
@@ -127,6 +127,11 @@ func PrintResult(summary *model.Summary, failedQueries map[string]error, printer
 printer.PrintBySev(string(summary.Queries[idx].Severity), string(summary.Queries[idx].Severity)),
 len(summary.Queries[idx].Files),
 )
+
+ if summary.Queries[idx].Experimental {
+ fmt.Println("Experimental")
+ }
+
 if !printer.minimal {
 if summary.Queries[idx].CISDescriptionID != "" {
 fmt.Printf("%s %s\n", printer.Bold("Description ID:"), summary.Queries[idx].CISDescriptionIDFormatted)
diff --git a/pkg/printer/printer_test.go b/pkg/printer/printer_test.go
index 3f04d648075..19e7529b43b 100644
--- a/pkg/printer/printer_test.go
+++ b/pkg/printer/printer_test.go
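Review bot: `fmt.Println("Experimental")` in PrintResult emits a bare, unstyled word under the query heading, and it does so before the `if !printer.minimal` gate while the neighbouring detail lines go through the printer's formatting helpers such as `printer.Bold`. A labelled line makes the meaning clear to someone reading the CLI output and keeps the styling consistent, e.g. `fmt.Printf("%s\n", printer.Bold("Experimental query"))`, with the expectations added in printer_test.go updated to match. PrintResult begins and ends outside the hunk, so I cannot see whether other per-query lines are intentionally shown in minimal mode.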
@@ -188,6 +188,49 @@ var printTests = []struct {
 "TOTAL: 3\n\n",
 customQueries: true,
 },
+ {
+ caseTest: test.ComplexSummaryMockWithExperimental,
+ expectedResult: "Files scanned: 2\n" +
+ "Parsed files: 2\n" +
+ "Queries loaded: 2\n" +
+ "Queries failed to execute: 0\n\n" +
+ "------------------------------------\n\n" +
+ "AmazonMQ Broker Encryption Disabled, Severity: MEDIUM, Results: 1\n" +
+ "\t[1]: positive.tf:1\n" +
+ "ALB protocol is HTTP, Severity: HIGH, Results: 2\n" +
+ "Experimental\n" +
+ "\t[1]: positive.tf:25\n" +
+ "\t[2]: positive.tf:19\n\n" +
+ "Results Summary:\n" +
+ "HIGH: 2\n" +
+ "MEDIUM: 1\n" +
+ "LOW: 0\n" +
+ "INFO: 0\n" +
+ "TOTAL: 3\n\n",
+ expectedResultFull: "Files scanned: 2\n" +
+ "Parsed files: 2\n" +
+ "Queries loaded: 2\n" +
+ "Queries failed to execute: 0\n\n" +
+ "------------------------------------\n\n" +
+ "AmazonMQ Broker Encryption Disabled, Severity: MEDIUM, Results: 1\n" +
+ "Description: AmazonMQ Broker should have Encryption Options defined\nPlatform: \n" +
+ "Learn more about this vulnerability: https://docs.kics.io/latest/queries/-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702\n\n" +
+ "\t[1]: positive.tf:1\n\n\n\n" +
+ "ALB protocol is HTTP, Severity: HIGH, Results: 2\n" +
+ "Experimental\n" +
+ "Description: ALB protocol is HTTP Description\n" +
+ "Platform: \n" +
+ "Learn more about this vulnerability: https://docs.kics.io/latest/queries/-queries/de7f5e83-da88-4046-871f-ea18504b1d43\n\n" +
+ "\t[1]: positive.tf:25\n\n\n\n" +
+ "\t[2]: positive.tf:19\n\n\n\n\n" +
+ "Results Summary:\n" +
+ "HIGH: 2\n" +
+ "MEDIUM: 1\n" +
+ "LOW: 0\n" +
+ "INFO: 0\n" +
+ "TOTAL: 3\n\n",
+ customQueries: false,
+ },
 }
 var failedQueries = map[string]error{}
diff --git a/test/helpers.go b/test/helpers.go
index 8d73463591e..8c8a6cc5ee2 100644
--- a/test/helpers.go
+++ b/test/helpers.go
@@ -212,6 +212,40 @@ var queryInfo = model.QueryResult{
 Description: "AWS services resource tags are an essential part of managing components",
 }
+var queryHighExperimental = model.QueryResult{
+ QueryName: "ALB protocol is HTTP",
+ QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43",
+ Description: "ALB protocol is HTTP Description",
+ DescriptionID: "504b1d43",
+ CISDescriptionIDFormatted: "testCISID",
+ CISDescriptionTitle: "testCISTitle",
+ CISDescriptionTextFormatted: "testCISDescription",
+ Severity: model.SeverityHigh,
+ Experimental: true,
+ Files: []model.VulnerableFile{
+ {
+ FileName: positive,
+ Line: 25,
+ IssueType: "MissingAttribute",
+ SearchKey: "aws_alb_listener[front_end].default_action.redirect",
+ KeyExpectedValue: "'default_action.redirect.protocol' is equal 'HTTPS'",
+ KeyActualValue: "'default_action.redirect.protocol' is missing",
+ Value: nil,
+ VulnLines: &[]model.CodeLine{},
+ },
+ {
+ FileName: positive,
+ Line: 19,
+ IssueType: "IncorrectValue",
+ SearchKey: "aws_alb_listener[front_end].default_action.redirect",
+ KeyExpectedValue: "'default_action.redirect.protocol' is equal 'HTTPS'",
+ KeyActualValue: "'default_action.redirect.protocol' is equal 'HTTP'",
+ Value: nil,
+ VulnLines: &[]model.CodeLine{},
+ },
+ },
+}
+
 // SummaryMock a summary to be used without running kics scan
 var SummaryMock = model.Summary{
 Counters: model.Counters{
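Review bot: `queryHighExperimental` is added without a doc comment, whereas the neighbouring fixtures in this file carry one (`// SummaryMock a summary to be used without running kics scan`); the same applies to the exported `ComplexSummaryMockWithExperimental` in the next hunk, where a missing comment on an exported identifier is also what Go linters flag. Suggested: `// queryHighExperimental a HIGH severity query result flagged as experimental, used by the printer tests` and `// ComplexSummaryMockWithExperimental a summary containing one experimental query, used by the printer tests`.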
@@ -267,6 +301,33 @@ var ComplexSummaryMock = model.Summary{
 },
 }
+var ComplexSummaryMockWithExperimental = model.Summary{
+ Counters: model.Counters{
+ ScannedFiles: 2,
+ ParsedFiles: 2,
+ FailedToScanFiles: 0,
+ TotalQueries: 2,
+ FailedToExecuteQueries: 0,
+ },
+ Queries: []model.QueryResult{
+ queryHighExperimental,
+ queryMedium,
+ },
+ SeveritySummary: model.SeveritySummary{
+ ScanID: "console",
+ SeverityCounters: map[model.Severity]int{
+ model.SeverityInfo: 0,
+ model.SeverityLow: 0,
+ model.SeverityMedium: 1,
+ model.SeverityHigh: 2,
+ },
+ TotalCounter: 3,
+ },
+ LatestVersion: model.Version{
+ Latest: true,
+ },
+}
+
 // ExampleSummaryMock a summary with specific results to CycloneDX report tests
 var ExampleSummaryMock = model.Summary{
 Counters: model.Counters{
From cc26913cba87766941a49895b8f66b94e6583cd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?=
Date: Mon, 13 Nov 2023 15:02:46 +0000
Subject: [PATCH 258/379] linter
---
 pkg/engine/vulnerability_utils.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/engine/vulnerability_utils.go b/pkg/engine/vulnerability_utils.go
index fe022f86e20..49ec252a0f7 100644
--- a/pkg/engine/vulnerability_utils.go
+++ b/pkg/engine/vulnerability_utils.go
@@ -129,7 +129,12 @@ func getStringFromMap(vulnParam, defaultParam, overrideKey string, vObj map[stri
 }
 return *ts
 }
-func getBoolFromMap(vulnParam string, defaultParam bool, overrideKey string, vObj map[string]interface{}, logWithFields *zerolog.Logger) bool {
+func getBoolFromMap(
+ vulnParam string,
+ defaultParam bool,
+ overrideKey string,
+ vObj map[string]interface{},
+ logWithFields *zerolog.Logger) bool {
 ts, err := mapKeyToString(vObj, vulnParam, false)
 if err != nil {
 logWithFields.Err(err).
From ceab64150e2d382b2dca8a899e92feaf8160fa28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Mon, 13 Nov 2023 15:34:41 +0000 Subject: [PATCH 259/379] improve message and fix e2e --- e2e/fixtures/E2E_CLI_032_RESULT.json | 17 +++++++++++++++++ e2e/fixtures/E2E_CLI_033_RESULT.json | 5 +++++ e2e/fixtures/E2E_CLI_036_RESULT.json | 13 +++++++++++++ e2e/fixtures/E2E_CLI_036_RESULT_2.json | 1 + e2e/fixtures/E2E_CLI_068_RESULT.json | 3 +++ e2e/fixtures/E2E_CLI_069_RESULT.json | 1 + e2e/fixtures/E2E_CLI_070_RESULT.json | 2 ++ pkg/printer/printer.go | 2 +- pkg/printer/printer_test.go | 4 ++-- 9 files changed, 45 insertions(+), 3 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_032_RESULT.json b/e2e/fixtures/E2E_CLI_032_RESULT.json index 75202b93ceb..cbb98bc89c5 100644 --- a/e2e/fixtures/E2E_CLI_032_RESULT.json +++ b/e2e/fixtures/E2E_CLI_032_RESULT.json @@ -33,6 +33,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Application Load Balancer (alb) should not listen on HTTP", "description_id": "55f05412", "files": [ @@ -59,6 +60,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Insecure Configurations", + "experimental": false, "description": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations", "description_id": "bded2e99", "files": [ @@ -85,6 +87,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses", "description_id": "747f49ac", "files": [ 
@@ -124,6 +127,7 @@ "platform": "Common", "cloud_provider": "COMMON", "category": "Secret Management", + "experimental": false, "description": "Query to find passwords and secrets in infrastructure code.", "description_id": "d69d8a89", "files": [ @@ -148,6 +152,7 @@ "platform": "Common", "cloud_provider": "COMMON", "category": "Secret Management", + "experimental": false, "description": "Query to find passwords and secrets in infrastructure code.", "description_id": "d69d8a89", "files": [ @@ -172,6 +177,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Security Group Ingress CIDR should not be open to the world", "description_id": "08256d31", "files": [ @@ -211,6 +217,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service", "description_id": "2cad71a7", "files": [ @@ -237,6 +244,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Availability", + "experimental": false, "description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.", "description_id": "99966f58", "files": [ @@ -263,6 +271,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Availability", + "experimental": false, "description": "ECS Service should have at least 1 task running", "description_id": "cd242bdd", "files": [ @@ -289,6 +298,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules", "description_id": "3ccdd7d2", "files": [ 
@@ -315,6 +325,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules", "description_id": "7b876844", "files": [ @@ -341,6 +352,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Access Control", + "experimental": false, "description": "Check if any ECS cluster has not defined proper roles for services' task definitions.", "description_id": "b47b42b2", "files": [ @@ -367,6 +379,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Secret Management", + "experimental": false, "description": "Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account", "description_id": "d78bb871", "files": [ @@ -393,6 +406,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Security Group Ingress should have a single port", "description_id": "5f2b65f3", "files": [ @@ -445,6 +459,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Observability", + "experimental": false, "description": "Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks", "description_id": "e2e3a50a", "files": [ @@ -484,6 +499,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Best Practices", + "experimental": false, "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", "description_id": "24a6978e", "files": [ @@ -510,6 +526,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Best Practices", + "experimental": false, "description": "It's considered a best practice for AWS Security Group to have a description", "description_id": "f7c62b11", "files": [ 
diff --git a/e2e/fixtures/E2E_CLI_033_RESULT.json b/e2e/fixtures/E2E_CLI_033_RESULT.json index 079816da1b5..56a407715e4 100644 --- a/e2e/fixtures/E2E_CLI_033_RESULT.json +++ b/e2e/fixtures/E2E_CLI_033_RESULT.json @@ -33,6 +33,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Observability", + "experimental": false, "description": "Make sure Logging is enabled for Redshift Cluster", "description_id": "458fe7a3", "files": [ @@ -61,6 +62,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Insecure Configurations", + "experimental": false, "description": "Redshift Cluster should be configured in VPC (Virtual Private Cloud)", "description_id": "6fd531fa", "files": [ @@ -100,6 +102,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Best Practices", + "experimental": false, "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", "description_id": "d03e85ae", "files": [ @@ -126,6 +129,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "Redshift should not use the default port (5439) because an attacker can easily guess the port", "description_id": "e2e48d27", "files": [ @@ -152,6 +156,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Best Practices", + "experimental": false, "description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'", "description_id": "09db2d52", "files": [ diff --git a/e2e/fixtures/E2E_CLI_036_RESULT.json b/e2e/fixtures/E2E_CLI_036_RESULT.json index 794a4f7d2d5..38ad275afd4 100644 --- a/e2e/fixtures/E2E_CLI_036_RESULT.json +++ b/e2e/fixtures/E2E_CLI_036_RESULT.json 
@@ -33,6 +33,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Application Load Balancer (alb) should not listen on HTTP", "description_id": "55f05412", "files": [ @@ -59,6 +60,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Insecure Configurations", + "experimental": false, "description": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations", "description_id": "bded2e99", "files": [ @@ -85,6 +87,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses", "description_id": "747f49ac", "files": [ @@ -124,6 +127,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Security Group Ingress CIDR should not be open to the world", "description_id": "08256d31", "files": [ @@ -163,6 +167,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service", "description_id": "2cad71a7", "files": [ @@ -189,6 +194,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Availability", + "experimental": false, "description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.", "description_id": "99966f58", "files": [ 
@@ -215,6 +221,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Availability", + "experimental": false, "description": "ECS Service should have at least 1 task running", "description_id": "cd242bdd", "files": [ @@ -241,6 +248,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules", "description_id": "3ccdd7d2", "files": [ @@ -267,6 +275,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules", "description_id": "7b876844", "files": [ @@ -293,6 +302,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Access Control", + "experimental": false, "description": "Check if any ECS cluster has not defined proper roles for services' task definitions.", "description_id": "b47b42b2", "files": [ @@ -319,6 +329,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Security Group Ingress should have a single port", "description_id": "5f2b65f3", "files": [ @@ -371,6 +382,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Observability", + "experimental": false, "description": "Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks", "description_id": "e2e3a50a", "files": [ @@ -410,6 +422,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Best Practices", + "experimental": false, "description": "It's considered a best practice for AWS Security Group to have a description", "description_id": "f7c62b11", "files": [ 
diff --git a/e2e/fixtures/E2E_CLI_036_RESULT_2.json b/e2e/fixtures/E2E_CLI_036_RESULT_2.json index e02df77837b..cc2eb4166e3 100644 --- a/e2e/fixtures/E2E_CLI_036_RESULT_2.json +++ b/e2e/fixtures/E2E_CLI_036_RESULT_2.json @@ -33,6 +33,7 @@ "platform": "CloudFormation", "cloud_provider": "AWS", "category": "Networking and Firewall", + "experimental": false, "description": "AWS Security Group Ingress should have a single port", "description_id": "5f2b65f3", "files": [ diff --git a/e2e/fixtures/E2E_CLI_068_RESULT.json b/e2e/fixtures/E2E_CLI_068_RESULT.json index 00f5353502a..97a1d081da4 100644 --- a/e2e/fixtures/E2E_CLI_068_RESULT.json +++ b/e2e/fixtures/E2E_CLI_068_RESULT.json @@ -32,6 +32,7 @@ "severity": "HIGH", "platform": "Dockerfile", "category": "Build Process", + "experimental": false, "description": "A user should be specified in the dockerfile, otherwise the image will run as root", "description_id": "eb49caf6", "files": [ @@ -55,6 +56,7 @@ "severity": "MEDIUM", "platform": "Dockerfile", "category": "Supply-Chain", + "experimental": false, "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", "description_id": "22f535ec", "files": [ @@ -78,6 +80,7 @@ "severity": "LOW", "platform": "Dockerfile", "category": "Insecure Configurations", + "experimental": false, "description": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", "description_id": "426121ee", "files": [ diff --git a/e2e/fixtures/E2E_CLI_069_RESULT.json b/e2e/fixtures/E2E_CLI_069_RESULT.json index 2253d7b85a1..a2279b47b77 100644 --- a/e2e/fixtures/E2E_CLI_069_RESULT.json +++ b/e2e/fixtures/E2E_CLI_069_RESULT.json 
@@ -34,6 +34,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Encryption", + "experimental": false, "description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", "description_id": "68984bf2", "files": [ diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json index 7b4f1b32ba5..36d67b2b5a7 100644 --- a/e2e/fixtures/E2E_CLI_070_RESULT.json +++ b/e2e/fixtures/E2E_CLI_070_RESULT.json @@ -34,6 +34,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Encryption", + "experimental": true, "description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", "description_id": "68984bf2", "files": [ @@ -62,6 +63,7 @@ "platform": "Terraform", "cloud_provider": "AWS", "category": "Encryption", + "experimental": false, "description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'", "description_id": "68984bf2", "files": [ diff --git a/pkg/printer/printer.go b/pkg/printer/printer.go index 13b29fa9bdf..0e0a6c365eb 100644 --- a/pkg/printer/printer.go +++ b/pkg/printer/printer.go @@ -129,7 +129,7 @@ func PrintResult(summary *model.Summary, failedQueries map[string]error, printer ) if summary.Queries[idx].Experimental { - fmt.Println("Experimental") + fmt.Println("Note: this is an experimental query") } if !printer.minimal { diff --git a/pkg/printer/printer_test.go b/pkg/printer/printer_test.go index 19e7529b43b..edcd176ec01 100644 --- a/pkg/printer/printer_test.go 
+++ b/pkg/printer/printer_test.go @@ -198,7 +198,7 @@ var printTests = []struct { "AmazonMQ Broker Encryption Disabled, Severity: MEDIUM, Results: 1\n" + "\t[1]: positive.tf:1\n" + "ALB protocol is HTTP, Severity: HIGH, Results: 2\n" + - "Experimental\n" + + "Note: this is an experimental query\n" + "\t[1]: positive.tf:25\n" + "\t[2]: positive.tf:19\n\n" + "Results Summary:\n" + @@ -217,7 +217,7 @@ var printTests = []struct { "Learn more about this vulnerability: https://docs.kics.io/latest/queries/-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702\n\n" + "\t[1]: positive.tf:1\n\n\n\n" + "ALB protocol is HTTP, Severity: HIGH, Results: 2\n" + - "Experimental\n" + + "Note: this is an experimental query\n" + "Description: ALB protocol is HTTP Description\n" + "Platform: \n" + "Learn more about this vulnerability: https://docs.kics.io/latest/queries/-queries/de7f5e83-da88-4046-871f-ea18504b1d43\n\n" + From 926f6d40e65bfff892c7b08829c45bbcb2150953 Mon Sep 17 00:00:00 2001 From: Dimitri GRISARD Date: Tue, 14 Nov 2023 20:53:08 +0100 Subject: [PATCH 260/379] feat(databricks): add experimental in metadata queries --- .../terraform/databricks/autoscale_badly_setup/metadata.json | 3 ++- .../terraform/databricks/cluster_aws_attributes/metadata.json | 3 ++- .../databricks/cluster_azure_attributes/metadata.json | 3 ++- .../terraform/databricks/cluster_gcp_attributes/metadata.json | 3 ++- .../terraform/databricks/databricks_permissions/metadata.json | 3 ++- .../group_without_user_or_instance_profile/metadata.json | 3 ++- .../terraform/databricks/indefinitely_obo_token/metadata.json | 3 ++- .../terraform/databricks/indefinitely_token/metadata.json | 3 ++- .../terraform/databricks/unrestricted_acl/metadata.json | 3 ++- .../terraform/databricks/use_lts_spark_version/metadata.json | 3 ++- .../terraform/databricks/use_spark_submit_task/metadata.json | 3 ++- 11 files changed, 22 insertions(+), 11 deletions(-) 
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
index eb142edbd69..9a944688909 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster",
 "descriptionID": "e6eabd3e",
 "platform": "Terraform",
- "cloudProvider": "common"
+ "cloudProvider": "common",
+ "experimental": "true"
 }
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
index 7eb47cf253d..940ae115e3c 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html",
 "descriptionID": "b6345aa6",
 "platform": "Terraform",
- "cloudProvider": "common"
+ "cloudProvider": "common",
+ "experimental": "true"
 }
diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
index 7454795f031..55261d56011 100644
--- a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html",
 "descriptionID": "bb2e4c81",
 "platform": "Terraform",
- "cloudProvider": "common"
+ "cloudProvider": "common",
+ "experimental": "true"
 }
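Review bot: `"experimental": "true"` is written as a JSON string in every metadata.json hunk of this commit, whereas the e2e result fixtures in PATCH 259 (E2E_CLI_032_RESULT.json and the others) emit `"experimental": false` as a JSON boolean. If metadata-schema.json or the metadata loader declares the field as a boolean, the string form would either fail validation or be coerced differently from a bare `true`; worth confirming against the schema before the flag lands in ten query files at once. The same string form reappears in the nifcloud metadata.json hunk of PATCH 266. If the string is the intended convention, a short note in the schema description for the field would stop the next contributor from guessing.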
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json index 386bf8b51e3..4a98480a439 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html", "descriptionID": "c1fe1954", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } diff --git a/assets/queries/terraform/databricks/databricks_permissions/metadata.json b/assets/queries/terraform/databricks/databricks_permissions/metadata.json index 4f50f0c3772..bfef6689a7d 100755 --- a/assets/queries/terraform/databricks/databricks_permissions/metadata.json +++ b/assets/queries/terraform/databricks/databricks_permissions/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions", "platform": "Terraform", "descriptionID": "66b9bc6e", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json index b138804c4dc..881b6bdfa68 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group", "descriptionID": "4bb78f12", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } 
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json index c624df76b71..5b270a1f597 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token", "descriptionID": "df3aa7ed", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json index 1dc228380bd..59c51288f96 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/metadata.json +++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token", "descriptionID": "79759163", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json index 187b3fa1449..673c13da8e3 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list", "descriptionID": "9670a9f6", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } 
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json index 88aa0d001e6..3455ce2187b 100644 --- a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json +++ b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/spark_version", "descriptionID": "fdaa059f", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json index 55678909945..eca898e51a0 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/job#spark_submit_task-configuration-block", "descriptionID": "fcfdfbd3", "platform": "Terraform", - "cloudProvider": "common" + "cloudProvider": "common", + "experimental": "true" } From b285c3711576e8f05264da8f30a453c8b1b6b19f Mon Sep 17 00:00:00 2001 From: tunakyonn Date: Mon, 24 Apr 2023 16:26:33 +0900 Subject: [PATCH 261/379] feat: add nifcloud engine support --- .github/scripts/queries-validator/metadata-schema.json | 3 ++- internal/constants/constants.go | 1 + pkg/engine/source/filesystem.go | 2 +- pkg/engine/source/filesystem_test.go | 2 +- test/main_test.go | 1 + 5 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json index 164343dff53..ac361f53732 100644 --- a/.github/scripts/queries-validator/metadata-schema.json 
+++ b/.github/scripts/queries-validator/metadata-schema.json
@@ -76,7 +76,8 @@
 "aws",
 "azure",
 "common",
- "gcp"
+ "gcp",
+ "nifcloud"
 ]
 },
 "platform": {
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 2a95664f04f..330c50a34b0 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -83,6 +83,7 @@ var (
 "aws": "",
 "azure": "",
 "gcp": "",
+ "nifcloud": "",
 }
 )
diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
index 5ad463d944c..b41c0c499dc 100644
--- a/pkg/engine/source/filesystem.go
+++ b/pkg/engine/source/filesystem.go
@@ -82,7 +82,7 @@ func ListSupportedPlatforms() []string {
 // ListSupportedCloudProviders returns a list of supported cloud providers
 func ListSupportedCloudProviders() []string {
- return []string{"alicloud", "aws", "azure", "gcp"}
+ return []string{"alicloud", "aws", "azure", "gcp", "nifcloud"}
 }
 func getLibraryInDir(platform, libraryDirPath string) string {
diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go
index af4a516802e..9915451dbd2 100644
--- a/pkg/engine/source/filesystem_test.go
+++ b/pkg/engine/source/filesystem_test.go
@@ -821,7 +821,7 @@ func TestSource_validateMetadata(t *testing.T) {
 // TestSource_ListSupportedCloudProviders tests the function ListSupportedCloudProviders.
 func TestSource_ListSupportedCloudProviders(t *testing.T) {
- want := []string{"alicloud", "aws", "azure", "gcp"}
+ want := []string{"alicloud", "aws", "azure", "gcp", "nifcloud"}
 t.Run("test List Supported CP", func(t *testing.T) {
 got := ListSupportedCloudProviders()
 require.Equal(t, want, got)
diff --git a/test/main_test.go b/test/main_test.go
index 812c2096f22..195e3ccba8a 100644
--- a/test/main_test.go
+++ b/test/main_test.go
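Review bot: The supported cloud-provider list is now hand-maintained in four places — the `ListSupportedCloudProviders` slice in filesystem.go, the map in internal/constants/constants.go (which appears to hold the same keys), the enum in metadata-schema.json, and the `--cloud-provider` help text updated separately in PATCH 265 — and nothing ties them together except a test that mirrors the slice literal. Deriving the slice from the constants map (sorted keys) would leave one source of truth on the engine side, and the test would then check the schema rather than re-state the literal. A comment such as `// keep in sync with metadata-schema.json cloudProvider enum and the --cloud-provider help text` above the function is the minimum if the duplication stays. `getLibraryInDir` is shown only as trailing context; its body is outside the hunk.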
@@ -39,6 +39,7 @@ var ( "../assets/queries/terraform/kubernetes": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, "../assets/queries/terraform/general": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, "../assets/queries/terraform/alicloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, + "../assets/queries/terraform/nifcloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"}, "../assets/queries/crossplane/aws": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"}, "../assets/queries/crossplane/azure": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"}, "../assets/queries/crossplane/gcp": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"}, From f7aa5830ca7fb8ae692a652f089f7bdd2604f179 Mon Sep 17 00:00:00 2001 From: tunakyonn Date: Wed, 30 Aug 2023 18:26:43 +0900 Subject: [PATCH 262/379] feat: add nifcloud computing_instance_has_common_private query --- .../queries/terraform/nifcloud/metadata.json | 11 ++++++++++ assets/queries/terraform/nifcloud/query.rego | 20 +++++++++++++++++++ .../terraform/nifcloud/test/negative.tf | 7 +++++++ .../terraform/nifcloud/test/positive.tf | 7 +++++++ .../test/positive_expected_result.json | 8 ++++++++ 5 files changed, 53 insertions(+) create mode 100644 assets/queries/terraform/nifcloud/metadata.json create mode 100644 assets/queries/terraform/nifcloud/query.rego create mode 100644 assets/queries/terraform/nifcloud/test/negative.tf create mode 100644 assets/queries/terraform/nifcloud/test/positive.tf create mode 100644 assets/queries/terraform/nifcloud/test/positive_expected_result.json diff --git a/assets/queries/terraform/nifcloud/metadata.json b/assets/queries/terraform/nifcloud/metadata.json new file mode 100644 index 00000000000..2bf02dd2790 --- /dev/null +++ b/assets/queries/terraform/nifcloud/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9",
+ "queryName": "Nifcloud Computing Has Common Private Network",
+ "severity": "LOW",
+ "category": "Networking and Firewall",
+ "descriptionText": "The instance has common private network",
+ "descriptionUrl": "https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id",
+ "platform": "Terraform",
+ "descriptionID": "c5065d3a",
+ "cloudProvider": "nifcloud"
+}
diff --git a/assets/queries/terraform/nifcloud/query.rego b/assets/queries/terraform/nifcloud/query.rego
new file mode 100644
index 00000000000..1b2516cbd25
--- /dev/null
+++ b/assets/queries/terraform/nifcloud/query.rego
@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ instance := input.document[i].resource.nifcloud_instance[name]
+ instance.network_interface[_].network_id == "net-COMMON_PRIVATE"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "nifcloud_instance",
+ "resourceName": tf_lib.get_resource_name(instance, name),
+ "searchKey": sprintf("nifcloud_instance[%s]", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'nifcloud_instance[%s]' should use a private LAN to isolate the private side network from the shared network", [name]),
+ "keyActualValue": sprintf("'nifcloud_instance[%s]' has common private network", [name]),
+ }
+}
diff --git a/assets/queries/terraform/nifcloud/test/negative.tf b/assets/queries/terraform/nifcloud/test/negative.tf
new file mode 100644
index 00000000000..cb66ffe99c8
--- /dev/null
+++ b/assets/queries/terraform/nifcloud/test/negative.tf
@@ -0,0 +1,7 @@
+resource "nifcloud_instance" "negative" {
+ image_id = data.nifcloud_image.ubuntu.id
+ security_group = nifcloud_security_group.example.group_name
+ network_interface {
+ network_id = nifcloud_private_lan.main.id
+ }
+}
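Review bot: `descriptionText` in the new metadata.json states the condition ("The instance has common private network") but not why it is flagged, and this text is what users see in reports. The query's own `keyExpectedValue` already carries the rationale, so the description could reuse it: `"Instances should be attached to a dedicated private LAN rather than the shared common private network, so that the private-side network is isolated from the shared network"`.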
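Review bot: `import data.generic.common as common_lib` in the new query.rego is never referenced — the rule only uses `tf_lib.get_resource_name` — so it can be dropped to keep the query free of dead imports. A one-line comment above the rule would also help readers who land here from a finding, e.g. `# flags nifcloud_instance resources whose network_interface is attached to the shared "net-COMMON_PRIVATE" network instead of a dedicated private LAN`. The blank line directly after `CxPolicy[result] {` is inconsistent with the other rules in this series and looks accidental.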
diff --git a/assets/queries/terraform/nifcloud/test/positive.tf b/assets/queries/terraform/nifcloud/test/positive.tf new file mode 100644 index 00000000000..d96a367784f --- /dev/null +++ b/assets/queries/terraform/nifcloud/test/positive.tf @@ -0,0 +1,7 @@ +resource "nifcloud_instance" "positive" { + image_id = data.nifcloud_image.ubuntu.id + security_group = nifcloud_security_group.example.group_name + network_interface { + network_id = "net-COMMON_PRIVATE" + } +} diff --git a/assets/queries/terraform/nifcloud/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/test/positive_expected_result.json new file mode 100644 index 00000000000..d11bb39efc0 --- /dev/null +++ b/assets/queries/terraform/nifcloud/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "fileName": "positive.tf" + } +] From e9027b08de9983d97251488c2cf6f9a125de91ab Mon Sep 17 00:00:00 2001 
From: tunakyonn Date: Thu, 31 Aug 2023 19:43:03 +0900 Subject: [PATCH 263/379] fix: change file path nifcloud computing_instance_has_common_private query --- .../{ => computing_instance_has_common_private}/metadata.json | 0 .../{ => computing_instance_has_common_private}/query.rego | 0 .../{ => computing_instance_has_common_private}/test/negative.tf | 0 .../{ => computing_instance_has_common_private}/test/positive.tf | 0 .../test/positive_expected_result.json | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename assets/queries/terraform/nifcloud/{ => computing_instance_has_common_private}/metadata.json (100%) rename assets/queries/terraform/nifcloud/{ => computing_instance_has_common_private}/query.rego (100%) rename assets/queries/terraform/nifcloud/{ => computing_instance_has_common_private}/test/negative.tf (100%) rename assets/queries/terraform/nifcloud/{ => computing_instance_has_common_private}/test/positive.tf (100%) rename assets/queries/terraform/nifcloud/{ => computing_instance_has_common_private}/test/positive_expected_result.json (100%) diff --git a/assets/queries/terraform/nifcloud/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json similarity index 100% rename from assets/queries/terraform/nifcloud/metadata.json rename to assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json diff --git a/assets/queries/terraform/nifcloud/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego similarity index 100% rename from assets/queries/terraform/nifcloud/query.rego rename to assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego 
diff --git a/assets/queries/terraform/nifcloud/test/negative.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/negative.tf similarity index 100% rename from assets/queries/terraform/nifcloud/test/negative.tf rename to assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/negative.tf diff --git a/assets/queries/terraform/nifcloud/test/positive.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive.tf similarity index 100% rename from assets/queries/terraform/nifcloud/test/positive.tf rename to assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive.tf diff --git a/assets/queries/terraform/nifcloud/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/nifcloud/test/positive_expected_result.json rename to assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json From fc8c3f2799779da1cf412d53e22dbd8a15bd42ee Mon Sep 17 00:00:00 2001 From: tunakyonn Date: Mon, 4 Sep 2023 14:54:34 +0900 Subject: [PATCH 264/379] fix(nifcloud): fix rego file and test for nifcloud computing_instance_has_common_private query --- .../query.rego | 18 +++++++++++++++++- .../test/{positive.tf => positive1.tf} | 0 .../test/positive2.tf | 10 ++++++++++ .../test/positive_expected_result.json | 8 +++++++- 4 files changed, 34 insertions(+), 2 deletions(-) rename assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/{positive.tf => positive1.tf} (100%) create mode 100644 assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive2.tf 
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
index 1b2516cbd25..adebc5501e8 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
@@ -6,7 +6,23 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 instance := input.document[i].resource.nifcloud_instance[name]
- instance.network_interface[_].network_id == "net-COMMON_PRIVATE"
+ instance.network_interface[_].network_id == "net-COMMON_PRIVATE"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "nifcloud_instance",
+ "resourceName": tf_lib.get_resource_name(instance, name),
+ "searchKey": sprintf("nifcloud_instance[%s]", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'nifcloud_instance[%s]' should use a private LAN to isolate the private side network from the shared network", [name]),
+ "keyActualValue": sprintf("'nifcloud_instance[%s]' has common private network", [name]),
+ }
+}
+
+CxPolicy[result] {
+
+ instance := input.document[i].resource.nifcloud_instance[name]
+ instance.network_interface.network_id == "net-COMMON_PRIVATE"
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive.tf
rename to assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive1.tf
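Review bot: The second `CxPolicy[result]` rule duplicates the whole `result` construction of the first; the two differ only in whether `network_interface` is addressed as a list element (`[_]`) or as a single object, so every future wording change has to be made twice. Factoring the condition into a helper with two bodies keeps one result builder and gives a natural place to comment why both shapes are handled. The first changed line re-adds `instance.network_interface[_].network_id == "net-COMMON_PRIVATE"` with no visible difference, which looks like a whitespace-only edit worth confirming. The second rule's result block continues outside the hunk.
```rego
CxPolicy[result] {
	instance := input.document[i].resource.nifcloud_instance[name]
	uses_common_private(instance)

	# … unchanged: result construction …
}

# network_interface is handled both as a list of blocks and as a single
# block object; both forms carry the shared-network id.
uses_common_private(instance) {
	instance.network_interface[_].network_id == "net-COMMON_PRIVATE"
}

uses_common_private(instance) {
	instance.network_interface.network_id == "net-COMMON_PRIVATE"
}
```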
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive2.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive2.tf new file mode 100644 index 00000000000..c66343857b2 --- /dev/null +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive2.tf @@ -0,0 +1,10 @@ +resource "nifcloud_instance" "positive" { + image_id = data.nifcloud_image.ubuntu.id + security_group = nifcloud_security_group.example.group_name + network_interface { + network_id = "net-COMMON_GLOBAL" + } + network_interface { + network_id = "net-COMMON_PRIVATE" + } +} diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json index d11bb39efc0..3b339c90f90 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json @@ -3,6 +3,12 @@ "queryName": "Nifcloud Computing Has Common Private Network", "severity": "LOW", "line": 1, - "fileName": "positive.tf" + "fileName": "positive1.tf" + }, + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "fileName": "positive2.tf" } ] From 99930d948ab0f5b0608a45bf551f0e0891f11ddd Mon Sep 17 00:00:00 2001 From: tunakyonn Date: Thu, 7 Sep 2023 19:06:05 +0900 Subject: [PATCH 265/379] feature(nifcloud): add nifcloud for e2e scan_help --- e2e/fixtures/assets/scan_help | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 4531f28b2c5..4fe4c91fc54 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -3,7 +3,7 @@ Usage: Flags: -m, --bom include bill of materials (BoM) in results output - --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) + --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp, nifcloud) --config string path to configuration file --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning From e001464621716ee5fa512236c6969edcfe5fed39 Mon Sep 17 00:00:00 2001 From: tunakyonn Date: Wed, 15 Nov 2023 18:43:43 +0900 Subject: [PATCH 266/379] feature(nifcloud): add experimental for terraform nifcloud metadata.json --- .../computing_instance_has_common_private/metadata.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json index 2bf02dd2790..cee4410a22a 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id", "platform": "Terraform", "descriptionID": "c5065d3a", - "cloudProvider": "nifcloud" + "cloudProvider": "nifcloud", + "experimental": "true" } From ea3a7decfa253ded01136c8d9b8e77ba12f39982 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha=20Martins?= Date: Wed, 15 Nov 2023 09:55:54 +0000 Subject: [PATCH 267/379] remove unnecessary log --- pkg/engine/vulnerability_utils.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkg/engine/vulnerability_utils.go b/pkg/engine/vulnerability_utils.go index 49ec252a0f7..8662f4a5785 100644 --- a/pkg/engine/vulnerability_utils.go +++ b/pkg/engine/vulnerability_utils.go 
@@ -137,8 +137,6 @@ func getBoolFromMap(
 logWithFields *zerolog.Logger) bool {
 ts, err := mapKeyToString(vObj, vulnParam, false)
 if err != nil {
- logWithFields.Err(err).
- Msgf("Saving result. failed to detect %s", vulnParam)
 return defaultParam
 }
 overrideValue := tryOverride(overrideKey, vulnParam, vObj)
From 451b40e082a9ae99f1f4402f12db2fcd760d22dc Mon Sep 17 00:00:00 2001 From: Lior Jacobian Date: Wed, 15 Nov 2023 10:26:53 +0200 Subject: [PATCH 268/379] fix(parser): tf function evaluation - uknown type
--- e2e/fixtures/E2E_CLI_071_PAYLOAD.json | 19 ++++++++++++++++ .../samples/tf-eval-func-unknown-type/main.tf | 8 +++++++ .../tf-eval-func-unknown-type/variables.tf | 11 ++++++++++ .../e2e-cli-071_tf_eval_func_unknown_type.go | 22 +++++++++++++++++++ pkg/parser/terraform/converter/default.go | 6 +++++ 5 files changed, 66 insertions(+) create mode 100644 e2e/fixtures/E2E_CLI_071_PAYLOAD.json create mode 100644 e2e/fixtures/samples/tf-eval-func-unknown-type/main.tf create mode 100644 e2e/fixtures/samples/tf-eval-func-unknown-type/variables.tf create mode 100644 e2e/testcases/e2e-cli-071_tf_eval_func_unknown_type.go
diff --git a/e2e/fixtures/E2E_CLI_071_PAYLOAD.json b/e2e/fixtures/E2E_CLI_071_PAYLOAD.json new file mode 100644
index 00000000000..73b02b91169
--- /dev/null
+++ b/e2e/fixtures/E2E_CLI_071_PAYLOAD.json
@@ -0,0 +1,19 @@
+{
+ "document": [
+ {
+ "id": "0",
+ "resource": {
+ "aws_vpc": {
+ "my_vpc": {
+ "cidr_block": "172.16.0.0/16",
+ "tags": {
+ "Name": "${format(\"my-vpc-%s\", var.name)}",
+ "Name2": "my-vpc-name2"
+ }
+ }
+ }
+ },
+ "file": "file"
+ }
+ ]
+}
diff --git a/e2e/fixtures/samples/tf-eval-func-unknown-type/main.tf b/e2e/fixtures/samples/tf-eval-func-unknown-type/main.tf new file mode 100644
index 00000000000..ec914cb62db
--- /dev/null
+++ b/e2e/fixtures/samples/tf-eval-func-unknown-type/main.tf
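Review bot: Deleting the log leaves `getBoolFromMap` returning `defaultParam` silently whenever `mapKeyToString` fails, so a missing or mistyped `vulnParam` in a query result is no longer visible anywhere in the scan output. If the problem was noise at error level, a debug-level line such as `logWithFields.Debug().Err(err).Msgf("failed to detect %s, using default", vulnParam)` keeps the diagnostic without polluting normal runs. The function's signature and the rest of its body lie outside the hunk.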
@@ -0,0 +1,8 @@ +resource "aws_vpc" "my_vpc" { + cidr_block = "172.16.0.0/16" + + tags = { + Name = format("my-vpc-%s", var.name) + Name2 = format("my-vpc-%s", var.name2) + } +} diff --git a/e2e/fixtures/samples/tf-eval-func-unknown-type/variables.tf b/e2e/fixtures/samples/tf-eval-func-unknown-type/variables.tf new file mode 100644 index 00000000000..8a15880e410 --- /dev/null +++ b/e2e/fixtures/samples/tf-eval-func-unknown-type/variables.tf @@ -0,0 +1,11 @@ +variable "name" { + type = string + default = null + description = "just a name" +} + +variable "name2" { + type = string + default = "name2" + description = "just another name" +} diff --git a/e2e/testcases/e2e-cli-071_tf_eval_func_unknown_type.go b/e2e/testcases/e2e-cli-071_tf_eval_func_unknown_type.go new file mode 100644 index 00000000000..2a68c32d74e --- /dev/null +++ b/e2e/testcases/e2e-cli-071_tf_eval_func_unknown_type.go @@ -0,0 +1,22 @@ +// Package testcases provides end-to-end (E2E) testing functionality for the application. +package testcases + +// E2E-CLI-071 - KICS scan while evaluating the terraform functions with unknown type +// should perform the scan successfully and return exit code 40 +func init() { //nolint + testSample := TestCase{ + Name: "should perform a valid scan while evaluating the terraform functions with unknown type [E2E-CLI-071]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-p", "\"/path/e2e/fixtures/samples/tf-eval-func-unknown-type/main.tf\"", + "--silent", "--payload-path", "/path/e2e/output/E2E_CLI_071_PAYLOAD.json"}, + }, + ExpectedPayload: []string{ + "E2E_CLI_071_PAYLOAD.json", + }, + }, + WantStatus: []int{40}, + } + + Tests = append(Tests, testSample) +} diff --git a/pkg/parser/terraform/converter/default.go b/pkg/parser/terraform/converter/default.go index 3d728ce37c9..baf9cb17c19 100644 --- a/pkg/parser/terraform/converter/default.go +++ b/pkg/parser/terraform/converter/default.go 
@@ -496,6 +496,12 @@ func (c *converter) evalFunction(expression hclsyntax.Expression) (interface{}, return c.wrapExpr(expression) } } + if !expressionEvaluated.HasWhollyKnownType() { + // in some cases, the expression is evaluated with no error but the type is unknown. + // this causes the json marshaling of the Document later on to fail with an error, and the entire scan fails. + // Therefore, we prefer to wrap it as a string and continue the scan. + return c.wrapExpr(expression) + } return ctyjson.SimpleJSONValue{Value: expressionEvaluated}, nil } From 6c1598e56d664f6c6de75ac28883dde9a54f6561 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:15:14 +0000 Subject: [PATCH 269/379] query added to test queries validator --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index 3b48cff42d8..dd1c6339a65 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html", "platform": "Ansible", "descriptionID": "3a7576e5", - "cloudProvider": "aws" + "cloudProvider": "aws", + "experimental": true } From 20fcda09801ea937ad7e9788e7c5c07b02cb07e4 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:21:58 +0000 Subject: [PATCH 270/379] metadata-schema update --- .github/scripts/queries-validator/metadata-schema.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json index 164343dff53..d17b4d7c6c4 100644 --- a/.github/scripts/queries-validator/metadata-schema.json 
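Review bot: The new guard only inspects the type, so a value whose type is fully known but whose value is unknown (for example a string variable that could not be resolved) still reaches `ctyjson.SimpleJSONValue`, and cty's JSON marshaller rejects unknown values, which is the same scan-aborting failure this commit is trying to avoid. Checking `!expressionEvaluated.IsWhollyKnown()` covers both cases, because `cty.DynamicVal` is itself an unknown value: `if !expressionEvaluated.IsWhollyKnown() { return c.wrapExpr(expression) }`, with the comment updated to say "unknown value or type". I am relying on cty's documented marshalling contract rather than on lines visible here, so worth confirming with a fixture that uses an unknown string value. The enclosing `evalFunction` begins outside the hunk.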
+++ b/.github/scripts/queries-validator/metadata-schema.json @@ -139,6 +139,10 @@ } } } + }, + "experimental": { + "type": "string", + "minLength": 4 } } } From 14a25d7221ffe0d88ce10af8846090eb4c344f36 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:29:27 +0000 Subject: [PATCH 271/379] experimental type fixed --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index dd1c6339a65..75174c9d886 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -8,5 +8,5 @@ "platform": "Ansible", "descriptionID": "3a7576e5", "cloudProvider": "aws", - "experimental": true + "experimental": "true" } From 6b0b5e9d251c1f3139dcacf08d3881e2f73a81d0 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:32:15 +0000 Subject: [PATCH 272/379] query test --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index 75174c9d886..69deccf9b49 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -7,6 +7,5 @@ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html", "platform": "Ansible", "descriptionID": "3a7576e5", - "cloudProvider": "aws", - "experimental": "true" + "cloudProvider": "aws2" } From b3ac4e8d5846f8bc4572abf34b399e7b5165559b Mon Sep 17 00:00:00 2001 
From: gabriel-cx Date: Wed, 15 Nov 2023 15:33:43 +0000 Subject: [PATCH 273/379] quesry test --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index 69deccf9b49..61e3a8ee0eb 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -7,5 +7,5 @@ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html", "platform": "Ansible", "descriptionID": "3a7576e5", - "cloudProvider": "aws2" + "cloudProvider": "azure" } From ff8574a01a78f8eca0d3f568c032b04e646e7e68 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:36:04 +0000 Subject: [PATCH 274/379] enum "true" added --- .github/scripts/queries-validator/metadata-schema.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json index d17b4d7c6c4..e2a2b4365b2 100644 --- a/.github/scripts/queries-validator/metadata-schema.json +++ b/.github/scripts/queries-validator/metadata-schema.json @@ -142,7 +142,9 @@ }, "experimental": { "type": "string", - "minLength": 4 + "enum": [ + "true" + ] } } } From c2f2fcbd67c6b844ce567e0e792f70fcb46cfcef Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:37:38 +0000 Subject: [PATCH 275/379] True must fail --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index 61e3a8ee0eb..0d59f3b5327 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json 
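Review bot: Declaring `experimental` as the string enum `["true"]` means a query can only opt in and never state `false`, and authors have to write a quoted boolean, while the scanner's own result output emits the flag as a JSON boolean (`"experimental": false` in the E2E result fixtures later in this series). If the metadata loader can accept a boolean, `"experimental": { "type": "boolean" }` is the cleaner contract; if it genuinely requires a string, which the earlier test commits changing `true` to `"true"` suggest, a `"description"` on the schema property stating that only the literal `"true"` is accepted would save the next contributor the same round of trial commits.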
+++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html", "platform": "Ansible", "descriptionID": "3a7576e5", - "cloudProvider": "azure" + "cloudProvider": "aws", + "experimental": "True" } From 5a586a26c48e6fafa61b730bc43b5722596eb531 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:40:18 +0000 Subject: [PATCH 276/379] true must pass --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index 0d59f3b5327..75174c9d886 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -8,5 +8,5 @@ "platform": "Ansible", "descriptionID": "3a7576e5", "cloudProvider": "aws", - "experimental": "True" + "experimental": "true" } From a25bc78d92d22d1af6200eee429646fa36da0064 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 15:42:48 +0000 Subject: [PATCH 277/379] undo query changes for testing --- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json index 75174c9d886..3b48cff42d8 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json @@ -7,6 +7,5 @@ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html", "platform": "Ansible", "descriptionID": "3a7576e5", - "cloudProvider": "aws", - "experimental": "true" + "cloudProvider": "aws" } 
From 037a038dd220c36fe40fc494a639af2bb216164f Mon Sep 17 00:00:00 2001 From: Gabriel Date: Wed, 15 Nov 2023 17:23:52 +0000 Subject: [PATCH 278/379] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 42dad30c051..1f9bf866e28 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,6 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
Azure BluePrints    GitHub Workflows    -Databricks    #### Beta Features Databricks    From 0078c3ebff6d5b4cb3d881ca0ae6f0baa52537c9 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 15 Nov 2023 17:32:10 +0000 Subject: [PATCH 279/379] update --- README.md | 2 ++ docs/index.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 1f9bf866e28..2e15528e67c 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,8 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur #### Beta Features Databricks    +In order to run the Databricks queries, use the `--experimental-queries` flag when running KICS. + ## Getting Started Setting up and using KICS is super-easy. diff --git a/docs/index.md b/docs/index.md index e8da672a241..940f03edb6c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -86,6 +86,8 @@ KICS scans and detects issues in following Infrastructure as Code solutions: Databricks    +In order to run the Databricks queries, use the `--experimental-queries` flag when running KICS. + ## Getting Started Setting up and using KICS is super-easy. From b524054b24ffdbf41936a97355963c6043e68ecc Mon Sep 17 00:00:00 2001 From: Dima Steklar Date: Thu, 16 Nov 2023 14:24:15 +0200 Subject: [PATCH 280/379] feat(CLI): added platfrom field for sarif format --- pkg/report/model/sarif.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkg/report/model/sarif.go b/pkg/report/model/sarif.go index b0cc8a9b61f..2182cbe62c9 100644 --- a/pkg/report/model/sarif.go +++ b/pkg/report/model/sarif.go @@ -42,6 +42,7 @@ type ruleCISMetadata struct { type sarifMessage struct { Text string `json:"text"` + MessageProperties sarifProperties `json:"properties,omitempty"` } type sarifComponentReference struct { 
@@ -294,7 +295,10 @@ func (sr *sarifReport) BuildSarifIssue(issue *model.QueryResult) { ResultRuleID: issue.QueryID, ResultRuleIndex: ruleIndex, ResultKind: kind, - ResultMessage: sarifMessage{Text: issue.Files[idx].KeyActualValue}, + ResultMessage: sarifMessage{ + Text: issue.Files[idx].KeyActualValue, + MessageProperties: sarifProperties{"platform": issue.Platform}, + }, ResultLocations: []sarifLocation{ { PhysicalLocation: sarifPhysicalLocation{ From 2fec8ca2239a84e324f1ecb89553dc2cfdd9493d Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Thu, 16 Nov 2023 12:52:26 +0000 Subject: [PATCH 281/379] add logos for nifcloud and opentofu --- README.md | 4 +++- docs/img/logo-nifcloud.png | Bin 0 -> 10825 bytes docs/img/logo-opentofu.png | Bin 0 -> 6050 bytes docs/index.md | 10 +++++++++- 4 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 docs/img/logo-nifcloud.png create mode 100644 docs/img/logo-opentofu.png diff --git a/README.md b/README.md index 2e15528e67c..0ca93f65188 100644 --- a/README.md +++ b/README.md @@ -55,11 +55,13 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
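Review bot: `MessageProperties` is populated unconditionally, so the `omitempty` on the new field never applies and every SARIF result carries `"platform": ""` whenever `issue.Platform` is empty, as the updated expectations in sarif_test.go further down show. Building `msg := sarifMessage{Text: issue.Files[idx].KeyActualValue}` first and only setting `msg.MessageProperties = sarifProperties{"platform": issue.Platform}` inside `if issue.Platform != "" { ... }` keeps the property bag absent for results without a platform, and the test fixtures can then drop the empty-string entries. The enclosing `BuildSarifIssue` begins and ends outside the hunk.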
Azure BluePrints    GitHub Workflows    +OpenTofu    #### Beta Features Databricks    +NIFCloud    -In order to run the Databricks queries, use the `--experimental-queries` flag when running KICS. +In order to run the Databricks and NIFCloud queries, use the `--experimental-queries` flag when running KICS. ## Getting Started 
diff --git a/docs/img/logo-nifcloud.png b/docs/img/logo-nifcloud.png new file mode 100644 index 0000000000000000000000000000000000000000..fd64ea2129bc157ead76fd54f5b7c5b8644ec460 GIT binary patch literal 10825 zcmaKSWmp_N)b;|4yE`oITD-{O3lw)R6n7|YMGF+S;_mLn3berDR=j9&Slk^xp7*-m z_viOxCMTJ5GLw^>Ozu00Qd5z~L?c53005W@5E%^s01oF(envrhyStY$KffiYE)f0C z0027ve-|7eGn?eCkknmP&t22m%H7M%%@QDK;cRXRQgAf0w$!jRv+!{pwiE>bSmqUE zB(=PkjspBr$e}q-sa7AU6TBhc6TogYM~6;rf(=4xVY*3)zg4~mH8^l1k&}>KD&Ay| z0^pKXKaL6vH=_1Sw{o__-H+m$T~#%E9U&Bj{0)5k#p(3ik*vE&|2+C`Qmd${hFy416+^HbS1BrF}W-IYm|$# zxDxWh5qvNJ{4;V3Ve{2GoF?x$kdNhWXD7zF4~8mbp|z6{#@lD;wXqvI5uS`#m3s8} za$kVQMVS-N1j7w4Z42Z~j$0lRrILYo(p0(*_usi^ol$i+1^K+Bmc1Q6i)%{6wK$jd zRe#xHZT~D3r(!wRo_3#f9;*fdOi^BV%Q44~u7n4vw&YV#skabkZD}B^6DV$f2H^nq zQCuCwjE_w4`_JCzVtoJEL9?9*@h@HtrH6-y+guh(v)iWGLh4y=mTXCq9@K z^D0b$0+1;b&rQeaEO|*my7#g)n%P-1W;$^>2oA<{2bluiJfs)Pd)t59yEtIrkSf|n zXB3Q~g*r4bp2#W>t)WGywH-gqcCpq$!TXC04=3ViqqJ9MyXQWpR#?%33+3($!$IT`&OGlkf3L*XyKdW3trLoK z(erXC@$GfTh)5oKQ)pAnHIu8YdCtiZ8||MrZSK7-M^7X{vW2B0qYKu7PwS9Bbr~5x2jXB3@_}_kdi!AtI@2#jg>&mecnI$&VS2$T&&$3$&H3r#uC{7B~QY!um!hzjCbxekMOT;fq-9kSVUpYsh=>vhYtfd8b~4vBvzTN(74Ll_QoIDrRx#n796RC(*>5 zE)00o$NDVZuv83!p#dIIDL11beLmOc!?&s!;#0|dC~#wsdRSW=*BGYNdbZcGDI{pt z|K1gTCTiQ#jkUuWDH7q{*JSb5qSm?eFUP?}q(>UfuRtIrUCq>jRq?s@bwvhWv03fq ze$tktvUt?G#p#XYUMq-`z&RNpuGxZnuu2z6Aj_h=qg0?pVi#j3$9^w(^93fsL0S~F*c;m zHR4%E>MNKHQqJhpf_~+zfrR=Ancn+dwzRbTn5XXxvk$jR8<@b>Y9cR|VfZnbC`c=|=`e41aG{4as=Ge{l!<5zF z*T94i4K96Uf{};IlsGzOlv85sSHHe4?)Vz(%`HH@_Rc@Fzb{rh6W;p|j?bL)&ilRL zsL7(WtNi`Vws&n0iU3z_P%RsSi`+CqLFJ`_C##IDFcPx*F9Zs(N##i2Z;lAo-GY~h zcFs(=IqVSd17g!>?5H1S-MRD_Y~&<3@Sfi(Hp5ru4f6@SP<_hBYBuC|C12~Nh+sdSjmPKg$^JS`8i6<_fo|oBTXeHa`bR|oS zwG&qoz6vW;F7kd~fQi`5oF6Vx`-Kv|epVm?=KS`0xX)LFr;L*`+Xi~3?bD##BjnNr&m4j%Z9h%ydCbOt0#SsO{NX4arEcan%#54bDEw@g>{xNZG zj&OXvY{N`s)()L{s;C^iv`R>&=-$dkG$o(_CIu}HPN=@yr1o%_n%!wbJ_TH!!KqIO zN8}QArdIc%xPNu|iI+&SR>(j-x4S>BmJDJ3=7$U)RrS#JS10aKU_Zf6$6pZQd_ScX 
z*(YpqpV=)HkIG_DJbmVl7HAszG)KpDNV@97EQk(F0$-myx%SjyI7Q>)BJog%mcknu zBFRWY>WcK%ef z`o%ggm1-GNos1u!5mbE?@32kfBWi*%o_lt4Lfa-AgTcONy8R*C{tUx(9Z0u<89yYo zO}1zS(3S2nt66!HsY^cc{2SAmkIj9$OIO!Hr7W zI{ZxJLS2i&b9gyMr$_q8gahI7<*M>DwiB+8g!U)&i40GA#JqGlGi>U{-U(0qi@Sr3 zZ>+7Kd5BEvIZTvEg1QuFh^xeW9)h^5r~k2P$c9r$!Aj0Wy8ENiw==xk9(~3i9(zCu zx!c$ekiku|z%A^+=^ILaEe~}JRbP!G9fnDw5q~|8GyC#+N?{zePNho|T zDp87FlvvR=Ki}`G=}xSDA?}4on0^D~C?Cdv<-;d@N7Hj8lwx^O`oyr`w6rl(uwTItt1uh%u5aN0mpMkw^dEXb>%jPkaTy*rGcj7Sn8V~fkC+D`0m>9p7_Mbk zVj2tDv-^gxI^CEreMO0qwD@4M&1HdjR#+(}{CRM4;KL>1yVG3akQ&b|{$~~FJ8u~o zy!zI!MyeRH6ya)Lu!F#x7a+s?tDP8|iaVir?W(YM2B0j_4{b9P!b*Ty-Mvna%-2Sm6n8E_)3bd7W{YpXF*Lpp{+TCfnKQE}k zAY;0i<5S`=*D_G_WIgNik2`;jt*9X%d+DufFVbdI$4MvPn(nc0bjcn1W?kRaw)Uqb z7JF=r9MSjh2UN(auQ$rHkW_=YMO5fnyZ9?*Hg`*LDp-^`I4s*Q^voS<(sWAk6}LnM z-rp(<2;Q2-Qp8GEw!7A7&RCE37;bMHZuS_5IzM0JRAglATvTOv<&F$_So&b~Mv^(P z^|U<8aP}-e{S!!!5w%#nUzEP;zkn(p`!fm~7#7eSB<=*URi1hg!R z?95H`GBF$g(?TUl8rtp$?jpa@p2OzLfqGqSten5KCnVD7mz6|=&#Lm4MpVX(s!|y& zJvGOGW(I^clH5N%LdZWwSDaRAyM_}~aTU=Mr!lUf-U7omav<@sHI~ z#}Tz8D946tLG(FL;N4}b!;c4XCEb1%AH8SC7J`xtib^+zAHR14nBuou`ZUNvF(1!y zm1t2lW4T*M=ay%@jk9leinVV)N)6Kuu8DV#8h9+SU?4A)KqIS7;J21|w=J>>(=~rZ zCBLr`@J-2z1&AFGKKW9C6>onc+lYu62b_WOn0B`Lqv0xEv^|Wh~*LntvsLl zZT!HqG88%uu>u#|_+Mi$%D;%|I=++Q$Y-^t-E#%Sh-;CWY|MY!nl;2PFB@3PQJ|DC z$@PQ5J|`KJM5%+GGAVWIx84=aqxJn3+t68UTKUe*{`x&n^B7GAOTOqgAPlax7~L*R z_~$b$9|8}RtM;=+`f^UB^bEU;NHQv^kXgC4_wtXSl;~bw6XS8NSQ58<=vY>{ED>kkNN4fTOUG+5qK>oo94nbE%!H`gGGYrwq)RME%Hj-dvK znYI7f**x?BB|tW*R8KAEV4aTI5ynq+mO8|o+rNGM`s{pu6;m*x?}B2wL3p(gz6W9= z`eYH#l)QX8MH@relr0VKRb5UXj+rQ4fRB@a0bqBr(dDkGp@NgPs+aY8b1#V z+Ng*(rVGiLnP|Wa-`M|gj>WZY<{z3?ZStdu1{X)JaW(UwOmCHx?bul3JhbUru)Sj5 zs$!RFQpubjsvA5uUSoe#D0J09(&MFpRrySz#l8KvDd^E4d;=5G%$<3x=#fb(#p#?RdETj*me z#sB1(rK>r1uzt#_c%F(0KFj2T3l0loHMTge)$1~|PXZ{)Ip2-5to`w1k3^^k;n~Fo z^L2gqoSw?b+HD-ENSTlY!lUkV#~eLJmOsz1f1+fWIebtV>6_AVK_v~PhZGa8z2$eD!k5eu0uFI!Ko~zV7n#tuQx30w)v-6l@!sy`ic<| zP%#){OcHv*-TDW~HhmXoqvG{lr{z6)6ualjTKI-N 
zkLX3uC19t=wab`AT91~3e64&DKzSlXtTFFgGO$3Ch6E)A zJ}Az%!4fel1z#2P6h|CEPd5U8@VM*lG{^dh$tq{~m%tj_92|g?o>wu8i<2=440MI0 z@+`@bSy4z7oHT;e&;TY4jO=&^D8VS335rFaA7&-^+w{!?xc-%u2%P8u_Y@gg2AsgX zjpjwd)TpA3fk@HuiKPT&_!0mPS(JZ(83-?`np`&_LW|-RmLb|~bUvRJ3kx$d!v3D| z-5mh<#WoO@V`W|fzB4xXN?*l+l9GT?sxz$b7$gJ$FHWM-gF8TnF1;j9wYumCD){Am66usK5HdK_@nS$u^%MvaqfrtHQVIgu( z&4}dXK1qv`E|Fk7T>=LgAagKcvH#nlq=*ya^=UiZD2Ard+%@8_4IBVvCY8n4!xEka zC-An|-Ectt7BKZr4`NEr$s$h*pCFI54F?d5FyBTCTffxEoMZIMiFiN?%I)KQfH5%@ zYJu=U*noX~=G!4}Mw|k1H1>TE4*;+kV`jFeNT(%s-CG=X*eh25#z02Nn#e|Z9}es| zVAP@mg1}@c`D8MbZMP-WiIFK?FH2mZ4(0C4b~I*4?Z8UW}fK-qd@y8!-p zC=u{*fM2cfX8tJJKtK@XiaF?i9&~c23!wl2d7K#E-{@9Q(3@6%kGk6fPx!-|KAff` z$~FlM8}LB31LFJ;ZpQo`aK#aLpBkU$kB<`aMzbvl!90Vq&^4tf-&)%{_o8j|#>YP3 z*Nz%?U|Mn&Vd2Nx?&1Lt0o#vS>3=wb9rtRuObI>&M*>I6UWVCbYygR$rmtH09#{~C zg|AE7P`D2J12Xbgw51G#JT+%GT2Apr1sL0}uENzC`H&(--Ko8k$&DAVK6SrKue=c~S51 zO&hwlmYABYF^PH;jv?OZ4_VLTgS z7?=^W77+r!kAmUo&>L<9Q)HYNVL09S$bd+DKEc(c5tXQFLyzWj$tuzFT8Ng(n?Qi# zSIL%IE!p7i_mVT5$2K7TlNE;)gQb3APzu&X#t>k7e_tBSEr19Sy+Ss5hFhfn{%A5x zVpQM|VO;QY0Y8N>vj68Jtu~ESBeSY=NF@MZ=4Bg-o)SBRxCA64EQ zT#k3 z0DKWTT&C{+86T2~)w?Cb=?R~`t7+#xHF&ktdE&XA!9)pz2mCAi05nCZWgec)MNWbP z0A_Tjqa-H`W~RUuc0rZ-xIW1cBc&|C#)s@c*?1{BI@Z zA(C2>jlWMt*@?ju+;U42l!QzEt|euo0ncmI6=RmZ7mDogT!*{Z)RO|N1NCS0&vQ!} z`wMOcOBV>YugbrlC`oy*`yMCQ?%MZB$>WM;X?=L?{Rs*&~`r!K0EK{)W$mwsMEi!a_S|;dvn=5zM9%#@G}L?-H2j5n zRtoG&&|4*F;5*Y6`{-)HC8|gW#&O|s2t$_>Lh%7xS9O+Sht_<3_v!@km%Vhku*vl! 
zC5&Q!>w>Q#J$`sEA!`I?inAHCi;40&y10krs-z2|YDR1e=sw#X)8q}_A(c|Oh8qhf zBhcETbNv~U9~IXj5LW*`Uc8BTk+S!Dc`XN!AM&icU{97LbJU9jIrp|$ArbW`p1r;#~WQ0AB zB|n{HR1(Br!(y+-X9Y$W4#ZI|5_Y;*OU7ioR^+zb7e3~W2axV999dkw{hhr9x~CQ) z9T`bMWgir<4m>lP{6YMe+?+R0s37?qO*SW4E$6IoDTL(eIce|WnRa#NCy!3g z&yZ6O0Hadg7B$k2F6X{isr!FhJcHHmpP650z2u>RP11#1Pf7BlSG^py*C}W$m*K_h zUl&RKh;d=^?14+X;b(-erg}pVe46J^`=VKgxry9ZZv&S)M6IQ%TAEso`56Qhx*sW5 zGI-W^%7$XPi-xB^3&!#kes<@#jzE>9mBz(~M58G%t@~FTi@OJ}3@llCM>mh4T`+r9 za*9A{{Ko?i0@+<$41eD3`uJ_-n{~U%izAI!cj|k;>^3^)XwWh8l92^7r?gMid@F8S zV>pFLC!Iw~^9W2y|8Xk4P}t~Nrt-KLp>lR-b1=u0JPJr?z0 zuRXDb8a^?m8Oqoht~YOs7gJ93Na89~yx7-&u&wdISDl)XuyLKnGcjHk0d*DuUldy^ zTuX-ck#c$@LLQ{NKEyea<+naSCvDs?zAbP5nKS%=HdqaLbj@>IBgj2xV*KX21m6Bp zp>)UPJ#>8{tOC3kfAU@x2ZgeUIkaj!s&iG79i_k5(VyG!K=y!UCC&Y~Kqe6K3sdF1 z5b+5{DLqnC7}1G#kZ}0O{Z|dOAIe3ktxltme}>hXQ7zrg*kMeJt0T8`AkrIft_*4p zkR2|;Aw}Xdl8tzzhyf3o+~|3vj%!|UN!t~5O(FE1`mpp>%c*HFt8TQ7HdG&b47p~9 zu*QX-4D@e2r=MN^lligH&OPh$X(F$%1I?BTqht6d&DJ#ch?pGN4I2HEo9@x59FN)v zLE76c#P+><8@Gzn*wd|(Xp-tt&3+|ri?M$u)!5C2jPL=cz_$;&&t4i?_BT z(cwftb#rQ=ymLRuRNF88&BVT&8g<8#%`AXffn3^oVtV1E4pr?i>xz9ZrNe5`m-rOF zkY{=n{Fv~3E%9Z)uht*)k~UfowSOmseY zw-MOin9K%Gaj#|i4g`9Qh)X|e3z`f14}7J|=wCsT3WXPOi7$i&AJj{cVN}(>{y2G> zeiWd}u$XUB9(AR;hiK_p8{J?!d%4Ipt}PrIcQZnNqTy|8lt`)kBXEEnW zRM&G8Ql>_agNMz*p9USi5uSQkbld{UuNuTXS^Y>5j;65$eJlNr*(L4o6P^PUW!-;= zDF2mP*YtK|K0+(X<)&TMz_`T@RwDpzrpO6X5s{$_vEqpMXQ{%|m=ZGY)z$mWNyzI6 za@umrx4AeBJ=OLd)Q-P&fT5pcvK(+*nI)4jrdHPDd|l=Q*78$|Ur=itR=0 zdh)dOmXonljR@;>pV;Y)l^N7i4o_&GCeAkT=D=T= zclv8j>iVgmE>J@pHD35`@b5{IoI4>Hnw>qn(6LwR`4{8}Jy@|_@==}=%!%lIKiOTy zXLqJVl?v-yXilmq|DdT$Bb$|X8Hco-7Z@|s94+$ zdO*A+D7zg;sDpv*dp&g$rizywM8jjzg=%Wva4qrZq z*%XAFkN1alUGLXlj)?kU2m760^9E3mfPrZ9=$7g%Vx zFc13|NQubM&c=>Vd>)F+JC`oPf@bFDER+wBXB*|1bss6zvC{8JAIRW8>J>x9DV7K* z@nJ zTzILea=H{lLH#A`(gQkAgM8byI84qo^a-L#yuFVZ*4pOz@m0Jc8O38QK`z4wL)o5c z05QtlMaJ2hHRuO>mK_$j`R8srD6zWA%!sYii89vpLwUTS4Gfaxdomo;NU7Ixx~Xu= z76jAv@npfU6N$9j-8d$iWHsG4>JK>(uP8;Lq-3JlnFh|^PFd<6hmZy 
z!&4;6MiQ00e-SC>CSh;9TmaILEo53q5^S68nRyBmx|N4 zAN^W(9;Svr$DYL~4r+G}poXdDGC6K$i(d#hnR&{5xXeE=8fWP26;%7fI4nFr>!@X! zEieUAIeiI{7Y&UwwpdZsFicZ!Ft|M|9`zt1895TzHvZ9B9r3FIF{=7IQoG#7l-V%$31~qgHh5D(((?++`7#w_`Qx*KaqDz83ifHHS`1I0*?GTwEj(+X z6_LvDq`6FlAxos>SM^4PD;gfl+2Ku0!){9YC8266XATA+4s{dddhI}wzAsHozlXSw zYDM^filBvL;&&p-5`mAHzsBSwu*;>2D`ZC|eMr#upVv_itMjGv`-iHhxlK7s5qBk)6w&{X&RI0U8wmYBH1i)M`X2!F zf5Lx|=zo#W{|W!Wss8}bf4C~Bo+pwO(2F#wYSGL-64;1}jz4b+0adO>g!13)^iO7HKNTw~HWB7-gPkf-h zz0v~Z>AvX3-*bb3!q8mT)x?I#Z|qSO!jC_f`+aMonXwC?L16Q!CIQOfZ$Es~G3?nB zorW#+4)V<=J9rMQy3Fjh!o%}@>P=l%%yG-7B$0Zjh{iZC4sS@($7M|1LN+MbqQyD+ z=Jb%7^{bo+KMD~8g6ZMn97VL~);^BX-=rzLbHv0SFGo=F?Y8=2;$;Y1$R3Po`fj*a zv|nXlk56Fz=NA~%^|j)m5vB6#qaJGG=4~Mp)m@nNPGMbxp_d>l+_3b7oQbJ|Dr)*}Bq-?1wtG=tsWUt4J#Bmoa`Csn4tI8#j`{){fy&1c zJxJMRF9_ux1TK$ns-|-;gVDnCMqG1gG?y*NOk_OqnI5$T<`W#HJa*g`JwOd7?6U;4 z3=0fPIS?Tb9{9_qZ*#~LlspVz=11vI6}_u8_L(=zy&yT(JBSAF|H3TlMsYs(VigJg zfPRbEkcJafaP(Xu-iSo}FWvMuoXU_E^&=^rNW?%|N5bGqLFO{p*p&w8V_~;lf@_6Z z13&|weS&yVQB4~~l+I2fE5uXvNNLLs{jxR=ptu&kp#wq*hdki(!4K)8Cn84FI^wEd z@SF=Go-43b7mT|M69{7YJ`tpx+O$ht8M z3JP4GqeME*K}^${f-+rC_Lux*`341(-vq<}Vn*KV_5(;%Igz0amLXGLy@%C(uHvZ6 z?b04*PupvunmO?4WVjhppDz}iwOW=W+IV%wka#U~c6e(A_1GD8LN^%Rg2jnG-<vrge{d5;svR8!vLxckkSacQn%ndYQ1r zc@t}mH9xBpk<_xtm&Q%s5GE!g_gtN4o1EazsM_yOjk_3wK@DFW@)^p!j8jmcdxxh8 zx80)jd}EUida!h>{wyvm{-E-n*QBagyOR5_Lh{cE3bFOM2I{Ce?3`R9f?wpXaa*L# zdwvy$Fp-+9$H&!2p|ng%LslP?C^WlLaTlxHfm$cFN+hiuqU; zb0YLq3o+DclT*x7^on!b;2X5(b)s^jqX5sqAbnS*rVoA@v5HqM8$SF)^h`8?Cl7X)4 zzdhA9*9{1vqoE48`ll3stjGWWm`t=(;ZFj8ZWmI9GE5Z?d7|AZSAd$DJM&-A*aM7ut^Jte$t?cPinr)-0Q1+|x%;S+K&AEU@K4+YCEuUbGeq_XSp+@2W zqLD{X)YG|MNUev`CPWta`#>adAVNOO;9^`WX1PPnRs7|Qlg1?Uf$OysUN!FVPgKuj zh%A*fBU|0xbq4hMs2PQ1t6I2bt1r*`3n%Ve;Z}MDgPEMiYGEnPp7v{%s}JJ-QNFWI z3}&f`p5a5^zGw93X<(p%RAd_`aIw{Wy>#O^K_;_K+nim-N$}^$$NnwYokxsG1Me#f zyiPmJZ2i1%ybYslp=U4ziT<*XY7k+FoNGNgNSsD7o3+Z}SZqubL8QUo&u%fT?~yf` z3K>%z84Qy~%3<$W4sbna;x=b9Y3mY5@}DE|%Aej}8&UJ5VYySSWzM;)Vd0}W(}U(7 
zM>LuyFnD2KDz=-GXiD=$%DFyq`?V&MI8AY*-Thg?!Ah}fxvD||@rrOR-L^LVjH;VR zh_U)l)ti;1h8x}N#erhLPgo{QYmZddJM){7`Yz{Ls4Iy`zCTUftZ|wU_PRF#*c4XfP3|W;QiR#eB`C}lCjiyvf{;&dPjfIi9 zz$2r9-B86{)x+ghu(gb6=b0e)WO718zKQt7Yz@=;la}UYw&VcFe+~lxOR95irB_|q zD4|~y6h9E#dn!r-KU(cNwyxdDw}$Q+To!++ zdX8d~Q0xvH+EMTZLXl=dj4?T6OR6EqSmkAj#CU5qrJ#L#%O_Nb>s*4gqJK6-ftJ)n z)sL5)s5)#Wd)tZr(=ZozmI)}Oyp1~$6-e5x9B(685`Kksy+AdIuvzv0vo1pMkl#I3 z5f{f6iAzq5RXD+V=6^#HQhG=~>o4*-Nx!p_nfq^g*)}ugI@ebjkaMk%%1DPuvxk<9 zMAiN?f{?uo+xFTrQl{iezPo6A}6FmSMm z?E8#ke9JTJRlq@U>aT_Zg>cbetqU83_xI0Z9p@iGxVm3bA)>4yx__AM)hBl~d%hL) zafZD=XsK6*f8eke+@crz>a(beH^KKY%#JSn@eya(hT;h)&u<;=hZBb12i|EapfI*c z?VC4eI0PMpV_n)-WlTPLPsCL_v`27T6>$f-%7rexovvbQH2qbobe9s)KY5H z+kQ#-8GZAU;U+Er_`)j*$Z-aqNBK3k+5WM>*=Lp3z0muWZ&jQv_SlrGj|-(|vuG>t z)rpc5dAk^_r+GWu(dN^3T|h8?F9LAzi5TBK&7-)wp1Eyx5F7~Q!>3UrJ`MUW&Rm_J z^X3!^Zw@pyRFoEOUm&!#yUCb*=tDPxnfP4&98G)r%C;$z;G+;m7EiShbRq81?qTUw zP>@PUFV~(3ew;gD_l`oReb}$z3#oLNrBcL1x&W{L@3c36=5kmj>M|#;c5)Mgb@t~l z1Fh8e!x*^Z1|T%^+IVA`L6HAIwXMng%*eCNM+Uc}Uf~Vb#^<%41?hg?Iy>sHAcoI> zusz7yn%zs&LQS4539y}RhVC64MKtRvek^RaWne2B8D^Fe0(ryS`u0cZDrOU!xEdwG zzS@X2p(fH*~Lbd4WmXSqz-JiQPdljo|Te;$AIly?& zg?L)`L(l!KA_NDs%yn+o52KC#Y&P7~Ba}{D%AMXm099%4hfoZaUbx7R|v5T<%^7088UB}RhotC8;^1m70C(dR;4{y zi}iUq*7+}AQ7>yZ^p`$!UW9|@3l@48u1H`#Rw=p4JqdIe<&vk)yBiI^OOw~=-ssU2 zUU!G-yq90bJH{WK-)jUs;4XyC&fa&{r7^A?p-X8`);h7;=!q}+N)w}eJD33zw^wMV zWg1z-#U^It+k%6RQXLPi8^3tsrW0D14@ z-yM+cytNBbC$En?nj?lGJy>ZqaR{V(k3Gx2n(?5_KD#{>X(g!(e((;Bg6278M&5D= z)Xzb3WNf1yXJ5|?8>kW*0my(3M@c6rk_AJB&{&ODQ1;0hb!%>1fq*77G--Aj5USl5TZ8w?e=RBcJ?)Tv4h?Zt= zx^;V*$ip@eKLk+>%d`!YeMtzkV&L<(RzEbewDTOORf-Nu+m=LC>!au%);-FySV)r$ zb7_7qwy@z)w<_eINj2{hp15q2i~1YbYSX@!Y26XrEtylIflAKuEzVCX%eSKZ^F7N0!-OAsG85F*w-KH$?xjpYFl3A zvpmm^sNL-awhlPI~5yn2vqga|#xR9{=@2VwmupQO_#HrCL{TAWK7-fObt^8h7y`Q!67 z0T(`#sLSxSrs&yy#;P4vN~N&tfw?J8Zuu1gF*$AMD(uEU zd+3Wb4v;q*?sj`{6_eT(Xl?Efx1Ek+{Eo2_~^j z5b2L*FTSv<&V@e=9*59~BR|JH4KJC2wCYWkcQld!FtduAWgD??ywNYX6aBxQyZ7Ah 
z&WL2*CG6gyTJlhIl$?)cm}bEMNuXIiZ>cOh^EWAwx&S&4k0B9ZAP`zNzYdNo>52(2 zYIv^}#uXgt#2=sufz>zIY^I5Od^tpaOknwUY^(@Ry*=2K!ZZ~>vRjouzGoN3RbZJ*)F=OC?-fIe0S4lk8Y>a+h78Wh9^&0@9kX<3V8?^Kb#oHR+t^iZ$7wxbztO7DmSqcw@WDg7Rs zo!-zSxn&p~20Mi)g9o2v)2di}>(h<&t{HiS?w<`a>8Csvibwhbik2b`bkD|Az94qh;W2z{>I?Fo|WtY z*>Co7toJA}IR+YgC3kdg&ma|R234skWzR!l45tCzbtWeUln5y~W zkvn68Dn0pdHVBxNzg$w~NJny#|RaU zPr0L?yH^lFd3d;t19teR#3YWYtiVeB5E?KtnaY|t;<0b?J`lrt_gJ(>nu`b{i(@;U z3x70uYa&t|I&JeRx@d<3IdyWs&?WkbyZX~rx9%vx^01TlKd6=#9iDP`kbWKo=KrSb z^{Ow8MC2y3z8_t)FI*k{u2QHU*wC|X&#+-DxhTqvIflDEnTEWv^z+R^;9KU#joTvO zY?5G&=BpC+yBiUQJG@bJHv5*n$hQd{<7Xa9{ft@W>A3Vm046{JNiK*e6L|4KP4zZd z3F{ck4r-hu^*_zi^Oq*&_dD61ITL%nUj}2&3;3p^ii9a{BEPR1I)dAx zD1_Ytv-?kv1$r^~2QjiXkk;Sx)d{o?ycca$Gxv#4=}_jDJXbm)i_JY;(@JV>_ewt7 zuQ57%2b-tR3mZW6meu+o9zIunXAHNB{IHU**RWpfz)U4dAtcs8znxZeZs9cJCT?Ma z5_ykFv`IjD7#?FubNGS!Z0b4Ojjhy5RQmN9fv2tfRuG%!Wr+do8(D~7W4T~Y|MjSY zX(q<1hun4Gzvreu50phyHW`pwJ5?{&W6`(HH`$2$(Y&9K)*(e?J&a~Yed(ESYH_V6 z$<#k;_~29t`@?-u~Y3NE5GiH0tN%{3HGEctv%Kja?vjdvd z4u*RHYYa$eA%J)D6B?e8;FGvME{FnMcoyKzuRgY1-@ zat{|ZrTQX1k)a6usb45LtbakV&WHC1}iAigyS zrvZjWE#^x!6^9aMi89sjp4fI8x#_FP=Rf)U^F`%$X%RlU@%cR8RRpL})k5TS@rN6= z`W-t{9LuSS%@9(n*oG#hc{G4aF5!fd0~SJo=v(R^e&z8-TJyIS+T$j-F}BGc%yJxh zmyGN6p}(ZrNe-M^?A@LhtDuNl$T)>B9!(h_&;ju;iEZKdDUahV7aTB77Df632IuLv z`wYQ@R7;uhZDsdkI06k|D6NDS^qcwB3(1qd&9!0i7m$)-GLf})AZ4w)r_O#mL@4^k zk~tN$t<6sDTQ}dq@8?&4AhQHgp7@83;+Hn+TXRiCkXD+R z-$xE8wv}@)6&A;!OmsBfX!uwj33>ZOLz>obY8U@kSJHN{bdNP|RpjfoIX(g~6mVEnG%AAC%A%M3k;!#Iv@tIbFuXNdr&8J+H>8 zMQX(grnsBZ9P&OvP{J{@G?VCqIOAN4ckHBOPx+I8*TcjfU`m{f%xC6a6Afn?IHf&W zn@=SoCDT6v5a`$1}?w+|T#1*G4 zvqKVBg;=5w?l`8IdsZr{2x>$IM4q|hcRqgePcdzph$Yief*1Iziv#N)MR#m72h%0o z!INrlu)6#zaI7SyeEF%L!orugiKohXLmZ?jB@p>G)fowi3?g5~KZ zb0j$;b{rToq_^TM9<%8*iN=Yp^&0954JrgLP&t`YuyoOoUY1w5abhoRecu+UTO}_( zXgcU%{wClWBJ;ufuOySnWA!?c$oC9@*wc4yW}>Et+)6eeAwUDR0I-AQ2_+AC?o3Np z<6j+}q`sRl>Nk3W{D8pFB$=CLQ`sx<#@va-e{`U^Xs; zUrf_<_N#!0ER&l;1Ug;bc^R`&?_0?bL%gIXOyA1Fc} GitHub Workflows    +
+ OpenTofu    +
#### Beta Features +
Databricks   
+
+ NIFCloud    +
+
-In order to run the Databricks queries, use the `--experimental-queries` flag when running KICS. +In order to run the Databricks and NIFCloud queries, use the `--experimental-queries` flag when running KICS. ## Getting Started From 11fa79583c49d780dc83143424ce81d8954c40a3 Mon Sep 17 00:00:00 2001 From: Dima Steklar Date: Thu, 16 Nov 2023 15:16:48 +0200 Subject: [PATCH 282/379] fixed tests --- pkg/report/model/sarif_test.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/pkg/report/model/sarif_test.go b/pkg/report/model/sarif_test.go index 094bf6cbddb..e17297f8f3e 100644 --- a/pkg/report/model/sarif_test.go +++ b/pkg/report/model/sarif_test.go @@ -89,7 +89,7 @@ var sarifTests = []sarifTest{ ResultRuleID: "1", ResultRuleIndex: 0, ResultKind: "fail", - ResultMessage: sarifMessage{Text: "test"}, + ResultMessage: sarifMessage{Text: "test", MessageProperties: sarifProperties{"platform": ""}}, ResultLocations: []sarifLocation{ { PhysicalLocation: sarifPhysicalLocation{ @@ -193,7 +193,10 @@ var sarifTests = []sarifTest{ ResultRuleID: "1", ResultRuleIndex: 0, ResultKind: "fail", - ResultMessage: sarifMessage{Text: "test"}, + ResultMessage: sarifMessage{ + Text: "test", + MessageProperties: sarifProperties{"platform": ""}, + }, ResultLocations: []sarifLocation{ { PhysicalLocation: sarifPhysicalLocation{ @@ -207,7 +210,10 @@ var sarifTests = []sarifTest{ ResultRuleID: "1", ResultRuleIndex: 0, ResultKind: "fail", - ResultMessage: sarifMessage{Text: "test"}, + ResultMessage: sarifMessage{ + Text: "test", + MessageProperties: sarifProperties{"platform": ""}, + }, ResultLocations: []sarifLocation{ { PhysicalLocation: sarifPhysicalLocation{ 
@@ -221,7 +227,10 @@ var sarifTests = []sarifTest{
 ResultRuleID: "2",
 ResultRuleIndex: 1,
 ResultKind: "informational",
- ResultMessage: sarifMessage{Text: "test"},
+ ResultMessage: sarifMessage{
+ Text: "test",
+ MessageProperties: sarifProperties{"platform": ""},
+ },
 ResultLocations: []sarifLocation{
 {
 PhysicalLocation: sarifPhysicalLocation{
From 23c20ce5f7360f33582a57698fce889d094479ef Mon Sep 17 00:00:00 2001
From: Dima Steklar
Date: Thu, 16 Nov 2023 15:22:34 +0200
Subject: [PATCH 283/379] added spaces
---
pkg/report/model/sarif.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/report/model/sarif.go b/pkg/report/model/sarif.go
index 2182cbe62c9..67ddadcce89 100644
--- a/pkg/report/model/sarif.go
+++ b/pkg/report/model/sarif.go
@@ -41,7 +41,7 @@ type ruleCISMetadata struct {
 }
 type sarifMessage struct {
- Text string `json:"text"`
+ Text string `json:"text"`
 MessageProperties sarifProperties `json:"properties,omitempty"`
 }
@@ -295,8 +295,8 @@ func (sr *sarifReport) BuildSarifIssue(issue *model.QueryResult) {
 ResultRuleID: issue.QueryID,
 ResultRuleIndex: ruleIndex,
 ResultKind: kind,
- ResultMessage: sarifMessage{
- Text: issue.Files[idx].KeyActualValue,
+ ResultMessage: sarifMessage{
+ Text: issue.Files[idx].KeyActualValue,
 MessageProperties: sarifProperties{"platform": issue.Platform},
 },
 ResultLocations: []sarifLocation{
From e1f803cc5d2fdde4234f29a58955d9bbff00496c Mon Sep 17 00:00:00 2001
From: gabriel-cx
Date: Thu, 16 Nov 2023 18:22:05 +0000
Subject: [PATCH 284/379] security improvements
---
.../scripts/queries-validator/requirements.txt | Bin 332 -> 334 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/.github/scripts/queries-validator/requirements.txt b/.github/scripts/queries-validator/requirements.txt index 40ddcf78b8e76e77ee3a99580cb858f17cee8a16..b8e43c66632c741fff101ba8106f7f25a064e1d0 100644 GIT binary patch delta 27 icmX@ZbdG7lA9iB~Lk2wtgUQT{&K!me77V-$Tnqqb<^@&& delta 25 gcmX@dbcSidA9f=Ka|S&I!^zBy&TN(pybN3n09^ Date: Tue, 21 Nov 2023 23:17:17 +0000 Subject: [PATCH 285/379] fix for e2e tests --- e2e/fixtures/E2E_CLI_071_RESULT.json | 1 + e2e/fixtures/E2E_CLI_072_RESULT.json | 2 ++ e2e/fixtures/E2E_CLI_074_RESULT.json | 1 + 3 files changed, 4 insertions(+) diff --git a/e2e/fixtures/E2E_CLI_071_RESULT.json b/e2e/fixtures/E2E_CLI_071_RESULT.json index 7ecfdd26159..2b1573a6508 100644 --- a/e2e/fixtures/E2E_CLI_071_RESULT.json +++ b/e2e/fixtures/E2E_CLI_071_RESULT.json @@ -32,6 +32,7 @@ "severity": "INFO", "platform": "OpenAPI", "category": "Best Practices", + "experimental": false, "description": "Components schemas definitions should be referenced or removed from Open API definition", "description_id": "5cdc0f3b", "files": [ diff --git a/e2e/fixtures/E2E_CLI_072_RESULT.json b/e2e/fixtures/E2E_CLI_072_RESULT.json index cadf5e9d26a..f9982d51012 100644 --- a/e2e/fixtures/E2E_CLI_072_RESULT.json +++ b/e2e/fixtures/E2E_CLI_072_RESULT.json @@ -32,6 +32,7 @@ "severity": "MEDIUM", "platform": "OpenAPI", "category": "Networking and Firewall", + "experimental": false, "description": "500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.", "description_id": "dbf15009", "files": [ 
@@ -77,6 +78,7 @@
 "severity": "INFO",
 "platform": "OpenAPI",
 "category": "Best Practices",
+ "experimental": false,
 "description": "Components schemas definitions should be referenced or removed from Open API definition",
 "description_id": "5cdc0f3b",
 "files": [
diff --git a/e2e/fixtures/E2E_CLI_074_RESULT.json b/e2e/fixtures/E2E_CLI_074_RESULT.json
index c6cd943d8fa..3fec7af1ec3 100644
--- a/e2e/fixtures/E2E_CLI_074_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_074_RESULT.json
@@ -32,6 +32,7 @@
 "severity": "INFO",
 "platform": "OpenAPI",
 "category": "Structure and Semantics",
+ "experimental": false,
 "description": "Every defined property must be unique throughout the whole API",
 "description_id": "eb2e14e6",
 "files": [
From 20d8d3335f0aa8278215691568ef7ec9476d9b99 Mon Sep 17 00:00:00 2001
From: gabriel-cx Date: Wed, 22 Nov 2023 10:39:01 +0000 Subject: [PATCH 286/379] fix typo --- Makefile | 8 +- .../01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md | 2 +- .../050f085f-a8db-4072-9010-2cca235cc02f.md | 4 +- .../0956aedf-6a7a-478b-ab56-63e2b19923ad.md | 2 +- .../0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md | 2 +- .../12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md | 2 +- .../133fee21-37ef-45df-a563-4d07edc169f4.md | 4 +- .../16732649-4ff6-4cd2-8746-e72c13fae4b8.md | 2 +- .../17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md | 2 +- .../1d972c56-8ec2-48c1-a578-887adb09c57a.md | 2 +- .../1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md | 2 +- .../2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md | 2 +- .../2059155b-27fd-441e-b616-6966c468561f.md | 2 +- .../218413a0-c716-4b94-9e08-0bb70d854709.md | 2 +- .../22c80725-e390-4055-8d14-a872230f6607.md | 2 +- .../265d9725-2fb8-42a2-bc57-3279c5db82d5.md | 2 +- .../2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md | 8 +- .../2d55ef88-b616-4890-b822-47f280763e89.md | 2 +- .../309edc5b-5a59-42b4-a357-d4d098311fd4.md | 2 +- .../32d31f1f-0f83-4721-b7ec-1e6948c60145.md | 2 +- .../338b6cab-961d-4998-bb49-e5b6a11c9a5c.md | 6 +- .../3505094c-f77c-4ba0-95da-f83db712f86c.md | 4 +- .../3ab1f27d-52cc-4943-af1d-43c1939e739a.md | 2 +- .../3ddf3417-424d-420d-8275-0724dc426520.md | 2 +- .../3f2cf811-88fa-4eda-be45-7a191a18aba9.md | 2 +- .../445dce51-7e53-4e50-80ef-7f94f14169e4.md | 2 +- .../4b6012e7-7176-46e4-8108-e441785eae57.md | 2 +- .../4d8681a2-3d30-4c89-8070-08acd142748e.md | 2 +- .../5330b503-3319-44ff-9b1c-00ee873f728a.md | 2 +- .../53bce6a8-5492-4b1b-81cf-664385f0c4bf.md | 2 +- .../5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md | 2 +- .../559439b2-3e9c-4739-ac46-17e3b24ec215.md | 2 +- .../57ced4b9-6ba4-487b-8843-b65562b90c77.md | 2 +- .../594f54e7-f744-45ab-93e4-c6dbaf6cd571.md | 2 +- .../5a443297-19d4-4381-9e5b-24faf947ec22.md | 2 +- .../5b9d237a-57d5-4177-be0e-71434b0fef47.md | 2 +- .../5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md | 2 +- .../5c6b727b-1382-4629-8ba9-abd1365e5610.md | 2 +- 
.../5e92d816-2177-4083-85b4-f61b4f7176d9.md | 2 +- .../5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md | 2 +- .../60bfbb8a-c72f-467f-a6dd-a46b7d612789.md | 2 +- .../61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md | 2 +- .../66477506-6abb-49ed-803d-3fa174cd5f6a.md | 2 +- .../6a647814-def5-4b85-88f5-897c19f509cd.md | 2 +- .../6a6d7e56-c913-4549-b5c5-5221e624d2ec.md | 2 +- .../6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md | 2 +- .../6f5f5444-1422-495f-81ef-24cefd61ed2c.md | 2 +- .../6fa44721-ef21-41c6-8665-330d59461163.md | 2 +- .../71397b34-1d50-4ee1-97cb-c96c34676f74.md | 2 +- .../71ea648a-d31a-4b5a-a589-5674243f1c33.md | 2 +- .../722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md | 2 +- .../727c4fd4-d604-4df6-a179-7713d3c85e20.md | 2 +- .../72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md | 2 +- .../730a5951-2760-407a-b032-dd629b55c23a.md | 2 +- .../75480b31-f349-4b9a-861f-bce19588e674.md | 2 +- .../7674a686-e4b1-4a95-83d4-1fd53c623d84.md | 2 +- .../7af1c447-c014-4f05-bd8b-ebe3a15734ac.md | 2 +- .../7cc6c791-5f68-4816-a564-b9b699f9d26e.md | 4 +- .../7db727c1-1720-468e-b80e-06697f71e09e.md | 2 +- .../7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md | 2 +- .../7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md | 2 +- .../7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md | 2 +- .../8010e17a-00e9-4635-a692-90d6bcec68bd.md | 2 +- .../83957b81-39c1-4191-8e12-671d2ce14354.md | 2 +- .../83c5fa4c-e098-48fc-84ee-0a537287ddd2.md | 2 +- .../857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md | 2 +- .../86b0efa7-4901-4edd-a37a-c034bec6645a.md | 2 +- .../8833f180-96f1-46f4-9147-849aafa56029.md | 2 +- .../8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md | 2 +- .../8d03993b-8384-419b-a681-d1f55149397c.md | 4 +- .../8e3063f4-b511-45c3-b030-f3b0c9131951.md | 2 +- .../8ed0bfce-f780-46d4-b086-21c3628f09ad.md | 2 +- .../905f4741-f965-45c1-98db-f7a00a0e5c73.md | 2 +- .../9232306a-f839-40aa-b3ef-b352001da9a5.md | 2 +- .../97707503-a22c-4cd7-b7c0-f088fa7cf830.md | 2 +- .../9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md | 2 +- .../9f34885e-c08f-4d13-a7d1-cf190c5bd268.md | 2 +- 
.../a0f1bfe0-741e-473f-b3b2-13e66f856fab.md | 2 +- .../a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md | 2 +- .../a14ad534-acbe-4a8e-9404-2f7e1045646e.md | 2 +- .../a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md | 2 +- .../a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md | 2 +- .../a2fdf451-89dd-451e-af92-bf6c0f4bab96.md | 2 +- .../a6d27cf7-61dc-4bde-ae08-3b353b609f76.md | 2 +- .../a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md | 2 +- .../af167837-9636-4086-b815-c239186b9dda.md | 6 +- .../af96d737-0818-4162-8c41-40d969bd65d1.md | 4 +- .../b16cdb37-ce15-4ab2-8401-d42b05d123fc.md | 8 +- .../b25398a2-0625-4e61-8e4d-a1bb23905bf6.md | 2 +- .../b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md | 2 +- .../b5ed026d-a772-4f07-97f9-664ba0b116f8.md | 2 +- .../b8a9852c-9943-4973-b8d5-77dae9352851.md | 2 +- .../babdedcf-d859-43da-9a7b-6d72e661a8fd.md | 2 +- .../bd77554e-f138-40c5-91b2-2a09f878608e.md | 2 +- .../c09e3ca5-f08a-4717-9c87-3919c5e6d209.md | 2 +- .../c09f4d3e-27d2-4d46-9453-abbe9687a64e.md | 2 +- .../c2f15af3-66a0-4176-a56e-e4711e502e5c.md | 2 +- .../c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md | 2 +- .../c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md | 2 +- .../d0c13053-d2c8-44a6-95da-d592996e9e67.md | 2 +- .../d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md | 2 +- .../d395a950-12ce-4314-a742-ac5a785ab44e.md | 2 +- .../d39761d7-94ab-45b0-ab5e-27c44e381d58.md | 2 +- .../d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md | 2 +- .../d5ec2080-340a-4259-b885-f833c4ea6a31.md | 2 +- .../d6c2d06f-43c1-488a-9ba1-8d75b40fc62d.md | 6 +- .../d994585f-defb-4b51-b6d2-c70f020ceb10.md | 2 +- .../defe5b18-978d-4722-9325-4d1975d3699f.md | 2 +- .../e01de151-a7bd-4db4-b49b-3c4775a5e881.md | 2 +- .../e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md | 2 +- .../e24e18d9-4c2b-4649-b3d0-18c088145e24.md | 2 +- .../e28ceb92-d588-4166-aac5-766c8f5b7472.md | 2 +- .../e401d614-8026-4f4b-9af9-75d1197461ba.md | 2 +- .../e69890e6-fce5-461d-98ad-cb98318dfc96.md | 2 +- .../e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md | 2 +- .../ea0ed1c7-9aef-4464-b7c7-94c762da3640.md | 2 +- 
.../ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md | 2 +- .../eafe4bc3-1042-4f88-b988-1939e64bf060.md | 2 +- .../ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md | 2 +- .../ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md | 2 +- .../eda7301d-1f3e-47cf-8d4e-976debc64341.md | 2 +- .../eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md | 2 +- .../f2ea6481-1d31-4d40-946a-520dc6321dd7.md | 2 +- .../f34508b9-f574-4330-b42d-88c44cced645.md | 2 +- .../f509931b-bbb0-443c-bd9b-10e92ecf2193.md | 4 +- .../f5587077-3f57-4370-9b4e-4eb5b1bac85b.md | 2 +- .../f5c45127-1d28-4b49-a692-0b97da1c3a84.md | 2 +- .../f5f38943-664b-4acc-ab11-f292fa10ed0b.md | 2 +- .../f81d63d2-c5d7-43a4-a5b5-66717a41c895.md | 2 +- .../fb5a5df7-6d74-4243-ab82-ff779a958bfd.md | 2 +- .../fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md | 2 +- .../ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md | 2 +- .../0461b4fd-21ef-4687-929e-484ee4796785.md | 2 +- .../054d07b5-941b-4c28-8eef-18989dc62323.md | 2 +- .../0632d0db-9190-450a-8bb3-c283bffea445.md | 2 +- .../0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md | 2 +- .../0d0c12b9-edce-4510-9065-13f6a758750c.md | 2 +- .../149fa56c-4404-4f90-9e25-d34b676d5b39.md | 2 +- .../1bc398a8-d274-47de-a4c8-6ac867b353de.md | 2 +- .../1e5f5307-3e01-438d-8da6-985307ed25ce.md | 2 +- .../23a4dc83-4959-4d99-8056-8e051a82bc1e.md | 2 +- .../29f35127-98e6-43af-8ec1-201b79f99604.md | 2 +- .../2a901825-0f3b-4655-a0fe-e0470e50f8e6.md | 2 +- .../2c99a474-2a3c-4c17-8294-53ffa5ed0522.md | 2 +- .../2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md | 2 +- .../35e2f133-a395-40de-a79d-b260d973d1bd.md | 2 +- .../37fafbea-dedb-4e0d-852e-d16ee0589326.md | 2 +- .../3f23c96c-f9f5-488d-9b17-605b8da5842f.md | 2 +- .../4d3817db-dd35-4de4-a80d-3867157e7f7f.md | 2 +- .../530e8291-2f22-4bab-b7ea-306f1bc2a308.md | 2 +- .../581dae78-307d-45d5-aae4-fe2b0db267a5.md | 4 +- .../5c80db8e-03f5-43a2-b4af-1f3f87018157.md | 4 +- .../663062e9-473d-4e87-99bc-6f3684b3df40.md | 2 +- .../69f72007-502e-457b-bd2d-5012e31ac049.md | 2 +- .../729ebb15-8060-40f7-9017-cb72676a5487.md | 2 +- 
.../7ab33ac0-e4a3-418f-a673-50da4e34df21.md | 2 +- .../7b47138f-ec0e-47dc-8516-e7728fe3cc17.md | 2 +- .../869e7fb4-30f0-4bdb-b360-ad548f337f2f.md | 2 +- .../881696a8-68c5-4073-85bc-7c38a3deb854.md | 2 +- .../89f84a1e-75f8-47c5-83b5-bee8e2de4168.md | 2 +- .../8c3bedf1-c570-4c3b-b414-d068cd39a00c.md | 2 +- .../961ce567-a16d-4d7d-9027-f0ec2628a555.md | 2 +- .../a9becca7-892a-4af7-b9e1-44bf20a4cd9a.md | 2 +- .../b176e927-bbe2-44a6-a9c3-041417137e5f.md | 2 +- .../c62746cf-92d5-4649-9acf-7d48d086f2ee.md | 2 +- .../ca4df748-613a-4fbf-9c76-f02cbd580307.md | 6 +- .../d5e83b32-56dd-4247-8c2e-074f43b38a5e.md | 2 +- .../da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md | 2 +- .../e2d834b7-8b25-4935-af53-4a60668dcbe0.md | 2 +- .../e8c80448-31d8-4755-85fc-6dbab69c2717.md | 2 +- .../eb8c2560-8bee-4248-9d0d-e80c8641dd91.md | 2 +- .../f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md | 2 +- .../0e75052f-cc02-41b8-ac39-a78017527e95.md | 2 +- .../2e8d4922-8362-4606-8c14-aa10466a1ce3.md | 2 +- .../59029ddf-e651-412b-ae7b-ff6d403184bc.md | 4 +- .../88841d5c-d22d-4b7e-a6a0-89ca50e44b9f.md | 2 +- .../8d22ae91-6ac1-459f-95be-d37bd373f244.md | 2 +- .../c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md | 2 +- .../086031e1-9d4a-4249-acb3-5bfe4c363db2.md | 2 +- .../092bae86-6105-4802-99d2-99cd7e7431f3.md | 4 +- .../099b4411-d11e-4537-a0fc-146b19762a79.md | 2 +- .../0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md | 2 +- .../11bd3554-cd56-4257-8e25-7aaf30cf8f5f.md | 2 +- .../18d3a83d-4414-49dc-90ea-f0387b2856cc.md | 2 +- .../19c9e2a0-fc33-4264-bba1-e3682661e8f7.md | 2 +- .../20180133-a0d0-4745-bfe0-94049fbb12a9.md | 2 +- .../20dcd953-a8b8-4892-9026-9afa6d05a525.md | 2 +- .../2263b286-2fe9-4747-a0ae-8b4768a2bbd2.md | 2 +- .../2775e169-e708-42a9-9305-b58aadd2c4dd.md | 2 +- .../28a757fc-3d8f-424a-90c0-4233363b2711.md | 2 +- .../29b8224a-60e9-4011-8ac2-7916a659841f.md | 2 +- .../300a9964-b086-41f7-9378-b6de3ba1c32b.md | 2 +- .../344bf8ab-9308-462b-a6b2-697432e40ba1.md | 2 +- .../3602d273-3290-47b2-80fa-720162b1a8af.md | 2 +- 
.../3b30e3d6-c99b-4318-b38f-b99db74578b5.md | 2 +- .../507df964-ad97-4035-ab14-94a82eabdfdd.md | 2 +- .../66dae697-507b-4aef-be18-eec5bd707f33.md | 2 +- .../6a4080ae-79bd-42f6-a924-8f534c1c018b.md | 4 +- .../6cf4c3a7-ceb0-4475-8892-3745b84be24a.md | 2 +- .../6d34aff3-fdd2-460c-8190-756a3b4969e8.md | 2 +- .../7289eebd-a477-4064-8ad4-3c044bd70b00.md | 2 +- .../75418eb9-39ec-465f-913c-6f2b6a80dc77.md | 2 +- .../7814ddda-e758-4a56-8be3-289a81ded929.md | 2 +- .../7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md | 2 +- .../80b15fb1-6207-40f4-a803-6915ae619a03.md | 2 +- .../829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md | 2 +- .../89afe3f0-4681-4ce3-89ed-896cebd4277c.md | 2 +- .../98e04ca0-34f5-4c74-8fec-d2e611ce2790.md | 2 +- .../9df7f78f-ebe3-432e-ac3b-b67189c15518.md | 2 +- .../9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md | 2 +- .../a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md | 2 +- .../aed98a2a-e680-497a-8886-277cea0f4514.md | 2 +- .../b28bcd2f-c309-490e-ab7c-35fc4023eb26.md | 2 +- .../b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md | 2 +- .../bc20bbc6-0697-4568-9a73-85af1dd97bdd.md | 2 +- .../be41f891-96b1-4b9d-b74f-b922a918c778.md | 2 +- .../c6fc6f29-dc04-46b6-99ba-683c01aff350.md | 2 +- .../d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md | 2 +- .../d43366c5-80b0-45de-bbe8-2338f4ab0a83.md | 2 +- .../d58c6f24-3763-4269-9f5b-86b2569a003b.md | 2 +- .../d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md | 2 +- .../d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md | 2 +- .../d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md | 2 +- .../dc126833-125a-40fb-905a-ce5f2afde240.md | 4 +- .../ed672a9f-fbf0-44d8-a47d-779501b0db05.md | 2 +- .../f9b7086b-deb8-4034-9330-d7fd38f1b8de.md | 2 +- .../fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md | 2 +- .../1367dd13-2c90-4020-80b7-e4339a3dc2c4.md | 12 +- .../2081c7d6-2851-4cce-bda5-cb49d462da42.md | 6 +- .../25684eac-daaa-4c2c-94b4-8d2dbb627909.md | 8 +- .../2583fab1-953b-4fae-bd02-4a136a6c21f9.md | 20 +- .../25c0228e-4444-459b-a2df-93c7df40b7ed.md | 8 +- .../2ade1579-4b2c-4590-bebb-f99bf597f612.md | 12 +- 
.../350f3955-b5be-436f-afaa-3d2be2fa6cdd.md | 8 +- .../3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md | 4 +- .../43f6e60c-9cdb-4e77-864d-a66595d26518.md | 12 +- .../488847ff-6031-487c-bf42-98fd6ac5c9a0.md | 8 +- .../4d2cf896-c053-4be5-9c95-8b4771112f29.md | 4 +- .../4d522e7b-f938-4d51-a3b1-974ada528bd3.md | 4 +- .../564b70f8-41cd-4690-aff8-bb53add86bc9.md | 16 +- .../574e8d82-1db2-4b9c-b526-e320ede9a9ff.md | 4 +- .../59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md | 12 +- .../6797f581-0433-4768-ae3e-7ceb2f8b138e.md | 8 +- .../6a3201a5-1630-494b-b294-3129d06b0eca.md | 8 +- .../70111098-7f85-48f0-b1b4-e4261cf5f61b.md | 12 +- .../79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md | 24 +- .../7c25f361-7c66-44bf-9b69-022acd5eb4bd.md | 8 +- .../83130a07-235b-4a80-918b-a370e53f0bd9.md | 16 +- .../89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md | 12 +- .../8fa9ceea-881f-4ef0-b0b8-728f589699a7.md | 8 +- .../90120147-f2e7-4fda-bb21-6fa9109afd63.md | 8 +- .../9073f073-5d60-4b46-b569-0d6baa80ed95.md | 12 +- .../92302b47-b0cc-46cb-a28f-5610ecda140b.md | 8 +- .../9307a2ed-35c2-413d-94de-a1a0682c2158.md | 8 +- .../9b09dee1-f09b-4013-91d2-158fa4695f4b.md | 8 +- .../a0ab985d-660b-41f7-ac81-70957ee8e627.md | 12 +- .../a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md | 12 +- .../a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md | 8 +- .../b5c851d5-00f1-43dc-a8de-3218fd6f71be.md | 8 +- .../bf500309-da53-4dd3-bcf7-95f7974545a5.md | 8 +- .../c09cdac2-7670-458a-bf6c-efad6880973a.md | 8 +- .../c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md | 4 +- .../cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md | 8 +- .../d855ced8-6157-448f-9f1d-f05a41d046f7.md | 6 +- .../e055285c-bc01-48b4-8aa5-8a54acdd29df.md | 8 +- .../e25b56cd-a4d6-498f-ab92-e6296a082097.md | 8 +- .../e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md | 16 +- .../e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md | 12 +- .../f9112910-c7bb-4864-9f5e-2059ba413bb7.md | 16 +- .../20f14e1a-a899-4e79-9f09-b6a84cd4649b.md | 14 +- .../555ab8f9-2001-455e-a077-f2d0f41e2fb9.md | 2 +- .../60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md | 6 
+- .../62ff6823-927a-427f-acf9-f1ea2932d616.md | 14 +- .../0104165b-02d5-426f-abc9-91fb48189899.md | 12 +- .../01986452-bdd8-4aaa-b5df-d6bf61d616ff.md | 4 +- .../01d5a458-a6c4-452a-ac50-054d59275b7c.md | 4 +- .../0264093f-6791-4475-af34-4b8102dcbcd0.md | 4 +- .../027a4b7a-8a59-4938-a04f-ed532512cf45.md | 4 +- .../03879981-efa2-47a0-a818-c843e1441b88.md | 4 +- .../03b38885-8f4e-480c-a0e4-12c1affd15db.md | 8 +- .../045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md | 4 +- .../050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md | 6 +- .../058ac855-989f-4378-ba4d-52d004020da7.md | 4 +- .../06933df4-0ea7-461c-b9b5-104d27390e0e.md | 8 +- .../06adef8c-c284-4de7-aad2-af43b07a8ca1.md | 4 +- .../06b9f52a-8cd5-459b-bdc6-21a22521e1be.md | 12 +- .../06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md | 12 +- .../07dda8de-d90d-469e-9b37-1aca53526ced.md | 16 +- .../086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md | 12 +- .../08b81bb3-0985-4023-8602-b606ad81d279.md | 4 +- .../08e39832-5e42-4304-98a0-aa5b43393162.md | 4 +- .../0a994e04-c6dc-471d-817e-d37451d18a3b.md | 4 +- .../0b0556ea-9cd9-476f-862e-20679dda752b.md | 12 +- .../0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md | 4 +- .../0e5872b4-19a0-4165-8b2f-56d9e14b909f.md | 4 +- .../0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md | 4 +- .../0f139403-303f-467c-96bd-e717e6cfd62d.md | 4 +- .../1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md | 4 +- .../105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md | 8 +- .../124b173b-e06d-48a6-8acd-f889443d97a4.md | 4 +- .../12726829-93ed-4d51-9cbe-13423f4299e1.md | 4 +- .../1819ac03-542b-4026-976b-f37addd59f3b.md | 4 +- .../1a427b25-2e9e-4298-9530-0499a55e736b.md | 4 +- .../1b6322d9-c755-4f8c-b804-32c19250f2d9.md | 4 +- .../1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md | 8 +- .../1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md | 4 +- .../1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md | 4 +- .../1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md | 4 +- .../1fe9d958-ddce-4228-a124-05265a959a8b.md | 8 +- .../209189f3-c879-48a7-9703-fbcfa96d0cef.md | 4 +- .../219f4c95-aa50-44e0-97de-cf71f4641170.md | 16 +- 
.../235ca980-eb71-48f4-9030-df0c371029eb.md | 4 +- .../24d932e1-91f0-46ea-836f-fdbd81694151.md | 4 +- .../2564172f-c92b-4261-9acd-464aed511696.md | 8 +- .../2623d682-dccb-44cd-99d0-54d9fd62f8f2.md | 4 +- .../2730c169-51d7-4ae7-99b5-584379eff1bb.md | 4 +- .../275a3217-ca37-40c1-a6cf-bb57d245ab32.md | 6 +- .../2844c749-bd78-4cd1-90e8-b179df827602.md | 4 +- .../2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md | 4 +- .../2b1d4935-9acf-48a7-8466-10d18bf51a69.md | 4 +- .../2c161e58-cb52-454f-abea-6470c37b5e6e.md | 8 +- .../2ff8e83c-90e1-4d68-a300-6d652112e622.md | 4 +- .../316278b3-87ac-444c-8f8f-a733a28da60f.md | 4 +- .../31733ee2-fef0-4e87-9778-65da22a8ecf1.md | 4 +- .../323db967-c68e-44e6-916c-a777f95af34b.md | 8 +- .../33f41d31-86b1-46a4-81f7-9c9a671f59ac.md | 4 +- .../350cd468-0e2c-44ef-9d22-cfb73a62523c.md | 4 +- .../3609d27c-3698-483a-9402-13af6ae80583.md | 4 +- .../3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md | 8 +- .../37cca703-b74c-48ba-ac81-595b53398e9b.md | 8 +- .../37fa8188-738b-42c8-bf82-6334ea567738.md | 8 +- .../38c64e76-c71e-4d92-a337-60174d1de1c9.md | 20 +- .../39423ce4-9011-46cd-b6b1-009edcd9385d.md | 12 +- .../3ae83918-7ec7-4cb8-80db-b91ef0f94002.md | 4 +- .../3b02569b-fc6f-4153-b3a3-ba91022fed68.md | 8 +- .../3b316b05-564c-44a7-9c3f-405bb95e211e.md | 8 +- .../3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md | 4 +- .../3c3b7a58-b018-4d07-9444-d9ee7156e111.md | 4 +- .../3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md | 4 +- .../3e09413f-471e-40f3-8626-990c79ae63f3.md | 4 +- .../3e293410-d5b8-411f-85fd-7d26294f20c9.md | 4 +- .../42e7dca3-8cce-4325-8df0-108888259136.md | 4 +- .../43356255-495d-4148-ad8d-f6af5eac09dd.md | 4 +- .../44034eda-1c3f-486a-831d-e09a7dd94354.md | 4 +- .../445020f6-b69e-4484-847f-02d4b7768902.md | 4 +- .../4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md | 4 +- .../456b00a3-1072-4149-9740-6b8bb60251b0.md | 4 +- .../48677914-6fdf-40ec-80c4-2b0e94079f54.md | 4 +- .../48af92a5-c89b-4936-bc62-1086fe2bab23.md | 8 +- .../48c3bc58-6959-4f27-b647-4fedeace23be.md | 4 +- 
.../48f100d9-f499-4c6d-b2b8-deafe47ffb26.md | 4 +- .../493d9591-6249-47bf-8dc0-5c10161cc558.md | 4 +- .../494b03d3-bf40-4464-8524-7c56ad0700ed.md | 16 +- .../4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md | 4 +- .../4a8daf95-709d-4a36-9132-d3e19878fa34.md | 4 +- .../4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md | 8 +- .../4ab10c48-bedb-4deb-8f3b-ff12783b61de.md | 8 +- .../4ae8af91-5108-42cb-9471-3bdbe596eac9.md | 4 +- .../4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md | 4 +- .../4bd21e68-38c1-4d58-acdc-6a14b203237f.md | 4 +- .../4c137350-7307-4803-8c04-17c09a7a9fcf.md | 4 +- .../4cdc88e6-c0c8-4081-a639-bb3a557cbedf.md | 6 +- .../4d32780f-43a4-424a-a06d-943c543576a5.md | 4 +- .../4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md | 8 +- .../4e88adee-a8eb-4605-a78d-9fb1096e3091.md | 4 +- .../4f0908b9-eb66-433f-9145-134274e1e944.md | 4 +- .../4fbfee74-8186-40d5-a24e-4baa76a855de.md | 4 +- .../52790cad-d60d-41d5-8483-146f9f21208d.md | 8 +- .../568cc372-ca64-420d-9015-ee347d00d288.md | 4 +- .../57b12981-3816-4c31-b190-a1e614361dd2.md | 4 +- .../5864fb39-d719-4182-80e2-89dbe627be63.md | 4 +- .../5906092d-5f74-490d-9a03-78febe0f65e1.md | 8 +- .../59a849c2-1127-4023-85a5-ef906dcd458c.md | 4 +- .../5b033ec8-f079-4323-b5c8-99d4620433a9.md | 16 +- .../5b48c507-0d1f-41b0-a630-76817c6b4189.md | 4 +- .../5beacce3-4020-4a3d-9e1d-a36f953df630.md | 8 +- .../5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md | 4 +- .../5c666ed9-b586-49ab-9873-c495a833b705.md | 4 +- .../5d3c1807-acb3-4bb0-be4e-0440230feeaf.md | 8 +- .../5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md | 4 +- .../5e7acff5-095b-40ac-9073-ac2e4ad8a512.md | 4 +- .../5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md | 12 +- .../60a05ede-0a68-4d0d-a58f-f538cf55ff79.md | 4 +- .../61a94903-3cd3-4780-88ec-fc918819b9c8.md | 4 +- .../64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md | 8 +- .../65844ba3-03a1-40a8-b3dd-919f122e8c95.md | 10 +- .../65d07da5-9af5-44df-8983-52d2e6f24c44.md | 12 +- .../6685d912-d81f-4cfa-95ad-e316ea31c989.md | 12 +- .../66f2d8f9-a911-4ced-ae27-34f09690bb2c.md | 4 +- 
.../68b6a789-82f8-4cfd-85de-e95332fe6a61.md | 4 +- .../6b5b0313-771b-4319-ad7a-122ee78700ef.md | 6 +- .../6c131358-c54d-419b-9dd6-1f7dd41d180c.md | 8 +- .../6c8d51af-218d-4bfb-94a9-94eabaa0703a.md | 4 +- .../6d087495-2a42-4735-abf7-02ef5660a7e6.md | 4 +- .../6d64f311-3da6-45f3-80f1-14db9771ea40.md | 4 +- .../6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md | 4 +- .../6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md | 4 +- .../6ef03ff6-a2bd-483c-851f-631f248bc0ea.md | 12 +- .../709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md | 4 +- .../71493c8b-3014-404c-9802-078b74496fb7.md | 8 +- .../73980e43-f399-4fcc-a373-658228f7adf7.md | 12 +- .../73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md | 4 +- .../74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md | 4 +- .../75be209d-1948-41f6-a8c8-e22dd0121134.md | 4 +- .../76ddf32c-85b1-4808-8935-7eef8030ab36.md | 4 +- .../7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md | 4 +- .../77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md | 4 +- .../78055456-f670-4d2e-94d5-392d1cf4f5e4.md | 16 +- .../783860a3-6dca-4c8b-81d0-7b62769ccbca.md | 12 +- .../79d745f0-d5f3-46db-9504-bef73e9fd528.md | 4 +- .../7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md | 4 +- .../7f65be75-90ab-4036-8c2a-410aef7bb650.md | 4 +- .../7f8843f0-9ea5-42b4-a02b-753055113195.md | 4 +- .../7f8f1b60-43df-4c28-aa21-fb836dbd8071.md | 12 +- .../7fd0d461-5b8c-4815-898c-f2b4b117eb28.md | 16 +- .../800fa019-49dd-421b-9042-7331fdd83fa2.md | 4 +- .../80908a75-586b-4c61-ab04-490f4f4525b8.md | 4 +- .../809f77f8-d10e-4842-a84f-3be7b6ff1190.md | 4 +- .../80b7ac3f-d2b7-4577-9b10-df7913497162.md | 8 +- .../80d45af4-4920-4236-a56e-b7ef419d1941.md | 8 +- .../818f38ed-8446-4132-9c03-474d49e10195.md | 4 +- .../8275fab0-68ec-4705-bbf4-86975edb170e.md | 8 +- .../829ce3b8-065c-41a3-ad57-e0accfea82d2.md | 4 +- .../835d5497-a526-4aea-a23f-98a9afd1635f.md | 16 +- .../837e033c-4717-40bd-807e-6abaa30161b7.md | 4 +- .../839f238f-2e3a-4a72-b945-8abdf91af955.md | 4 +- .../85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md | 12 +- .../860ba89b-b8de-4e72-af54-d6aee4138a69.md | 4 +- 
.../86a248ab-0e01-4564-a82a-878303e253bb.md | 8 +- .../87482183-a8e7-4e42-a566-7a23ec231c16.md | 4 +- .../88d55d94-315d-4564-beee-d2d725feab11.md | 4 +- .../89827c57-5a8a-49eb-9731-976a606d70db.md | 8 +- .../8a6d36cd-0bc6-42b7-92c4-67acc8576861.md | 8 +- .../8c415f6f-7b90-4a27-a44a-51047e1506f9.md | 4 +- .../8d29754a-2a18-460d-a1ba-9509f8d359da.md | 65 +++- .../8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md | 12 +- .../8df8e857-bd59-44fa-9f4c-d77594b95b46.md | 4 +- .../8f957abd-9703-413d-87d3-c578950a753c.md | 4 +- .../9025b2b3-e554-4842-ba87-db7aeec36d35.md | 8 +- .../90501b1b-cded-4cc1-9e8b-206b85cda317.md | 4 +- .../9488c451-074e-4cd3-aee3-7db6104f542c.md | 8 +- .../953b3cdb-ce13-428a-aa12-318726506661.md | 4 +- .../9564406d-e761-4e61-b8d7-5926e3ab8e79.md | 12 +- .../97e94d17-e2c7-4109-a53b-6536ac1bb64e.md | 4 +- .../9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md | 8 +- .../9b83114b-b2a1-4534-990d-06da015e47aa.md | 4 +- .../9c7028d9-04c2-45be-b8b2-1188ccaefb36.md | 4 +- .../9d13b150-a2ab-42a1-b6f4-142e41f81e52.md | 4 +- .../9e8c89b3-7997-4d15-93e4-7911b9db99fd.md | 4 +- .../9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md | 4 +- .../9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md | 4 +- .../9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md | 8 +- .../a0ae0a4e-712b-4115-8112-51b9eeed9d69.md | 4 +- .../a227ec01-f97a-4084-91a4-47b350c1db54.md | 8 +- .../a25cd877-375c-4121-a640-730929936fac.md | 4 +- .../a2f2800e-614b-4bc8-89e6-fec8afd24800.md | 6 +- .../a3aa0087-8228-4e7e-b202-dc9036972d02.md | 4 +- .../a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md | 4 +- .../a478af30-8c3a-404d-aa64-0b673cee509a.md | 4 +- .../a5366a50-932f-4085-896b-41402714a388.md | 4 +- .../a58d1a2d-4078-4b80-855b-84cc3f7f4540.md | 4 +- .../a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md | 2 +- .../a7f8ac28-eed1-483d-87c8-4c325f022572.md | 2 +- .../a964d6e3-8e1e-4d93-8120-61fa640dd55a.md | 12 +- .../a976d63f-af0e-46e8-b714-8c1a9c4bf768.md | 12 +- .../acc78859-765e-4011-a229-a65ea57db252.md | 4 +- .../ad21e616-5026-4b9d-990d-5b007bfe679c.md | 4 +- 
.../ad7444cf-817a-4765-a79e-2145f7981faf.md | 4 +- .../adcd0082-e90b-4b63-862b-21899f6e6a48.md | 4 +- .../ae03f542-1423-402f-9cef-c834e7ee9583.md | 4 +- .../ae53ce91-42b5-46bf-a84f-9a13366a4f13.md | 4 +- .../b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md | 4 +- .../b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md | 4 +- .../b3de4e4c-14be-4159-b99d-9ad194365e4c.md | 4 +- .../b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md | 8 +- .../b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md | 4 +- .../b7063015-6c31-4658-a8e7-14f98f37fd42.md | 4 +- .../ba766c53-fe71-4bbb-be35-b6803f2ef13e.md | 4 +- .../bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md | 4 +- .../be5b230d-4371-4a28-a441-85dc760e2aa3.md | 4 +- .../be96849c-3df6-49c2-bc16-778a7be2519c.md | 4 +- .../bf4473f1-c8a2-4b1b-8134-bd32efabab93.md | 4 +- .../bf89373a-be40-4c04-99f5-746742dfd7f3.md | 4 +- .../c1282e03-b285-4637-aee7-eefe3a7bb658.md | 4 +- .../c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md | 4 +- .../c333e906-8d8b-4275-b999-78b6318f8dc6.md | 4 +- .../c3ce69fd-e3df-49c6-be78-1db3f802261c.md | 4 +- .../c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md | 4 +- .../c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md | 8 +- .../c689f51b-9203-43b3-9d8b-caed123f706c.md | 6 +- .../c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md | 4 +- .../c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md | 4 +- .../c8dee387-a2e6-4a73-a942-183c975549ac.md | 8 +- .../c9846969-d066-431f-9b34-8c4abafe422a.md | 4 +- .../cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md | 2 +- .../cc8b294f-006f-4f8f-b5bb-0a9140c33131.md | 4 +- .../cdbb0467-2957-4a77-9992-7b55b29df7b7.md | 4 +- .../cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md | 8 +- .../d24389b4-b209-4ff0-8345-dc7a4569dcdd.md | 4 +- .../d53323be-dde6-4457-9a43-42df737e71d2.md | 4 +- .../d6653eee-2d4d-4e6a-976f-6794a497999a.md | 12 +- .../d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md | 4 +- .../d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md | 4 +- .../d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md | 4 +- .../d926aa95-0a04-4abc-b20c-acf54afe38a1.md | 8 +- .../da905474-7454-43c0-b8d2-5756ab951aba.md | 4 +- 
.../dae9c373-8287-462f-8746-6f93dad93610.md | 4 +- .../dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md | 4 +- .../dc1ab429-1481-4540-9b1d-280e3f15f1f8.md | 4 +- .../dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md | 4 +- .../ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md | 4 +- .../de38e1d5-54cb-4111-a868-6f7722695007.md | 4 +- .../de76a0d6-66d5-45c9-9022-f05545b85c78.md | 4 +- .../de77cd9f-0e8b-46cc-b4a4-b6b436838642.md | 8 +- .../dfb56e5d-ee68-446e-b32a-657b62befe69.md | 8 +- .../e200a6f3-c589-49ec-9143-7421d4a2c845.md | 4 +- .../e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md | 8 +- .../e4239438-e639-44aa-adb8-866e400e3ade.md | 4 +- .../e42a3ef0-5325-4667-84bf-075ba1c9d58e.md | 4 +- .../e4ee3903-9225-4b6a-bdfb-e62dbadef821.md | 8 +- .../e4f54ff4-d352-40e8-a096-5141073c37a2.md | 4 +- .../e519ed6a-8328-4b69-8eb7-8fa549ac3050.md | 4 +- .../e52395b4-250b-4c60-81d5-2e58c1d37abc.md | 4 +- .../e649a218-d099-4550-86a4-1231e1fcb60d.md | 16 +- .../e835bd0d-65da-49f7-b6d1-b646da8727e6.md | 4 +- .../ea33fcf7-394b-4d11-a228-985c5d08f205.md | 4 +- .../ed4c48b8-eccc-4881-95c1-09fdae23db25.md | 4 +- .../edbd62d4-8700-41de-b000-b3cfebb5e996.md | 10 +- .../edc95c10-7366-4f30-9b4b-f995c84eceb5.md | 4 +- .../ee12ad32-2863-4c0f-b13f-28272d115028.md | 8 +- .../ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md | 4 +- .../ef05a925-8568-4054-8ff1-f5ba82631c16.md | 8 +- .../f0104061-8bfc-4b45-8a7d-630eb502f281.md | 4 +- .../f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md | 4 +- .../f4cf35d6-da92-48de-ab70-57be2b2e6497.md | 4 +- .../f57f849c-883b-4cb7-85e7-f7b199dff163.md | 4 +- .../f6049677-ec4a-43af-8779-5190b6d03cba.md | 4 +- .../f62aa827-4ade-4dc4-89e4-1433d384a368.md | 4 +- .../f6397a20-4cf1-4540-a997-1d363c25ef58.md | 4 +- .../f6d299d2-21eb-41cc-b1e1-fe12d857500b.md | 4 +- .../f80e3aa7-7b34-4185-954e-440a6894dde6.md | 4 +- .../f914357d-8386-4d56-9ba6-456e5723f9a6.md | 6 +- .../f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md | 4 +- .../f988a17f-1139-46a3-8928-f27eafd8b024.md | 12 +- .../f9b10cdb-eaab-4e39-9793-e12b94a582ad.md | 4 +- 
.../faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md | 4 +- .../fb2b0ecf-1492-491a-a70d-ba1df579175d.md | 4 +- .../fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md | 12 +- .../fcbf9019-566c-4832-a65c-af00d8137d2b.md | 4 +- .../fe974ae9-858e-4991-bbd5-e040a834679f.md | 4 +- .../ffee2785-c347-451e-89f3-11aeb08e5c84.md | 16 +- .../a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md | 96 +++--- .../255b0fcc-9f82-41fe-9229-01b163e3376b.md | 2 +- .../6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md | 2 +- .../72840c35-3876-48be-900d-f21b2f0c2ea1.md | 2 +- .../7b590235-1ff4-421b-b9ff-5227134be9bb.md | 2 +- .../83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md | 2 +- .../9296f1cc-7a40-45de-bd41-f31745488a0e.md | 2 +- .../934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md | 2 +- .../a507daa5-0795-4380-960b-dd7bb7c56661.md | 2 +- .../bdecd6db-2600-47dd-a10c-72c97cf17ae9.md | 2 +- .../d9dc6429-5140-498a-8f55-a10daac5f000.md | 4 +- .../dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md | 2 +- .../e50eb68a-a4af-4048-8bbe-8ec324421469.md | 2 +- .../e6cd49ba-77ed-417f-9bca-4f5303554308.md | 6 +- .../6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md | 2 +- .../b2418936-cd47-4ea2-8346-623c0bdb87bd.md | 2 +- .../6c2d627c-de0f-45fb-b33d-dad9bffbb421.md | 2 +- .../b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md | 2 +- .../071a71ff-f868-47a4-ac0b-3c59e4ab5443.md | 2 +- .../1c1325ff-831d-43a1-973e-839ae57dfcc0.md | 8 +- .../221e0658-cb2a-44e3-b08a-db96a341d6fa.md | 4 +- .../27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md | 4 +- .../2fc99041-ddad-49d5-853f-e35e70a48391.md | 8 +- .../404fde2c-bc4b-4371-9747-7054132ac953.md | 4 +- .../451d79dc-0588-476a-ad03-3c7f0320abb3.md | 6 +- .../4d9f44c6-2f4a-4317-9bb5-267adbea0232.md | 2 +- .../4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md | 6 +- .../610e266e-6c12-4bca-9925-1ed0cd29742b.md | 2 +- .../698ed579-b239-4f8f-a388-baa4bcb13ef8.md | 6 +- .../6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md | 10 +- .../8af7162d-6c98-482f-868e-0d33fb675ca8.md | 2 +- .../ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md | 4 +- .../baa3890f-bed7-46f5-ab8f-1da8fc91c729.md | 4 +- 
.../baa452f0-1f21-4a25-ace5-844e7a5f410d.md | 8 +- .../bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md | 10 +- .../bc2908f3-f73c-40a9-8793-c1b7d5544f79.md | 24 +- .../ce14a68b-1668-41a0-ab7d-facd9f784742.md | 4 +- .../ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md | 8 +- .../d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md | 2 +- .../0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md | 6 +- .../00481784-25aa-4a55-8633-3136dfcf4f37.md | 2 +- .../02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md | 2 +- .../22cd11f7-9c6c-4f6e-84c0-02058120b341.md | 2 +- .../295acb63-9246-4b21-b441-7c1f1fb62dc0.md | 2 +- .../38300d1a-feb2-4a48-936a-d1ef1cd24313.md | 2 +- .../41c195f4-fc31-4a5c-8a1b-90605538d49f.md | 2 +- .../45e1fca5-f90e-465d-825f-c2cb63fa3944.md | 2 +- .../4b410d24-1cbe-4430-a632-62c9a931cf1c.md | 2 +- .../562952e4-0348-4dea-9826-44f3a2c6117b.md | 2 +- .../5907595b-5b6d-4142-b173-dbb0e73fbff8.md | 2 +- .../5fa731ea-e844-47a6-a1e8-abc25e95847e.md | 14 +- .../6452c424-1d92-4deb-bb18-a03e95d579c4.md | 2 +- .../67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md | 2 +- .../68a51e22-ae5a-4d48-8e87-b01a323605c9.md | 2 +- .../6938958b-3f1a-451c-909b-baeee14bdc97.md | 2 +- .../6b376af8-cfe8-49ab-a08d-f32de23661a4.md | 2 +- .../6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md | 2 +- .../6e19193a-8753-436d-8a09-76dcff91bb03.md | 2 +- .../71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md | 2 +- .../7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md | 2 +- .../77783205-c4ca-4f80-bb80-c777f267c547.md | 6 +- .../7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md | 2 +- .../8a301064-c291-4b20-adcb-403fe7fd95fd.md | 4 +- .../8ada6e80-0ade-439e-b176-0b28f6bce35a.md | 2 +- .../93d88cf7-f078-46a8-8ddc-178e03aeacf1.md | 2 +- .../9513a694-aa0d-41d8-be61-3271e056f36b.md | 2 +- .../965a08d7-ef86-4f14-8792-4a3b2098937e.md | 2 +- .../99614418-f82b-4852-a9ae-5051402b741c.md | 2 +- .../9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md | 2 +- .../9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md | 2 +- .../9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md | 4 +- .../aa93e17f-b6db-4162-9334-c70334e7ac28.md | 2 +- 
.../ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md | 2 +- .../b03a748a-542d-44f4-bb86-9199ab4fd2d5.md | 2 +- .../b16e8501-ef3c-44e1-a543-a093238099c9.md | 2 +- .../b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md | 2 +- .../b86987e1-6397-4619-81d5-8807f2387c79.md | 2 +- .../cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md | 2 +- .../d3499f6d-1651-41bb-a9a7-de925fea487b.md | 2 +- .../df746b39-6564-4fed-bf85-e9c44382303c.md | 2 +- .../e36d8880-3f78-4546-b9a1-12f0745ca0d5.md | 2 +- .../efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md | 2 +- .../f2daed12-c802-49cd-afed-fe41d0b82fed.md | 2 +- .../f2f903fb-b977-461e-98d7-b3e2185c6118.md | 2 +- .../f45ea400-6bbe-4501-9fc7-1c3d75c32067.md | 2 +- .../f4a6bcd3-e231-4acf-993c-aa027be50d2e.md | 2 +- .../fc775e75-fcfb-4c98-b2f2-910c5858b359.md | 2 +- .../fd54f200-402c-4333-a5a4-36ef6709af2f.md | 2 +- .../1239f54b-33de-482a-8132-faebe288e6a6.md | 2 +- .../227c2f58-70c6-4432-8e9a-a89c1a548cf5.md | 4 +- .../268c65a8-58ad-43e4-9019-1a9bbc56749f.md | 2 +- .../28727987-e398-49b8-aef1-8a3e7789d111.md | 6 +- .../313d6deb-3b67-4948-b41d-35b699c2492e.md | 6 +- .../48c61fbd-09c9-46cc-a521-012e0c325412.md | 4 +- .../50cb6c3b-c878-4b88-b50e-d1421bada9e8.md | 6 +- .../62c8cf50-87f0-4295-a974-8184ed78fe02.md | 4 +- .../63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md | 6 +- .../660360d3-9ca7-46d1-b147-3acc4002953f.md | 6 +- .../6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md | 2 +- .../6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md | 6 +- .../77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md | 4 +- .../7c98538a-81c6-444b-bf04-e60bc3ceeec0.md | 2 +- .../7ef7d141-9fbb-4679-a977-fd0883436906.md | 6 +- .../8212e2d7-e683-49bc-bf78-d6799075c5a7.md | 2 +- .../83103dff-d57f-42a8-bd81-40abab64c1a7.md | 2 +- .../8810968b-4b15-421d-918b-d91eb4bb8d1d.md | 2 +- .../9038b526-4c19-4928-bca2-c03d503bdb79.md | 4 +- .../95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md | 4 +- .../9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md | 2 +- .../a21b8df3-c840-4b3d-a41a-10fb2afda171.md | 2 +- .../a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md | 6 +- 
.../ad0875c1-0b39-4890-9149-173158ba3bba.md | 4 +- .../bbfc97ab-e92a-4a7b-954c-e88cec815011.md | 4 +- .../c47f90e8-4a19-43f0-8413-cc434d286c4e.md | 8 +- .../c759d6f2-4dd3-4160-82d3-89202ef10d87.md | 2 +- .../c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md | 2 +- .../dbe058d7-b82e-430b-8426-992b2e4677e7.md | 2 +- .../dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md | 8 +- .../dd690686-2bf9-4012-a821-f61912dd77be.md | 6 +- .../dee21308-2a7a-49de-8ff7-c9b87e188575.md | 6 +- .../df58d46c-783b-43e0-bdd0-d99164f712ee.md | 2 +- .../e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md | 2 +- .../fc040fb6-4c23-4c0d-b12a-39edac35debb.md | 6 +- .../e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md | 2 +- .../02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md | 14 +- .../03aabc8c-35d6-481e-9c85-20139cf72d23.md | 2 +- .../0401f71b-9c1e-4821-ab15-a955caa621be.md | 4 +- .../056ac60e-fe07-4acc-9b34-8e1d51716ab9.md | 2 +- .../05fb986f-ac73-4ebb-a5b2-7faafa93d882.md | 2 +- .../075ca296-6768-4322-aea2-ba5063b969a9.md | 4 +- .../09bb9e96-8da3-4736-b89a-b36814acca60.md | 4 +- .../10efce34-5af6-4d83-b414-9e096d5a06a9.md | 2 +- .../1123031a-f921-4c5b-bd86-ef354ecfd37a.md | 2 +- .../13a49a2e-488e-4309-a7c0-d6b05577a5fb.md | 6 +- .../14abda69-8e91-4acb-9931-76e2bee90284.md | 2 +- .../1828a670-5957-4bc5-9974-47da228f75e2.md | 6 +- .../192fe40b-b1c3-448a-aba2-6cc19a300fe3.md | 2 +- .../19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md | 2 +- .../1a07a446-8e61-4e4d-bc16-b0781fcb8211.md | 8 +- .../1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md | 4 +- .../1acd93f1-5a37-45c0-aaac-82ece818be7d.md | 4 +- .../1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md | 8 +- .../1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md | 2 +- .../1de5cc51-f376-4638-a940-20f2e85ae238.md | 12 +- .../1e749bc9-fde8-471c-af0c-8254efd2dee5.md | 2 +- .../1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md | 4 +- .../2270987f-bb51-479f-b8be-3ca73e5ad648.md | 2 +- .../229588ef-8fde-40c8-8756-f4f2b5825ded.md | 4 +- .../235236ee-ad78-4065-bd29-61b061f28ce0.md | 2 +- .../249328b8-5f0f-409f-b1dd-029f07882e11.md | 2 +- 
.../26763a1c-5dda-4772-b507-5fca7fb5f165.md | 2 +- .../268ca686-7fb7-4ae9-b129-955a2a89064e.md | 2 +- .../2940d48a-dc5e-4178-a3f8-bfbd80720b41.md | 8 +- .../2b1836f1-dcce-416e-8e16-da8c71920633.md | 2 +- .../2f1a0619-b12b-48a0-825f-993bb6f01d58.md | 2 +- .../2f491173-6375-4a84-b28e-a4e2b9a58a69.md | 14 +- .../2f652c42-619d-4361-b361-9f599688f8ca.md | 2 +- .../302736f4-b16c-41b8-befe-c0baffa0bd9d.md | 2 +- .../32ecd76e-7bbf-402e-bf48-8b9485749558.md | 4 +- .../33fc6923-6553-4fe6-9d3a-4efa51eb874b.md | 2 +- .../35c0a471-f7c8-4993-aa2c-503a3c712a66.md | 6 +- .../36a27826-1bf5-49da-aeb0-a60a30c0e834.md | 6 +- .../3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md | 2 +- .../38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md | 2 +- .../3ca03a61-3249-4c16-8427-6f8e47dda729.md | 4 +- .../3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md | 2 +- .../3d658f8b-d988-41a0-a841-40043121de1e.md | 2 +- .../3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md | 2 +- .../46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2.md | 8 +- .../48471392-d4d0-47c0-b135-cdec95eb3eef.md | 4 +- .../48a5beba-e4c0-4584-a2aa-e6894e4cf424.md | 8 +- .../49113af4-29ca-458e-b8d4-724c01a4a24f.md | 4 +- .../4a20ebac-1060-4c81-95d1-1f7f620e983b.md | 8 +- .../4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md | 2 +- .../4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md | 4 +- .../510d5810-9a30-443a-817d-5c1fa527b110.md | 8 +- .../52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md | 8 +- .../5308a7a8-06f8-45ac-bf10-791fe21de46e.md | 2 +- .../5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md | 4 +- .../5744cbb8-5946-4b75-a196-ade44449525b.md | 2 +- .../583053b7-e632-46f0-b989-f81ff8045385.md | 2 +- .../591ade62-d6b0-4580-b1ae-209f80ba1cd9.md | 2 +- .../592ad21d-ad9b-46c6-8d2d-fad09d62a942.md | 4 +- .../5da47109-f8d6-4585-9e2b-96a8958a12f5.md | 4 +- .../5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md | 6 +- .../611ab018-c4aa-4ba2-b0f6-a448337509a6.md | 10 +- .../69bbc5e3-0818-4150-89cc-1e989b48f23b.md | 2 +- .../6a68bebe-c021-492e-8ddb-55b0567fb768.md | 2 +- .../6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md | 2 +- 
.../6b896afb-ca07-467a-b256-1a0077a1c08e.md | 2 +- .../6cf42c97-facd-4fda-b8af-ea4529123355.md | 8 +- .../6d173be7-545a-46c6-a81d-2ae52ed1605d.md | 2 +- .../7307579a-3abb-46ad-9ce5-2a915634d5c8.md | 2 +- .../73e251f0-363d-4e53-86e2-0a93592437eb.md | 4 +- .../768aab52-2504-4a2f-a3e3-329d5a679848.md | 6 +- .../7c81d34c-8e5a-402b-9798-9f442630e678.md | 2 +- .../80f93444-b240-4ebb-a4c6-5c40b76c04ea.md | 2 +- .../8320826e-7a9c-4b0b-9535-578333193432.md | 2 +- .../845acfbe-3e10-4b8e-b656-3b404d36dfb2.md | 2 +- .../85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md | 2 +- .../87554eef-154d-411d-bdce-9dbd91e56851.md | 2 +- .../895a5a95-3756-4b04-9924-2f3bc93181bd.md | 4 +- .../8b36775e-183d-4d46-b0f7-96a6f34a723f.md | 2 +- .../8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md | 2 +- .../8cf4671a-cf3d-46fc-8389-21e7405063a2.md | 2 +- .../9127f0d9-2310-42e7-866f-5fd9d20dcbad.md | 4 +- .../91dacd0e-d189-4a9c-8272-5999a3cc32d9.md | 2 +- .../9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md | 4 +- .../94b76ea5-e074-4ca2-8a03-c5a606e30645.md | 2 +- .../9587c890-0524-40c2-9ce2-663af7c2f063.md | 4 +- .../98ce8b81-7707-4734-aa39-627c6db3d84b.md | 2 +- .../9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md | 2 +- .../9f85c3f6-26fd-4007-938a-2e0cb0100980.md | 2 +- .../a31b7b82-d994-48c4-bd21-3bab6c31827a.md | 2 +- .../a33e9173-b674-4dfb-9d82-cf3754816e4b.md | 2 +- .../a5530bd7-225a-48f9-91bb-f40b04200165.md | 2 +- .../a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md | 2 +- .../a6f34658-fdfb-4154-9536-56d516f65828.md | 2 +- .../a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md | 2 +- .../a97a340a-0063-418e-b3a1-3028941d0995.md | 2 +- .../a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md | 2 +- .../aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md | 2 +- .../aafa7d94-62de-4fbf-8838-b69ee217b0e6.md | 2 +- .../ade74944-a674-4e00-859e-c6eab5bde441.md | 2 +- .../ae8827e2-4af9-4baa-9998-87539ae0d6f0.md | 2 +- .../aee3c7d2-a811-4201-90c7-11c028be9a46.md | 2 +- .../afa36afb-39fe-4d94-b9b6-afb236f7a03d.md | 2 +- .../b14d1bc4-a208-45db-92f0-e21f8e2588e9.md | 4 +- 
.../b23e9b98-0cb6-4fc9-b257-1f3270442678.md | 2 +- .../b7652612-de4e-4466-a0bf-1cd81f0c6063.md | 2 +- .../b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md | 2 +- .../b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md | 4 +- .../b9380fd3-5ffe-4d10-9290-13e18e71eee1.md | 4 +- .../b9c83569-459b-4110-8f79-6305aa33cb37.md | 2 +- .../bb241e61-77c3-4b97-9575-c0f8a1e008d0.md | 2 +- .../bf36b900-b5ef-4828-adb7-70eb543b7cfb.md | 4 +- .../c1032cf7-3628-44e2-bd53-38c17cf31b6b.md | 2 +- .../c48e57d3-d642-4e0b-90db-37f807b41b91.md | 2 +- .../c589f42c-7924-4871-aee2-1cede9bc7cbc.md | 2 +- .../ca469dd4-c736-448f-8ac1-30a642705e0a.md | 2 +- .../caa3479d-885d-4882-9aac-95e5e78ef5c2.md | 6 +- .../caa93370-791f-4fc6-814b-ba6ce0cb4032.md | 2 +- .../cb7e695d-6a85-495c-b15f-23aed2519303.md | 2 +- .../cbd2db69-0b21-4c14-8a40-7710a50571a9.md | 2 +- .../ccc98ff7-68a7-436e-9218-185cb0b0b780.md | 2 +- .../cd290efd-6c82-4e9d-a698-be12ae31d536.md | 2 +- .../cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md | 2 +- .../ce30e584-b33f-4c7d-b418-a3d7027f8f60.md | 2 +- .../cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md | 8 +- .../d2ad057f-0928-41ef-a83c-f59203bb855b.md | 2 +- .../d45330fd-f58d-45fb-a682-6481477a0f84.md | 2 +- .../d740d048-8ed3-49d3-b77b-6f072f3b669e.md | 2 +- .../d89a15bb-8dba-4c71-9529-bef6729b9c09.md | 12 +- .../da9f3aa8-fbfb-472f-b5a1-576127944218.md | 6 +- .../dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md | 2 +- .../dbbc6705-d541-43b0-b166-dd4be8208b54.md | 4 +- .../dd29336b-fe57-445b-a26e-e6aa867ae609.md | 4 +- .../de4421f1-4e35-43b4-9783-737dd4e4a47e.md | 6 +- .../e0099af2-fe17-411f-9991-0de28fe15f3c.md | 2 +- .../e0e00aba-5f1c-4981-a542-9a9563c0ee20.md | 12 +- .../e17fa86a-6222-4584-a914-56e8f6c87e06.md | 2 +- .../e3aa0612-4351-4a0d-983f-aefea25cf203.md | 2 +- .../e84eaf4d-2f45-47b2-abe8-e581b06deb66.md | 2 +- .../ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md | 2 +- .../ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md | 6 +- .../f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md | 12 +- .../f377b83e-bd07-4f48-a591-60c82b14a78b.md | 8 +- 
.../f922827f-aab6-447c-832a-e1ff63312bd3.md | 2 +- .../fa4def8c-1898-4a35-a139-7b76b1acdef0.md | 4 +- .../fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md | 4 +- .../00b78adf-b83f-419c-8ed8-c6018441dd3a.md | 12 +- .../013bdb4b-9246-4248-b0c3-7fb0fee42a29.md | 12 +- .../015eac96-6313-43c0-84e5-81b1374fa637.md | 4 +- .../0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md | 4 +- .../03856cb2-e46c-4daf-bfbf-214ec93c882b.md | 12 +- .../05505192-ba2c-4a81-9b25-dcdbcc973746.md | 12 +- .../06764426-3c56-407e-981f-caa25db1c149.md | 4 +- .../0b76d993-ee52-43e0-8b39-3787d2ddabf1.md | 4 +- .../0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md | 4 +- .../0de50145-e845-47f4-9a15-23bcf2125710.md | 16 +- .../0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md | 4 +- .../105e20dd-8449-4d71-95c6-d5dac96639af.md | 4 +- .../10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md | 12 +- .../12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md | 12 +- .../151331e2-11f4-4bb6-bd35-9a005e695087.md | 4 +- .../181bd815-767e-4e95-a24d-bb3c87328e19.md | 12 +- .../1908a8ee-927d-4166-8f18-241152170cc1.md | 12 +- .../1a1aea94-745b-40a7-b860-0702ea6ee636.md | 8 +- .../1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md | 4 +- .../20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md | 8 +- .../20cb3159-b219-496b-8dac-54ae3ab2021a.md | 12 +- .../221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md | 4 +- .../237402e2-c2f0-46c9-9cf5-286160cf7bfc.md | 8 +- .../23a9e2d9-8738-4556-a71c-2802b6ffa022.md | 8 +- .../2596545e-1757-4ff7-a15a-8a9a180a42f3.md | 4 +- .../26f06397-36d8-4ce7-b993-17711261d777.md | 8 +- .../274f910a-0665-4f08-b66d-7058fe927dba.md | 4 +- .../281b8071-6226-4a43-911d-fec246d422c2.md | 46 ++- .../2bd608ae-8a1f-457f-b710-c237883cb313.md | 12 +- .../2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md | 4 +- .../2d6646f4-2946-420f-8c14-3232d49ae0cb.md | 8 +- .../2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md | 6 +- .../2da46be4-4317-4650-9285-56d7103c4f93.md | 4 +- .../2e275f16-b627-4d3f-ae73-a6153a23ae8f.md | 4 +- .../2e44e632-d617-43cb-b294-6bfe72a08938.md | 4 +- .../2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md | 12 
+- .../2ea04bef-c769-409e-9179-ee3a50b5c0ac.md | 12 +- .../31dd6fc0-f274-493b-9614-e063086c19fc.md | 8 +- .../332cf2ad-380d-4b90-b436-46f8e635cf38.md | 8 +- .../33d96c65-977d-4c33-943f-440baca49185.md | 4 +- .../37140f7f-724a-4c87-a536-e9cee1d61533.md | 8 +- .../376c9390-7e9e-4cb8-a067-fd31c05451fd.md | 4 +- .../3847280c-9193-40bc-8009-76168e822ce2.md | 4 +- .../3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md | 4 +- .../39cb32f2-3a42-4af0-8037-82a7a9654b6c.md | 4 +- .../3a01790c-ebee-4da6-8fd3-e78657383b75.md | 8 +- .../3b066059-f411-4554-ac8d-96f32bff90da.md | 8 +- .../3b497874-ae59-46dd-8d72-1868a3b8f150.md | 12 +- .../3b615f00-c443-4ba9-acc4-7c308716917d.md | 8 +- .../3ba0cca1-b815-47bf-ac62-1e584eb64a05.md | 12 +- .../3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md | 4 +- .../3fb03214-25d4-4bd4-867c-c2d8d708a483.md | 12 +- .../40d3df21-c170-4dbe-9c02-4289b51f994f.md | 16 +- .../40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md | 4 +- .../4190dda7-af03-4cf0-a128-70ac1661ca09.md | 8 +- .../429b2106-ba37-43ba-9727-7f699cc611e1.md | 8 +- .../462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md | 8 +- .../46facedc-f243-4108-ab33-583b807d50b0.md | 8 +- .../48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md | 8 +- .../4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md | 12 +- .../4bcbcd52-3028-469f-bc14-02c7dbba2df2.md | 12 +- .../4cac7ace-b0fb-477d-830d-65395d9109d9.md | 8 +- .../4cd8de87-b595-48b6-ab3c-1904567135ab.md | 8 +- .../500ce696-d501-41dd-86eb-eceb011a386f.md | 16 +- .../50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md | 8 +- .../52c0d841-60d6-4a81-88dd-c35fef36d315.md | 8 +- .../543e38f4-1eee-479e-8eb0-15257013aa0a.md | 24 +- .../561710b1-b845-4562-95ce-2397a05ccef4.md | 16 +- .../58f06434-a88c-4f74-826c-db7e10cc7def.md | 8 +- .../5915c20f-dffa-4cee-b5d4-f457ddc0151a.md | 4 +- .../59c2f769-7cc2-49c8-a3de-4e211135cfab.md | 12 +- .../5aea1d7e-b834-4749-b143-2c7ec3bd5922.md | 8 +- .../5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md | 4 +- .../5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md | 8 +- .../60b5f56b-66ff-4e1c-9b62-5753e16825bc.md | 
12 +- .../60fb6621-9f02-473b-9424-ba9a825747d3.md | 12 +- .../663c442d-f918-4f62-b096-0bf5dcbeb655.md | 20 +- .../68e5fcac-390c-4939-a373-6074b7be7c71.md | 4 +- .../6952a7e0-6e48-4285-bbc1-27c64e60f888.md | 16 +- .../698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md | 4 +- .../6998389e-66b2-473d-8d05-c8d71ac4d04d.md | 12 +- .../69d7aefd-149d-47b8-8d89-1c2181a8067b.md | 8 +- .../6a2c219f-da5e-4745-941e-5ea8cde23356.md | 4 +- .../6b76f589-9713-44ab-97f5-59a3dba1a285.md | 4 +- .../6c35d2c6-09f2-4e5c-a094-e0e91327071d.md | 12 +- .../6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md | 4 +- .../72d259ca-9741-48dd-9f62-eb11f2936b37.md | 12 +- .../73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md | 4 +- .../750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md | 4 +- .../750f6448-27c0-49f8-a153-b81735c1e19c.md | 4 +- .../77276d82-4f45-4cf1-8e2b-4d345b936228.md | 4 +- .../773116aa-2e6d-416f-bd85-f0301cc05d76.md | 4 +- .../7a01dfbd-da62-4165-aed7-71349ad42ab4.md | 4 +- .../7f203940-39c4-4ea7-91ee-7aba16bca9e2.md | 8 +- .../7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md | 4 +- .../801f0c6a-a834-4467-89c6-ddecffb46b5a.md | 4 +- .../815021c8-a50c-46d9-b192-24f71072c400.md | 8 +- .../84c826c9-1893-4b34-8cdd-db97645b4bf3.md | 8 +- .../86b1fa30-9790-4980-994d-a27e0f6f27c1.md | 4 +- .../86e3702f-c868-44b2-b61d-ea5316c18110.md | 12 +- .../881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md | 24 +- .../8aee4754-970d-4c5f-8142-a49dfe388b1a.md | 8 +- .../8af270ce-298b-4405-9922-82a10aee7a4f.md | 8 +- .../8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md | 8 +- .../8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md | 12 +- .../8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md | 12 +- .../8c84f75e-5048-4926-a4cb-33e7b3431300.md | 12 +- .../8d0921d6-4131-461f-a253-99e873f8f77e.md | 8 +- .../8db5544e-4874-4baa-9322-e9f75a2d219e.md | 12 +- .../8fe1846f-52cc-4413-ace9-1933d7d23672.md | 8 +- .../9239c289-9e4c-4d92-8be1-9d506057c971.md | 8 +- .../962fa01e-b791-4dcc-b04a-4a3e7389be5e.md | 4 +- .../9670f240-7b4d-4955-bd93-edaa9fa38b58.md | 4 +- .../96729c6b-7400-4d9e-9807-17f00cdde4d2.md 
| 12 +- .../96beb800-566f-49a9-a0ea-dbdf4bc80429.md | 8 +- .../98295b32-ec09-4b5b-89a9-39853197f914.md | 4 +- .../990eaf09-d6f1-4c3c-b174-a517b1de8917.md | 12 +- .../9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md | 4 +- .../9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md | 8 +- .../9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md | 4 +- .../9d967a2b-9d64-41a6-abea-dfc4960299bd.md | 12 +- .../9f88c88d-824d-4d9a-b985-e22977046042.md | 12 +- .../a0bf7382-5d5a-4224-924c-3db8466026c9.md | 8 +- .../a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md | 8 +- .../a4247b11-890b-45df-bf42-350a7a3af9be.md | 4 +- .../a46928f1-43d7-4671-94e0-2dd99746f389.md | 4 +- .../a4dd69b8-49fa-45d2-a060-c76655405b05.md | 8 +- .../a5375be3-521c-43bb-9eab-e2432e368ee4.md | 8 +- .../a599b0d1-ff89-4cb8-9ece-9951854c06f6.md | 8 +- .../a6847dc6-f4ea-45ac-a81f-93291ae6c573.md | 4 +- .../a68da022-e95a-4bc2-97d3-481e0bd6d446.md | 4 +- .../a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md | 12 +- .../a9228976-10cf-4b5f-b902-9e962aad037a.md | 20 +- .../a92be1d5-d762-484a-86d6-8cd0907ba100.md | 20 +- .../a96bbc06-8cde-4295-ad3c-ee343a7f658e.md | 20 +- .../ab1263c2-81df-46f0-9f2c-0b62fdb68419.md | 8 +- .../ab2af219-cd08-4233-b5a1-a788aac88b51.md | 14 +- .../ae13a37d-943b-47a7-a970-83c8598bcca3.md | 8 +- .../aecee30b-8ea1-4776-a99c-d6d600f0862f.md | 46 ++- .../b05bb927-2df5-43cc-8d7b-6825c0e71625.md | 4 +- .../b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md | 8 +- .../b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md | 8 +- .../b2f275be-7d64-4064-b418-be6b431363a7.md | 8 +- .../b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md | 4 +- .../b3871dd8-9333-4d6c-bd52-67eb898b71ab.md | 4 +- .../b4803607-ed72-4d60-99e2-3fa6edf471c6.md | 4 +- .../b481d46c-9c61-480f-86d9-af07146dc4a4.md | 16 +- .../b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md | 4 +- .../b9db8a10-020c-49ca-88c6-780e5fdb4328.md | 8 +- .../ba066cda-e808-450d-92b6-f29109754d45.md | 4 +- .../ba239cb9-f342-4c20-812d-7b5a2aa6969e.md | 4 +- .../baade968-7467-41e4-bf22-83ca222f5800.md | 20 +- 
.../bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md | 4 +- .../bccfa089-89e4-47e0-a0e5-185fe6902220.md | 4 +- .../be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md | 16 +- .../be1d8733-3731-40c7-a845-734741c6871d.md | 4 +- .../be3e170e-1572-461e-a8b6-d963def581ec.md | 4 +- .../c19779a9-5774-4d2f-a3a1-a99831730375.md | 4 +- .../c254adc4-ef25-46e1-8270-b7944adb4198.md | 8 +- .../c38d630d-a415-4e3e-bac2-65475979ba88.md | 4 +- .../c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md | 4 +- .../c5bb7461-aa57-470b-a714-3bc3d74f4669.md | 12 +- .../c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md | 8 +- .../ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md | 4 +- .../cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md | 8 +- .../ceefb058-8065-418f-9c4c-584a78c7e104.md | 4 +- .../cf4a5f45-a27b-49df-843a-9911dbfe71d4.md | 4 +- .../d15db953-a553-4b8a-9a14-a3d62ea3d79d.md | 4 +- .../d172a060-8569-4412-8045-3560ebd477e8.md | 16 +- .../d2361d58-361c-49f0-9e50-b957fd608b29.md | 8 +- .../d3ea644a-9a5c-4fee-941f-f8a6786c0470.md | 8 +- .../d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md | 4 +- .../d47940ca-5970-45cc-bdd1-4d81398cee1f.md | 4 +- .../d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md | 8 +- .../d674aea4-ba8b-454b-bb97-88a772ea33f0.md | 8 +- .../d86655c0-92f6-4ffc-b4d5-5b5775804c27.md | 8 +- .../d90d4e40-44c1-4125-87a0-e072c3e195b5.md | 8 +- .../d929c031-078f-4241-b802-e224656ad890.md | 8 +- .../dadc2f36-1f5a-46c0-8289-75e626583123.md | 16 +- .../e2ffa504-d22a-4c94-b6c5-f661849d2db7.md | 12 +- .../e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md | 8 +- .../e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md | 4 +- .../e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md | 4 +- .../eb3f9744-d24e-4614-b1ff-2a9514eca21c.md | 4 +- .../ed48229d-d43e-4da7-b453-5f98d964a57a.md | 4 +- .../f2702af5-6016-46cb-bbc8-84c766032095.md | 12 +- .../f29904c8-6041-4bca-b043-dfa0546b8079.md | 4 +- .../f30ee711-0082-4480-85ab-31d922d9a2b2.md | 4 +- .../f368dd2d-9344-4146-a05b-7c6faa1269ad.md | 12 +- .../f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md | 4 +- .../f525cc92-9050-4c41-a75c-890dc6f64449.md | 4 +- 
.../f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md | 8 +- .../f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md | 8 +- .../f985a7d2-d404-4a7f-9814-f645f791e46e.md | 4 +- .../fb7d81e7-4150-48c4-b914-92fc05da6a2f.md | 12 +- .../fb889ae9-2d16-40b5-b41f-9da716c5abc1.md | 4 +- .../fbf699b5-ef74-4542-9cf1-f6eeac379373.md | 12 +- .../95588189-1abd-4df1-9588-b0a5034f9e87.md | 2 +- .../00603add-7f72-448f-a6c0-9e456a7a3f94.md | 2 +- .../2ca87964-fe7e-4cdc-899c-427f0f3525f8.md | 6 +- .../327b0729-4c5c-4c44-8b5c-e476cd9c7290.md | 2 +- .../647de8aa-5a42-41b5-9faf-22136f117380.md | 2 +- .../9850d621-7485-44f7-8bdd-b3cf426315cf.md | 2 +- .../9b18fc19-7fb8-49b1-8452-9c757c70f926.md | 2 +- .../a1120ee4-a712-42d9-8fb5-22595fed643b.md | 6 +- .../b6a7e0ae-aed8-4a19-a993-a95760bf8836.md | 2 +- .../bccb296f-362c-4b05-9221-86d1437a1016.md | 4 +- .../bf4b48b9-fc1f-4552-984a-4becdb5bf503.md | 2 +- .../d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md | 2 +- .../daa581ef-731c-4121-832d-cf078f67759d.md | 2 +- .../de92dd34-1b88-43e8-b825-6e02d73c4549.md | 2 +- .../e93bbe63-a631-4c0f-b6ef-700d48441ff2.md | 2 +- .../f27791a5-e2ae-4905-8910-6f995c576d09.md | 2 +- .../49e30ac8-f58e-4222-b488-3dcb90158ec1.md | 2 +- .../cb8e4bf0-903d-45c6-a278-9a947d82a27b.md | 2 +- .../ee305555-6b1d-4055-94cf-e22131143c34.md | 2 +- .../48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md | 2 +- .../965e8830-2bec-4b9b-a7f0-24dbc200a68f.md | 2 +- .../07fc3413-e572-42f7-9877-5c8fc6fccfb5.md | 2 +- .../0ad60203-c050-4115-83b6-b94bde92541d.md | 2 +- .../15d8a7fd-465a-4d15-a868-add86552f17b.md | 2 +- .../17172bc2-56fb-4f17-916f-a014147706cd.md | 2 +- .../17e52ca3-ddd0-4610-9d56-ce107442e110.md | 2 +- .../21719347-d02b-497d-bda4-04a03c8e5b61.md | 2 +- .../21cef75f-289f-470e-8038-c7cee0664164.md | 6 +- .../228c4c19-feeb-4c18-848c-800ac70fdfb7.md | 2 +- .../24b132df-5cc7-4823-8029-f898e1c50b72.md | 6 +- .../26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md | 2 +- .../2a52567c-abb8-4651-a038-52fa27c77aed.md | 4 +- .../2acb555f-f4ad-4b1b-b984-84e6588f4b05.md | 2 +- 
.../2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md | 2 +- .../3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md | 2 +- .../3f55386d-75cd-4e9a-ac47-167b26c04724.md | 2 +- .../420e6360-47bb-46f6-9072-b20ed22c842d.md | 2 +- .../455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md | 2 +- .../461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md | 8 +- .../48388bd2-7201-4dcc-b56d-e8a9efa58fad.md | 2 +- .../4950837c-0ce5-4e42-9bee-a25eae73740b.md | 2 +- .../4c415497-7410-4559-90e8-f2c8ac64ee38.md | 2 +- .../4e203a65-c8d8-49a2-b749-b124d43c9dc1.md | 2 +- .../4e74cf4f-ff65-4c1a-885c-67ab608206ce.md | 4 +- .../51bed0ac-a8ae-407a-895e-90c6cb0610ce.md | 2 +- .../522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md | 4 +- .../577ac19c-6a77-46d7-9f14-e049cdd15ec2.md | 2 +- .../587d5d82-70cf-449b-9817-f60f9bccb88c.md | 2 +- .../58876b44-a690-4e9f-9214-7735fa0dd15d.md | 2 +- .../5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md | 4 +- .../5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md | 2 +- .../5f4735ce-b9ba-4d95-a089-a37a767b716f.md | 2 +- .../60af03ff-a421-45c8-b214-6741035476fa.md | 2 +- .../6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md | 2 +- .../7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md | 2 +- .../737a0dd9-0aaa-4145-8118-f01778262b8a.md | 2 +- .../826abb30-3cd5-4e0b-a93b-67729b4f7e63.md | 2 +- .../8657197e-3f87-4694-892b-8144701d83c1.md | 2 +- .../86a947ea-f577-4efb-a8b0-5fc00257d521.md | 2 +- .../87065ef8-de9b-40d8-9753-f4a4303e27a4.md | 2 +- .../9aa32890-ac1a-45ee-81ca-5164e2098556.md | 2 +- .../a05331ee-1653-45cb-91e6-13637a76e4f0.md | 2 +- .../a62a99d1-8196-432f-8f80-3c100b05d62a.md | 6 +- .../a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md | 2 +- .../a737be28-37d8-4bff-aa6d-1be8aa0a0015.md | 2 +- .../a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md | 4 +- .../a9a13d4f-f17a-491b-b074-f54bffffcb4a.md | 2 +- .../aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md | 4 +- .../abcb818b-5af7-4d72-aba9-6dd84956b451.md | 2 +- .../ac1564a3-c324-4747-9fa1-9dfc234dace0.md | 2 +- .../ad69e38a-d92e-4357-a8da-f2f29d545883.md | 2 +- .../05db341e-de7d-4972-a106-3e2bd5ee53e1.md | 4 +- 
.../063234c0-91c0-4ab5-bbd0-47ddb5f23786.md | 2 +- .../140869ea-25f2-40d4-a595-0c0da135114e.md | 6 +- .../1455cb21-1d48-46d6-8ae3-cef911b71fd5.md | 4 +- .../1b4565c0-4877-49ac-ab03-adebbccd42ae.md | 4 +- .../1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md | 4 +- .../2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md | 6 +- .../2b13c6ff-b87a-484d-86fd-21ef6e97d426.md | 2 +- .../2bb13841-7575-439e-8e0a-cccd9ede2fa8.md | 6 +- .../39750e32-3fe9-453b-8c33-dd277acdb2cc.md | 4 +- .../41a38329-d81b-4be4-aef4-55b2615d3282.md | 2 +- .../44d434ca-a9bf-4203-8828-4c81a8d5a598.md | 8 +- .../4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md | 2 +- .../5e0fb613-ba9b-44c3-88f0-b44188466bfd.md | 2 +- .../5f670f9d-b1b4-4c90-8618-2288f1ab9676.md | 2 +- .../60587dbd-6b67-432e-90f7-a8cf1892d968.md | 6 +- .../6107c530-7178-464a-88bc-df9cdd364ac8.md | 2 +- .../62232513-b16f-4010-83d7-51d0e1d45426.md | 4 +- .../66505003-7aba-45a1-8d83-5162d5706ef5.md | 2 +- .../67bfdff1-31ce-4525-b564-e94368735360.md | 2 +- .../69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md | 4 +- .../70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md | 4 +- .../72ceb736-0aee-43ea-a191-3a69ab135681.md | 2 +- .../7a1ee8a9-71be-4b11-bb70-efb62d16863b.md | 4 +- .../7db8bd7e-9772-478c-9ec5-4bc202c5686f.md | 4 +- .../81ce9394-013d-4731-8fcc-9d229b474073.md | 6 +- .../88541597-6f88-42c8-bac6-7e0b855e8ff6.md | 4 +- .../89143358-cec6-49f5-9392-920c591c669c.md | 2 +- .../8c0695d8-2378-4cd6-8243-7fd5894fa574.md | 2 +- .../8f98334a-99aa-4d85-b72a-1399ca010413.md | 4 +- .../9ef08939-ea40-489c-8851-667870b2ef50.md | 2 +- .../a597e05a-c065-44e7-9cc8-742f572a504a.md | 6 +- .../a8128dd2-89b0-464b-98e9-5d629041dfe0.md | 4 +- .../a9dfec39-a740-4105-bbd6-721ba163c053.md | 4 +- .../b9b7ada8-3868-4a35-854e-6100a2bb863d.md | 6 +- .../b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md | 4 +- .../c01d10de-c468-4790-b3a0-fc887a56f289.md | 4 +- .../c065b98e-1515-4991-9dca-b602bd6a2fbb.md | 18 +- .../cb319d87-b90f-485e-a7e7-f2408380f309.md | 8 +- .../d2731f3d-a992-44ed-812e-f4f1c2747d71.md | 2 +- 
.../d53f4123-f8d8-4224-8cb3-f920b151cc98.md | 6 +- .../dbfc834a-56e5-4750-b5da-73fda8e73f70.md | 2 +- .../dc158941-28ce-481d-a7fa-dc80761edf46.md | 8 +- .../dcda2d32-e482-43ee-a926-75eaabeaa4e0.md | 6 +- .../dd706080-b7a8-47dc-81fb-3e8184430ec0.md | 4 +- .../e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md | 2 +- .../e8e62026-da63-4904-b402-65adfe3ca975.md | 6 +- .../ec62a32c-a297-41ca-a850-cab40b42094a.md | 2 +- .../ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md | 4 +- .../ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md | 4 +- .../ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md | 2 +- .../f20e97f9-4919-43f1-9be9-f203cd339cdd.md | 4 +- .../f262118c-1ac6-4bb3-8495-cc48f1775b85.md | 2 +- .../faaefc15-51a5-419e-bb5e-51a4b5ab3485.md | 2 +- .../fe286195-e75c-4359-bd58-00847c4f855a.md | 4 +- .../00e5e55e-c2ff-46b3-a757-a7a1cd802456.md | 8 +- .../01d50b14-e933-4c99-b314-6d08cd37ad35.md | 8 +- .../030d3b18-1821-45b4-9e08-50efbe7becbb.md | 2 +- .../034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md | 2 +- .../04c686f1-e0cd-4812-88e1-4e038410074c.md | 2 +- .../051f2063-2517-4295-ad8e-ba88c1bf5cfc.md | 4 +- .../081069cb-588b-4ce1-884c-2a1ce3029fe5.md | 2 +- .../084c6686-2a70-4710-91b1-000393e54c12.md | 4 +- .../08bd0760-8752-44e1-9779-7bb369b2b4e4.md | 6 +- .../09c35abf-5852-4622-ac7a-b987b331232e.md | 6 +- .../0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md | 2 +- .../0a592060-8166-49f5-8e65-99ac6dce9871.md | 2 +- .../0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md | 4 +- .../0a96ce49-4163-4ee6-8169-eb3b0797d694.md | 2 +- .../0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md | 4 +- .../0afbcfe9-d341-4b92-a64c-7e6de0543879.md | 2 +- .../0b4869fc-a842-4597-aa00-1294df425440.md | 2 +- .../0b530315-0ea4-497f-b34c-4ff86268f59d.md | 2 +- .../0b93729a-d882-4803-bdc3-ac429a21f158.md | 24 +- .../0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md | 2 +- .../0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md | 2 +- .../0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md | 12 +- .../0e32d561-4b5a-4664-a6e3-a3fa85649157.md | 2 +- .../0e59d33e-bba2-4037-8f88-9765647ca7ad.md | 2 +- 
.../0f6cbf69-41bb-47dc-93f3-3844640bf480.md | 6 +- .../0fd7d920-4711-46bd-aff2-d307d82cd8b7.md | 2 +- .../113208f2-a886-4526-9ecc-f3218600e12c.md | 2 +- .../118281d0-6471-422e-a7c5-051bc667926e.md | 2 +- .../126c1788-23c2-4a10-906c-ef179f4f96ec.md | 2 +- .../12933609-c5bf-44b4-9a41-a6467c3b685b.md | 2 +- .../12b7e704-37f0-4d1e-911a-44bf60c48c21.md | 2 +- .../132a8c31-9837-4203-9fd1-15ca210c7b73.md | 2 +- .../1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md | 2 +- .../1419b4c6-6d5c-4534-9cf6-6a5266085333.md | 2 +- .../151187cb-0efc-481c-babd-ad24e3c9bc22.md | 2 +- .../15ccec05-5476-4890-ad19-53991eba1db8.md | 2 +- .../15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md | 2 +- .../15ffbacc-fa42-4f6f-a57d-2feac7365caa.md | 2 +- .../16c4216a-50d3-4785-bfb2-4adb5144a8ba.md | 2 +- .../1743f5f1-0bb0-4934-acef-c80baa5dadfa.md | 2 +- .../17b30f8f-8dfb-4597-adf6-57600b6cf25e.md | 2 +- .../19ffbe31-9d72-4379-9768-431195eae328.md | 2 +- .../1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md | 6 +- .../1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e.md | 4 +- .../1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md | 4 +- .../1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md | 2 +- .../1b6799eb-4a7a-4b04-9001-8cceb9999326.md | 2 +- .../1bc1c685-e593-450e-88fb-19db4c82aa1d.md | 2 +- .../1bc367f6-901d-4870-ad0c-71d79762ef52.md | 2 +- .../1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md | 8 +- .../1df37f4b-7197-45ce-83f8-9994d2fcf885.md | 4 +- .../1e0ef61b-ad85-4518-a3d3-85eaad164885.md | 2 +- .../1ec253ab-c220-4d63-b2de-5b40e0af9293.md | 6 +- .../20018359-6fd7-4d05-ab26-d4dffccbdf79.md | 8 +- .../2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md | 2 +- .../2285e608-ddbc-47f3-ba54-ce7121e31216.md | 6 +- .../22fbfeac-7b5a-421a-8a27-7a2178bb910b.md | 10 +- .../23b70e32-032e-4fa6-ba5c-82f56b9980e6.md | 10 +- .../23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md | 8 +- .../24e16922-4330-4e9d-be8a-caa90299466a.md | 2 +- .../254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md | 2 +- .../25d251f3-f348-4f95-845c-1090e41a615c.md | 2 +- .../25db74bf-fa3b-44da-934e-8c3e005c0453.md | 2 +- 
.../27c6a499-895a-4dc7-9617-5c485218db13.md | 10 +- .../28545147-2fc6-42d5-a1f9-cf226658e591.md | 4 +- .../2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md | 2 +- .../2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md | 20 +- .../2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e.md | 2 +- .../2f01fb2d-828a-499d-b98e-b83747305052.md | 2 +- .../2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md | 2 +- .../2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md | 2 +- .../2f737336-b18a-4602-8ea0-b200312e1ac1.md | 4 +- .../30b88745-eebe-4ecb-a3a9-5cf886e96204.md | 2 +- .../31245f98-a6a9-4182-9fc1-45482b9d030a.md | 2 +- .../3199c26c-7871-4cb3-99c2-10a59244ce7f.md | 4 +- .../3206240f-2e87-4e58-8d24-3e19e7c83d7c.md | 2 +- .../33627268-1445-4385-988a-318fd9d1a512.md | 2 +- .../34b921bd-90a0-402e-a0a5-dc73371fd963.md | 2 +- .../35113e6f-2c6b-414d-beec-7a9482d3b2d1.md | 4 +- .../3561130e-9c5f-485b-9e16-2764c82763e5.md | 2 +- .../35ccf766-0e4d-41ed-9ec4-2dab155082b4.md | 2 +- .../37304d3f-f852-40b8-ae3f-725e87a7cedf.md | 2 +- .../381c3f2a-ef6f-4eff-99f7-b169cda3422c.md | 2 +- .../38b85c45-e772-4de8-a247-69619ca137b3.md | 4 +- .../38c5ee0d-7f22-4260-ab72-5073048df100.md | 12 +- .../3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md | 2 +- .../3af7f2fd-06e6-4dab-b996-2912bea19ba4.md | 8 +- .../3b6d777b-76e3-4133-80a3-0d6f667ade7f.md | 4 +- .../3d3f6270-546b-443c-adb4-bb6fb2187ca6.md | 2 +- .../3db3f534-e3a3-487f-88c7-0a9fbf64b702.md | 2 +- .../3dd96caa-0b5f-4a85-b929-acfac4646cc2.md | 2 +- .../3ddfa124-6407-4845-a501-179f90c65097.md | 4 +- .../3deec14b-03d2-4d27-9670-7d79322e3340.md | 2 +- .../3ef8696c-e4ae-4872-92c7-520bb44dfe77.md | 2 +- .../4003118b-046b-4640-b200-b8c7a4c8b89f.md | 2 +- .../41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md | 4 +- .../42bb6b7f-6d54-4428-b707-666f669d94fb.md | 6 +- .../42f4b905-3736-4213-bfe9-c0660518cda8.md | 2 +- .../43a41523-386a-4cb1-becb-42af6b414433.md | 2 +- .../443488f5-c734-460b-a36d-5b3f330174dc.md | 6 +- .../44ceb4fa-0897-4fd2-b676-30e7a58f2933.md | 8 +- .../45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md | 6 +- 
.../46883ce1-dc3e-4b17-9195-c6a601624c73.md | 2 +- .../4728cd65-a20c-49da-8b31-9c08b423e4db.md | 20 +- .../4766d3ea-241c-4ee6-93ff-c380c996bd1a.md | 2 +- .../48207659-729f-4b5c-9402-f884257d794f.md | 2 +- .../482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md | 2 +- .../4849211b-ac39-479e-ae78-5694d506cb24.md | 8 +- .../4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md | 2 +- .../4bb76f17-3d63-4529-bdca-2b454529d774.md | 2 +- .../4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md | 10 +- .../4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md | 2 +- .../4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md | 6 +- .../4c18a45b-4ab1-4790-9f83-399ac695f1e5.md | 8 +- .../4d46ff3b-7160-41d1-a310-71d6d370b08f.md | 6 +- .../4de9de27-254e-424f-bd70-4c1e95790838.md | 8 +- .../4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md | 4 +- .../4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md | 2 +- .../4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md | 2 +- .../4fa66806-0dd9-4f8d-9480-3174d39c7c91.md | 8 +- .../52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md | 6 +- .../52ffcfa6-6c70-4ea6-8376-d828d3961669.md | 2 +- .../54229498-850b-4f78-b3a7-218d24ef2c37.md | 12 +- .../54378d69-dd7c-4b08-a43e-80d563396857.md | 2 +- .../54c417bf-c762-48b9-9d31-b3d87047e3f0.md | 2 +- .../55af1353-2f62-4fa0-a8e1-a210ca2708f5.md | 2 +- .../568a4d22-3517-44a6-a7ad-6a7eed88722c.md | 16 +- .../56a585f5-555c-48b2-8395-e64e4740a9cf.md | 6 +- .../56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md | 8 +- .../571254d8-aa6a-432e-9725-535d3ef04d69.md | 2 +- .../575a2155-6af1-4026-b1af-d5bc8fe2a904.md | 4 +- .../57b9893d-33b1-4419-bcea-a717ea87e139.md | 6 +- .../5813ef56-fa94-406a-b35d-977d4a56ff2b.md | 2 +- .../5864d189-ee9a-4009-ac0c-8a582e6b7919.md | 8 +- .../58b35504-0287-4154-bf69-02c0573deab8.md | 2 +- .../590d878b-abdc-428f-895a-e2b68a0e1998.md | 2 +- .../5a2486aa-facf-477d-a5c1-b010789459ce.md | 6 +- .../5b4d4aee-ac94-4810-9611-833636e5916d.md | 2 +- .../5b8d7527-de8e-4114-b9dd-9d988f1f418f.md | 8 +- .../5ba6229c-8057-433e-91d0-21cf13569ca9.md | 2 +- .../5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md | 2 +- 
.../5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md | 2 +- .../5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md | 8 +- .../5d9e3164-9265-470c-9a10-57ae454ac0c7.md | 2 +- .../5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md | 4 +- .../5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md | 2 +- .../60224630-175a-472a-9e23-133827040766.md | 8 +- .../60263b4a-6801-4587-911d-919c37ed733b.md | 2 +- .../61cf9883-1752-4768-b18c-0d57f2737709.md | 2 +- .../625abc0e-f980-4ac9-a775-f7519ee34296.md | 6 +- .../63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md | 4 +- .../64a222aa-7793-4e40-915f-4b302c76e4d4.md | 4 +- .../656880aa-1388-488f-a6d4-8f73c23149b2.md | 4 +- .../65905cec-d691-4320-b320-2000436cb696.md | 8 +- .../66c6f96f-2d9e-417e-a998-9058aeeecd44.md | 6 +- .../66cd88ac-9ddf-424a-b77e-e55e17630bee.md | 2 +- .../66f130d9-b81d-4e8e-9b08-da74b9c891df.md | 2 +- .../671211c5-5d2a-4e97-8867-30fc28b02216.md | 2 +- .../6726dcc0-5ff5-459d-b473-a780bef7665c.md | 20 +- .../68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md | 6 +- .../69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md | 4 +- .../6b2739db-9c49-4db7-b980-7816e0c248c1.md | 2 +- .../6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md | 6 +- .../6d23d87e-1c5b-4308-b224-92624300f29b.md | 2 +- .../6db03a91-f933-4f13-ab38-a8b87a7de54d.md | 2 +- .../6db52fa6-d4da-4608-908a-89f0c59e743e.md | 2 +- .../6deb34e2-5d9c-499a-801b-ea6d9eda894f.md | 2 +- .../6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md | 2 +- .../6e3fd2ed-5c83-4c68-9679-7700d224d379.md | 12 +- .../6e8849c1-3aa7-40e3-9063-b85ee300f29f.md | 14 +- .../704dadd3-54fc-48ac-b6a0-02f170011473.md | 2 +- .../7081f85c-b94d-40fd-8b45-a4f1cac75e46.md | 2 +- .../70b42736-efee-4bce-80d5-50358ed94990.md | 2 +- .../70cb518c-d990-46f6-bc05-44a5041493d6.md | 2 +- .../730675f9-52ed-49b6-8ead-0acb5dd7df7f.md | 2 +- .../7350fa23-dcf7-4938-916d-6a60b0c73b50.md | 2 +- .../741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md | 4 +- .../75ec6890-83af-4bf1-9f16-e83726df0bd0.md | 2 +- .../76976de7-c7b1-4f64-a94f-90c1345914c2.md | 4 +- .../7782d4b3-e23e-432b-9742-d9528432e771.md | 2 +- 
.../78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md | 2 +- .../7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md | 2 +- .../7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md | 2 +- .../7af43613-6bb9-4a0e-8c4d-1314b799425e.md | 4 +- .../7c96920c-6fd0-449d-9a52-0aa431b6beaf.md | 2 +- .../7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md | 2 +- .../7dbba512-e244-42dc-98bb-422339827967.md | 2 +- .../7e4a6e76-568d-43ef-8c4e-36dea481bff1.md | 2 +- .../7ebc9038-0bde-479a-acc4-6ed7b6758899.md | 6 +- .../8055dec2-efb8-4fe6-8837-d9bed6ff202a.md | 2 +- .../8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md | 2 +- .../816ea8cf-d589-442d-a917-2dd0ce0e45e3.md | 4 +- .../8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md | 6 +- .../846646e3-2af1-428c-ac5d-271eccfa6faf.md | 2 +- .../862fe4bf-3eec-4767-a517-40f378886b88.md | 2 +- .../86571149-eef3-4280-a645-01e60df854b0.md | 4 +- .../874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md | 4 +- .../88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md | 8 +- .../89561b03-cb35-44a9-a7e9-8356e71606f4.md | 2 +- .../89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md | 2 +- .../8b1b1e67-6248-4dca-bbad-93486bb181c0.md | 8 +- .../8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md | 2 +- .../8bfbf7ab-d5e8-4100-8618-798956e101e0.md | 2 +- .../8c849af7-a399-46f7-a34c-32d3dc96f1fc.md | 2 +- .../8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md | 8 +- .../8e94dced-9bcc-4203-8eb7-7e41202b2505.md | 12 +- .../8f3c16b3-354d-45db-8ad5-5066778a9485.md | 2 +- .../8f75840d-9ee7-42f3-b203-b40e3979eb12.md | 2 +- .../8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md | 2 +- .../91bea7b8-0c31-4863-adc9-93f6177266c4.md | 2 +- .../91f16d09-689e-4926-aca7-155157f634ed.md | 2 +- .../92d65c51-5d82-4507-a2a1-d252e9706855.md | 2 +- .../92fe237e-074c-4262-81a4-2077acb928c1.md | 18 +- .../94690d79-b3b0-43de-b656-84ebef5753e5.md | 2 +- .../94fbe150-27e3-4eba-9ca6-af32865e4503.md | 2 +- .../9630336b-3fed-4096-8173-b9afdfe346a7.md | 2 +- .../967eb3e6-26fc-497d-8895-6428beb6e8e2.md | 4 +- .../96e8183b-e985-457b-90cd-61c0503a3369.md | 6 +- .../96ed3526-0179-4c73-b1b2-372fde2e0d13.md | 4 +- 
.../970d224d-b42a-416b-81f9-8f4dfe70c4bc.md | 4 +- .../970ed7a2-0aca-4425-acf1-0453c9ecbca1.md | 2 +- .../97cb0688-369a-4d26-b1f7-86c4c91231bc.md | 2 +- .../982aa526-6970-4c59-8b9b-2ce7e019fe36.md | 2 +- .../98a8f708-121b-455b-ae2f-da3fb59d17e1.md | 10 +- .../98d59056-f745-4ef5-8613-32bca8d40b7e.md | 2 +- .../9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md | 2 +- .../9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md | 4 +- .../9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md | 2 +- .../9b877bd8-94b4-4c10-a060-8e0436cc09fa.md | 2 +- .../9ba198e0-fef4-464a-8a4d-75ea55300de7.md | 2 +- .../9cf718ce-46f9-430e-89ec-c456f8b469ee.md | 4 +- .../9d0d4512-1959-43a2-a17f-72360ff06d1b.md | 6 +- .../9ec311bf-dfd9-421f-8498-0b063c8bc552.md | 2 +- .../9ef7d25d-9764-4224-9968-fa321c56ef76.md | 2 +- .../9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md | 4 +- .../9f4a9409-9c60-4671-be96-9716dbf63db1.md | 2 +- .../a186e82c-1078-4a7b-85d8-579561fde884.md | 2 +- .../a20be318-cac7-457b-911d-04cc6e812c25.md | 8 +- .../a2f548f2-188c-4fff-b172-e9a6acb216bd.md | 2 +- .../a31a5a29-718a-4ff4-8001-a69e5e4d029e.md | 4 +- .../a4966c4f-9141-48b8-a564-ffe9959945bc.md | 4 +- .../a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md | 4 +- .../abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md | 4 +- .../abdb29d4-5ca1-4e91-800b-b3569bbd788c.md | 2 +- .../ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md | 2 +- .../acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md | 4 +- .../ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md | 2 +- .../ad5b4e97-2850-4adf-be17-1d293e0b85ee.md | 6 +- .../ad9dabc7-7839-4bae-a957-aa9120013f39.md | 2 +- .../af173fde-95ea-4584-b904-bb3923ac4bda.md | 2 +- .../afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md | 12 +- .../b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md | 4 +- .../b161c11b-a59b-4431-9a29-4e19f63e6b27.md | 2 +- .../b1a72f66-2236-4f3b-87ba-0da1b366956f.md | 4 +- .../b1ffa705-19a3-4b73-b9d0-0c97d0663842.md | 2 +- .../b2315cae-b110-4426-81e0-80bb8640cdd3.md | 2 +- .../b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md | 2 +- .../b3a41501-f712-4c4f-81e5-db9a7dc0e34e.md | 6 +- 
.../b3a59b8e-94a3-403e-b6e2-527abaf12034.md | 4 +- .../b4378389-a9aa-44ee-91e7-ef183f11079e.md | 6 +- .../b5681959-6c09-4f55-b42b-c40fa12d03ec.md | 2 +- .../b592ffd4-0577-44b6-bd35-8c5ee81b5918.md | 2 +- .../b69247e5-7e73-464e-ba74-ec9b715c6e12.md | 2 +- .../b72d0026-f649-4c91-a9ea-15d8f681ac09.md | 2 +- .../b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md | 2 +- .../b8a31292-509d-4b61-bc40-13b167db7e9c.md | 2 +- .../b9033580-6886-401a-8631-5f19f5bb24c7.md | 8 +- .../ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md | 2 +- .../ba48df05-eaa1-4d64-905e-4a4b051e7587.md | 4 +- .../ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md | 2 +- .../baecd2da-492a-4d59-b9dc-29540a1398e0.md | 10 +- .../bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md | 2 +- .../bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md | 2 +- .../bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md | 2 +- .../bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md | 8 +- .../bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md | 2 +- .../bd0088a5-c133-4b20-b129-ec9968b16ef3.md | 6 +- .../be2aa235-bd93-4b68-978a-1cc65d49082f.md | 2 +- .../bf878b1a-7418-4de3-b13c-3a86cf894920.md | 6 +- .../bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md | 2 +- .../c0c1e744-0f37-445e-924a-1846f0839f69.md | 2 +- .../c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md | 4 +- .../c53c7a89-f9d7-4c7b-8b66-8a555be99593.md | 4 +- .../c583f0f9-7dfd-476b-a056-f47c62b47b46.md | 2 +- .../c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md | 20 +- .../c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md | 2 +- .../c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md | 2 +- .../c999cf62-0920-40f8-8dda-0caccd66ed7e.md | 2 +- .../cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md | 2 +- .../cc997676-481b-4e93-aa81-d19f8c5e9b12.md | 4 +- .../ce089fd4-1406-47bd-8aad-c259772bb294.md | 2 +- .../ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md | 4 +- .../ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md | 2 +- .../ce9dfce0-5fc8-433b-944a-3b16153111a8.md | 2 +- .../cfdcabb0-fc06-427c-865b-c59f13e898ce.md | 2 +- .../d0cc8694-fcad-43ff-ac86-32331d7e867f.md | 6 +- .../d1846b12-20c5-4d45-8798-fc35b79268eb.md | 2 +- 
.../d24c0755-c028-44b1-b503-8e719c898832.md | 6 +- .../d25edb51-07fb-4a73-97d4-41cecdc53a22.md | 2 +- .../d364984a-a222-4b5f-a8b0-e23ab19ebff3.md | 2 +- .../d40210ea-64b9-4cce-a4fb-e8604f3c062c.md | 2 +- .../d6047119-a0b2-4b59-a4f2-127a36fb685b.md | 2 +- .../d7b9d850-3e06-4a75-852f-c46c2e92240b.md | 4 +- .../db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md | 2 +- .../db78d14b-10e5-4e6e-84b1-dace6327b1ec.md | 2 +- .../de7f5e83-da88-4046-871f-ea18504b1d43.md | 4 +- .../e08ed7eb-f3ef-494d-9d22-2e3db756a347.md | 2 +- .../e227091e-2228-4b40-b046-fc13650d8e88.md | 2 +- .../e35c16a2-d54e-419d-8546-a804d8e024d0.md | 2 +- .../e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md | 2 +- .../e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md | 2 +- .../e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md | 2 +- .../e592a0c5-5bdb-414c-9066-5dba7cdea370.md | 2 +- .../e6b4b943-6883-47a9-9739-7ada9568f8ca.md | 4 +- .../e7530c3c-b7cf-4149-8db9-d037a0b5268e.md | 4 +- .../e77c89f6-9c85-49ea-b95b-5f960fe5be92.md | 2 +- .../e86e26fc-489e-44f0-9bcd-97305e4ba69a.md | 2 +- .../e979fcbc-df6c-422d-9458-c33d65e71c45.md | 2 +- .../e9b7acf9-9ba0-4837-a744-31e7df1e434d.md | 4 +- .../eaaba502-2f94-411a-a3c2-83d63cc1776d.md | 4 +- .../eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md | 2 +- .../ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md | 2 +- .../ec49cbfd-fae4-45f3-81b1-860526d66e3f.md | 2 +- .../eccc4d59-74b9-4974-86f1-74386e0c7f33.md | 10 +- .../ed35928e-195c-4405-a252-98ccb664ab7b.md | 2 +- .../eda48c88-2b7d-4e34-b6ca-04c0194aee17.md | 2 +- .../ee49557d-750c-4cc1-aa95-94ab36cbefde.md | 2 +- .../ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md | 6 +- .../eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md | 2 +- .../ef0b316a-211e-42f1-888e-64efe172b755.md | 2 +- .../f0d8781f-99bf-4958-9917-d39283b168a0.md | 4 +- .../f1173d8c-3264-4148-9fdb-61181e031b51.md | 2 +- .../f11aec39-858f-4b6f-b946-0a1bf46c0c87.md | 2 +- .../f1adc521-f79a-4d71-b55b-a68294687432.md | 4 +- .../f3674e0c-f6be-43fa-b71c-bf346d1aed99.md | 2 +- .../f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md | 2 +- 
.../f53f16d6-46a9-4277-9fbe-617b1e24cdca.md | 4 +- .../f83121ea-03da-434f-9277-9cd247ab3047.md | 8 +- .../f861041c-8c9f-4156-acfc-5e6e524f5884.md | 6 +- .../f906113d-cdc0-415a-ba60-609cc6daaf4d.md | 2 +- .../fa00ce45-386d-4718-8392-fb485e1f3c5b.md | 2 +- .../fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md | 2 +- .../fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md | 2 +- .../fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md | 2 +- .../fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md | 4 +- .../fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md | 2 +- .../ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md | 2 +- .../ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md | 6 +- .../0437633b-daa6-4bbc-8526-c0d2443b946e.md | 2 +- .../07f7134f-9f37-476e-8664-670c218e4702.md | 2 +- .../0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1.md | 4 +- .../11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md | 2 +- .../12944ec4-1fa0-47be-8b17-42a034f937c2.md | 2 +- .../16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md | 2 +- .../17f75827-0684-48f4-8747-61129c7e4198.md | 4 +- .../25c0ea09-f1c5-4380-b055-3b83863f2bb8.md | 2 +- .../261a83f8-dd72-4e8c-b5e1-ebf06e8fe606.md | 2 +- .../2ab6de9a-0136-415c-be92-79d2e4fd750f.md | 2 +- .../2b3c671f-1b76-4741-8789-ed1fe0785dc4.md | 2 +- .../2b856bf9-8e8c-4005-875f-303a8cba3918.md | 2 +- .../2bc626a8-0751-446f-975d-8139214fc790.md | 2 +- .../2e48d91c-50e4-45c8-9312-27b625868a72.md | 2 +- .../34664094-59e0-4524-b69f-deaa1a68cce3.md | 2 +- .../3790d386-be81-4dcf-9850-eaa7df6c10d9.md | 2 +- .../38c71c00-c177-4cd7-8d36-cd1007cdb190.md | 2 +- .../3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md | 2 +- .../3e3c175e-aadf-4e2b-a464-3fdac5748d24.md | 2 +- .../3fa5900f-9aac-4982-96b2-a6143d9c99fb.md | 4 +- .../4216ebac-d74c-4423-b437-35025cb88af5.md | 2 +- .../43789711-161b-4708-b5bb-9d1c626f7492.md | 8 +- .../45fc717a-bd86-415c-bdd8-677901be1aa6.md | 4 +- .../48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md | 2 +- .../4a9e0f00-0765-4f72-a0d4-d31110b78279.md | 4 +- .../4d080822-5ee2-49a4-8984-68f3d4c890fc.md | 2 +- .../5089d055-53ff-421b-9482-a5267bdce629.md | 2 +- 
.../525b53be-62ed-4244-b4df-41aecfcb4071.md | 6 +- .../5400f379-a347-4bdd-a032-446465fdcc6f.md | 2 +- .../55975007-f6e7-4134-83c3-298f1fe4b519.md | 4 +- .../56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md | 2 +- .../594c198b-4d79-41b8-9b36-fde13348b619.md | 2 +- .../599318f2-6653-4569-9e21-041d06c63a89.md | 4 +- .../59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md | 2 +- .../5c822443-e1ea-46b8-84eb-758ec602e844.md | 2 +- .../609839ae-bd81-4375-9910-5bce72ae7b92.md | 2 +- .../61c3cb8b-0715-47e4-b788-86dde40dd2db.md | 2 +- .../6425c98b-ca4e-41fe-896a-c78772c131f8.md | 4 +- .../73e42469-3a86-4f39-ad78-098f325b4e9f.md | 2 +- .../7750fcca-dd03-4d38-b663-4b70289bcfd4.md | 2 +- .../7f0a8696-7159-4337-ad0d-8a3ab4a78195.md | 2 +- .../819d50fd-1cdf-45c3-9936-be408aaad93e.md | 2 +- .../8263f146-5e03-43e0-9cfe-db960d56d1e7.md | 2 +- .../835a4f2f-df43-437d-9943-545ccfc55961.md | 2 +- .../83a229ba-483e-47c6-8db7-dc96969bce5a.md | 2 +- .../85da374f-b00f-4832-9d44-84a1ca1e89f8.md | 2 +- .../86f92117-eed8-4614-9c6c-b26da20ff37f.md | 2 +- .../8b042c30-e441-453f-b162-7696982ebc58.md | 2 +- .../8e75e431-449f-49e9-b56a-c8f1378025cf.md | 2 +- .../96fe318e-d631-4156-99fa-9080d57280ae.md | 6 +- .../9bb3c639-5edf-458c-8ee5-30c17c7d671d.md | 4 +- .../9c301481-e6ec-44f7-8a49-8ec63e2969ea.md | 2 +- .../9dab0179-433d-4dff-af8f-0091025691df.md | 4 +- .../9db38e87-f6aa-4b5e-a1ec-7266df259409.md | 2 +- .../a187ac47-8163-42ce-8a63-c115236be6fb.md | 2 +- .../a21c8da9-41bf-40cf-941d-330cf0d11fc7.md | 4 +- .../a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md | 2 +- .../a5613650-32ec-4975-a305-31af783153ea.md | 8 +- .../a81573f9-3691-4d83-88a0-7d4af63e17a3.md | 4 +- .../a829b715-cf75-4e92-b645-54c9b739edfb.md | 2 +- .../a99130ab-4c0e-43aa-97f8-78d4fcb30024.md | 2 +- .../ace823d1-4432-4dee-945b-cdf11a5a6bd0.md | 6 +- .../ade36cf4-329f-4830-a83d-9db72c800507.md | 4 +- .../b17d8bb8-4c08-4785-867e-cb9e62a622aa.md | 2 +- .../b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md | 4 +- .../b61cce4b-0cc4-472b-8096-15617a6d769b.md | 2 +- 
.../b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md | 2 +- .../b897dfbf-322c-45a8-b67c-1e698beeaa51.md | 2 +- .../b90842e5-6779-44d4-9760-972f4c03ba1c.md | 2 +- .../b947809d-dd2f-4de9-b724-04d101c515aa.md | 2 +- .../bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md | 2 +- .../bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md | 2 +- .../c1573577-e494-4417-8854-7e119368dc8b.md | 2 +- .../c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md | 2 +- .../c407c3cf-c409-4b29-b590-db5f4138d332.md | 4 +- .../c640d783-10c5-4071-b6c1-23507300d333.md | 2 +- .../c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md | 2 +- .../c7fc1481-2899-4490-bbd8-544a3a61a2f3.md | 4 +- .../c87749b3-ff10-41f5-9df2-c421e8151759.md | 2 +- .../cc4aaa9d-1070-461a-b519-04e00f42db8a.md | 6 +- .../d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md | 2 +- .../dafe30ec-325d-4516-85d1-e8e6776f012c.md | 4 +- .../dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md | 2 +- .../dfa20ffa-f476-428f-a490-424b41e91c7f.md | 2 +- .../e29a75e6-aba3-4896-b42d-b87818c16b58.md | 2 +- .../e65a0733-94a0-4826-82f4-df529f4c593f.md | 4 +- .../e9dee01f-2505-4df2-b9bf-7804d1fd9082.md | 2 +- .../efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md | 2 +- .../f118890b-2468-42b1-9ce9-af35146b425b.md | 4 +- .../f5342045-b935-402d-adf1-8dbbd09c0eef.md | 2 +- .../f7e296b0-6660-4bc5-8f87-22ac4a815edf.md | 2 +- .../f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md | 2 +- .../fd8da341-6760-4450-b26c-9f6d8850575e.md | 2 +- .../ffb02aca-0d12-475e-b77c-a726f7aeff4b.md | 2 +- .../b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md | 2 +- .../bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md | 2 +- .../bd6bd46c-57db-4887-956d-d372f21291b6.md | 2 +- .../c878abb4-cca5-4724-92b9-289be68bd47c.md | 2 +- .../ca2fba76-c1a7-4afd-be67-5249f861cb0e.md | 2 +- .../ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md | 2 +- .../1e434b25-8763-4b00-a5ca-ca03b7abbb66.md | 4 +- .../23c3067a-8cc9-480c-b645-7c1e0ad4bf60.md | 107 +++++++ .../23e1f5f0-12b7-4d7e-9087-f60f42ccd514.md | 50 +++ .../2a153952-2544-4687-bcc9-cc8fea814a9b.md | 6 +- .../2c4fe4a9-f44b-4c70-b09b-5b75cd251805.md | 87 
+++++ .../375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7.md | 209 ++++++++++++ .../38028698-e663-4ef7-aa92-773fef0ca86f.md | 105 ++++++ .../3a81fc06-566f-492a-91dd-7448e409e2cd.md | 2 +- .../539e4557-d2b5-4d57-a001-cb01140a4e2d.md | 69 ++++ .../59312e8a-a64e-41e7-a252-618533dd1ea8.md | 6 +- .../5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6.md | 150 +++++++++ .../7d05ca25-91b4-42ee-b6f6-b06611a87ce8.md | 49 +++ .../953c0cc6-5f30-44cb-a803-bf4ef2571be8.md | 88 +++++ .../a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5.md | 301 ++++++++++++++++++ .../b0749c53-e3ff-4d09-bbe4-dca94e2e7a38.md | 130 ++++++++ .../fc5109bf-01fd-49fb-8bde-4492b543c34a.md | 6 +- .../d532566b-8d9d-4f3b-80bd-361fe802f9c2.md | 2 +- .../e2c83c1f-84d7-4467-966c-ed41fd015bb9.md | 6 +- .../e5587d53-a673-4a6b-b3f2-ba07ec274def.md | 2 +- .../e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md | 2 +- .../e94d3121-c2d1-4e34-a295-139bfeb73ea3.md | 2 +- .../f74b9c43-161a-4799-bc95-0b0ec81801b9.md | 2 +- .../fcc2612a-1dfe-46e4-8ce6-0320959f0040.md | 2 +- .../fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md | 2 +- .../fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md | 2 +- .../02474449-71aa-40a1-87ae-e14497747b00.md | 2 +- .../11e7550e-c4b6-472e-adff-c698f157cdd7.md | 2 +- .../128df7ec-f185-48bc-8913-ce756a3ccb85.md | 2 +- .../14a457f0-473d-4d1d-9e37-6d99b355b336.md | 2 +- .../16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md | 4 +- .../1b44e234-3d73-41a8-9954-0b154135280e.md | 2 +- .../1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md | 4 +- .../22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md | 2 +- .../2f06d22c-56bd-4f73-8a51-db001fcf2150.md | 2 +- .../30e8dfd2-3591-4d19-8d11-79e93106c93d.md | 2 +- .../32ecd6eb-0711-421f-9627-1a28d9eff217.md | 2 +- .../3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md | 2 +- .../3e4d5ce6-3280-4027-8010-c26eeea1ec01.md | 2 +- .../40430747-442d-450a-a34f-dc57149f4609.md | 2 +- .../40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md | 2 +- .../4b82202a-b18e-4891-a1eb-a0989850bbb3.md | 2 +- .../4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md | 2 +- .../579a0727-9c29-4d58-8195-fc5802a8bdb4.md 
| 2 +- .../59571246-3f62-4965-a96f-c7d97e269351.md | 2 +- .../5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md | 2 +- .../5ef61c88-bbb4-4725-b1df-55d23c9676bb.md | 2 +- .../617ef6ff-711e-4bd7-94ae-e965911b1b40.md | 2 +- .../65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md | 2 +- .../678fd659-96f2-454a-a2a0-c2571f83a4a3.md | 2 +- .../6ccb85d7-0420-4907-9380-50313f80946b.md | 2 +- .../704fcc44-a58f-4af5-82e2-93f2a58ef918.md | 4 +- .../73fb21a1-b19a-45b1-b648-b47b1678681e.md | 2 +- .../84d36481-fd63-48cb-838e-635c44806ec2.md | 2 +- .../895ed0d9-6fec-4567-8614-d7a74b599a53.md | 2 +- .../89fe890f-b480-460c-8b6b-7d8b1468adb4.md | 2 +- .../8a893e46-e267-485a-8690-51f39951de58.md | 2 +- .../9192e0f9-eca5-4056-9282-ae2a736a4088.md | 2 +- .../92e4464a-4139-4d57-8742-b5acc0347680.md | 2 +- .../9356962e-4a4f-4d06-ac59-dc8008775eaa.md | 2 +- .../97fa667a-d05b-4f16-9071-58b939f34751.md | 2 +- .../a6cd52a1-3056-4910-96a5-894de9f3f3b3.md | 2 +- .../acfdbec6-4a17-471f-b412-169d77553332.md | 2 +- .../b139213e-7d24-49c2-8025-c18faa21ecaa.md | 2 +- .../b187edca-b81e-4fdc-aff4-aab57db45edb.md | 2 +- .../b1d51728-7270-4991-ac2f-fc26e2695b38.md | 6 +- .../bb0db090-5509-4853-a827-75ced0b3caa0.md | 2 +- .../bc280331-27b9-4acb-a010-018e8098aa5d.md | 2 +- .../bc75ce52-a60a-4660-b533-bce837a5019b.md | 2 +- .../c010082c-76e0-4b91-91d9-6e8439e455dd.md | 2 +- .../c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md | 2 +- .../c606ba1d-d736-43eb-ac24-e16108f3a9e0.md | 2 +- .../c68b4e6d-4e01-4ca1-b256-1e18e875785c.md | 2 +- .../c9d81239-c818-4869-9917-1570c62b81fd.md | 2 +- .../ccc3100c-0fdd-4a5e-9908-c10107291860.md | 2 +- .../cefdad16-0dd5-4ac5-8ed2-a37502c78672.md | 8 +- .../cf3c7631-cd1e-42f3-8801-a561214a6e79.md | 2 +- .../d0b4d550-c001-46c3-bbdb-d5d75d33f05f.md | 2 +- .../d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md | 2 +- .../d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md | 2 +- .../dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md | 2 +- .../e576ce44-dd03-4022-a8c0-3906acca2ab4.md | 2 +- .../e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md | 2 +- 
.../e7e961ac-d17e-4413-84bc-8a1fbe242944.md | 2 +- .../ee7b93c1-b3f8-4a3b-9588-146d481814f5.md | 4 +- .../f34c0c25-47b4-41eb-9c79-249b4dd47b89.md | 2 +- .../df58dd45-8009-43c2-90f7-c90eb9d53ed9.md | 66 ++++ 1678 files changed, 5254 insertions(+), 3704 deletions(-) create mode 100644 docs/queries/terraform-queries/common/23c3067a-8cc9-480c-b645-7c1e0ad4bf60.md create mode 100644 docs/queries/terraform-queries/common/23e1f5f0-12b7-4d7e-9087-f60f42ccd514.md create mode 100644 docs/queries/terraform-queries/common/2c4fe4a9-f44b-4c70-b09b-5b75cd251805.md create mode 100644 docs/queries/terraform-queries/common/375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7.md create mode 100644 docs/queries/terraform-queries/common/38028698-e663-4ef7-aa92-773fef0ca86f.md create mode 100644 docs/queries/terraform-queries/common/539e4557-d2b5-4d57-a001-cb01140a4e2d.md create mode 100644 docs/queries/terraform-queries/common/5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6.md create mode 100644 docs/queries/terraform-queries/common/7d05ca25-91b4-42ee-b6f6-b06611a87ce8.md create mode 100644 docs/queries/terraform-queries/common/953c0cc6-5f30-44cb-a803-bf4ef2571be8.md create mode 100644 docs/queries/terraform-queries/common/a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5.md create mode 100644 docs/queries/terraform-queries/common/b0749c53-e3ff-4d09-bbe4-dca94e2e7a38.md create mode 100644 docs/queries/terraform-queries/nifcloud/df58dd45-8009-43c2-90f7-c90eb9d53ed9.md diff --git a/Makefile b/Makefile index 8adb1a45332..daa754e7cbb 100644 --- a/Makefile +++ b/Makefile 
@@ -148,13 +148,13 @@ run-local: build
 .PHONY: generate-queries-docs
 generate-queries-docs: ## generate queries catalog md files
 $(call print-target)
- @pip3 install -r .github/generators/requirements.txt
- @python3 -u .github/generators/docs_generator.py \
+ @pip3 install -r .github/scripts/docs-generator/requirements.txt
+ @python3 -u .github/scripts/docs-generator/docs-generator.py \
 -p ./assets/queries/ \
 -o ./docs/queries/ \
 -f md \
- -t .github/generators/templates
- @python3 -u .github/scripts/docs-generator/query-page-generator/query-page-generator.py \
+ -t .github/scripts/docs-generator/templates
+ @python3 -u -B .github/scripts/docs-generator/query-page-generator/query-page-generator.py \
 -p ./assets/queries/ \
 -o ./docs/queries/ \
 -f md \
diff --git a/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md b/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md
index b09e774f5f9..ddefe537629 100644
--- a/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md
+++ b/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md
@@ -28,7 +28,7 @@ Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the co
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="31 15"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="31 15"
 ---
 - name: Create task definition
 community.aws.ecs_taskdefinition:
diff --git a/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md b/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md
index ea3c83393b9..e1c7c03287e 100644
--- a/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md
+++ b/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md
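Review bot: The rewritten `@pip3 install -r .github/scripts/docs-generator/requirements.txt` line still installs the generator's dependencies straight into whatever interpreter `pip3` resolves to, and nothing in the hunk constrains what gets pulled in; if that requirements file is not pinned with hashes, `@pip3 install --require-hashes -r .github/scripts/docs-generator/requirements.txt` would make the docs build reproducible and keep an unexpected package version from entering the build host. The `-B` added only to the query-page-generator invocation suppresses `.pyc` writing, which is worth recording in the recipe with a comment such as `# -B: keep the generator from writing .pyc files into the scripts tree` so the asymmetry with the docs-generator line does not read as an oversight. The `generate-queries-docs` recipe continues past the end of the hunk.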
@@ -28,7 +28,7 @@ AWS Auto Scaling Groups must have associated ELBs to ensure high availability an
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 - name: elb1
 community.aws.ec2_asg:
 name: special
@@ -44,7 +44,7 @@ AWS Auto Scaling Groups must have associated ELBs to ensure high availability an
 propagate_at_launch: no
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="2"
 - name: elb2
 ec2_asg:
 name: special
diff --git a/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md b/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md
index 213d33876bc..ecc01b11922 100644
--- a/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md
+++ b/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md
@@ -28,7 +28,7 @@ The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0'
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 22"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="53 22"
 - name: create minimal aurora instance in default VPC and default subnet group
 community.aws.rds_instance:
 engine: aurora
diff --git a/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md b/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md
index 34cbeb3fa9f..8386d67ddbf 100644
--- a/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md
+++ b/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md
@@ -28,7 +28,7 @@ IAM Database Auth Enabled should be configured to true when using compatible eng ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 22" - name: create minimal aurora instance in default VPC and default subnet group community.aws.rds_instance: engine: mysql diff --git a/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md b/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md index 8124151633a..cd1e8ce4a4e 100644 --- a/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md +++ b/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md @@ -28,7 +28,7 @@ IAM Policy should not grant 'AssumeRole' permission across all services.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" - name: Create IAM Managed Policy community.aws.iam_managed_policy: policy_name: "ManagedPolicy" diff --git a/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md b/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md index e5521eb32d3..aef2c1bc250 100644 --- a/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md +++ b/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md @@ -28,7 +28,7 @@ AWS Key Management Service (KMS) must only possess usable Customer Master Keys ( ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" - name: Update IAM policy on an existing KMS key1 community.aws.aws_kms: alias: my-kms-key @@ -37,7 +37,7 @@ AWS Key Management Service (KMS) must only possess usable Customer Master Keys ( enabled: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" - name: Update IAM policy on an existing KMS key2 community.aws.aws_kms: alias: my-kms-key diff --git a/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md b/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md index a6d9a283be3..9be52c980c2 100644 --- a/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md +++ b/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md @@ -28,7 +28,7 @@ RDS should not run in public subnet
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" - name: create minimal aurora instance in default VPC and default subnet group community.aws.rds_instance: engine: aurora diff --git a/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md b/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md index 97fcbd31bd4..16a67d13d18 100644 --- a/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md +++ b/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md @@ -28,7 +28,7 @@ Make sure that retain_stack is enabled to keep the Stack and it's associated res ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 23" - name: Create a stack set with instances in two accounts community.aws.cloudformation_stack_set: name: my-stack2 diff --git a/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md b/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md index 0822a7f6ea0..98f183ce180 100644 --- a/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md +++ b/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md @@ -28,7 +28,7 @@ Lambda Permission Principal should not contain a wildcard.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" - name: Lambda S3 event notification community.aws.lambda_policy: state: present diff --git a/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md b/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md index 388541bd77f..e504cf79fd8 100644 --- a/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md +++ b/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md @@ -28,7 +28,7 @@ User Data Shell Script must be encoded
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" --- - name: note that encrypted volumes are only supported in >= Ansible 2.4 community.aws.ec2_lc: diff --git a/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md b/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md index 3c6942b4ebb..60a53954732 100644 --- a/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md +++ b/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 70 40 52 21 89" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 70 40 52 21 89" #this is a problematic code where the query should report a result(s) - name: elb1 community.aws.elb_application_lb: diff --git a/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md b/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md index 8f79f0e3f4b..6990e3b80f1 100644 --- a/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md +++ b/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md @@ -28,7 +28,7 @@ API Gateway should have X-Ray Tracing enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 12" --- - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.aws_api_gateway: diff --git a/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md b/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md index 990ebcc4bba..da33f46b540 100644 --- a/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md +++ b/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md @@ -28,7 +28,7 @@ Check if secure ciphers aren't used in CloudFront
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="14" - name: example community.aws.cloudfront_distribution: state: present diff --git a/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md b/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md index db9aa9e189c..beb65446ab4 100644 --- a/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md +++ b/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md @@ -28,7 +28,7 @@ All AWS CloudFront distributions should be integrated with the Web Application F ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: create a basic distribution with defaults and tags community.aws.cloudfront_distribution: state: present diff --git a/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md b/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md index 29702f31228..23c855aa0e3 100644 --- a/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md +++ b/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md @@ -28,7 +28,7 @@ AWS Lambda Functions must have associated tags.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: add tags community.aws.lambda: name: 'Lambda function' diff --git a/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md b/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md index 9fad3b4db95..04711024c2f 100644 --- a/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md +++ b/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md @@ -28,7 +28,7 @@ RDS should not use the default port (an attacker can easily guess the port). For ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" - name: create minimal aurora instance in default VPC and default subnet group community.aws.rds_instance: engine: aurora @@ -41,7 +41,7 @@ RDS should not use the default port (an attacker can easily guess the port). For port: 3306 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" - name: create minimal aurora instance in default VPC and default subnet group2 community.aws.rds_instance: engine: postgres @@ -54,7 +54,7 @@ RDS should not use the default port (an attacker can easily guess the port). For port: 5432 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" - name: create minimal aurora instance in default VPC and default subnet group2 community.aws.rds_instance: engine: oracle-ee @@ -67,7 +67,7 @@ RDS should not use the default port (an attacker can easily guess the port). For port: 1521 ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10" - name: create minimal aurora instance in default VPC and default subnet group2 diff --git a/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md b/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md index b3834586275..6333814be71 100644 --- a/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md +++ b/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md @@ -28,7 +28,7 @@ Check if the Memcached is disabled on the ElastiCache
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" - name: Basic example community.aws.elasticache: name: "test-please-delete" diff --git a/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md b/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md index e77d342e7e3..96056a2f3f9 100644 --- a/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md +++ b/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md @@ -28,7 +28,7 @@ If algorithm is AES256 then the master key is null, empty or undefined, otherwis ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" --- - name: mys3Bucket amazon.aws.s3_bucket: diff --git a/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md b/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md index d6829929193..1d1accddf40 100644 --- a/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md +++ b/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md @@ -28,7 +28,7 @@ AWS CloudFormation should have a template defined through the attribute template ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 2 30 15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="40 2 30 15" - name: create a stack, pass in the template via an URL amazon.aws.cloudformation: stack_name: "ansible-cloudformation" diff --git a/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md b/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md index 01ebd0e8e25..ba9a4ba2963 100644 
--- a/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md +++ b/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md @@ -28,7 +28,7 @@ It's considered a best practice for an EC2 instance to use an EBS optimized inst ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: example amazon.aws.ec2: key_name: mykey @@ -40,7 +40,7 @@ It's considered a best practice for an EC2 instance to use an EBS optimized inst vpc_subnet_id: subnet-29e63245 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" - name: example2 amazon.aws.ec2: key_name: mykey @@ -53,7 +53,7 @@ It's considered a best practice for an EC2 instance to use an EBS optimized inst ebs_optimized: false ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="2" +```yaml title="Positive test num. 3 - yaml file" hl_lines="2" - name: example3 amazon.aws.ec2: key_name: mykey diff --git a/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md b/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md index 1a34d6df21e..f1e0e8c14a4 100644 --- a/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md +++ b/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md @@ -28,7 +28,7 @@ If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" - name: Create s3 bucket2 community.aws.aws_s3_cors: name: mys3bucket 
@@ -50,7 +50,7 @@ If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it max_age_seconds: 30000 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" - name: Create s3 bucket4 aws_s3_cors: name: mys3bucket2 diff --git a/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md b/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md index 8c92354d225..4cc15be83d3 100644 --- a/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md +++ b/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md @@ -28,7 +28,7 @@ Checks if the S3 bucket is accessible for all users
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" - name: Create a simple s3 bucket with a policy amazon.aws.s3_bucket: name: mys3bucket diff --git a/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md b/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md index cbd51f46aa0..ba6ea812e04 100644 --- a/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md +++ b/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md @@ -28,7 +28,7 @@ Lambda permission may be misconfigured if the action field is not filled in by ' ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" - name: Lambda S3 notification positive community.aws.lambda_policy: state: present diff --git a/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md b/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md index 65e7213e9ec..7d793d067fa 100644 --- a/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md +++ b/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md @@ -28,7 +28,7 @@ No password expiration policy
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 2 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 2 21" - name: Missing Password policy for AWS account community.aws.iam_password_policy: state: present diff --git a/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md b/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md index 85ccf9b60cf..98bf916524e 100644 --- a/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md +++ b/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md @@ -28,7 +28,7 @@ Route53 Record should have a list of records
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 14" --- - name: Use a routing policy to distribute traffic02 community.aws.route53: diff --git a/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md b/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md index bd4c90335b1..cb6a23a4e15 100644 --- a/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md +++ b/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md @@ -28,7 +28,7 @@ EBS volumes should be encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 19 12 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 19 12 5" --- - name: Creating EBS volume01 amazon.aws.ec2_vol: diff --git a/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md b/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md index 18351816781..1aefcb20c75 100644 --- a/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md +++ b/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md @@ -28,7 +28,7 @@ CloudTrail log file validation should be enabled to determine whether a log file ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 21" - name: create multi-region trail with validation and tags community.aws.cloudtrail: state: present diff --git a/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md b/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md index f776a57006d..c7368849718 100644 --- a/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md +++ b/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md @@ -28,7 +28,7 @@ The CIDR IP should not be a public interface
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22" - name: create minimal aurora instance in default VPC and default subnet group community.aws.rds_instance: engine: aurora diff --git a/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md b/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md index 5d86d9bbdfd..bc8ff64a2aa 100644 --- a/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md +++ b/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md @@ -28,7 +28,7 @@ S3 Buckets must not allow Get Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" #this is a problematic code where the query should report a result(s) - name: Bucket amazon.aws.s3_bucket: diff --git a/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md b/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md index 0cf75405d25..95c4d742c2b 100644 --- a/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md +++ b/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md @@ -28,7 +28,7 @@ ElastiCache should be launched in a Virtual Private Cloud (VPC)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: Basic example community.aws.elasticache: name: "test-please-delete" diff --git a/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md b/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md index 61f14827632..05b6370f61c 100644 --- a/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md +++ b/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md @@ -28,7 +28,7 @@ The API Endpoint type in API Gateway should be set to PRIVATE so it's not expose ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.aws_api_gateway: swagger_file: my_api.yml diff --git a/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md b/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md index 27c396e6499..c3b448d2619 100644 --- a/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md +++ b/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" - name: example ec2 group amazon.aws.ec2_group: name: example diff --git a/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md b/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md index ee237922031..0b2b019199a 100644 --- a/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md 
+++ b/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md @@ -28,7 +28,7 @@ AWS S3 Storage should be protected with SSE (Server-Side Encryption)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" - name: Create a simple s3 bucket amazon.aws.s3_bucket: name: mys3bucket diff --git a/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md b/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md index eab5fb73851..986301e03ad 100644 --- a/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md +++ b/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md @@ -28,7 +28,7 @@ Expired SSL/TLS certificates should be removed
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" - name: upload a self-signed certificate community.aws.aws_acm: certificate: "{{ lookup('file', 'expiredCertificate.pem' ) }}" diff --git a/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md b/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md index b3cc49c119f..4effa400697 100644 --- a/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md +++ b/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md @@ -28,7 +28,7 @@ The KMS key has a policy that is too permissive, as it provides the AWS account ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 5" --- - name: Update IAM policy on an existing KMS key community.aws.aws_kms: diff --git a/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md b/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md index 3629f6e67bf..c9da3140e79 100644 --- a/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md +++ b/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md @@ -28,7 +28,7 @@ Check if SNS topic name is set for CloudTrail
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 15" - name: no sns topic name community.aws.cloudtrail: state: present diff --git a/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md b/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md index 9041fa7de95..3ec038d44e7 100644 --- a/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md +++ b/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md @@ -28,7 +28,7 @@ AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_access ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 17 25" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 17 25" --- - name: Basic cluster provisioning example04 community.aws.redshift: diff --git a/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md b/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md index 10069b07842..04f24ac19e2 100644 --- a/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md +++ b/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md @@ -28,7 +28,7 @@ Allowing to run lambda function using public API Gateway
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" - name: Lambda S3 event notification lambda_policy: state: "{{ state | default('present') }}" diff --git a/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md b/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md index 4f094edaa24..54d0d62c55e 100644 --- a/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md +++ b/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md @@ -28,7 +28,7 @@ The CA certificate Identifier must be 'rds-ca-2019'.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 12" --- - name: create minimal aurora instance in default VPC and default subnet group community.aws.rds_instance: diff --git a/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md b/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md index e52233e8929..fbf35906910 100644 --- a/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md +++ b/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md @@ -28,7 +28,7 @@ ECR should have an image tag be immutable. This prevents image tags from being o ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 7" - name: create immutable ecr-repo community.aws.ecs_ecr: name: super/cool diff --git a/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md b/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md index fc1eb5739bc..182ef178447 100644 --- a/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md +++ b/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md @@ -28,7 +28,7 @@ EC2 Instances should be configured under a VPC network. AWS VPCs provide the con ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 18" - name: Start an instance and have it begin a Tower callback on boot community.aws.ec2_instance: name: "tower-callback-test" 
diff --git a/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md b/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md index b316e2b8169..818d775f729 100644 --- a/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md +++ b/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md @@ -28,7 +28,7 @@ Launch Configurations should have the data in the volumes encrypted. To encrypt ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 29 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 29 22" - name: note that encrypted volumes are only supported in >= Ansible 2.4 community.aws.ec2_lc: name: special diff --git a/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md b/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md index 35df848636e..4c9fda0c6b0 100644 --- a/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md +++ b/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md @@ -28,7 +28,7 @@ AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 19 29" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 19 29" - name: Basic cluster provisioning example community.aws.redshift: identifier: tf-redshift-cluster diff --git a/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md b/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md index b58821edfa7..9ccff7e4f64 100644 --- a/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md +++ b/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md 
@@ -28,7 +28,7 @@ S3 Buckets should not have all permissions, as to prevent leaking private inform ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" --- - name: Create s3 bucket amazon.aws.s3_bucket: diff --git a/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md b/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md index 21f9316b189..e61a42c0001 100644 --- a/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md +++ b/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md @@ -28,7 +28,7 @@ CloudTrail multi region should be enabled, which means attribute 'is_multi_regio ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" - name: example1 community.aws.cloudtrail: state: present diff --git a/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md b/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md index c7694e6686b..8c779f5296a 100644 --- a/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md +++ b/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md @@ -28,7 +28,7 @@ Password policy `password_reuse_prevention` doesn't exist or is equal to 0
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 3 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26 3 23" --- - name: Password policy for AWS account community.aws.iam_password_policy: diff --git a/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md b/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md index 2cf8b9c6e88..cf0535c3523 100644 --- a/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md +++ b/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md @@ -28,7 +28,7 @@ S3 Buckets must not allow Delete Action From All Principals, as to prevent leaki ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" #this is a problematic code where the query should report a result(s) - name: Bucket amazon.aws.s3_bucket: diff --git a/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md b/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md index 769c63a24ea..6a35173c87f 100644 --- a/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md +++ b/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md @@ -28,7 +28,7 @@ AWS Lambda functions should have TracingConfig enabled. For this, property 'trac ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 37" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 37" - name: looped creation community.aws.lambda: name: '{{ item.name }}' diff --git a/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md b/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md index 4708e06f98c..6569a0615fb 100644 
--- a/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md +++ b/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md @@ -28,7 +28,7 @@ AWS Security Group should not have public port wide
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" - name: example ec2 group amazon.aws.ec2_group: name: example diff --git a/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md b/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md index 2d348a5774d..6d0d0c0538e 100644 --- a/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md +++ b/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md @@ -28,7 +28,7 @@ AWS Security Group should not have an unknown port exposed to the entire Interne ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 13" - name: example ec2 group amazon.aws.ec2_group: name: example diff --git a/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md b/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md index 22bd576a3d0..54b4f74d67f 100644 --- a/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md +++ b/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md @@ -28,7 +28,7 @@ Elastic File System (EFS) must be encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 6 25" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17 6 25" --- - name: foo community.aws.efs: diff --git a/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md b/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md index 0b3970faf3e..d6aee9ca78f 100644 --- a/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md +++ b/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md @@ -28,7 +28,7 @@ AWS CloudWatch Logs for APIs is not enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" --- - name: Setup AWS API Gateway setup on AWS cloudwatchlogs community.aws.cloudwatchlogs_log_group: diff --git a/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md b/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md index 64fe6da5eae..738ff6e2fe6 100644 --- a/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md +++ b/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use insecure protocols, to r ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 70 40 52 21 89" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 70 40 52 21 89" #this is a problematic code where the query should report a result(s) - name: elb1 community.aws.elb_application_lb: diff --git a/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md b/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md index a0a6239ffec..985ddb7f134 100644 --- a/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md +++ b/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md @@ -28,7 +28,7 @@ S3 Buckets should not be readable to any authenticated user
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" --- - name: Create an empty bucket2 amazon.aws.aws_s3: diff --git a/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md b/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md index d819c7dd9e8..f2ee4ed4126 100644 --- a/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md +++ b/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md @@ -28,7 +28,7 @@ Check if AWS config rules do not identify Encrypted Volumes as a source.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" --- - name: foo community.aws.aws_config_rule: diff --git a/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md b/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md index 0b4bc5aa921..60a4ce1c6c9 100644 --- a/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md +++ b/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md @@ -28,7 +28,7 @@ Check if port 2383 on TCP is publicly accessible by checking the CIDR block rang ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="65 37 9 51 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="65 37 9 51 23" --- - name: example using security group rule descriptions amazon.aws.ec2_group: diff --git a/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md b/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md index d5fa1d31066..7411f4c2ab6 100644 --- a/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md +++ b/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md @@ -28,7 +28,7 @@ ElastiCache should not use the default port (an attacker can easily guess the po ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" - name: Basic example community.aws.elasticache: name: "test-please-delete" 
@@ -42,7 +42,7 @@ ElastiCache should not use the default port (an attacker can easily guess the po zone: us-east-1d ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +```yaml title="Positive test num. 2 - yaml file" hl_lines="9" - name: Basic example2 community.aws.elasticache: name: "test-please-delete" diff --git a/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md b/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md index 53d15ffa6d6..bc00ed4a169 100644 --- a/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md +++ b/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md @@ -28,7 +28,7 @@ ECS Services must not have Admin roles, which means the attribute 'role' must no ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" #this is a problematic code where the query should report a result(s) - name: ECS Service community.aws.ecs_service: diff --git a/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md b/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md index 4743ca3e15e..5c5442fb726 100644 --- a/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md +++ b/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md @@ -28,7 +28,7 @@ AWS DB Instance should have its storage encrypted by setting the parameter to 't ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 23 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17 23 7" --- - name: foo community.aws.rds_instance: diff --git a/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md b/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md index 98c8e9a3949..737cabe7da9 100644 
--- a/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md +++ b/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md @@ -28,7 +28,7 @@ Check if IAM Access Key is active for some user besides 'root'
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 36 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26 36 7" - name: Create two new IAM users with API keys community.aws.iam: iam_type: user diff --git a/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md b/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md index 50fd1220cf8..a81daaa081d 100644 --- a/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md +++ b/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md @@ -28,7 +28,7 @@ It's not recommended to use plaintext environment variables for sensitive inform ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" - name: Create task definition community.aws.ecs_taskdefinition: family: nginx diff --git a/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md b/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md index 5382de6d938..dac134f05da 100644 --- a/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md +++ b/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md @@ -28,7 +28,7 @@ Check if default security group does not restrict all inbound and outbound traff ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="48 17 83 61 30" +```yaml title="Positive test num. 1 - yaml file" hl_lines="48 17 83 61 30" --- - name: example ec2 group amazon.aws.ec2_group: diff --git a/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md b/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md index 41da3bf6edc..947dc1620cc 100644 
--- a/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md +++ b/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md @@ -28,7 +28,7 @@ IAM password should have at least one uppercase letter
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="14 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="14 7" - name: Password policy for AWS account community.aws.iam_password_policy: state: present diff --git a/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md b/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md index 81f69f1862b..960fceb4c73 100644 --- a/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md +++ b/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md @@ -28,7 +28,7 @@ Security groups allow ingress from 0.0.0.0/0
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="41 28 14 55" +```yaml title="Positive test num. 1 - yaml file" hl_lines="41 28 14 55" --- - name: example1 amazon.aws.ec2_group: diff --git a/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md b/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md index 73629297649..3deea88ae4e 100644 --- a/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md +++ b/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md @@ -28,7 +28,7 @@ RDS instance should have automatic minor upgrades enabled, which means the attri ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 12" --- - name: community - create minimal aurora instance in default VPC and default subnet group community.aws.rds_instance: diff --git a/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md b/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md index 626a618470c..37364738f1c 100644 --- a/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md +++ b/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md @@ -28,7 +28,7 @@ Checks if the SQS Queue is exposed
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 31" - name: example community.aws.sqs_queue: name: my-queue diff --git a/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md b/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md index 5b581a95543..0b0cbebe68b 100644 --- a/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md +++ b/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md @@ -28,7 +28,7 @@ EC2 Instances should not be configured under a default VPC network
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" - name: example amazon.aws.ec2: key_name: mykey diff --git a/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md b/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md index e32903086f9..23ab44e673b 100644 --- a/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md +++ b/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md @@ -28,7 +28,7 @@ IAM password should have the required minimum length
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 2 27" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16 2 27" - name: Password policy for AWS account community.aws.iam_password_policy: state: present diff --git a/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md b/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md index 177307342ac..e99dffa36bf 100644 --- a/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md +++ b/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md @@ -28,7 +28,7 @@ EC2 instances should not use default security group(s)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" - name: example amazon.aws.ec2: key_name: mykey @@ -41,7 +41,7 @@ EC2 instances should not use default security group(s)
assign_public_ip: yes ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" - name: example2 amazon.aws.ec2: key_name: mykey diff --git a/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md b/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md index 94a020f15b5..dc6195f3e95 100644 --- a/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md +++ b/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md @@ -28,7 +28,7 @@ IAM Password should have at least one lowercase letter
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 14" - name: Password policy for AWS account community.aws.iam_password_policy: state: present diff --git a/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md b/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md index 1adb338759b..a901d592338 100644 --- a/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md +++ b/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md @@ -28,7 +28,7 @@ SES policy should not allow IAM actions to all principals
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" - name: add sending authorization policy to email identityyy community.aws.aws_ses_identity_policy: identity: example@example.com diff --git a/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md b/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md index 14d0378aec0..76807bc25ae 100644 --- a/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md +++ b/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md @@ -28,7 +28,7 @@ SNS Topic Policy should not allow any principal to access
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="50 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="50 23" --- - name: Create alarm SNS topic community community.aws.sns_topic: diff --git a/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md b/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md index 9a1b71ad915..ec94718df4e 100644 --- a/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md +++ b/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md @@ -28,7 +28,7 @@ S3 bucket should have versioning enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 15" --- - name: foo amazon.aws.s3_bucket: diff --git a/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md b/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md index 379b8de2840..393e3276de6 100644 --- a/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md +++ b/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md @@ -28,7 +28,7 @@ AWS AMI Encryption is not enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13 6" - name: Basic AMI Creation amazon.aws.ec2_ami: instance_id: i-xxxxxx diff --git a/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md b/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md index cbacca0b1c2..de36f5c2db6 100644 --- a/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md +++ b/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md @@ -28,7 +28,7 @@ IAM user resource Login Profile Password should have at least one number
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="14 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="14 7" --- - name: Password policy for AWS account community.aws.iam_password_policy: diff --git a/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md b/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md index 1eca8f7be3e..69ce406ad58 100644 --- a/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md +++ b/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md @@ -28,7 +28,7 @@ Check if the redis version is compliant with the necessary AWS PCI DSS requireme ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" - name: Basic example community.aws.elasticache: name: "test-please-delete" diff --git a/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md b/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md index da61a17767e..5799b297515 100644 --- a/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md +++ b/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md @@ -28,7 +28,7 @@ S3 Buckets must not allow Put Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" #this is a problematic code where the query should report a result(s) - name: Bucket amazon.aws.s3_bucket: diff --git a/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md b/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md index 31c7a993663..6235e78b657 100644 
--- a/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md +++ b/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md @@ -28,7 +28,7 @@ CodeBuild Project should be encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: My project community.aws.aws_codebuild: description: My nice little project v2 diff --git a/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md b/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md index 616afe15f11..7db103b37f5 100644 --- a/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md +++ b/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md @@ -28,7 +28,7 @@ The HTTP port is open to the internet in a Security Group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="64 36 9 79 49 23 93" +```yaml title="Positive test num. 1 - yaml file" hl_lines="64 36 9 79 49 23 93" - name: example ec2 group1 amazon.aws.ec2_group: name: example diff --git a/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md b/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md index a228b16f699..a33b75213cd 100644 --- a/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md +++ b/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md @@ -28,7 +28,7 @@ Limits access to AWS AMIs by checking if more than one account is using the same ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11 5" - name: Update AMI Launch Permissions, making it public amazon.aws.ec2_ami: image_id: "{{ instance.image_id }}" diff --git a/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md b/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md index b0fa7d7f0b3..2a57864b8b9 100644 --- a/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md +++ b/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md @@ -28,7 +28,7 @@ S3 Buckets should not be readable to all users
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11 6" --- - name: Create an empty bucket amazon.aws.aws_s3: diff --git a/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md b/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md index 726cc76665e..dacc29be57a 100644 --- a/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md +++ b/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md @@ -28,7 +28,7 @@ AWS Config Configuration Aggregator All Regions must be set to True
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 10" - name: Create cross-account aggregator community.aws.aws_config_aggregator: name: test_config_rule diff --git a/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md b/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md index ee01a11273f..0daecb25920 100644 --- a/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md +++ b/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md @@ -28,7 +28,7 @@ Checks if the connection between CloudFront and the viewer is encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="50 20" +```yaml title="Positive test num. 1 - yaml file" hl_lines="50 20" - name: example1 community.aws.cloudfront_distribution: state: present diff --git a/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md b/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md index 4514ea16287..04cf9170e4f 100644 --- a/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md +++ b/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md @@ -28,7 +28,7 @@ EC2 Instance should not have a public IP address.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 15 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 15 7" - name: example amazon.aws.ec2: key_name: mykey diff --git a/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md b/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md index 66d219531aa..3623f2d0156 100644 --- a/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md +++ b/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md @@ -28,7 +28,7 @@ Cross-Account IAM Assume Role Policy should require external ID or MFA to protec ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" - name: Create a role with description and tags community.aws.iam_role: name: mynewrole @@ -52,7 +52,7 @@ Cross-Account IAM Assume Role Policy should require external ID or MFA to protec env: dev ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" - name: Create a role with description and tags2 community.aws.iam_role: name: mynewrole2 @@ -79,7 +79,7 @@ Cross-Account IAM Assume Role Policy should require external ID or MFA to protec env: dev ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" - name: Create a role with description and tags3 community.aws.iam_role: name: mynewrole3 diff --git a/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md b/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md index 6e763fa37f0..421326988e1 100644 --- a/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md 
+++ b/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md @@ -28,7 +28,7 @@ Customer Master Keys (CMK) must have rotation enabled, which means the attribute ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: Update IAM policy on an existing KMS key community.aws.aws_kms: alias: my-kms-key @@ -37,7 +37,7 @@ Customer Master Keys (CMK) must have rotation enabled, which means the attribute enabled: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" - name: Update IAM policy on an existing KMS key2 community.aws.aws_kms: alias: my-kms-key diff --git a/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md b/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md index 93e447ba8b7..7d65d5b6e59 100644 --- a/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md +++ b/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md @@ -28,7 +28,7 @@ API Gateway REST API should have an API Gateway Authorizer
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 - name: Setup AWS API Gateway setup on AWS and deploy API definition
 community.aws.aws_api_gateway:
 swagger_dict:
@@ -62,7 +62,7 @@ API Gateway REST API should have an API Gateway Authorizer
 state: present
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="2"
 - name: Setup AWS API Gateway setup on AWS and deploy API definition2
 aws_api_gateway:
 stage: production
@@ -73,7 +73,7 @@ API Gateway REST API should have an API Gateway Authorizer
 state: present
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="3"
 - name: Setup AWS API Gateway setup on AWS and deploy API 222
 aws_api_gateway:
 swagger_file: swaggerFileWithoutAuthorizer.yaml
@@ -85,7 +85,7 @@ API Gateway REST API should have an API Gateway Authorizer
 state: present
 ```
-
Postitive test num. 4 - yaml file
+
Positive test num. 4 - yaml file
 ```yaml hl_lines="3"
 - name: Setup AWS API Gateway setup on AWS and deploy API 222
diff --git a/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md b/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md
index 0a42aa226db..26df3423c29 100644
--- a/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md
+++ b/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md
@@ -28,7 +28,7 @@ Content Delivery Network (CDN) service is used within an AWS account to secure a
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 23"
 - name: create a distribution without an origin and with enabled=false
 community.aws.cloudfront_distribution:
 state: present
diff --git a/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md b/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md
index 480c0bec175..94e2853d98d 100644
--- a/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md
+++ b/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md
@@ -28,7 +28,7 @@ SSL Client Certificate should be enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 21 6 23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 21 6 23"
 - name: update API
 aws_api_gateway:
 api_id: 'abc123321cba'
diff --git a/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md b/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md
index df8d391fdbf..dd8be8f16e1 100644
--- a/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md
+++ b/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md
@@ -28,7 +28,7 @@ IAM policy should not grant full permissions to resources from the get-go, inste
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 - name: Create IAM Managed Policy
 community.aws.iam_managed_policy:
 policy_name: "ManagedPolicy"
diff --git a/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md b/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md
index 23bd1a8013a..ae05252450b 100644
--- a/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md
+++ b/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md
@@ -28,7 +28,7 @@ Amazon Elastic Filesystem should have filesystem tags associated
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: EFS provisioning without tags
 community.aws.efs:
 state: present
diff --git a/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md b/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md
index ac2616dff16..8c168c0ce64 100644
--- a/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md
+++ b/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md
@@ -28,7 +28,7 @@ IAM role allows all services or principals to assume it
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 4"
 - name: Create IAM Managed Policy
 community.aws.iam_managed_policy:
 policy_name: "ManagedPolicy"
diff --git a/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md b/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md
index 6a7f98b7b5a..c0a4b9af9d8 100644
--- a/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md
+++ b/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md
@@ -28,7 +28,7 @@ Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CM
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 ---
 - name: foo
 community.aws.efs:
diff --git a/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md b/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md
index 08c7e141d46..bd2e1f7825c 100644
--- a/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md
+++ b/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md
@@ -28,7 +28,7 @@ RDS must not be defined with public interface, which means the field 'publicly_a
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 22"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="12 22"
 ---
 - name: community - Create a DB instance using the default AWS KMS encryption key
 community.aws.rds_instance:
diff --git a/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md b/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md
index c41b265c5ee..af60291b627 100644
--- a/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md
+++ b/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md
@@ -28,7 +28,7 @@ User Data should not contain a base64 encoded private key. If so, anyone can dec
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 ---
 - name: note that encrypted volumes are only supported in >= Ansible 2.4
 community.aws.ec2_lc:
diff --git a/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md b/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md
index 6c615dddfb3..5131cdbd98c 100644
--- a/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md
+++ b/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md
@@ -28,7 +28,7 @@ AWS Access Key should not be hardcoded
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 - name: start an instance with a cpu_options
 community.aws.ec2_instance:
 name: "public-cpuoption-instance"
diff --git a/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md b/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md
index b07b3c65cc4..02113376c8d 100644
--- a/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md
+++ b/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md
@@ -28,7 +28,7 @@ Server Access Logging should be enabled on S3 Buckets so that all changes are lo
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 ---
 - name: "Create S3 bucket"
 amazon.aws.s3_bucket:
diff --git a/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md b/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md
index ed1ba01835e..e20a60e5b66 100644
--- a/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md
+++ b/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md
@@ -28,7 +28,7 @@ S3 Bucket allows public access
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11 6"
 ---
 - name: Create an empty bucket
 amazon.aws.aws_s3:
diff --git a/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md b/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md
index 2ce244f926f..6bf8f87f25b 100644
--- a/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md
+++ b/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md
@@ -28,7 +28,7 @@ CloudFront Minimum Protocol version should be at least TLS 1.2
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 18 37"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="40 18 37"
 - name: create a distribution with an origin and logging
 community.aws.cloudfront_distribution:
 state: present
diff --git a/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md b/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md
index 054fc336a53..784149a6c0b 100644
--- a/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md
+++ b/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md
@@ -28,7 +28,7 @@ AWS CloudFront distributions should have logging enabled to collect all viewer r
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 62"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 62"
 - name: create a distribution with an origin, logging and default cache behavior
 community.aws.cloudfront_distribution:
 state: present
diff --git a/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md b/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md
index 696ca377bfc..a29b814af11 100644
--- a/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md
+++ b/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md
@@ -28,7 +28,7 @@ S3 Buckets must not allow List Action From All Principals, as to prevent leaking
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 #this is a problematic code where the query should report a result(s)
 - name: Bucket
 amazon.aws.s3_bucket:
diff --git a/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md b/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md
index 86069b459d2..d6338605903 100644
--- a/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md
+++ b/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md
@@ -28,7 +28,7 @@ AWS CloudFormation should have stack notifications enabled to be notified when a
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: create a stack, pass in the template via an URL
 amazon.aws.cloudformation:
 stack_name: "ansible-cloudformation"
diff --git a/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md b/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md
index 94026e8db7b..366c2698275 100644
--- a/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md
+++ b/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md
@@ -28,7 +28,7 @@ Checks if logging is enabled for CloudTrail.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 - name: example
 community.aws.cloudtrail:
 state: present
diff --git a/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md b/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md
index e10ad0a88d7..ec57a7e71e2 100644
--- a/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md
+++ b/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md
@@ -28,7 +28,7 @@ The certificate should use a RSA key with a length equal to or higher than 256 b
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 - name: upload a self-signed certificate
 community.aws.aws_acm:
 certificate: "{{ lookup('file', 'rsa1024.pem' ) }}"
diff --git a/docs/queries/ansible-queries/aws/d6c2d06f-43c1-488a-9ba1-8d75b40fc62d.md b/docs/queries/ansible-queries/aws/d6c2d06f-43c1-488a-9ba1-8d75b40fc62d.md
index 02dba79deff..22d26c657c2 100644
--- a/docs/queries/ansible-queries/aws/d6c2d06f-43c1-488a-9ba1-8d75b40fc62d.md
+++ b/docs/queries/ansible-queries/aws/d6c2d06f-43c1-488a-9ba1-8d75b40fc62d.md
@@ -28,7 +28,7 @@ Amazon Elasticsearch does not have encryption for its domains enabled. To preven
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11"
 - name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters
 community.aws.opensearch:
 domain_name: "dev-cluster"
@@ -47,7 +47,7 @@ Amazon Elasticsearch does not have encryption for its domains enabled. To preven
 access_policies: "{{ lookup('file', 'policy.json') | from_json }}"
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="10"
 - name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters
 community.aws.opensearch:
 domain_name: "dev-cluster"
@@ -66,7 +66,7 @@ Amazon Elasticsearch does not have encryption for its domains enabled. To preven
 access_policies: "{{ lookup('file', 'policy.json') | from_json }}"
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="2"
 - name: Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters
 community.aws.opensearch:
 domain_name: "dev-cluster"
diff --git a/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md b/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md
index 56639d6a21d..7f8fed4998f 100644
--- a/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md
+++ b/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md
@@ -28,7 +28,7 @@ Checks for dangerous permissions in Action statements in an SQS Queue Policy. Th
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 28"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10 28"
 - name: First SQS queue with policy
 community.aws.sqs_queue:
 name: my-queue1
diff --git a/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md b/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md
index b4724fae2dd..e8464f8c252 100644
--- a/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md
+++ b/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md
@@ -28,7 +28,7 @@ Batch Job Definition should not have Privileged Container Properties
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 - name: My Batch Job Definition
 community.aws.aws_batch_job_definition:
 job_definition_name: My Batch Job Definition
diff --git a/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md b/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md
index 1c18f74c268..2bc4c6638ef 100644
--- a/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md
+++ b/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md
@@ -28,7 +28,7 @@ Redshift should not use the default port (5439) because an attacker can easily g
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8"
 - name: Redshift
 community.aws.redshift:
 command: create
diff --git a/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md b/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md
index 9d122e2e9f7..6e3b28c0737 100644
--- a/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md
+++ b/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md
@@ -28,7 +28,7 @@ Amazon Simple Queue Service (SQS) queue should protect the contents of their mes
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 2 29 22"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16 2 29 22"
 - name: Create SQS queue with redrive policy
 community.aws.sqs_queue:
 name: my-queue
diff --git a/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md b/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md
index 4d6a727f863..708af91afda 100644
--- a/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md
+++ b/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md
@@ -28,7 +28,7 @@ AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, a
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 7"
 - name: example ec2 group
 community.aws.cloudwatchlogs_log_group:
 log_group_name: test-log-group
diff --git a/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md b/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md
index b46499f5ff9..4c66fdcfd74 100644
--- a/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md
+++ b/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md
@@ -28,7 +28,7 @@ Unchangeable passwords in AWS password policy
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 21"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 21"
 - name: Password policy for AWS account
 community.aws.iam_password_policy:
 state: present
diff --git a/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md b/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md
index 64b8d7ebbdc..7f950e9afcb 100644
--- a/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md
+++ b/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md
@@ -28,7 +28,7 @@ IAM policies shouldn't allow full administrative privileges (for all resources)<
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 - name: Create IAM Managed Policy
 community.aws.iam_managed_policy:
 policy_name: "ManagedPolicy"
diff --git a/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md b/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md
index 6e5fed73f24..7ffe1395180 100644
--- a/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md
+++ b/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md
@@ -28,7 +28,7 @@ Make sure the AWS RDS configuration has automatic backup configured. If the rete
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 ---
 - name: create minimal aurora instance in default VPC and default subnet group
 community.aws.rds_instance:
diff --git a/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md b/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md
index 9470411ce90..3c197affb43 100644
--- a/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md
+++ b/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md
@@ -28,7 +28,7 @@ The AWS Root Account must not have active access keys associated, which means if
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 #this is a problematic code where the query should report a result(s)
 - name: Create two new IAM users with API keys
 community.aws.iam:
diff --git a/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md b/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md
index f205e2f4d4c..d5de938cd3e 100644
--- a/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md
+++ b/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md
@@ -28,7 +28,7 @@ The IP address in a DB Security Group must not have more than 256 hosts.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="22"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="22"
 - name: create minimal aurora instance in default VPC and default subnet group
 community.aws.rds_instance:
 engine: aurora
diff --git a/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md b/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md
index db7324f592b..8e7aa226375 100644
--- a/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md
+++ b/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md
@@ -28,7 +28,7 @@ AWS Security Group should restrict ingress access
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="26 7"
 - name: example ec2 group
 amazon.aws.ec2_group:
 name: example
diff --git a/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md b/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md
index 98c2ff355ad..9cc0a55cfe7 100644
--- a/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md
+++ b/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md
@@ -28,7 +28,7 @@ IAM policies should be attached only to groups or roles
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 - name: Assign a policy called Admin to user
 community.aws.iam_policy:
 iam_type: user
diff --git a/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md b/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md
index cb92086b896..5a049828676 100644
--- a/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md
+++ b/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md
@@ -28,7 +28,7 @@ CloudTrail should be integrated with CloudWatch
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 27 14"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 27 14"
 - name: positive1
 community.aws.cloudtrail:
 state: present
diff --git a/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md b/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md
index 3daee730587..32438c67ca6 100644
--- a/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md
+++ b/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md
@@ -28,7 +28,7 @@ SQS policy allows ALL (*) actions
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 - name: Second SQS queue with policy
 community.aws.sqs_queue:
 name: my-queue2
diff --git a/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md b/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md
index 42247057641..d72c7b80c13 100644
--- a/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md
+++ b/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md
@@ -28,7 +28,7 @@ The Remote Desktop port is open to the internet in a Security Group
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="64 36 9 79 49 23 93"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="64 36 9 79 49 23 93"
 - name: example ec2 group1
 amazon.aws.ec2_group:
 name: example
diff --git a/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md b/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md
index 98e46a28585..bd05532f3d9 100644
--- a/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md
+++ b/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md
@@ -28,7 +28,7 @@ Users should authenticate with MFA (Multi-factor Authentication) to ensure an ex
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 2"
 - name: Assume an existing role
 community.aws.sts_assume_role:
 mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
diff --git a/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md b/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md
index d239b2e3970..5ba3856e8c6 100644
--- a/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md
+++ b/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md
@@ -28,7 +28,7 @@ AWS Kinesis Streams and metadata should be protected with KMS
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 38 44 16 23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 38 44 16 23"
 - name: Encrypt Kinesis Stream test-stream.
 community.aws.kinesis_stream:
 name: test-stream
diff --git a/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md b/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md
index 1a3d41d723f..d37656a1cb5 100644
--- a/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md
+++ b/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md
@@ -28,7 +28,7 @@ Lambda access/secret keys should not be hardcoded
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="32 3"
 - name: looped creation
 community.aws.lambda:
 aws_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
diff --git a/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md b/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md
index a5a5ba38c16..4414a34271d 100644
--- a/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md
+++ b/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md
@@ -28,14 +28,14 @@ IAM Group should have at least one user associated
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: Group1
 iam_group:
 name: testgroup1
 state: present
 ```
 
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="2"
 - name: Group2
 iam_group:
 name: testgroup2
diff --git a/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md b/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md
index b81c92e75a8..75a2d54662e 100644
--- a/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md
+++ b/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md
@@ -28,7 +28,7 @@ Logs delivered by CloudTrail should be encrypted using KMS to increase security
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: no sns topic name
 community.aws.cloudtrail:
 state: present
diff --git a/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md b/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md
index 6fafae6356d..2a98a67f455 100644
--- a/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md
+++ b/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md
@@ -28,7 +28,7 @@ ECS Service should have at least 1 task running
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: ECS Service
 community.aws.ecs_service:
 state: present
diff --git a/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md b/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md
index 6fc1e7072f9..ebca932f01e 100644
--- a/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md
+++ b/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md
@@ -28,7 +28,7 @@ API Gateway should have WAF (Web Application Firewall) enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8"
 - name: add test alb to waf string032
 community.aws.wafv2_resources:
 name: string03
diff --git a/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md b/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md
index c29bd60b613..c7752af3e64 100644
--- a/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md
+++ b/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md
@@ -28,7 +28,7 @@ AWS Application Load Balancer (alb) should not listen on HTTP
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 29"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11 29"
 - name: my_elb_application
 community.aws.elb_application_lb:
 name: myelb
diff --git a/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md b/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md
index 13adf971f48..b09ae4150f0 100644
--- a/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md
+++ b/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md
@@ -28,7 +28,7 @@ Amazon ECR image repositories shouldn't have public access
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 4"
 - name: set-policy as object
 community.aws.ecs_ecr:
 name: needs-policy-object
diff --git a/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md b/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md
index 18ab4d7fc41..05827a6e62d 100644
--- a/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md
+++ b/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md
@@ -28,7 +28,7 @@ CloudFront web distributions should use custom (and not default) SSL certificate
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6 15"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6 15"
 - name: create a basic distribution with defaults, tags and default SSL certificate
 community.aws.cloudfront_distribution:
 state: present
diff --git a/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md b/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md
index 8df9b7e5b4c..b3c18854731 100644
--- a/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md
+++ b/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md
@@ -28,7 +28,7 @@ AWS CloudFormation Stack should have a stack policy in order to protect stack re
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: create a stack, pass in the template via an URL
 amazon.aws.cloudformation:
 stack_name: "ansible-cloudformation"
diff --git a/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md b/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md
index 7eeb2b5ebb7..c9732268ca2 100644
--- a/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md
+++ b/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md
@@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_retention' is set
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 ---
 - name: Update PostgreSQL Server setting
 azure_rm_postgresqlconfiguration:
diff --git a/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md b/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md
index 47dd49fe0d8..ece60e20dc7 100644
--- a/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md
+++ b/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md
@@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
 ---
 - name: Update PostgreSQL Server setting
 azure.azcollection.azure_rm_postgresqlconfiguration:
diff --git a/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md b/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md
index c68e98fcded..b9b629f0dd6 100644
--- a/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md
+++ b/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md
@@ -28,7 +28,7 @@ Firewall rule allowing unrestricted access to Redis from other Azure sources
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 ---
 - name: Create a Firewall rule for Azure Cache for Redis
 azure_rm_rediscachefirewallrule:
diff --git a/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md b/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md
index f8c42111933..c83da79a9a1 100644
--- a/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md
+++ b/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md
@@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for the whole network in
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="130 99 69 41 13 142 113 85 55 27"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="130 99 69 41 13 142 113 85 55 27"
 ---
 - name: foo1
 azure_rm_securitygroup:
diff --git a/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md b/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md
index 2decd466aef..10da001fc8e 100644
--- a/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md
+++ b/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md
@@ -28,7 +28,7 @@ Firewall rule allowing unrestricted access to Redis from the Internet
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 ---
 - name: Create a Firewall rule for Azure Cache for Redis
 azure_rm_rediscachefirewallrule:
diff --git a/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md b/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md
index 8ea992a250f..50b630e0355 100644
--- a/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md
+++ b/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md
@@ -28,7 +28,7 @@ Azure Container Service (AKS) instance should have role-based access control (RB
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="21 23"
 - name: Create an AKS instance
 azure_rm_aks:
 name: myAKS
diff --git a/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md b/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md
index 2f40717ba4a..8863330c421 100644
--- a/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md
+++ b/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md
@@ -28,7 +28,7 @@ Trusted Microsoft Services should be enabled for Storage Account access
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 40 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="24 40 7"
 - name: configure firewall and virtual networks
 azure_rm_storageaccount:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md b/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md
index 496177d4ee1..9a17a170e6e 100644
--- a/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md
+++ b/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md
@@ -28,7 +28,7 @@ No Network Security Group is attached to the Virtual Machine
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 ---
 - name: Create a VM with a custom image
 azure_rm_virtualmachine:
diff --git a/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md b/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md
index dd26ec4cd16..afde9244949 100644
--- a/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md
+++ b/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md
@@ -28,7 +28,7 @@ Cosmos DB Account must have a mapping of tags.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 ---
 - name: Create Cosmos DB Account - min
 azure_rm_cosmosdbaccount:
diff --git a/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md b/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md
index 2558133f6fa..fb51a6e4f06 100644
--- a/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md
+++ b/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md
@@ -28,7 +28,7 @@ Admin user is enabled for Container Registry
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 7"
 ---
 - name: Create an azure container registry
 azure.azcollection.azure_rm_containerregistry:
diff --git a/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md b/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md
index c256a19a0a4..90be4bb5631 100644
--- a/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md
+++ b/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md
@@ -28,7 +28,7 @@ Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 3 69 42 78 15 51 24 60"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="33 3 69 42 78 15 51 24 60"
 ---
 - name: create an account
 azure.azcollection.azure_rm_storageaccount:
diff --git a/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md b/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md
index f627722f9a8..9f3b7dbb047 100644
--- a/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md
+++ b/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md
@@ -28,7 +28,7 @@ Check if Web Application Firewall is disabled or not configured for Azure's Appl
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 - name: Create instance of Application Gateway
 azure_rm_appgateway:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md b/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md
index 4f1ffaa7c52..7915f40827c 100644
--- a/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md
+++ b/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md
@@ -28,7 +28,7 @@ Storage Account should not be public to grant the principle of least privileges<
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 19"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 19"
 - name: configure firewall and virtual networks
 azure_rm_storageaccount:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md b/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md
index 24daf0b1e99..9244924e44b 100644
--- a/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md
+++ b/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md
@@ -28,7 +28,7 @@ Ensure that Activity Log Retention is set 365 days or greater
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="20 13 46"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="20 13 46"
 ---
 - name: Create a log profile
 azure_rm_monitorlogprofile:
diff --git a/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md b/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md
index 570d3c17a69..78eccfa4a8b 100644
--- a/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md
+++ b/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md
@@ -28,7 +28,7 @@ Azure SQL Server Accessibility should be set to a minimal address range to grant
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10 3"
 #this is a problematic code where the query should report a result(s)
 - name: Create (or update) Firewall Rule1
 azure_rm_sqlfirewallrule:
diff --git a/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md b/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md
index a2008bc31b7..d52847e2622 100644
--- a/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md
+++ b/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md
@@ -28,7 +28,7 @@ Anonymous, public read access to a container and its blobs are enabled in Azure
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 17"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 17"
 - name: Create container foo and upload a file
 azure_rm_storageblob:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md b/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md
index 41c55bbf863..e50f87ed509 100644
--- a/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md
+++ b/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md
@@ -28,7 +28,7 @@ Azure SQL Server must avoid using predictable Active Directory Administrator Acc
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 13 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="19 13 7"
 #this is a problematic code where the query should report a result(s)
 - name: create ad sp
 azure_ad_serviceprincipal:
diff --git a/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md b/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md
index 7956f65b749..9c396d8aca2 100644
--- a/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md
+++ b/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md
@@ -28,7 +28,7 @@ Azurerm Container Registry should contain associated locks, which means 'azure_r
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 2"
 - name: Create an azure container registry
 azure_rm_containerregistry:
 name: myRegistry
@@ -56,7 +56,7 @@ Azurerm Container Registry should contain associated locks, which means 'azure_r
 Environment: Production
 ```
 
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="2"
 - name: Create an azure container registryy1
 azure.azcollection.azure_rm_containerregistry:
 name: myRegistry
diff --git a/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md b/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md
index 1b155caf465..df11f9612b2 100644
--- a/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md
+++ b/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md
@@ -28,7 +28,7 @@ Role Definition should not allow custom role creation (Microsoft.Authorization/r
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 ---
 - name: Create a role definition
 azure_rm_roledefinition:
@@ -41,7 +41,7 @@ Role Definition should not allow custom role creation (Microsoft.Authorization/r
 - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 ```
 
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="7"
 ---
 - name: Create a role definition2
 azure_rm_roledefinition:
diff --git a/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md b/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md
index 8731938b34b..91becf1801d 100644
--- a/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md
+++ b/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md
@@ -28,7 +28,7 @@ Azure SQL Server's Admin account login must avoid using names like 'Admin', that
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 14 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="21 14 7"
 #this is a problematic code where the query should report a result(s)
 - name: Create (or update) SQL Server1
 azure_rm_sqlserver:
diff --git a/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md b/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md
index 68c068e731c..28164b45950 100644
--- a/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md
+++ b/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md
@@ -28,7 +28,7 @@ Check if any firewall rule allows too many hosts to access Redis Cache.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 - name: too_many_hosts
 azure_rm_rediscachefirewallrule:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md b/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md
index e64f6662ed6..2c265aa5201 100644
--- a/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md
+++ b/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md
@@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_duration' is set t
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="36 6 12 18 24 30"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="36 6 12 18 24 30"
 - name: example1
 azure.azcollection.azure_rm_postgresqlconfiguration:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md b/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md
index ad7edb50cc2..c625aa72caf 100644
--- a/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md
+++ b/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md
@@ -28,7 +28,7 @@ Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is s
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
 ---
 - name: Update PostgreSQL Server setting
 azure.azcollection.azure_rm_postgresqlconfiguration:
diff --git a/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md b/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md
index 39414e9db2f..8f63033499a 100644
--- a/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md
+++ b/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md
@@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_connections' is se
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
 ---
 - name: Update PostgreSQL Server setting
 azure.azcollection.azure_rm_postgresqlconfiguration:
diff --git a/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md b/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md
index 2088c8fa27f..551d38a2d2d 100644
--- a/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md
+++ b/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md
@@ -28,7 +28,7 @@ Redis Cache resources should not allow non-SSL connections
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 - name: Non SSl Allowed
 azure_rm_rediscache:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md b/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md
index 9063b660f61..1edd7001502 100644
--- a/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md
+++ b/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md
@@ -28,7 +28,7 @@ Make sure Soft Delete is enabled for Key Vault
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="18 7"
 ---
 - name: Create instance of Key Vault
 azure_rm_keyvault:
diff --git a/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md b/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md
index d8a82ab4746..2dc9957d9a0 100644
--- a/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md
+++ b/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md
@@ -28,7 +28,7 @@ Monitoring log profile captures all the activities (Action, Write, Delete)
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 21"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 21"
 ---
 - name: Create a log profile
 azure_rm_monitorlogprofile:
diff --git a/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md b/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md
index dbc8b333111..bfb6560302b 100644
--- a/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md
+++ b/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md
@@ -28,7 +28,7 @@ Azure Kubernetes Service should have the proper network policy configuration to
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="24 10"
 ---
 - name: Create a managed Azure Container Services (AKS) instance03
 azure_rm_aks:
diff --git a/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md b/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md
index d94b83619fd..2f4531e9ff8 100644
--- a/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md
+++ b/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md
@@ -28,7 +28,7 @@ Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31"
 ---
 - name: Update PostgreSQL Server setting
 azure.azcollection.azure_rm_postgresqlconfiguration:
diff --git a/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md b/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md
index 982144d5b45..63bee22bb3a 100644
--- a/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md
+++ b/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md
@@ -28,7 +28,7 @@ The Active Directory Administrator is not configured for a SQL server
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 ---
 - name: Create (or update) SQL Server
 azure_rm_sqlserver:
diff --git a/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md b/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md
index 59567c8bcee..fbce438cb0d 100644
--- a/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md
+++ b/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md
@@ -28,7 +28,7 @@ Ensure Storage Account is using the latest version of TLS encryption
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 12"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 12"
 ---
 - name: Create an account with kind of FileStorage
 azure_rm_storageaccount:
diff --git a/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md b/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md
index b6258405bf6..dcc1491a727 100644
--- a/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md
+++ b/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md
@@ -28,7 +28,7 @@ Make sure that your Azure Storage Account access is limited to those who require
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 ---
 - name: create an account
 azure.azcollection.azure_rm_storageaccount:
@@ -41,7 +41,7 @@ Make sure that your Azure Storage Account access is limited to those who require
 public_network_access: Enabled
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="3"
 ---
 - name: create an account
 azure.azcollection.azure_rm_storageaccount:
@@ -53,7 +53,7 @@ Make sure that your Azure Storage Account access is limited to those who require
 delete: on-exit
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="3"
 ---
 - name: create an account
 azure.azcollection.azure_rm_storageaccount:
diff --git a/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md b/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md
index ad27b832d44..a1b3d05d276 100644
--- a/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md
+++ b/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md
@@ -28,7 +28,7 @@ Azure Container Service (AKS) instance should have logging enabled to Azure Moni
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 43 68 94"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 43 68 94"
 - name: Create an AKS instance v0
 azure_rm_aks:
 name: myAKS
diff --git a/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md b/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md
index 83e0d65fd83..29eb55afe9e 100644
--- a/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md
+++ b/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md
@@ -28,7 +28,7 @@ Azure Virtual Network subnet must be configured with a Network Security Group, w
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 35 9 16 28"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3 35 9 16 28"
 #this is a problematic code where the query should report a result(s)
 - name: Create a subnet1
 azure_rm_subnet:
diff --git a/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md b/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md
index 8e1bc38728e..830b7dc060d 100644
--- a/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md
+++ b/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md
@@ -28,7 +28,7 @@ Azure Instances should use SSH Key instead of basic authentication
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="1"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="1"
 ---
 - name: Create a VM with a custom image
 azure_rm_virtualmachine:
diff --git a/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md b/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md
index 9e4b85376de..cbc20688e7f 100644
--- a/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md
+++ b/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md
@@ -28,7 +28,7 @@ The IP range filter should be defined to secure the data stored
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: Create Cosmos DB Account - max
 azure_rm_cosmosdbaccount:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md b/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md
index aff552f1e0f..e53435acf87 100644
--- a/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md
+++ b/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md
@@ -28,7 +28,7 @@ Web app should only accept HTTPS traffic in Azure Web App Service.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="12 5"
 - name: Create a windows web app with non-exist app service plan
 azure_rm_webapp:
 resource_group: myResourceGroup
diff --git a/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md b/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md
index 1f9a137c237..bb9c8821182 100644
--- a/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md
+++ b/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md
@@ -28,7 +28,7 @@ Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 4 15"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 4 15"
 - name: ssh_keys_unblocked
 google.cloud.gcp_compute_instance:
 metadata:
diff --git a/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md b/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md
index 7d964613042..442ea47ccec 100644
--- a/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md
+++ b/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md
@@ -28,7 +28,7 @@ Checks if backup configuration is enabled for all Cloud SQL Database instances
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 ---
 - name: create a dataset
 google.cloud.gcp_bigquery_dataset:
diff --git a/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md b/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md
index 8c10e184e02..4012ade5e40 100644
--- a/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md
+++ b/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md
@@ -28,7 +28,7 @@ Instances must not be configured to use the Default Service Account, that has fu
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="115 57 3 86"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="115 57 3 86"
 #this is a problematic code where the query should report a result(s)
 - name: create a instance1
 google.cloud.gcp_compute_instance:
diff --git a/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md b/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md
index 4496527db2f..cabc45ca828 100644
--- a/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md
+++ b/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md
@@ -28,7 +28,7 @@ PostgreSQL database 'log_min_messages' flag isn't set to a valid value
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11"
 - name: sql_instance
 google.cloud.gcp_sql_instance:
 auth_kind: serviceaccount
diff --git a/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md b/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md
index 766873b0973..9f23d15b4e0 100644
--- a/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md
+++ b/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md
@@ -28,7 +28,7 @@ Google Compute Network should not use default firewall rule
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11"
 - name: create a firewall2
 google.cloud.gcp_compute_firewall:
 name: default
diff --git a/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md b/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md
index a97e66b97d0..aef3c096ffb 100644
--- a/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md
+++ b/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="18"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="18"
 #this is a problematic code where the query should report a result(s)
 - name: create a cluster
 google.cloud.gcp_container_cluster:
diff --git a/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md b/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md
index e857f058faa..2a31e2d3e98 100644
--- a/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md
+++ b/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md
@@ -28,7 +28,7 @@ GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, whic
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3 47 18 63"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="32 3 47 18 63"
 #this is a problematic code where the query should report a result(s)
 - name: create a cluster1
 google.cloud.gcp_container_cluster:
diff --git a/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md b/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md
index a9bf319e955..1a2af096385 100644
--- a/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md
+++ b/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md
@@ -28,7 +28,7 @@ Google Compute Network should not use a firewall rule that allows all ports
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="19"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="19"
 - name: create a firewall2
 google.cloud.gcp_compute_firewall:
 name: test_object
diff --git a/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md b/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md
index 1d6c11f29cb..3a75a0f3658 100644
--- a/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md
+++ b/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Private Clusters enabled, meaning the '
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 66 48 85 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2 66 48 85 31"
 - name: create a cluster1
 google.cloud.gcp_container_cluster:
 name: my-cluster1
diff --git a/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md b/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md
index 2a7aa48c448..f870b5307d8 100644
--- a/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md
+++ b/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md
@@ -28,7 +28,7 @@ Cloud storage bucket should have logging enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="3"
 ---
 - name: create a bucket
 google.cloud.gcp_storage_bucket:
diff --git a/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md b/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md
index 44b56fab352..73a147b0697 100644
--- a/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md
+++ b/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md
@@ -28,7 +28,7 @@ VM instance should have OSLogin enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 - name: oslogin-disabled
 google.cloud.gcp_compute_instance:
 metadata:
diff --git a/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md b/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md
index 64c8a40532c..b81694a9797 100644
--- a/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md
+++ b/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md
@@ -28,7 +28,7 @@ Google Compute Subnetwork should have Private Google Access enabled, which means
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 - name: create a subnetwork
 google.cloud.gcp_compute_subnetwork:
 name: ansiblenet
@@ -41,7 +41,7 @@ Google Compute Subnetwork should have Private Google Access enabled, which means
 state: present
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="10"
 - name: create a subnetwork2
 google.cloud.gcp_compute_subnetwork:
 name: ansiblenet
diff --git a/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md b/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md
index da2f120ab37..d136241fcb9 100644
--- a/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md
+++ b/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md
@@ -28,7 +28,7 @@ DNSSEC should not use the RSASHA1 algorithm
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="13"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="13"
 ---
 - name: create a managed zone
 google.cloud.gcp_dns_managed_zone:
diff --git a/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md b/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md
index 8f762c1f5f5..1c19622d7e1 100644
--- a/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md
+++ b/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md
@@ -28,7 +28,7 @@ SQL Instance should not have Contained Database Authentication On
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 - name: sql_instance
 google.cloud.gcp_sql_instance:
 auth_kind: serviceaccount
diff --git a/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md b/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md
index ffd7447de0c..d7ad9810706 100644
--- a/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md
+++ b/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md
@@ -28,7 +28,7 @@ Google Compute Network should not use a firewall rule that allows port range
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="19"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="19"
 - name: create a firewall2
 google.cloud.gcp_compute_firewall:
 name: test_object
diff --git a/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md b/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md
index 39661fe890f..f7087a23341 100644
--- a/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md
+++ b/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md
@@ -28,7 +28,7 @@ Check if the Google compute firewall allows unrestricted RDP access. Allowed por
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 29"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 29"
 - name: rdp_in_range
 google.cloud.gcp_compute_firewall:
 name: test_object
diff --git a/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md b/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md
index 63f1584112d..c6da60046a5 100644
--- a/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md
+++ b/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md
@@ -28,7 +28,7 @@ Cloud Storage Bucket should have versioning enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 3"
 ---
 - name: create a bucket
 google.cloud.gcp_storage_bucket:
diff --git a/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md b/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md
index 1851651bb14..7e58c1aea9b 100644
--- a/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md
+++ b/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md
@@ -28,7 +28,7 @@ Cloud SQL instances should not be publicly accessible.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 34 12"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="24 34 12"
 - name: sql_instance
 google.cloud.gcp_sql_instance:
 auth_kind: serviceaccount
diff --git a/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md b/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md
index 0305edcda16..df436b495fd 100644
--- a/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md
+++ b/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md
@@ -28,7 +28,7 @@ DNSSEC must be enabled for Cloud DNS
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 3 20"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="33 3 20"
 ---
 - name: create a managed zone
 google.cloud.gcp_dns_managed_zone:
diff --git a/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md b/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md
index 74ebf47b919..cbc8d166638 100644
--- a/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md
+++ b/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md
@@ -28,7 +28,7 @@ Compute instances shouldn't be accessible from the Internet.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 - name: create a instance
 google.cloud.gcp_compute_instance:
 name: test_object
diff --git a/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md b/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md
index 4154d513ced..177d6ca306f 100644
--- a/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md
+++ b/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md
@@ -28,7 +28,7 @@ PostgreSQL database instance should have a 'log_checkpoints' flag with its value
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16 5"
 - name: create instance
 google.cloud.gcp_sql_instance:
 name: GCP instance
diff --git a/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md b/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md
index 812ba74c49e..b82103f18b8 100644
--- a/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md
+++ b/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Network Policy enabled, meaning that the at
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="96 3 73 21 54"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="96 3 73 21 54"
 #this is a problematic code where the query should report a result(s)
 - name: create a cluster1
 google.cloud.gcp_container_cluster:
diff --git a/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md b/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md
index 390963ff6b9..0563363f10c 100644
--- a/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md
+++ b/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Master Authentication set to enabled, which
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3 46 18 61"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="32 3 46 18 61"
 #this is a problematic code where the query should report a result(s)
 - name: create a cluster1
 google.cloud.gcp_container_cluster:
diff --git a/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md b/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md
index 68a51f40ece..c2a9486c495 100644
--- a/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md
+++ b/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md
@@ -28,7 +28,7 @@ GCP SQL Instance should not have Cross DB Ownership Chaining On
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 - name: sql_instance
 google.cloud.gcp_sql_instance:
 auth_kind: serviceaccount
diff --git a/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md b/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md
index d2a6a22f412..b03b754a37c 100644
--- a/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md
+++ b/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md
@@ -28,7 +28,7 @@ MySQL Instance should not have Local Infile On
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 - name: sql_instance
 google.cloud.gcp_sql_instance:
 auth_kind: serviceaccount
diff --git a/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md b/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md
index d7840e712e7..4ae8531985f 100644
--- a/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md
+++ b/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md
@@ -28,7 +28,7 @@ PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" - name: sql_instance google.cloud.gcp_sql_instance: auth_kind: serviceaccount diff --git a/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md b/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md index ccdde05deb2..789c250cabb 100644 --- a/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md +++ b/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md @@ -28,7 +28,7 @@ This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, t ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16 2" - name: create a SSL policy google.cloud.gcp_compute_ssl_policy: name: test_object diff --git a/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md b/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md index 8e3a000e985..187356e40f4 100644 --- a/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md +++ b/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md @@ -28,7 +28,7 @@ Google Firewall should not allow SSH access (port 22) from the Internet (public ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" - name: ssh_unrestricted google.cloud.gcp_compute_firewall: name: test_object diff --git a/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md b/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md index 0da62b66cb9..7c15d9d4bdb 100644 
--- a/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md +++ b/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md @@ -28,7 +28,7 @@ A VM instance is configured to use the default service account with full access ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" - name: create a instance google.cloud.gcp_compute_instance: name: test_object diff --git a/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md b/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md index 812f11b4b0f..1d152e057a3 100644 --- a/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md +++ b/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md @@ -28,7 +28,7 @@ The node image should be Container-Optimized OS(COS)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13" --- - name: create a node pool google.cloud.gcp_container_node_pool: diff --git a/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md b/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md index 3c5b274bda4..914775949ae 100644 --- a/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md +++ b/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md @@ -28,7 +28,7 @@ Google Compute Engine VM instances should not enable serial ports. When enabled, ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" - name: serial_enabled google.cloud.gcp_compute_instance: metadata: diff --git a/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md b/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md index e1733be190e..7fa085088cd 100644 --- a/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md +++ b/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md @@ -28,7 +28,7 @@ Cloud SQL Database Instance should have SLL enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 3 13 39" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 3 13 39" --- - name: create a instance google.cloud.gcp_sql_instance: diff --git a/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md b/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md index a292263afa6..8924c94254f 100644 --- a/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md +++ b/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md @@ -28,7 +28,7 @@ Master authorized networks must be enabled in GKE clusters
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 10 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17 10 22" --- - name: create a cluster google.cloud.gcp_container_cluster: diff --git a/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md b/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md index 7374ee28412..b488985894e 100644 --- a/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md +++ b/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md @@ -28,7 +28,7 @@ Google Container Node Pool Auto Repair should be enabled. This service periodica ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 29 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26 29 13" --- - name: create a node pool google.cloud.gcp_container_node_pool: diff --git a/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md b/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md index b107df816f9..4f75cc4d558 100644 --- a/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md +++ b/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md @@ -28,7 +28,7 @@ Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upg ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 36 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 36 22" --- - name: create a node pool google.cloud.gcp_container_node_pool: diff --git a/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md b/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md index 1aa11f63f4e..01b4e869419 100644 
--- a/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md +++ b/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md @@ -28,7 +28,7 @@ PostgreSQL database 'log_temp_files' flag isn't set to '0'
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" - name: sql_instance google.cloud.gcp_sql_instance: auth_kind: serviceaccount diff --git a/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md b/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md index 17a7152f719..a870a49ee4a 100644 --- a/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md +++ b/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md @@ -28,7 +28,7 @@ PostgreSQL database instance should have a 'log_connections' flag with its value ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16 5" - name: create instance google.cloud.gcp_sql_instance: name: GCP instance diff --git a/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md b/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md index 4276ae3eed4..0e791847f73 100644 --- a/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md +++ b/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md @@ -28,7 +28,7 @@ Kubernetes Engine Clusters should not be configured to use the default service a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" - name: create a cluster google.cloud.gcp_container_cluster: name: my-cluster 
@@ -46,7 +46,7 @@ Kubernetes Engine Clusters should not be configured to use the default service a state: present ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" - name: create a cluster google.cloud.gcp_container_cluster: name: my-cluster diff --git a/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md b/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md index c0a5de150e1..b0088fd5ea8 100644 --- a/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md +++ b/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md @@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Alias IP ranges enabled, which means th ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 50 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 50 31" - name: create a cluster1 google.cloud.gcp_container_cluster: name: my-cluster1 diff --git a/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md b/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md index 54d24d5f913..bf975813b98 100644 --- a/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md +++ b/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md @@ -28,7 +28,7 @@ KMS encryption keys should be rotated every 90 days or less. A short lifetime of ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18 23" --- - name: create a key ring google.cloud.gcp_kms_key_ring: diff --git a/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md b/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md index 25a9cba2bf7..a32d2987231 100644 
--- a/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md +++ b/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md @@ -28,7 +28,7 @@ Kubernetes Clusters must be configured with labels, which means the attribute 'r ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 2 47" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17 2 47" - name: create a cluster1 google.cloud.gcp_container_cluster: name: my-cluster1 diff --git a/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md b/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md index a9f95adbc70..e661ec4402e 100644 --- a/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md +++ b/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19" +```json title="Positive test num. 1 - json file" hl_lines="19" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -55,7 +55,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -79,7 +79,7 @@ hide: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="18" +```json title="Positive test num. 3 - json file" hl_lines="18" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -104,7 +104,7 @@ hide: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="21" { @@ -142,7 +142,7 @@ hide: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="8" { @@ -177,7 +177,7 @@ hide: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="20" { diff --git a/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md b/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md index 5d50cfd9bb0..f982abf0b7f 100644 --- a/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md +++ b/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md @@ -28,7 +28,7 @@ Azure Security Center provides more features for standard pricing mode, so it mu ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="27" +```json title="Positive test num. 1 - json file" hl_lines="27" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -62,7 +62,7 @@ Azure Security Center provides more features for standard pricing mode, so it mu } ``` -```json title="Postitive test num. 2 - json file" hl_lines="29" +```json title="Positive test num. 2 - json file" hl_lines="29" { "properties": { "template": { @@ -105,7 +105,7 @@ Azure Security Center provides more features for standard pricing mode, so it mu } ``` -```json title="Postitive test num. 3 - json file" hl_lines="23" +```json title="Positive test num. 3 - json file" hl_lines="23" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.1", diff --git a/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md b/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md index 2e33d9c1abd..fb414a71f94 100644 --- a/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md +++ b/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md 
@@ -28,7 +28,7 @@ Log Profile Retention Policy should be enabled and the recommended number of day ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="26" +```json title="Positive test num. 1 - json file" hl_lines="26" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -63,7 +63,7 @@ Log Profile Retention Policy should be enabled and the recommended number of day } ``` -```json title="Postitive test num. 2 - json file" hl_lines="25 26" +```json title="Positive test num. 2 - json file" hl_lines="25 26" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -98,7 +98,7 @@ Log Profile Retention Policy should be enabled and the recommended number of day } ``` -```json title="Postitive test num. 3 - json file" hl_lines="28" +```json title="Positive test num. 3 - json file" hl_lines="28" { "properties": { "template": { @@ -141,7 +141,7 @@ Log Profile Retention Policy should be enabled and the recommended number of day } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="27 28" { diff --git a/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md b/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md index e9806cbd530..562424991d0 100644 --- a/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md +++ b/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md @@ -28,7 +28,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="8" +```json title="Positive test num. 1 - json file" hl_lines="8" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -70,7 +70,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl } ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -112,7 +112,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl } ``` -```json title="Postitive test num. 3 - json file" hl_lines="36" +```json title="Positive test num. 3 - json file" hl_lines="36" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -155,7 +155,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { @@ -200,7 +200,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="37" { @@ -248,7 +248,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="10" { @@ -302,7 +302,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="8" { @@ -356,7 +356,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="38" { @@ -411,7 +411,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ```
-
Postitive test num. 9 - json file +
Positive test num. 9 - json file ```json hl_lines="8" { @@ -465,7 +465,7 @@ Azure Kubernetes Service must have an authorized IP range for API Services enabl ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="39" { diff --git a/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md b/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md index eb196c50a62..e5f88296d89 100644 --- a/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md +++ b/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md @@ -28,7 +28,7 @@ Azure Kubernetes Service must have a network policy defined.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="6" +```json title="Positive test num. 1 - json file" hl_lines="6" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -70,7 +70,7 @@ Azure Kubernetes Service must have a network policy defined.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="37" +```json title="Positive test num. 2 - json file" hl_lines="37" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -115,7 +115,7 @@ Azure Kubernetes Service must have a network policy defined.
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "properties": { "template": { @@ -166,7 +166,7 @@ Azure Kubernetes Service must have a network policy defined.
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="39" { diff --git a/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md b/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md index 39cb11d318f..9b4c0988664 100644 --- a/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md +++ b/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md @@ -28,7 +28,7 @@ Port 22 (SSH) is exposed to the Internet
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19" +```json title="Positive test num. 1 - json file" hl_lines="19" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -84,7 +84,7 @@ Port 22 (SSH) is exposed to the Internet
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="13" +```json title="Positive test num. 2 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -116,7 +116,7 @@ Port 22 (SSH) is exposed to the Internet
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="20" +```json title="Positive test num. 3 - json file" hl_lines="20" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -159,7 +159,7 @@ Port 22 (SSH) is exposed to the Internet
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="21" { @@ -211,7 +211,7 @@ Port 22 (SSH) is exposed to the Internet
```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="15" { @@ -254,7 +254,7 @@ Port 22 (SSH) is exposed to the Internet
```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="22" { diff --git a/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md b/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md index 8bcfb8784f2..265975dd435 100644 --- a/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md +++ b/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md @@ -28,7 +28,7 @@ Azure Disk Encryption should be enabled
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="30" +```json title="Positive test num. 1 - json file" hl_lines="30" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -76,7 +76,7 @@ Azure Disk Encryption should be enabled
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="19" +```json title="Positive test num. 2 - json file" hl_lines="19" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -111,7 +111,7 @@ Azure Disk Encryption should be enabled
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="32" +```json title="Positive test num. 3 - json file" hl_lines="32" { "properties": { "template": { @@ -168,7 +168,7 @@ Azure Disk Encryption should be enabled
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="21" { diff --git a/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md b/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md index fafb33df225..d8ad5473102 100644 --- a/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md +++ b/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md @@ -28,7 +28,7 @@ Microsoft.Security securityContacts should have a phone number defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13" +```json title="Positive test num. 1 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -60,7 +60,7 @@ Microsoft.Security securityContacts should have a phone number defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="15" +```json title="Positive test num. 2 - json file" hl_lines="15" { "properties": { "template": { diff --git a/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md b/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md index 72739bb799a..d52bbf138f2 100644 --- a/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md +++ b/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md @@ -28,7 +28,7 @@ Storage Logging should be enabled for read, write and delete methods
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="83 87 79" +```json title="Positive test num. 1 - json file" hl_lines="83 87 79" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -135,7 +135,7 @@ Storage Logging should be enabled for read, write and delete methods
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="77 79" +```json title="Positive test num. 2 - json file" hl_lines="77 79" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -234,7 +234,7 @@ Storage Logging should be enabled for read, write and delete methods
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="67" +```json title="Positive test num. 3 - json file" hl_lines="67" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -311,7 +311,7 @@ Storage Logging should be enabled for read, write and delete methods
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="89 81 85" { @@ -430,7 +430,7 @@ Storage Logging should be enabled for read, write and delete methods
```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="81 79" { @@ -541,7 +541,7 @@ Storage Logging should be enabled for read, write and delete methods
```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="69" { diff --git a/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md b/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md index 23e3cfe8a57..7622f93f4ab 100644 --- a/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md +++ b/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -53,7 +53,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="17" +```json title="Positive test num. 2 - json file" hl_lines="17" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -79,7 +79,7 @@ hide: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="17" +```json title="Positive test num. 3 - json file" hl_lines="17" { "properties": { "template": { @@ -112,7 +112,7 @@ hide: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="19" { diff --git a/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md b/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md index debe607b323..17ff69b1edb 100644 --- a/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md +++ b/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md @@ -28,7 +28,7 @@ Secure parameters should not have hardcoded default value
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="7" +```json title="Positive test num. 1 - json file" hl_lines="7" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -65,7 +65,7 @@ Secure parameters should not have hardcoded default value
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "properties": { "template": { diff --git a/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md b/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md index efcab1e91c3..1f8b740b600 100644 --- a/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md +++ b/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md @@ -28,7 +28,7 @@ Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -63,7 +63,7 @@ Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "properties": { "template": { diff --git a/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md b/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md index fe89e050ccc..13ad3588711 100644 --- a/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md +++ b/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md @@ -28,7 +28,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="20 21" +```json title="Positive test num. 1 - json file" hl_lines="20 21" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -61,7 +61,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended } ``` -```json title="Postitive test num. 2 - json file" hl_lines="19 20" +```json title="Positive test num. 2 - json file" hl_lines="19 20" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -93,7 +93,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended } ``` -```json title="Postitive test num. 3 - json file" hl_lines="15" +```json title="Positive test num. 3 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -122,7 +122,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { @@ -157,7 +157,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="22 23" { @@ -201,7 +201,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="21 22" { @@ -244,7 +244,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="17" { @@ -284,7 +284,7 @@ Network Watcher Flow Log Retention Policy should be enabled and the recommended ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="17" { diff --git a/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md b/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md index 89781afb7d3..a19aecaa1a3 100644 --- a/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md +++ b/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md @@ -28,7 +28,7 @@ All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Proper ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -54,7 +54,7 @@ All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Proper } ``` -```json title="Postitive test num. 2 - json file" hl_lines="16" +```json title="Positive test num. 2 - json file" hl_lines="16" { "properties": { "template": { diff --git a/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md b/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md index 95ed0f1bdf0..977584de0bf 100644 --- a/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md +++ b/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md @@ -28,7 +28,7 @@ Port 3389 (Remote Desktop) is exposed to the Internet
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19" +```json title="Positive test num. 1 - json file" hl_lines="19" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -84,7 +84,7 @@ Port 3389 (Remote Desktop) is exposed to the Internet
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="13" +```json title="Positive test num. 2 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -116,7 +116,7 @@ Port 3389 (Remote Desktop) is exposed to the Internet
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="20" +```json title="Positive test num. 3 - json file" hl_lines="20" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -159,7 +159,7 @@ Port 3389 (Remote Desktop) is exposed to the Internet
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="21" { @@ -211,7 +211,7 @@ Port 3389 (Remote Desktop) is exposed to the Internet
```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="15" { @@ -254,7 +254,7 @@ Port 3389 (Remote Desktop) is exposed to the Internet
```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="22" { diff --git a/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md b/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md index 683b52a8fca..c6032e55260 100644 --- a/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md +++ b/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md @@ -28,7 +28,7 @@ Azure Instances should use SSH Key instead of basic authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="53" +```json title="Positive test num. 1 - json file" hl_lines="53" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -108,7 +108,7 @@ Azure Instances should use SSH Key instead of basic authentication
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="40" +```json title="Positive test num. 2 - json file" hl_lines="40" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -185,7 +185,7 @@ Azure Instances should use SSH Key instead of basic authentication
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="55" +```json title="Positive test num. 3 - json file" hl_lines="55" { "properties": { "template": { @@ -274,7 +274,7 @@ Azure Instances should use SSH Key instead of basic authentication
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="42" { diff --git a/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md b/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md index 12c3c0878c2..61aeabb5902 100644 --- a/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md +++ b/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md @@ -28,7 +28,7 @@ SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when s ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="31" +```json title="Positive test num. 1 - json file" hl_lines="31" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -70,7 +70,7 @@ SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when s } ``` -```json title="Postitive test num. 2 - json file" hl_lines="14" +```json title="Positive test num. 2 - json file" hl_lines="14" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -93,7 +93,7 @@ SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when s } ``` -```json title="Postitive test num. 3 - json file" hl_lines="33" +```json title="Positive test num. 3 - json file" hl_lines="33" { "properties": { "template": { @@ -143,7 +143,7 @@ SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when s } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="16" { diff --git a/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md b/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md index 6eaceb1123b..96f02814937 100644 --- a/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md +++ b/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -54,7 +54,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="15" +```json title="Positive test num. 2 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -83,7 +83,7 @@ hide: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="15" +```json title="Positive test num. 3 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -110,7 +110,7 @@ hide: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="17" { @@ -147,7 +147,7 @@ hide: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="17" { @@ -187,7 +187,7 @@ hide: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="17" { diff --git a/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md b/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md index ab0d7bd8864..4597d27a7e5 100644 --- a/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md +++ b/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md @@ -28,7 +28,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="17" +```json title="Positive test num. 1 - json file" hl_lines="17" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -61,7 +61,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen } ``` -```json title="Postitive test num. 2 - json file" hl_lines="13" +```json title="Positive test num. 2 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -90,7 +90,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen } ``` -```json title="Postitive test num. 3 - json file" hl_lines="16" +```json title="Positive test num. 3 - json file" hl_lines="16" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -122,7 +122,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="13" { @@ -152,7 +152,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="21" { @@ -188,7 +188,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="20" { @@ -223,7 +223,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="19" { @@ -267,7 +267,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="15" { @@ -307,7 +307,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 9 - json file +
Positive test num. 9 - json file ```json hl_lines="18" { @@ -350,7 +350,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="15" { @@ -388,7 +388,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 11 - json file +
Positive test num. 11 - json file ```json hl_lines="23" { @@ -432,7 +432,7 @@ Email notifications about new security alerts, should be set to 'On', and be sen ```
-
Postitive test num. 12 - json file +
Positive test num. 12 - json file ```json hl_lines="22" { diff --git a/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md b/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md index 4e0b3a109fd..aed74f3bab5 100644 --- a/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md +++ b/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md @@ -28,7 +28,7 @@ Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -75,7 +75,7 @@ Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true } ``` -```json title="Postitive test num. 2 - json file" hl_lines="39" +```json title="Positive test num. 2 - json file" hl_lines="39" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -123,7 +123,7 @@ Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true } ``` -```json title="Postitive test num. 3 - json file" hl_lines="17" +```json title="Positive test num. 3 - json file" hl_lines="17" { "properties": { "template": { @@ -184,7 +184,7 @@ Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="41" { diff --git a/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md b/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md index 6acb237dbed..4e5bb8f280e 100644 --- a/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md +++ b/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md @@ -28,7 +28,7 @@ Azure App Service should have App Service Authentication set
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="37" +```json title="Positive test num. 1 - json file" hl_lines="37" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -81,7 +81,7 @@ Azure App Service should have App Service Authentication set
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="33" +```json title="Positive test num. 2 - json file" hl_lines="33" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -134,7 +134,7 @@ Azure App Service should have App Service Authentication set
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="44" +```json title="Positive test num. 3 - json file" hl_lines="44" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -185,7 +185,7 @@ Azure App Service should have App Service Authentication set
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="40" { @@ -239,7 +239,7 @@ Azure App Service should have App Service Authentication set
```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="39" { @@ -304,7 +304,7 @@ Azure App Service should have App Service Authentication set
```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="35" { @@ -369,7 +369,7 @@ Azure App Service should have App Service Authentication set
```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="46" { @@ -432,7 +432,7 @@ Azure App Service should have App Service Authentication set
```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="42" { diff --git a/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md b/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md index be9841a901b..4a0f2a52784 100644 --- a/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md +++ b/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md @@ -28,7 +28,7 @@ SQL Database Server should contain emails to be notified in the event of a Secur ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="46" +```json title="Positive test num. 1 - json file" hl_lines="46" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -87,7 +87,7 @@ SQL Database Server should contain emails to be notified in the event of a Secur } ``` -```json title="Postitive test num. 2 - json file" hl_lines="48" +```json title="Positive test num. 2 - json file" hl_lines="48" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -147,7 +147,7 @@ SQL Database Server should contain emails to be notified in the event of a Secur } ``` -```json title="Postitive test num. 3 - json file" hl_lines="48" +```json title="Positive test num. 3 - json file" hl_lines="48" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -207,7 +207,7 @@ SQL Database Server should contain emails to be notified in the event of a Secur } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="48" { @@ -277,7 +277,7 @@ SQL Database Server should contain emails to be notified in the event of a Secur ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="50" { @@ -348,7 +348,7 @@ SQL Database Server should contain emails to be notified in the event of a Secur ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="50" { diff --git a/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md b/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md index 73de90855f9..8abf8d41f7f 100644 --- a/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md +++ b/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md @@ -28,7 +28,7 @@ Role Definitions should not allow custom subscription role creation (actions set ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="18" +```json title="Positive test num. 1 - json file" hl_lines="18" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -61,7 +61,7 @@ Role Definitions should not allow custom subscription role creation (actions set } ``` -```json title="Postitive test num. 2 - json file" hl_lines="18" +```json title="Positive test num. 2 - json file" hl_lines="18" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -94,7 +94,7 @@ Role Definitions should not allow custom subscription role creation (actions set } ``` -```json title="Postitive test num. 3 - json file" hl_lines="20" +```json title="Positive test num. 3 - json file" hl_lines="20" { "properties": { "template": { @@ -135,7 +135,7 @@ Role Definitions should not allow custom subscription role creation (actions set } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="20" { diff --git a/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md b/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md index 66ebdec4f0b..71de04d9b9b 100644 --- a/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md +++ b/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="16" +```json title="Positive test num. 1 - json file" hl_lines="16" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -58,7 +58,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="18" +```json title="Positive test num. 2 - json file" hl_lines="18" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -89,7 +89,7 @@ hide: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="18" +```json title="Positive test num. 3 - json file" hl_lines="18" { "properties": { "template": { @@ -127,7 +127,7 @@ hide: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="20" { diff --git a/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md b/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md index b899536050c..5eff325581d 100644 --- a/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md +++ b/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="41" +```json title="Positive test num. 1 - json file" hl_lines="41" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -83,7 +83,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="18" +```json title="Positive test num. 2 - json file" hl_lines="18" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -109,7 +109,7 @@ hide: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -134,7 +134,7 @@ hide: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="43" { @@ -206,7 +206,7 @@ hide: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="20" { @@ -249,7 +249,7 @@ hide: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="10" { diff --git a/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md b/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md index 7d0bca24f3a..deda1002280 100644 --- a/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md +++ b/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -53,7 +53,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="17" +```json title="Positive test num. 2 - json file" hl_lines="17" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -79,7 +79,7 @@ hide: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="17" +```json title="Positive test num. 3 - json file" hl_lines="17" { "properties": { "template": { @@ -112,7 +112,7 @@ hide: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="19" { diff --git a/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md b/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md index 81c2ed4bc6a..fbefeed7991 100644 --- a/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md +++ b/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md @@ -28,7 +28,7 @@ Microsoft.ContainerService/managedClusters should have enableRBAC set to true
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="38" { diff --git a/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md b/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md index 87cf53b8f25..5e1d3ca6f6f 100644 --- a/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md +++ b/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md @@ -28,7 +28,7 @@ Azure Kubernetes Service should have logging to Azure Monitoring enabled.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -78,7 +78,7 @@ Azure Kubernetes Service should have logging to Azure Monitoring enabled.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -123,7 +123,7 @@ Azure Kubernetes Service should have logging to Azure Monitoring enabled.
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="16" +```json title="Positive test num. 3 - json file" hl_lines="16" { "properties": { "template": { @@ -182,7 +182,7 @@ Azure Kubernetes Service should have logging to Azure Monitoring enabled.
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="8" { diff --git a/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md b/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md index e5671afff09..56aca644a54 100644 --- a/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md +++ b/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md @@ -28,7 +28,7 @@ Storage Blob Service Container should not publicly accessible
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -53,7 +53,7 @@ Storage Blob Service Container should not publicly accessible
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="107" +```json title="Positive test num. 2 - json file" hl_lines="107" { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -170,7 +170,7 @@ Storage Blob Service Container should not publicly accessible
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="50" +```json title="Positive test num. 3 - json file" hl_lines="50" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -230,7 +230,7 @@ Storage Blob Service Container should not publicly accessible
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="17" { @@ -272,7 +272,7 @@ Storage Blob Service Container should not publicly accessible
```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="109" { @@ -406,7 +406,7 @@ Storage Blob Service Container should not publicly accessible
```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="52" { diff --git a/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md b/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md index bfe3589627f..31610132fa8 100644 --- a/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md +++ b/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md @@ -28,7 +28,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttl ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45" +```json title="Positive test num. 1 - json file" hl_lines="45" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -83,7 +83,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttl } ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -129,7 +129,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttl } ``` -```json title="Postitive test num. 3 - json file" hl_lines="9" +```json title="Positive test num. 3 - json file" hl_lines="9" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -184,7 +184,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttl } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="47" { @@ -250,7 +250,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttl ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="11" { @@ -307,7 +307,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttl ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="11" { diff --git a/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md b/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md index 6bdecd8080e..f2ddf034af6 100644 --- a/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md +++ b/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md @@ -28,7 +28,7 @@ Account admins should be notified by email in the event of security alerts
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -53,7 +53,7 @@ Account admins should be notified by email in the event of security alerts
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="13" +```json title="Positive test num. 2 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -77,7 +77,7 @@ Account admins should be notified by email in the event of security alerts
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="16" +```json title="Positive test num. 3 - json file" hl_lines="16" { "properties": { "template": { @@ -110,7 +110,7 @@ Account admins should be notified by email in the event of security alerts
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { diff --git a/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md b/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md index 94acce7ed41..f2cfa804128 100644 --- a/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md +++ b/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md @@ -28,7 +28,7 @@ Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.min ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -48,7 +48,7 @@ Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.min } ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -64,7 +64,7 @@ Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.min } ``` -```json title="Postitive test num. 3 - json file" hl_lines="14" +```json title="Positive test num. 3 - json file" hl_lines="14" { "properties": { "template": { @@ -93,7 +93,7 @@ Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.min } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="10" { diff --git a/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md b/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md index fc4aab72ec9..260ae4951eb 100644 --- a/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md +++ b/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md @@ -28,7 +28,7 @@ Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enab ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -98,7 +98,7 @@ Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enab } ``` -```json title="Postitive test num. 2 - json file" hl_lines="13" +```json title="Positive test num. 2 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -172,7 +172,7 @@ Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enab } ``` -```json title="Postitive test num. 3 - json file" hl_lines="16" +```json title="Positive test num. 3 - json file" hl_lines="16" { "properties": { "template": { @@ -250,7 +250,7 @@ Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enab } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { diff --git a/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md b/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md index 377eb4f8414..77d75cf549e 100644 --- a/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md +++ b/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md @@ -28,7 +28,7 @@ SQL Server Database Auditing Settings should keep the audit logs in the storage ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="48" +```json title="Positive test num. 1 - json file" hl_lines="48" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -92,7 +92,7 @@ SQL Server Database Auditing Settings should keep the audit logs in the storage } ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -155,7 +155,7 @@ SQL Server Database Auditing Settings should keep the audit logs in the storage } ``` -```json title="Postitive test num. 3 - json file" hl_lines="50" +```json title="Positive test num. 3 - json file" hl_lines="50" { "properties": { "template": { @@ -227,7 +227,7 @@ SQL Server Database Auditing Settings should keep the audit logs in the storage } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="45" { diff --git a/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md b/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md index 9c5aa0fbd13..fc494cc279b 100644 --- a/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md +++ b/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md @@ -28,7 +28,7 @@ Azure Kubernetes Service should have the Kubernetes dashboard disabled.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -78,7 +78,7 @@ Azure Kubernetes Service should have the Kubernetes dashboard disabled.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="16" +```json title="Positive test num. 2 - json file" hl_lines="16" { "properties": { "template": { diff --git a/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md b/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md index e0c4a136ecc..220a27d9f65 100644 --- a/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md +++ b/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md @@ -28,7 +28,7 @@ All Secrets must have an expiration date defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="49" +```json title="Positive test num. 1 - json file" hl_lines="49" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -87,7 +87,7 @@ All Secrets must have an expiration date defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="54" +```json title="Positive test num. 2 - json file" hl_lines="54" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -154,7 +154,7 @@ All Secrets must have an expiration date defined
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="51" +```json title="Positive test num. 3 - json file" hl_lines="51" { "properties": { "template": { @@ -221,7 +221,7 @@ All Secrets must have an expiration date defined
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="56" { diff --git a/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md b/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md index 18386f7396c..630357f1b08 100644 --- a/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md +++ b/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md @@ -28,7 +28,7 @@ Make sure that your Azure Storage Account access is limited to those who require ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13" +```json title="Positive test num. 1 - json file" hl_lines="13" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -53,7 +53,7 @@ Make sure that your Azure Storage Account access is limited to those who require ] } ``` -```json title="Postitive test num. 2 - json file" hl_lines="11" +```json title="Positive test num. 2 - json file" hl_lines="11" { "document": [ { @@ -76,7 +76,7 @@ Make sure that your Azure Storage Account access is limited to those who require ] } ``` -```json title="Postitive test num. 3 - json file" hl_lines="12" +```json title="Positive test num. 3 - json file" hl_lines="12" { "document": [ { diff --git a/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md b/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md index 61d02ad8816..7861a710657 100644 --- a/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md +++ b/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md @@ -28,7 +28,7 @@ Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="24" { diff --git a/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md b/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md index 6ac8dfb7ef1..0773e79f61e 100644 --- a/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md +++ b/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md @@ -28,7 +28,7 @@ Trusted Microsoft Services should be enabled for Storage Account access
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="21" +```json title="Positive test num. 1 - json file" hl_lines="21" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -72,7 +72,7 @@ Trusted Microsoft Services should be enabled for Storage Account access
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -106,7 +106,7 @@ Trusted Microsoft Services should be enabled for Storage Account access
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="23" +```json title="Positive test num. 3 - json file" hl_lines="23" { "properties": { "template": { @@ -158,7 +158,7 @@ Trusted Microsoft Services should be enabled for Storage Account access
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="23" { diff --git a/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md b/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md index a9572850ff9..6ec0d24b214 100644 --- a/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md +++ b/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md @@ -28,7 +28,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="40" +```json title="Positive test num. 1 - json file" hl_lines="40" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -87,7 +87,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p } ``` -```json title="Postitive test num. 2 - json file" hl_lines="45" +```json title="Positive test num. 2 - json file" hl_lines="45" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -143,7 +143,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p } ``` -```json title="Postitive test num. 3 - json file" hl_lines="44" +```json title="Positive test num. 3 - json file" hl_lines="44" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -199,7 +199,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="43" { @@ -265,7 +265,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="42" { @@ -336,7 +336,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="47" { @@ -403,7 +403,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="46" { @@ -470,7 +470,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' p ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="45" { diff --git a/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md b/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md index fb0ae3d9f28..cd6810720c4 100644 --- a/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md +++ b/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md @@ -28,7 +28,7 @@ WebApp should have Azure Active Directory enabled with 'identity.type' set to ' ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="10" +```json title="Positive test num. 1 - json file" hl_lines="10" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -54,7 +54,7 @@ WebApp should have Azure Active Directory enabled with 'identity.type' set to ' } ``` -```json title="Postitive test num. 2 - json file" hl_lines="15" +```json title="Positive test num. 2 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -83,7 +83,7 @@ WebApp should have Azure Active Directory enabled with 'identity.type' set to ' } ``` -```json title="Postitive test num. 3 - json file" hl_lines="15" +```json title="Positive test num. 3 - json file" hl_lines="15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", @@ -110,7 +110,7 @@ WebApp should have Azure Active Directory enabled with 'identity.type' set to ' } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="12" { @@ -147,7 +147,7 @@ WebApp should have Azure Active Directory enabled with 'identity.type' set to ' ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="17" { @@ -187,7 +187,7 @@ WebApp should have Azure Active Directory enabled with 'identity.type' set to ' ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="17" { diff --git a/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md b/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md index 1a16c7e3f23..8e321903916 100644 --- a/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md +++ b/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md @@ -28,7 +28,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43" +```json title="Positive test num. 1 - json file" hl_lines="43" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -125,7 +125,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr } ``` -```json title="Postitive test num. 2 - json file" hl_lines="45" +```json title="Positive test num. 2 - json file" hl_lines="45" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -181,7 +181,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr } ``` -```json title="Postitive test num. 3 - json file" hl_lines="44" +```json title="Positive test num. 3 - json file" hl_lines="44" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", @@ -237,7 +237,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="43" { @@ -296,7 +296,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="45" { @@ -404,7 +404,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="47" { @@ -471,7 +471,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="46" { @@ -538,7 +538,7 @@ Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' pr ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="45" { diff --git a/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md b/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md index 1f46c02011b..41c1d16eb85 100644 --- a/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md +++ b/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md @@ -28,7 +28,7 @@ GitHub Actions workflows can be triggered by a variety of events. Every workflow ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" name: Web Page To Markdown on: issues: @@ -69,7 +69,7 @@ jobs: commit_user_name: PageToMarkdown Bot commit_user_email: PageToMarkdown-bot@freeCodeCamp.org ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="13" name: Pull Request Workflow on: @@ -87,7 +87,7 @@ jobs: ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +```yaml title="Positive test num. 3 - yaml file" hl_lines="13" name: Issue Comment Workflow on: @@ -104,7 +104,7 @@ jobs: echo "Issue Comment Body: ${{ github.event.comment.body }}" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="13" name: Discussion Workflow @@ -124,7 +124,7 @@ jobs: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="13" name: Discussion Comment Workflow @@ -144,7 +144,7 @@ jobs: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="13" name: Author Workflow @@ -164,7 +164,7 @@ jobs: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="13" name: Workflow Run Workflow diff --git a/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md b/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md index 7348df26d97..66179c4a82d 100644 --- a/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md +++ b/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md @@ -28,7 +28,7 @@ Pinning an action to a full length commit SHA is currently the only way to use a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" name: test-positive on: pull_request: diff --git a/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md b/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md index 9bd015d46b2..b8fda6ad71e 100644 --- a/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md +++ b/docs/queries/cicd-queries/common/60fd272d-15f4-4d8f-afe4-77d9c6cc0453.md @@ -28,7 +28,7 @@ There are deprecated set-env and add-path commands that can be explicitly enable ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" name: Vulnerable workflow on: @@ -63,7 +63,7 @@ jobs: }); github-token: ${{ secrets.GITHUB_TOKEN }} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" name: Vulnerable workflow on: @@ -96,7 +96,7 @@ jobs: }); github-token: ${{ secrets.GITHUB_TOKEN }} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16" name: Vulnerable workflow on: 
diff --git a/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md b/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md index 9ac4e2e1f66..d34afbfd9c3 100644 --- a/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md +++ b/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md @@ -28,7 +28,7 @@ GitHub Actions workflows can be triggered by a variety of events. Every workflow ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17" name: test-script-run on: @@ -58,7 +58,7 @@ jobs: return true; ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="17" +```yaml title="Positive test num. 2 - yaml file" hl_lines="17" name: test-script-run on: @@ -88,7 +88,7 @@ jobs: return true; ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="17" +```yaml title="Positive test num. 3 - yaml file" hl_lines="17" name: test-script-run on: @@ -118,7 +118,7 @@ jobs: return true; ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="17" name: test-script-run @@ -151,7 +151,7 @@ jobs: return true; ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="17" name: test-script-run @@ -184,7 +184,7 @@ jobs: return true; ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="17" name: test-script-run @@ -217,7 +217,7 @@ jobs: return true; ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="17" name: test-script-run diff --git a/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md b/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md index 98201a57663..42821449547 100644 --- a/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md +++ b/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md @@ -28,7 +28,7 @@ The IP address in a DB Security Group must not have more than 256 hosts.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" Resources: DBinstance1: Type: AWS::RDS::DBInstance @@ -50,7 +50,7 @@ Resources: CIDRIP: 1.2.3.4/23 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" Resources: DBinstance2: Type: AWS::RDS::DBInstance @@ -72,7 +72,7 @@ Resources: CidrIp: 1.2.3.4/23 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="18" +```yaml title="Positive test num. 3 - yaml file" hl_lines="18" Resources: DBinstance3: Type: AWS::RDS::DBInstance @@ -94,7 +94,7 @@ Resources: CidrIpv6: 2001:db8:a::123/64 ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="23" { @@ -129,7 +129,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="23" { @@ -164,7 +164,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="23" { diff --git a/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md b/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md index 58fe99ea486..6367d749e33 100644 --- a/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md +++ b/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md @@ -28,7 +28,7 @@ ECS Services must not have Admin roles, which means the attribute 'role' must no ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="87" +```yaml title="Positive test num. 1 - yaml file" hl_lines="87" #this is a problematic code where the query should report a result(s) AWSTemplateFormatVersion: 2010-09-09 Description: Creating ECS service @@ -147,7 +147,7 @@ Outputs: Cluster: Value: !Ref cluster ``` -```json title="Postitive test num. 2 - json file" hl_lines="66" +```json title="Positive test num. 2 - json file" hl_lines="66" { "Parameters": { "HealthCheckGracePeriodSeconds": { diff --git a/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md b/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md index 3ffdf4eb1fe..e080bb61858 100644 --- a/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md +++ b/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md @@ -28,7 +28,7 @@ An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbo ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: 2010-09-09 Resources: sgwithoutegress: 
@@ -41,7 +41,7 @@ Resources: SecurityGroups: - sgwithoutegress ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/0264093f-6791-4475-af34-4b8102dcbcd0.md b/docs/queries/cloudformation-queries/aws/0264093f-6791-4475-af34-4b8102dcbcd0.md index 5d3e4653a85..49c3e020c8f 100644 --- a/docs/queries/cloudformation-queries/aws/0264093f-6791-4475-af34-4b8102dcbcd0.md +++ b/docs/queries/cloudformation-queries/aws/0264093f-6791-4475-af34-4b8102dcbcd0.md @@ -28,7 +28,7 @@ EC2 Instance should have detailed monitoring enabled. With detailed monitoring e ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: MyEC2Instance: Type: AWS::EC2::Instance @@ -38,7 +38,7 @@ Resources: Monitoring: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" Resources: MyEC2Instance: Type: AWS::EC2::Instance diff --git a/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md b/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md index 7ac1222391b..ec39679b0c3 100644 --- a/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md +++ b/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md @@ -28,7 +28,7 @@ Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the co ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: 
@@ -57,7 +57,7 @@ Resources: Essential: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md b/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md index b8478021045..f1474a9805b 100644 --- a/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md +++ b/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md @@ -28,7 +28,7 @@ To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -50,7 +50,7 @@ Resources: RuleAction: allow CidrBlock: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md b/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md index cf162de2c0e..13da3868337 100644 --- a/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md +++ b/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md 
@@ -28,7 +28,7 @@ Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter w ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" Resources: NewAmpApp-1: Type: AWS::Amplify::App @@ -44,7 +44,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" Parameters: ParentPassword: Description: 'Password' @@ -72,7 +72,7 @@ Resources: Username: !Ref ParentUsername ``` -```json title="Postitive test num. 3 - json file" hl_lines="5" +```json title="Positive test num. 3 - json file" hl_lines="5" { "Resources": { "NewAmpApp-1": { @@ -92,7 +92,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="11" { diff --git a/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md b/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md index 5da80c5cf38..40c527b15a5 100644 --- a/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md +++ b/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md @@ -28,7 +28,7 @@ A Network ACL's rule numbers cannot be repeated unless one is egress and the oth ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 12 52 39" +```yaml title="Positive test num. 1 - yaml file" hl_lines="25 12 52 39" AWSTemplateFormatVersion: '2010-09-09' Resources: MyNACL: @@ -87,7 +87,7 @@ Resources: CidrBlock: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="33 23 57 71" +```json title="Positive test num. 2 - json file" hl_lines="33 23 57 71" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md b/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md index bdabbc1b8fe..07f80a0e7f5 100644 --- a/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md +++ b/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md @@ -28,7 +28,7 @@ Logs delivered by CloudTrail should be encrypted using KMS to increase security ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="62" +```yaml title="Positive test num. 1 - yaml file" hl_lines="62" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: 
@@ -101,7 +101,7 @@ Resources: IsMultiRegionTrail: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="53" +```json title="Positive test num. 2 - json file" hl_lines="53" { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { @@ -213,7 +213,7 @@ Resources: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="6" +```json title="Positive test num. 3 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md b/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md index 919f8954f80..f89865b666b 100644 --- a/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md +++ b/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md @@ -28,7 +28,7 @@ CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionT ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="76 70" +```yaml title="Positive test num. 1 - yaml file" hl_lines="76 70" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -114,7 +114,7 @@ Resources: IsLogging: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="32 17" +```json title="Positive test num. 2 - json file" hl_lines="32 17" { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { diff --git a/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md b/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md index 92bae34aecb..a098fd1b101 100644 --- a/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md +++ b/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md @@ -28,7 +28,7 @@ A IAM user should belong to a group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -58,7 +58,7 @@ Resources: UserName: TestUser ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -89,7 +89,7 @@ Resources: UserName: TestUser ``` -```json title="Postitive test num. 3 - json file" hl_lines="5" +```json title="Positive test num. 3 - json file" hl_lines="5" { "Resources": { "MyUser": { @@ -139,7 +139,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="8" { diff --git a/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md b/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md index b2a13a75bbb..04a48cb93b1 100644 --- a/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md +++ b/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md @@ -28,7 +28,7 @@ IAM User LoginProfile Password must not be a plaintext string
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -56,7 +56,7 @@ Resources: - !GetAtt myqueue.Arn ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md b/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md index d7fef6966da..b76fe582605 100644 --- a/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md +++ b/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md @@ -28,7 +28,7 @@ Directory Service Microsoft AD password must not be a plaintext string or a Ref ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="14" Parameters: ParentMasterUsername: Description: 'username' @@ -46,7 +46,7 @@ Resources: ShortName: String ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +```yaml title="Positive test num. 2 - yaml file" hl_lines="9" Resources: NewAmpApp: Type: AWS::DirectoryService::MicrosoftAD @@ -59,7 +59,7 @@ Resources: ShortName: String ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +```yaml title="Positive test num. 3 - yaml file" hl_lines="5" Parameters: ParentMasterPassword: Description: 'Password' @@ -82,7 +82,7 @@ Resources: ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="17" { @@ -110,7 +110,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="11" { @@ -131,7 +131,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md b/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md index 7ec15c6ec45..2df47512b81 100644 --- a/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md +++ b/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md @@ -28,7 +28,7 @@ API Gateway Deployment should have access log setting defined when connected to ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="29" +```yaml title="Positive test num. 1 - yaml file" hl_lines="29" AWSTemplateFormatVersion: "2010-09-09" Description: "ApiGateway" Resources: @@ -62,7 +62,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" AWSTemplateFormatVersion: "2010-09-09" Description: "ApiGateway" Resources: @@ -95,7 +95,7 @@ Resources: ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="21" +```yaml title="Positive test num. 3 - yaml file" hl_lines="21" AWSTemplateFormatVersion: "2010-09-09" Description: "ApiGateway" Resources: @@ -126,7 +126,7 @@ Resources: StageName: DummyStage ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { @@ -179,7 +179,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="31" { @@ -229,7 +229,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="31" { diff --git a/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md b/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md index 0f40957338b..e6ac242f913 100644 --- a/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md +++ b/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md @@ -28,7 +28,7 @@ S3 Buckets should not be readable and writable to all users
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -42,7 +42,7 @@ Resources: Value: ITEngineering ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -59,7 +59,7 @@ Resources: Value: ITEngineering ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -79,7 +79,7 @@ Resources: Value: CICD ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 @@ -95,7 +95,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="13" { @@ -120,7 +120,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="8" { @@ -149,7 +149,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="8" { @@ -184,7 +184,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="8" { diff --git a/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md b/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md index 869035fe16b..f6fd32645e1 100644 --- a/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md +++ b/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md @@ -28,7 +28,7 @@ Ensure that AWS Elasticsearch enables support for slow logs
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34" AWSTemplateFormatVersion: "2010-09-09" Description: ElasticsearchDomain resource Resources: @@ -71,7 +71,7 @@ Resources: rest.action.multi.allow_explicit_index: "true" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" AWSTemplateFormatVersion: "2010-09-09" Description: ElasticsearchDomain resource Resources: @@ -110,7 +110,7 @@ Resources: rest.action.multi.allow_explicit_index: "true" ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: ElasticsearchDomain resource Resources: @@ -144,7 +144,7 @@ Resources: rest.action.multi.allow_explicit_index: "true" ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="44" { @@ -204,7 +204,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="42" { @@ -264,7 +264,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="7" { diff --git a/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md b/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md index fa4b2fe1899..46c20aecdaf 100644 --- a/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md +++ b/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md @@ -28,7 +28,7 @@ EC2 instances should not use default security group(s)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" Resources: MyEC2Instance: Type: AWS::EC2::Instance @@ -48,7 +48,7 @@ EC2 instances should not use default security group(s)
NoDevice: {} ``` -```json title="Postitive test num. 2 - json file" hl_lines="23" +```json title="Positive test num. 2 - json file" hl_lines="23" { "Resources": { "MyEC2Instance": { diff --git a/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md b/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md index 551aab16c17..41105d1fce3 100644 --- a/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md +++ b/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md @@ -28,7 +28,7 @@ Amazon Elastic Filesystem should have filesystem tags associated
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" AWSTemplateFormatVersion: '2010-09-09' Description: Create Elastic File System Parameters: @@ -69,7 +69,7 @@ Resources: Value: !Ref Project ``` -```json title="Postitive test num. 2 - json file" hl_lines="40" +```json title="Positive test num. 2 - json file" hl_lines="40" { "Parameters": { "Project": { diff --git a/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md b/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md index e8ffb6fe376..9500ed888e4 100644 --- a/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md +++ b/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md @@ -28,7 +28,7 @@ AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -41,7 +41,7 @@ Resources: CacheClusterEnabled: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md b/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md index c7139420a94..8a472e7df8b 100644 --- a/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md 
+++ b/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md @@ -28,7 +28,7 @@ A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an eas ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Volume" Resources: @@ -44,7 +44,7 @@ Resources: DeletionPolicy: Snapshot ``` -```json title="Postitive test num. 2 - json file" hl_lines="5" +```json title="Positive test num. 2 - json file" hl_lines="5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Volume", @@ -68,7 +68,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Volume" Resources: @@ -84,7 +84,7 @@ Resources: DeletionPolicy: Snapshot ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { @@ -111,7 +111,7 @@ Resources: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" @@ -129,7 +129,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md b/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md index a0ff971097c..e408d5a7c2f 100644 --- a/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md +++ b/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md @@ -28,7 +28,7 @@ Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" AWSTemplateFormatVersion: "2010-09-09" Description: MSK Cluster with required properties. Resources: @@ -49,7 +49,7 @@ Resources: Type: SERVICE_PROVIDED_EIPS ``` -```json title="Postitive test num. 2 - json file" hl_lines="15" +```json title="Positive test num. 2 - json file" hl_lines="15" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "MSK Cluster with required properties.", diff --git a/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md b/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md index 4021adb5c6f..ca1e9d715d5 100644 --- a/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md +++ b/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md @@ -28,7 +28,7 @@ Make sure that any managed IAM policies are implemented in a group and not in a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" Resources: CreateTestDBPolicy: Type: 'AWS::IAM::ManagedPolicy' 
@@ -41,7 +41,7 @@ Resources: Users: - TestUser ``` -```json title="Postitive test num. 2 - json file" hl_lines="11" +```json title="Positive test num. 2 - json file" hl_lines="11" { "Resources": { "CreateTestDBPolicy": { diff --git a/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md b/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md index b44c61daa55..aa05b9e03ee 100644 --- a/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md +++ b/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md @@ -28,7 +28,7 @@ Check if CloudWatch logging is disabled for Route53 hosted zones
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -38,7 +38,7 @@ Resources: Name: "HostedZone" ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Router53", diff --git a/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md b/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md index f41e82ff96b..24e41c6ac1c 100644 --- a/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md +++ b/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md @@ -28,7 +28,7 @@ All AWS CloudFront distributions should be integrated with the Web Application F ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Resources: cloudfrontdistribution: @@ -54,7 +54,7 @@ Resources: Value: string-value ``` -```json title="Postitive test num. 2 - json file" hl_lines="13" +```json title="Positive test num. 2 - json file" hl_lines="13" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md b/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md index 37937692824..2cd5ca9a9c7 100644 --- a/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md +++ b/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md 
@@ -28,7 +28,7 @@ API Gateway Method should restrict the authorization type, except for the HTTP O ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -45,7 +45,7 @@ Resources: Type: MOCK ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Router53", diff --git a/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md b/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md index ceb0c63f0a4..9f9887b525c 100644 --- a/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md +++ b/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md @@ -28,7 +28,7 @@ All Application Load Balancers (ALB) must be protected with Web Application Fire ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: MyLoadBalancer22: @@ -49,7 +49,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +```yaml title="Positive test num. 2 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: MyLoadBalancerV2: @@ -59,7 +59,7 @@ Resources: Scheme: internet-facing ``` -```json title="Postitive test num. 3 - json file" hl_lines="4" +```json title="Positive test num. 3 - json file" hl_lines="4" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { @@ -89,7 +89,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="4" { diff --git a/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md b/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md index d8112e7b557..7475a34080b 100644 --- a/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md +++ b/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md @@ -28,7 +28,7 @@ A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL da ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: myNewTable1: @@ -41,7 +41,7 @@ Resources: ColumnType: ASCII ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +```yaml title="Positive test num. 2 - yaml file" hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' Resources: myNewTable2: diff --git a/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md b/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md index f716d9d86dd..88a1642da8b 100644 --- a/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md +++ b/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md @@ -28,7 +28,7 @@ Amazon Simple Queue Service (SQS) queue should protect the contents of their mes ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 4" Resources: MyQueue: Type: AWS::SQS::Queue @@ -41,7 +41,7 @@ Resources: SqsManagedSseEnabled: false ``` -```json title="Postitive test num. 2 - json file" hl_lines="11 5" +```json title="Positive test num. 2 - json file" hl_lines="11 5" { "Resources": { "MyQueue": { 
diff --git a/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md b/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md index b63999348b2..34c976f5363 100644 --- a/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md +++ b/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md @@ -28,7 +28,7 @@ EBS Volumes that are unattached to instances may contain sensitive data
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: NewVolume: @@ -37,7 +37,7 @@ Resources: Size: 100 AvailabilityZone: us-west-1 ``` -```json title="Postitive test num. 2 - json file" hl_lines="4" +```json title="Positive test num. 2 - json file" hl_lines="4" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md b/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md index 59df80e782f..cb0191d8531 100644 --- a/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md +++ b/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md @@ -28,7 +28,7 @@ AWS Security Group Ingress should not specify all protocols to prevent allow tra ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 35" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 35" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -75,7 +75,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="11 51" +```json title="Positive test num. 2 - json file" hl_lines="11 51" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md b/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md index e9d00abaa34..0ced4f3c183 100644 --- a/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md +++ b/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md @@ -28,7 +28,7 @@ Check if AWS config rules do not identify Encrypted Volumes as a source.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" Resources: ConfigRule: Type: AWS::Config::ConfigRule @@ -43,7 +43,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="3" +```json title="Positive test num. 2 - json file" hl_lines="3" { "Resources": { "ConfigRule": { diff --git a/docs/queries/cloudformation-queries/aws/1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md b/docs/queries/cloudformation-queries/aws/1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md index bff1f9382bf..37dfdf66a5e 100644 --- a/docs/queries/cloudformation-queries/aws/1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md +++ b/docs/queries/cloudformation-queries/aws/1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md @@ -28,7 +28,7 @@ DocDB logging should be enabled
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="6" +```json title="Positive test num. 1 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -64,7 +64,7 @@ DocDB logging should be enabled
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" AWSTemplateFormatVersion: '2010-09-09' Resources: MyDocDBCluster: @@ -97,7 +97,7 @@ Resources: - sg-abcdef01234567890 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="15" +```yaml title="Positive test num. 3 - yaml file" hl_lines="15" AWSTemplateFormatVersion: '2010-09-09' Resources: MyDocDBCluster: @@ -133,7 +133,7 @@ Resources: - sg-abcdef01234567890 ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="14" { diff --git a/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md b/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md index 2d365e3161a..e5964f7bb41 100644 --- a/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md +++ b/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md @@ -28,7 +28,7 @@ Customer Master Keys (CMK) must have rotation enabled, which means the attribute ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5 31" #this is a problematic code where the query should report a result(s) Resources: myKey: @@ -86,7 +86,7 @@ Parameters: Value: Type: String ``` -```json title="Postitive test num. 2 - json file" hl_lines="49 5" +```json title="Positive test num. 2 - json file" hl_lines="49 5" { "Resources": { "myKey": { diff --git a/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md b/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md index f8b0530ba3a..208a7ec045e 100644 --- a/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md +++ b/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md @@ -28,7 +28,7 @@ AWS Security Group Egress CIDR should not be open to the world
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="27 4" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -81,7 +81,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="34 5" +```json title="Positive test num. 2 - json file" hl_lines="34 5" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md b/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md index 720fa7498b8..33621576a78 100644 --- a/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md +++ b/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md @@ -28,7 +28,7 @@ Lambda Permission Principal should not contain a wildcard.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Resources: @@ -42,7 +42,7 @@ Resources: SourceArn: !GetAtt bucket.Arn ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "Resources": { "s3Permission": { diff --git a/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md b/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md index 5f8139919f4..47c1578660b 100644 --- a/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md +++ b/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md @@ -28,7 +28,7 @@ RDS should not use the default port (an attacker can easily guess the port). For ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" Resources: MyDB: Type: AWS::RDS::DBInstance @@ -47,7 +47,7 @@ Resources: DeletionPolicy: Snapshot ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "Resources": { "MyDB": { @@ -76,7 +76,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="15" +```yaml title="Positive test num. 3 - yaml file" hl_lines="15" Resources: MyDB: Type: AWS::RDS::DBInstance @@ -95,7 +95,7 @@ Resources: DeletionPolicy: Snapshot ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="21" { diff --git a/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md b/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md index 4756b6d55da..fbfd0a23374 100644 --- a/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md +++ b/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md @@ -28,7 +28,7 @@ A list of MQ resources found. Amazon MQ is a managed message broker service for ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Create a basic ActiveMQ broker" Resources: @@ -55,7 +55,7 @@ Resources: Ref: "BrokerUsername" ``` -```json title="Postitive test num. 2 - json file" hl_lines="5" +```json title="Positive test num. 2 - json file" hl_lines="5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create a basic ActiveMQ broker", diff --git a/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md b/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md index 7f9734db4ee..027395df5f5 100644 --- a/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md +++ b/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md @@ -28,7 +28,7 @@ S3 Buckets should not be readable to all users
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -42,7 +42,7 @@ Resources: Value: ITEngineering ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -59,7 +59,7 @@ Resources: Value: ITEngineering ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -79,7 +79,7 @@ Resources: Value: CICD ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 @@ -95,7 +95,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="13" { @@ -120,7 +120,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="7" { @@ -149,7 +149,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="8" { @@ -184,7 +184,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="8" { diff --git a/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md b/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md index 53fc04b387e..ed93ebf7080 100644 --- a/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md +++ b/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md @@ -28,7 +28,7 @@ EnableKeyRotation should not be false or undefined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 51" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 51" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -122,7 +122,7 @@ Resources: - kms:GenerateDataKeyWithoutPlaintext Resource: '*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="65 60" +```json title="Positive test num. 2 - json file" hl_lines="65 60" { "Resources": { "myKey": { diff --git a/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md b/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md index 11986356bc9..ded020b3f55 100644 --- a/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md +++ b/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md @@ -28,7 +28,7 @@ Route53 HostedZone must have the Record Set defined.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -38,7 +38,7 @@ Resources: Name: "HostedZone" ``` -```json title="Postitive test num. 2 - json file" hl_lines="5" +```json title="Positive test num. 2 - json file" hl_lines="5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Router53", diff --git a/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md b/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md index ce67b16f356..440057af35b 100644 --- a/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md +++ b/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md @@ -28,7 +28,7 @@ Lambda access/secret keys should not be hardcoded
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" AWSTemplateFormatVersion: '2010-09-09' Description: VPC function. Resources: @@ -57,7 +57,7 @@ Resources: - subnet-07fd123456788a036 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" AWSTemplateFormatVersion: '2010-09-09' Description: VPC function. Resources: @@ -84,7 +84,7 @@ Resources: - subnet-07fd123456788a036 ``` -```json title="Postitive test num. 3 - json file" hl_lines="29" +```json title="Positive test num. 3 - json file" hl_lines="29" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "VPC function.", @@ -125,7 +125,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="29" { diff --git a/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md b/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md index bab08010d43..3b7575c957d 100644 --- a/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md +++ b/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md @@ -28,7 +28,7 @@ Ineffective deny rules. A deny rule should be applied to all IP addresses.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17" Resources: MyNACL: Type: AWS::EC2::NetworkAcl @@ -61,7 +61,7 @@ Resources: CidrBlock: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="20" +```json title="Positive test num. 2 - json file" hl_lines="20" { "Resources": { "MyNACL": { diff --git a/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md b/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md index f14495b6798..cd9bf22b434 100644 --- a/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md +++ b/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md @@ -28,7 +28,7 @@ A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Am ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" Description: MSK Cluster with all properties Resources: TestCluster: @@ -77,7 +77,7 @@ Resources: Type: SERVICE_PROVIDED_EIPS ``` -```json title="Postitive test num. 2 - json file" hl_lines="4" +```json title="Positive test num. 2 - json file" hl_lines="4" { "Description": "MSK Cluster with all properties", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md b/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md index 6fde026770d..93af6ff43cc 100644 --- a/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md +++ b/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md @@ -28,7 +28,7 @@ AWS Application Load Balancer (alb) should not listen on HTTP
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="25 13" AWSTemplateFormatVersion: 2010-09-09 Resources: MyLoadBalancer: @@ -55,7 +55,7 @@ Resources: Port: 80 Protocol: HTTP ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 35" +```json title="Positive test num. 2 - json file" hl_lines="9 35" { "Resources": { "MyLoadBalancer": { @@ -98,7 +98,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16" Resources: HTTPlistener: Type: "AWS::ElasticLoadBalancingV2::Listener" diff --git a/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md b/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md index 9d53a21af24..66e4f698d7b 100644 --- a/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md +++ b/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md @@ -28,7 +28,7 @@ AWS Key Management Service (KMS) must only possess usable Customer Master Keys ( ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6 31" #this is a problematic code where the query should report a result(s) Resources: myKey: @@ -87,7 +87,7 @@ Parameters: Type: String ``` -```json title="Postitive test num. 2 - json file" hl_lines="59 6" +```json title="Positive test num. 2 - json file" hl_lines="59 6" { "Resources": { "myKey": { diff --git a/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md b/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md index ef3d30e33d2..f4dc48d1631 100644 
--- a/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md +++ b/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md @@ -28,7 +28,7 @@ CloudTrail log file validation should be enabled to determine whether a log file ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="77 62" +```yaml title="Positive test num. 1 - yaml file" hl_lines="77 62" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -116,7 +116,7 @@ Resources: IsMultiRegionTrail: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="108 87" +```json title="Positive test num. 2 - json file" hl_lines="108 87" { "Resources": { "S3Bucket": { diff --git a/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md b/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md index d90442df5d1..af925846e29 100644 --- a/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md +++ b/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md @@ -28,7 +28,7 @@ AWS RDS Instance should have a multi-az deployment
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="128 148" +```yaml title="Positive test num. 1 - yaml file" hl_lines="128 148" AWSTemplateFormatVersion: 2010-09-09 Description: "AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: Sample template showing how to create a highly-available, RDS DBInstance with @@ -224,7 +224,7 @@ Outputs: - Ref: DBName ``` -```json title="Postitive test num. 2 - json file" hl_lines="89 124" +```json title="Positive test num. 2 - json file" hl_lines="89 124" { "Conditions": { "Is-EC2-VPC": { diff --git a/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md b/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md index 7adc01161c4..8fd7e00e492 100644 --- a/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md +++ b/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md @@ -28,7 +28,7 @@ RDS DBInstance should have deletion protection set to true
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34" AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: @@ -71,7 +71,7 @@ Outputs: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: @@ -112,7 +112,7 @@ Outputs: Value: !Ref MyDBSmall1 ``` -```json title="Postitive test num. 3 - json file" hl_lines="49" +```json title="Positive test num. 3 - json file" hl_lines="49" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "RDS Storage Encrypted", @@ -175,7 +175,7 @@ Outputs: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="45" { diff --git a/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md b/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md index 04f42861d56..0dca2b08cba 100644 --- a/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md +++ b/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md @@ -28,7 +28,7 @@ Elastic File System (EFS) must be encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="49" +```yaml title="Positive test num. 1 - yaml file" hl_lines="49" AWSTemplateFormatVersion: "2010-09-09" Description: "Create EFS system and Mount Targets for test VPC" Parameters: @@ -139,7 +139,7 @@ Outputs: Value: !Ref MountTarget4 ``` -```json title="Postitive test num. 2 - json file" hl_lines="90" +```json title="Positive test num. 2 - json file" hl_lines="90" { "Description": "Create EFS system and Mount Targets for test VPC", "Parameters": { diff --git a/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md b/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md index ab22021b95d..35e88854596 100644 --- a/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md +++ b/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md @@ -28,7 +28,7 @@ AmazonMQ Broker should have Encryption Options defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: "Create a basic ActiveMQ broker" Resources: @@ -53,7 +53,7 @@ Resources: Ref: "BrokerUsername" ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create a basic ActiveMQ broker", diff --git a/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md b/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md index 3e79b5fffa4..7bdf34bdfda 100644 --- a/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md +++ b/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md @@ -28,7 +28,7 @@ Checks if the connection between CloudFront and the viewer is encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 30" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13 30" #this is a problematic code where the query should report a result(s) AWSTemplateFormatVersion: "2010-09-09" Resources: @@ -75,7 +75,7 @@ Resources: - Key: name Value: example ``` -```json title="Postitive test num. 2 - json file" hl_lines="10 50" +```json title="Positive test num. 2 - json file" hl_lines="10 50" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md b/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md index 3d8f5b39576..3c8303d1a94 100644 --- a/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md +++ b/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md @@ -28,7 +28,7 @@ ElastiCache should not use the default port (an attacker can easily guess the po ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" Resources: BasicReplicationGroup: Type: 'AWS::ElastiCache::ReplicationGroup' @@ -49,7 +49,7 @@ Resources: SnapshotWindow: '10:00-12:00' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" Resources: BasicReplicationGroup: Type: 'AWS::ElastiCache::ReplicationGroup' @@ -70,7 +70,7 @@ Resources: SnapshotWindow: '10:00-12:00' ``` -```json title="Postitive test num. 3 - json file" hl_lines="15" +```json title="Positive test num. 3 - json file" hl_lines="15" { "Resources": { "BasicReplicationGroup": { @@ -101,7 +101,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { diff --git a/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md b/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md index f07e486e086..bef0231ff40 100644 --- a/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md +++ b/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md @@ -28,7 +28,7 @@ ECR should have an image tag be immutable. This prevents image tags from being o ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="27 5" Resources: MyRepository3: Type: AWS::ECR::Repository @@ -77,7 +77,7 @@ Resources: - "ecr:CompleteLayerUpload" ``` -```json title="Postitive test num. 2 - json file" hl_lines="36 6" +```json title="Positive test num. 2 - json file" hl_lines="36 6" { "Resources": { "MyRepository5": { diff --git a/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md b/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md index 319ec99181d..9257814b7ee 100644 --- a/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md +++ b/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md @@ -28,7 +28,7 @@ S3 bucket without restriction of public bucket
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 4 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 4 21" Resources: Bucket11: Type: AWS::S3::Bucket @@ -52,7 +52,7 @@ Resources: RestrictPublicBuckets : false ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "Resources": { "Bucket1": { diff --git a/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md b/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md index 740ae302b4e..4b9cfe74d45 100644 --- a/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md +++ b/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md @@ -28,7 +28,7 @@ If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: @@ -60,7 +60,7 @@ Resources: MaxAge: 1800 ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md b/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md index 48d72db0e4e..399e3317329 100644 --- a/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md +++ b/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md @@ -28,7 +28,7 @@ An API Key should be required on a method request.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: ApiGateway Resources: @@ -49,7 +49,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: ApiGateway Resources: @@ -69,7 +69,7 @@ Resources: ``` -```json title="Postitive test num. 3 - json file" hl_lines="13" +```json title="Positive test num. 3 - json file" hl_lines="13" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "ApiGateway", @@ -99,7 +99,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { diff --git a/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md b/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md index d72d4594ced..032dd8948f1 100644 --- a/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md +++ b/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" Resources: Deployment: Type: 'AWS::ApiGateway::Deployment' @@ -40,7 +40,7 @@ Resources: CachingEnabled: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="11" +```json title="Positive test num. 2 - json file" hl_lines="11" { "Resources": { "Deployment": { @@ -60,7 +60,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="9" +```yaml title="Positive test num. 3 - yaml file" hl_lines="9" Resources: Deployment: Type: 'AWS::ApiGateway::Deployment' @@ -73,7 +73,7 @@ Resources: CachingEnabled: true ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="12" { diff --git a/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md b/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md index b179b75b723..02b6da6d423 100644 --- a/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md +++ b/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md @@ -28,7 +28,7 @@ Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket h ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="56 4 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="56 4 31" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -112,7 +112,7 @@ Resources: - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="88 42 130" +```json title="Positive test num. 2 - json file" hl_lines="88 42 130" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", @@ -253,7 +253,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -275,7 +275,7 @@ Resources: ReplaceKeyPrefixWith: report-404/ ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md b/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md index 90166ef75fd..6f2055f0f3b 100644 --- a/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md +++ b/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md @@ -28,7 +28,7 @@ S3 Buckets should enforce encryption of data transfers using Secure Sockets Laye ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket: @@ -73,7 +73,7 @@ Outputs: Description: Name of S3 bucket to hold website content ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +```yaml title="Positive test num. 2 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket2: @@ -121,7 +121,7 @@ Outputs: Description: Name of S3 bucket to hold website content ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="3 12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="3 12" AWSTemplateFormatVersion: 2010-09-09 Resources: S3Bucket3: @@ -178,7 +178,7 @@ Outputs: Description: Name of S3 bucket to hold website content ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="3 12" AWSTemplateFormatVersion: 2010-09-09 @@ -218,7 +218,7 @@ Outputs: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="30" { @@ -289,7 +289,7 @@ Outputs: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="4" { @@ -365,7 +365,7 @@ Outputs: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="47" { @@ -453,7 +453,7 @@ Outputs: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="4 15" { @@ -509,7 +509,7 @@ Outputs: ```
-
Postitive test num. 9 - yaml file +
Positive test num. 9 - yaml file ```yaml hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 @@ -545,7 +545,7 @@ Resources: ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="34" { diff --git a/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md b/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md index ebd97f7df5c..a1aee05a590 100644 --- a/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md +++ b/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md @@ -28,7 +28,7 @@ DocDB DB Cluster master user password must not be in a plain text string or refe ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" Resources: NewAmpApp: Type: AWS::DocDB::DBCluster @@ -48,7 +48,7 @@ Resources: StorageEncrypted: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" Parameters: ParentMasterPassword: Description: 'Password' @@ -73,7 +73,7 @@ Resources: StorageEncrypted: true ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12" Resources: NewAmpApp03: Type: AWS::DocDB::DBCluster @@ -93,7 +93,7 @@ Resources: StorageEncrypted: true ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="17" { @@ -121,7 +121,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="6" { @@ -156,7 +156,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="18" { diff --git a/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md b/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md index 81b52015823..19d98d08c73 100644 --- a/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md +++ b/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md @@ -28,7 +28,7 @@ Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" Resources: Ec2Instance: Type: 'AWS::EC2::Instance' @@ -54,7 +54,7 @@ Resources: ToPort: 80 CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md b/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md index 6d9124b450b..310497c972f 100644 --- a/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md +++ b/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md @@ -28,7 +28,7 @@ Ensure AWS ElastiCache Redis clusters have encryption for data at transit enable ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" Resources: ReplicationGroup: DeletionPolicy: Snapshot @@ -58,7 +58,7 @@ Resources: UseOnlineResharding: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26" Resources: MyReplicationGroup: DeletionPolicy: Snapshot @@ -89,7 +89,7 @@ Resources: UseOnlineResharding: true ``` -```json title="Postitive test num. 3 - json file" hl_lines="4" +```json title="Positive test num. 3 - json file" hl_lines="4" { "Resources": { "ReplicationGroup": { @@ -150,7 +150,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="18" { diff --git a/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md b/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md index 65294097fc3..8c28e77960e 100644 --- a/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md +++ b/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md @@ -28,7 +28,7 @@ AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Description: Redshift Stack Resources: @@ -57,7 +57,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" AWSTemplateFormatVersion: 2010-09-11 Description: Redshift Stack2 Resources: @@ -85,7 +85,7 @@ Resources: BucketName: !Sub ${DataBucketName} ``` -```json title="Postitive test num. 3 - json file" hl_lines="7" +```json title="Positive test num. 3 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "Redshift Stack", @@ -129,7 +129,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="32" { diff --git a/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md b/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md index 0a3d6f0aae9..300470e2c32 100644 --- a/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md +++ b/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md @@ -28,7 +28,7 @@ VPCs without attached subnets may indicate that they are not being used
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' Resources: myVPC_1: @@ -40,7 +40,7 @@ Resources: InstanceTenancy: dedicated ``` -```json title="Postitive test num. 2 - json file" hl_lines="4" +```json title="Positive test num. 2 - json file" hl_lines="4" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md b/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md index 8d0ab54b6c1..2ae49337de9 100644 --- a/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md +++ b/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md @@ -28,7 +28,7 @@ Alexa skills' client secrets should not be defined as a plaintext string. It sho ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17" Resources: MySkill: Type: "Alexa::ASK::Skill" @@ -50,7 +50,7 @@ Resources: VendorId: "1234" ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "Resources": { "MySkill": { diff --git a/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md b/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md index 4e1084ad2dd..e8147cc3174 100644 --- a/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md +++ b/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md @@ -28,7 +28,7 @@ Make sure Logging is enabled for Redshift Cluster
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Description: Redshift Stack Resources: @@ -51,7 +51,7 @@ Resources: PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "Redshift Stack", diff --git a/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md b/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md index d6baf3bf205..68c85a6bff1 100644 --- a/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md +++ b/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md @@ -28,7 +28,7 @@ Check if SNS topic name is set for CloudTrail
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12 22" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -59,7 +59,7 @@ Resources: IsMultiRegionTrail: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 23" +```json title="Positive test num. 2 - json file" hl_lines="9 23" { "Resources": { "myTrail5": { diff --git a/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md b/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md index af238c01c9b..70a441c1729 100644 --- a/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md +++ b/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md @@ -28,7 +28,7 @@ VPC should have a Network Firewall associated
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' Resources: myVPC11: @@ -50,7 +50,7 @@ Resources: Description: Firewall description goes here ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md b/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md index bf21a8a1230..8119ef20188 100644 --- a/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md +++ b/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md @@ -28,7 +28,7 @@ A list of SNS resources specified. Amazon Simple Notification Service (Amazon SN ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: '2010-09-09' Description: '' Resources: @@ -55,7 +55,7 @@ Resources: Resource: "*" ``` -```json title="Postitive test num. 2 - json file" hl_lines="5" +```json title="Positive test num. 2 - json file" hl_lines="5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "", diff --git a/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md b/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md index e4e7680890b..d83485f3871 100644 --- a/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md +++ b/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md @@ -28,7 +28,7 @@ AWS GameLift Fleet EC2InboundPermissions should have a single port
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 27" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 27" Resources: FleetResource1: Type: AWS::GameLift::Fleet @@ -66,7 +66,7 @@ Resources: Protocol: UDP ``` -```json title="Postitive test num. 2 - json file" hl_lines="37 6" +```json title="Positive test num. 2 - json file" hl_lines="37 6" { "Resources": { "FleetResource1": { diff --git a/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md b/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md index b1d3832ba3f..9c170f552a7 100644 --- a/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md +++ b/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md @@ -28,7 +28,7 @@ KmsKeyId attribute should be defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="28" +```yaml title="Positive test num. 1 - yaml file" hl_lines="28" Description: "Basic Hosting entities test. We need models to create endpoint configs." Mappings: RegionMap: @@ -100,7 +100,7 @@ Outputs: EndpointName: Value: !GetAtt Endpoint.EndpointName ``` -```json title="Postitive test num. 2 - json file" hl_lines="40" +```json title="Positive test num. 2 - json file" hl_lines="40" { "Description": "Basic Hosting entities test. We need models to create endpoint configs.", "Mappings": { diff --git a/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md b/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md index 6e059c022d8..b9dabadfb53 100644 --- a/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md +++ b/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md @@ -28,7 +28,7 @@ IAM password should have at least one uppercase letter
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -68,7 +68,7 @@ Resources: NotResource: - !Ref mytopic ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md b/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md index 552899b6b9d..341c8b15d7f 100644 --- a/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md +++ b/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md @@ -28,7 +28,7 @@ Server Access Logging should be enabled on S3 Buckets so that all changes are lo ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -112,7 +112,7 @@ Resources: - Ref: WorkItemBucketBackupRole ``` -```json title="Postitive test num. 2 - json file" hl_lines="113" +```json title="Positive test num. 2 - json file" hl_lines="113" { "Description": "A sample template", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md b/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md index 2957c7c92ec..d26430203c2 100644 --- a/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md +++ b/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md 
@@ -28,7 +28,7 @@ S3 Buckets must not allow Restore Actions From All Principals, as to prevent lea ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22 7" #this is a problematic code where the query should report a result(s) Resources: SampleBucketPolicy3: @@ -65,7 +65,7 @@ Resources: - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 35" +```json title="Positive test num. 2 - json file" hl_lines="9 35" { "Resources": { "SampleBucketPolicy5": { diff --git a/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md b/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md index d674ae2447a..bb7514978a6 100644 --- a/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md +++ b/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md @@ -28,7 +28,7 @@ Any IAM User should not have more than one access key since it increases the ris ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 14" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -47,7 +47,7 @@ Resources: Properties: UserName: !Ref myuser ``` -```json title="Postitive test num. 2 - json file" hl_lines="20 5" +```json title="Positive test num. 2 - json file" hl_lines="20 5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md b/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md index 069e904a9ae..2bf8f1ec595 100644 --- a/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md 
+++ b/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md @@ -28,7 +28,7 @@ EMR Cluster should have security configuration defined.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" AWSTemplateFormatVersion: 2010-09-09 Parameters: CrossRealmTrustPrincipalPassword: @@ -153,7 +153,7 @@ Outputs: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" AWSTemplateFormatVersion: 2010-09-09 Parameters: CrossRealmTrustPrincipalPassword: @@ -262,7 +262,7 @@ Outputs: - Arn ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "Outputs": { "keyArn": { @@ -448,7 +448,7 @@ Outputs: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md b/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md index 084b86b0fe5..629bb8007d3 100644 --- a/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md +++ b/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md @@ -28,7 +28,7 @@ User Data Shell Script must be encoded
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19" Resources: myLaunchConfig: Type: AWS::AutoScaling::LaunchConfiguration @@ -50,7 +50,7 @@ Resources: UserData: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg== ``` -```json title="Postitive test num. 2 - json file" hl_lines="33" +```json title="Positive test num. 2 - json file" hl_lines="33" { "Resources": { "myLaunchConfig": { diff --git a/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md b/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md index f1af819d85d..035748e7b16 100644 --- a/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md +++ b/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md @@ -28,7 +28,7 @@ S3 bucket allows public ACL
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 4 20" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 4 20" Resources: Bucket11: Type: AWS::S3::Bucket @@ -54,7 +54,7 @@ Resources: RestrictPublicBuckets : true ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "Resources": { "Bucket1": { diff --git a/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md b/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md index e4f5e0a4125..fd153392bb8 100644 --- a/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md +++ b/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md @@ -28,7 +28,7 @@ Security Groups must have a VPC.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" Parameters: KeyName: Description: The EC2 Key Pair to allow SSH access to the instance @@ -53,7 +53,7 @@ Resources: ToPort: '22' CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "Parameters": { "KeyName": { diff --git a/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md b/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md index c30d583b773..90514a86639 100644 --- a/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md +++ b/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md @@ -28,7 +28,7 @@ The EC2 instance has a sensitive port connection exposed to the entire networkPostitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="13" AWSTemplateFormatVersion: 2010-09-09T00:00:00Z @@ -167,7 +167,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="17" { @@ -218,7 +218,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="9" { @@ -275,7 +275,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="16" { @@ -326,7 +326,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="16" { diff --git a/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md b/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md index f9a916a98c1..5f63e36a030 100644 --- a/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md +++ b/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md @@ -28,7 +28,7 @@ AWS Security Group Ingress CIDR should not be open to the world
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="43 13" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -81,7 +81,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="56 30" +```json title="Positive test num. 2 - json file" hl_lines="56 30" { "Resources": { "OutboundRule": { diff --git a/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md b/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md index b92c1e41a31..19c15a17463 100644 --- a/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md +++ b/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md @@ -28,7 +28,7 @@ The API Endpoint type in API Gateway should be set to PRIVATE so it's not expose ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11 5" AWSTemplateFormatVersion: 2010-09-09 Resources: MyRestApi: @@ -43,7 +43,7 @@ Resources: - EDGE Name: myRestApi2 ``` -```json title="Postitive test num. 2 - json file" hl_lines="6 14" +```json title="Positive test num. 2 - json file" hl_lines="6 14" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md b/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md index de84cf04654..d9493bb8b16 100644 --- a/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md +++ b/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md 
@@ -28,7 +28,7 @@ Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly reco ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: SampleSQSPolicy: Type: AWS::SQS::QueuePolicy @@ -49,7 +49,7 @@ Resources: - "*" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" Resources: SampleSQSPolicy2: Type: AWS::SQS::QueuePolicy @@ -69,7 +69,7 @@ Resources: - "111122223333" ``` -```json title="Postitive test num. 3 - json file" hl_lines="9" +```json title="Positive test num. 3 - json file" hl_lines="9" { "Resources": { "SampleSQSPolicy": { @@ -102,7 +102,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="9" { diff --git a/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md b/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md index 1d47d85f185..4ccaed56fe6 100644 --- a/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md +++ b/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md @@ -28,7 +28,7 @@ API Gateway should have X-Ray Tracing enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -61,7 +61,7 @@ Resources: ThrottlingBurstLimit: '555' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -93,7 +93,7 @@ Resources: ThrottlingBurstLimit: '555' ``` -```json title="Postitive test num. 3 - json file" hl_lines="23" +```json title="Positive test num. 3 - json file" hl_lines="23" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -145,7 +145,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { diff --git a/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md b/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md index b376d57ccae..220a4d0a122 100644 --- a/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md +++ b/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md @@ -28,7 +28,7 @@ S3 Buckets should not have all permissions, as to prevent leaking private inform ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" #this is a problematic code where the query should report a result(s) Resources: SampleBucketPolicy3: @@ -48,7 +48,7 @@ Resources: - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "Resources": { "SampleBucketPolicy4": { diff --git a/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md b/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md index 6fd701ca3ab..70a30ed9b5a 100644 --- a/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md +++ b/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md @@ -28,7 +28,7 @@ AWS Serverless Function should not share IAM Role to ensure it will have the min ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34 19" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition 
@@ -65,7 +65,7 @@ Resources: Role: arn:aws:iam::123456789012:role/lambda-role ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="34 19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="34 19" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/4bd21e68-38c1-4d58-acdc-6a14b203237f.md b/docs/queries/cloudformation-queries/aws/4bd21e68-38c1-4d58-acdc-6a14b203237f.md index 29d8653806a..07dd3656606 100644 --- a/docs/queries/cloudformation-queries/aws/4bd21e68-38c1-4d58-acdc-6a14b203237f.md +++ b/docs/queries/cloudformation-queries/aws/4bd21e68-38c1-4d58-acdc-6a14b203237f.md @@ -28,7 +28,7 @@ AWS DynamoDB Tables should have server-side encryption
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" Resources: MyDynamoDBTable: Type: AWS::DynamoDB::Table @@ -49,7 +49,7 @@ Resources: SSEEnabled: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="17" +```yaml title="Positive test num. 2 - yaml file" hl_lines="17" Resources: MyDynamoDBTable: Type: AWS::DynamoDB::Table diff --git a/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md b/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md index 216ecce69e4..f0744112cea 100644 --- a/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md +++ b/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md @@ -28,7 +28,7 @@ The AWS Root Account must not have active access keys associated, which means if ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: '2010-09-09' Resources: CFNKeys: @@ -37,7 +37,7 @@ Resources: UserName: Root ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/4cdc88e6-c0c8-4081-a639-bb3a557cbedf.md b/docs/queries/cloudformation-queries/aws/4cdc88e6-c0c8-4081-a639-bb3a557cbedf.md index d461ea3ab49..8702f57c3e2 100644 --- a/docs/queries/cloudformation-queries/aws/4cdc88e6-c0c8-4081-a639-bb3a557cbedf.md +++ b/docs/queries/cloudformation-queries/aws/4cdc88e6-c0c8-4081-a639-bb3a557cbedf.md 
@@ -28,7 +28,7 @@ Amazon Elasticsearch does not have encryption for its domains enabled. To preven ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" AWSTemplateFormatVersion: "2010-09-09" Description: description Resources: @@ -47,7 +47,7 @@ Resources: TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +```yaml title="Positive test num. 2 - yaml file" hl_lines="24" AWSTemplateFormatVersion: "2010-09-09" Description: description Resources: @@ -75,7 +75,7 @@ Resources: TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07" ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: description Resources: diff --git a/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md b/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md index b1343120ed5..08fc231b04c 100644 --- a/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md +++ b/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md @@ -28,7 +28,7 @@ IoT Policy should not allow Action to be set as *
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -49,7 +49,7 @@ Resources: PolicyName: PolicyName ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "Resources": { "IoTPolicy": { diff --git a/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md b/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md index 059092851e8..7684df88af1 100644 --- a/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md +++ b/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md @@ -28,7 +28,7 @@ A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverle ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="27" +```yaml title="Positive test num. 1 - yaml file" hl_lines="27" AWSTemplateFormatVersion: '2010-09-09' Resources: DynamoDBEndpoint: @@ -71,7 +71,7 @@ Resources: SSEType: "KMS" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="27" AWSTemplateFormatVersion: '2010-09-09' Resources: DynamoDBEndpoint: @@ -114,7 +114,7 @@ Resources: SSEType: "KMS" ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="27" +```yaml title="Positive test num. 3 - yaml file" hl_lines="27" AWSTemplateFormatVersion: '2010-09-09' Resources: DynamoDBEndpoint: @@ -157,7 +157,7 @@ Resources: SSEType: "KMS" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' diff --git a/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md b/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md index 295964e5077..003c5d61da7 100644 --- a/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md +++ b/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md @@ -28,7 +28,7 @@ RDS should not run in public subnet
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" Resources: Positive1: Type: AWS::RDS::DBInstance @@ -76,7 +76,7 @@ Resources: Value: production ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "Resources": { "Positive1": { diff --git a/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md b/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md index 62fcb264a55..aad320e6efd 100644 --- a/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md +++ b/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md @@ -28,7 +28,7 @@ NAT gateways are recommended, and not the default route which permits all traffi ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="66 61 54" +```yaml title="Positive test num. 1 - yaml file" hl_lines="66 61 54" Resources: VPC: Type: AWS::EC2::VPC @@ -99,7 +99,7 @@ Resources: DestinationCidrBlock: 10.1.10.0/24 ``` -```json title="Postitive test num. 2 - json file" hl_lines="43 108 37" +```json title="Positive test num. 2 - json file" hl_lines="43 108 37" { "Resources": { "InternetGateway": { diff --git a/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md b/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md index b1badeb017f..9eab6f80a28 100644 --- a/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md +++ b/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md 
@@ -28,7 +28,7 @@ AWS SQS Queue Policy should not allow NotAction since the actions specified in t ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: SampleSQSPolicy2: Type: AWS::SQS::QueuePolicy @@ -47,7 +47,7 @@ Resources: AWS: - "111122223333" ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "Resources": { "SampleSQSPolicy2": { diff --git a/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md b/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md index 59240f5ef62..2445cfb3028 100644 --- a/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md +++ b/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md @@ -28,7 +28,7 @@ AWS API Gateway should have cache clustering enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -61,7 +61,7 @@ Resources: ThrottlingBurstLimit: '555' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +```yaml title="Positive test num. 2 - yaml file" hl_lines="31" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -95,7 +95,7 @@ Resources: CacheClusterEnabled: false ``` -```json title="Postitive test num. 3 - json file" hl_lines="6" +```json title="Positive test num. 3 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -147,7 +147,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { diff --git a/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md b/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md index cbc30664dfa..57f48163d55 100644 --- a/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md +++ b/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md @@ -28,7 +28,7 @@ User Data should not contain a base64 encoded private key. If so, anyone can dec ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12 13" +```json title="Positive test num. 1 - json file" hl_lines="12 13" { "Resources":{ "myLaunchConfig3":{ @@ -47,7 +47,7 @@ User Data should not contain a base64 encoded private key. If so, anyone can dec } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12 13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12 13" --- Resources: myLaunchConfig4: diff --git a/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md b/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md index 24989cd810a..40ffc293f3a 100644 --- a/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md +++ b/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md @@ -28,7 +28,7 @@ Allowing to run lambda function using public API Gateway
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -42,7 +42,7 @@ Resources: SourceArn: arn:aws:s3:eu-central-1:123456789012/*/* ``` -```json title="Postitive test num. 2 - json file" hl_lines="18" +```json title="Positive test num. 2 - json file" hl_lines="18" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/5864fb39-d719-4182-80e2-89dbe627be63.md b/docs/queries/cloudformation-queries/aws/5864fb39-d719-4182-80e2-89dbe627be63.md index d0be7dc86d0..8e9ad13f5be 100644 --- a/docs/queries/cloudformation-queries/aws/5864fb39-d719-4182-80e2-89dbe627be63.md +++ b/docs/queries/cloudformation-queries/aws/5864fb39-d719-4182-80e2-89dbe627be63.md @@ -28,7 +28,7 @@ Amazon DMS is publicly accessible, therefore exposing possible sensitive informa ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" Resources: ReplicationInstance: Type: "AWS::DMS::ReplicationInstance" @@ -40,7 +40,7 @@ Resources: PubliclyAccessible: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" Resources: ReplicationInstance: Type: "AWS::DMS::ReplicationInstance" diff --git a/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md b/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md index cbc775781dd..e6666af099b 100644 --- a/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md +++ b/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md 
@@ -28,7 +28,7 @@ Repositories must be set to private, which means the attribute 'visibility' must ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" AWSTemplateFormatVersion: "2010-09-09" Resources: MyRepo3: @@ -47,7 +47,7 @@ Resources: RepositoryOwner: my-github-account ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" AWSTemplateFormatVersion: "2010-09-09" Resources: MyRepo4: @@ -65,7 +65,7 @@ Resources: RepositoryOwner: my-github-account ``` -```json title="Postitive test num. 3 - json file" hl_lines="5" +```json title="Positive test num. 3 - json file" hl_lines="5" { "Resources": { "MyRepo5": { @@ -89,7 +89,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="14" { diff --git a/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md b/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md index e4f6813ee06..55cf42b18ca 100644 --- a/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md +++ b/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md @@ -28,7 +28,7 @@ A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" Resources: MyQueue: Type: AWS::SQS::Queue @@ -53,7 +53,7 @@ Resources: - "111122223333" ``` -```json title="Postitive test num. 2 - json file" hl_lines="3" +```json title="Positive test num. 2 - json file" hl_lines="3" { "Resources": { "MyQueue": { diff --git a/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md b/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md index eda273499fc..e8088f60181 100644 --- a/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md +++ b/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md @@ -28,7 +28,7 @@ EMR SecurityConfiguration should enable and properly configure encryption at res ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 9" Resources: EMRSecurityConfiguration: Type: AWS::EMR::SecurityConfiguration 
@@ -45,7 +45,7 @@ Resources: AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="9 10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="9 10" Resources: EMRSecurityConfiguration01: Type: AWS::EMR::SecurityConfiguration @@ -58,7 +58,7 @@ Resources: EnableEbsEncryption: false ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="8 9" +```yaml title="Positive test num. 3 - yaml file" hl_lines="8 9" Resources: EMRSecurityConfiguration03: Type: AWS::EMR::SecurityConfiguration @@ -70,7 +70,7 @@ Resources: EnableAtRestEncryption: false ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="6" Resources: @@ -83,7 +83,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="9 10" { @@ -112,7 +112,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="9 10" { @@ -137,7 +137,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="8 9" { @@ -159,7 +159,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="7" { diff --git a/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md b/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md index 3ac9eb509c8..e44bae70dec 100644 --- a/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md +++ b/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md @@ -28,7 +28,7 @@ Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plainte ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" Resources: MySkill: Type: "Alexa::ASK::Skill" @@ -50,7 +50,7 @@ Resources: VendorId: "1234" ``` -```json title="Postitive test num. 2 - json file" hl_lines="26" +```json title="Positive test num. 2 - json file" hl_lines="26" { "Resources": { "MySkill": { diff --git a/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md b/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md index 5edaa456091..ad49570e698 100644 --- a/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md +++ b/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md @@ -28,7 +28,7 @@ RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' sh ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="35" +```yaml title="Positive test num. 1 - yaml file" hl_lines="35" AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: @@ -68,7 +68,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" AWSTemplateFormatVersion: 2010-09-11 Description: RDS Storage Encrypted2 Parameters: 
@@ -105,7 +105,7 @@ Resources: KmsKeyId: !Ref MyKey ``` -```json title="Postitive test num. 3 - json file" hl_lines="50" +```json title="Positive test num. 3 - json file" hl_lines="50" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "RDS Storage Encrypted", @@ -162,7 +162,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="45" { diff --git a/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md b/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md index ed89846545a..9caac15ae28 100644 --- a/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md +++ b/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md @@ -28,7 +28,7 @@ Checks if logging is enabled for CloudTrail.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="84 69" +```yaml title="Positive test num. 1 - yaml file" hl_lines="84 69" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -116,7 +116,7 @@ Resources: IsMultiRegionTrail: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="98 118" +```json title="Positive test num. 2 - json file" hl_lines="98 118" { "Resources": { "S3Bucket": { diff --git a/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md b/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md index 0e3633d4e65..be8ac401958 100644 --- a/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md +++ b/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md @@ -28,7 +28,7 @@ AWS Elasticsearch should ensure IAM Authentication
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24" AWSTemplateFormatVersion: "2010-09-09" Description: Creates ES Resources: @@ -71,7 +71,7 @@ Resources: rest.action.multi.allow_explicit_index: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="26" +```json title="Positive test num. 2 - json file" hl_lines="26" { "Resources": { "ElasticsearchDomain": { diff --git a/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md b/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md index e61e8a9483c..009f451ea40 100644 --- a/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md +++ b/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md @@ -28,7 +28,7 @@ Checks if CloudWatch Metrics is Enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 20" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18 20" AWSTemplateFormatVersion: 2010-09-09 Description: Creating TestDeployment Resources: @@ -59,7 +59,7 @@ Resources: ThrottlingBurstLimit: '555' ``` -```json title="Postitive test num. 2 - json file" hl_lines="32 25" +```json title="Positive test num. 2 - json file" hl_lines="32 25" { "Resources": { "Prod": { @@ -109,7 +109,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Description: Creating TestDeployment Resources: @@ -126,7 +126,7 @@ Resources: Stack: Prod ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md b/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md index bf4124a604c..3466b5d2f58 100644 --- a/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md +++ b/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md @@ -28,7 +28,7 @@ It's considered a best practice for AWS Security Group to have a description
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 4 7 12 19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 4 7 12 19" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -74,7 +74,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="5 45 46 54 25" +```json title="Positive test num. 2 - json file" hl_lines="5 45 46 54 25" { "Resources": { "OutboundRule": { diff --git a/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md b/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md index 422b5ae53ec..db924093403 100644 --- a/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md +++ b/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md @@ -28,7 +28,7 @@ IAM policy should not apply directly to users, should be with a group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="25" +```yaml title="Positive test num. 1 - yaml file" hl_lines="25" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -57,7 +57,7 @@ Resources: - existinguser1 - existinguser2 ``` -```json title="Postitive test num. 2 - json file" hl_lines="38" +```json title="Positive test num. 2 - json file" hl_lines="38" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md b/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md index 5f2cf75bd65..1e169194baf 100644 --- a/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md +++ b/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md @@ -28,7 +28,7 @@ DMS Endpoint password must not be a plaintext string or a Ref to a Parameter wit ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="20" +```yaml title="Positive test num. 1 - yaml file" hl_lines="20" Resources: DMSEndpoint4: Type: AWS::DMS::Endpoint @@ -59,7 +59,7 @@ Resources: Username: String ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" Parameters: ParentMasterPassword: Description: 'Password' @@ -99,7 +99,7 @@ Resources: Username: String ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="25" +```yaml title="Positive test num. 3 - yaml file" hl_lines="25" Parameters: ParentMasterUsername: Description: 'username' @@ -135,7 +135,7 @@ Resources: Username: String ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="23" { @@ -170,7 +170,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="6" { @@ -217,7 +217,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="26" { diff --git a/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md b/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md index 228f09eb765..0f334f3d4c7 100644 --- a/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md +++ b/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md @@ -28,7 +28,7 @@ AWS Serverless API should have cache clustering enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -40,7 +40,7 @@ Resources: TracingEnabled: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md b/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md index 1aff3cb9d25..96beff644af 100644 --- a/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md +++ b/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use insecure protocols, to r ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 27" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34 27" #this is a problematic code where the query should report a result(s) Resources: MyLoadBalancer: @@ -65,7 +65,7 @@ Resources: - Name: Protocol-TLSv1 Value: ELBSecurityPolicy-TLS-1-2-2017-01 ``` -```json title="Postitive test num. 2 - json file" hl_lines="50 35" +```json title="Positive test num. 2 - json file" hl_lines="50 35" { "Resources": { "MyLoadBalancer": { diff --git a/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md b/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md index ecc53ceea0b..6c47e84502c 100644 --- a/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md 
+++ b/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md @@ -28,7 +28,7 @@ If algorithm is AES256 then the master key is null, empty or undefined, otherwis ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", @@ -55,7 +55,7 @@ If algorithm is AES256 then the master key is null, empty or undefined, otherwis } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" AWSTemplateFormatVersion: '2010-09-09' Description: S3 bucket with default encryption Resources: @@ -71,7 +71,7 @@ Resources: DeletionPolicy: Delete ``` -```json title="Postitive test num. 3 - json file" hl_lines="16" +```json title="Positive test num. 3 - json file" hl_lines="16" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", @@ -99,7 +99,7 @@ Resources: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="13" AWSTemplateFormatVersion: '2010-09-09' diff --git a/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md b/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md index e7a14429a86..c752abd760a 100644 --- a/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md +++ b/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md @@ -28,7 +28,7 @@ RDS DBCluster should have storage encrypted set to true
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Resources: @@ -85,7 +85,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Resources: @@ -140,7 +140,7 @@ Resources: innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}' ``` -```json title="Postitive test num. 3 - json file" hl_lines="9" +```json title="Positive test num. 3 - json file" hl_lines="9" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Creates RDS Cluster", @@ -216,7 +216,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="59" { @@ -294,7 +294,7 @@ Resources: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="5" AWSTemplateFormatVersion: "2010-09-09" diff --git a/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md b/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md index ca3a1d0b03e..cab07d1bbec 100644 --- a/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md +++ b/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md @@ -28,7 +28,7 @@ CloudTrail should be integrated with CloudWatch
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="62" +```yaml title="Positive test num. 1 - yaml file" hl_lines="62" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -101,7 +101,7 @@ Resources: IsMultiRegionTrail: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="62" +```yaml title="Positive test num. 2 - yaml file" hl_lines="62" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -199,7 +199,7 @@ Resources: Resource: "*" ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="62" +```yaml title="Positive test num. 3 - yaml file" hl_lines="62" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -294,7 +294,7 @@ Resources: Resource: "*" ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="82" { @@ -409,7 +409,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="82" { @@ -530,7 +530,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="82" { diff --git a/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md b/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md index dbcd4aa2234..18ea43616f0 100644 --- a/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md +++ b/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md @@ -28,7 +28,7 @@ DirectoryService SimpleAD password must not be a plaintext string or a Ref to a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" Parameters: ParentMasterPassword: Description: 'Password' @@ -51,7 +51,7 @@ Resources: Size: String ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +```yaml title="Positive test num. 2 - yaml file" hl_lines="9" Resources: NewAmpApp5: Type: AWS::DirectoryService::SimpleAD @@ -65,7 +65,7 @@ Resources: Size: String ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +```yaml title="Positive test num. 3 - yaml file" hl_lines="5" Parameters: ParentMasterPassword: Description: 'Password' @@ -89,7 +89,7 @@ Resources: ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="20" { @@ -123,7 +123,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="12" { @@ -145,7 +145,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="6" { diff --git a/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md b/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md index 1e6e7b7ccc7..8a6c55f1e57 100644 --- a/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md +++ b/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md @@ -28,7 +28,7 @@ No security group should allow unrestricted egress access
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" Parameters: KeyName: Description: The EC2 Key Pair to allow SSH access to the instance @@ -57,7 +57,7 @@ Resources: ToPort: '22' CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "Parameters": { "KeyName": { diff --git a/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md b/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md index d6452cdb52a..2a367a64a21 100644 --- a/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md +++ b/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md @@ -28,7 +28,7 @@ Check if any MQ Broker is not publicly accessible
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" AWSTemplateFormatVersion: "2010-09-09" Description: "Create a basic ActiveMQ broker" Resources: @@ -55,7 +55,7 @@ Resources: Ref: "BrokerUsername" ``` -```json title="Postitive test num. 2 - json file" hl_lines="31" +```json title="Positive test num. 2 - json file" hl_lines="31" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create a basic ActiveMQ broker", diff --git a/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md b/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md index 4673088c2ce..39ac0c3ca7a 100644 --- a/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md +++ b/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md @@ -28,7 +28,7 @@ AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, i ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -41,7 +41,7 @@ Resources: CacheClusterEnabled: true ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition 
@@ -57,7 +57,7 @@ Resources: - !Ref ApiGatewayVPCEndpoint ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md b/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md index 20d507980e9..bfb199bb54e 100644 --- a/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md +++ b/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md @@ -28,7 +28,7 @@ Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents un ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="37" +```yaml title="Positive test num. 1 - yaml file" hl_lines="37" Resources: cluster: Type: AWS::ECS::Cluster @@ -139,7 +139,7 @@ Resources: - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26" Resources: cluster: Type: AWS::ECS::Cluster @@ -210,7 +210,7 @@ Resources: - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' ``` -```json title="Postitive test num. 3 - json file" hl_lines="122" +```json title="Positive test num. 3 - json file" hl_lines="122" { "Resources": { "cluster": { @@ -384,7 +384,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="54" { diff --git a/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md b/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md index 34cbf68f635..128955e2edf 100644 --- a/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md +++ b/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md @@ -28,7 +28,7 @@ S3 bucket without ignore public ACL
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 4 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 4 21" Resources: Bucket11: Type: AWS::S3::Bucket @@ -53,7 +53,7 @@ Resources: RestrictPublicBuckets : true ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "Resources": { "Bucket1": { diff --git a/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md b/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md index 44ff020d5d6..f9894b6a5b9 100644 --- a/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md +++ b/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md @@ -28,7 +28,7 @@ Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CM ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="82" +```yaml title="Positive test num. 1 - yaml file" hl_lines="82" AWSTemplateFormatVersion: "2010-09-09" Description: "Create EFS system and Mount Targets for test VPC" Parameters: @@ -177,7 +177,7 @@ Outputs: Value: !Ref MountTarget4 ``` -```json title="Postitive test num. 2 - json file" hl_lines="157" +```json title="Positive test num. 2 - json file" hl_lines="157" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create EFS system and Mount Targets for test VPC", diff --git a/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md b/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md index c9e41f44c4a..f66c1394514 100644 --- a/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md +++ b/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md 
@@ -28,7 +28,7 @@ WebAcl DefaultAction should not be ALLOW
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" #this is a problematic code where the query should report a result(s) Resources: MyWebACL: @@ -59,7 +59,7 @@ Resources: Ref: "SqlInjRule" ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Resources": { "MyWebACL": { diff --git a/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md b/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md index 572c3e9a850..0a882c1c71b 100644 --- a/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md +++ b/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" Resources: Ec2Instance: Type: 'AWS::EC2::Instance' @@ -54,7 +54,7 @@ Resources: ToPort: 80 CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="27" +```json title="Positive test num. 2 - json file" hl_lines="27" { "Resources": { "Ec2Instance": { diff --git a/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md b/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md index f4b803411ec..20309bd487f 100644 --- a/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md +++ b/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md @@ -28,7 +28,7 @@ SimpleDB Domain resource should not be declared
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" AWSTemplateFormatVersion: "2010-09-09" Description: "SDB Domain declared" Resources: @@ -42,7 +42,7 @@ Resources: Description: "Some information" ``` -```json title="Postitive test num. 2 - json file" hl_lines="11" +```json title="Positive test num. 2 - json file" hl_lines="11" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "SDB Domain declared", diff --git a/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md b/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md index 60c5761ecc4..bd951db4b0d 100644 --- a/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md +++ b/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md @@ -28,7 +28,7 @@ A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) i ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="4" +```json title="Positive test num. 1 - json file" hl_lines="4" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -71,7 +71,7 @@ A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) i } ``` -```json title="Postitive test num. 2 - json file" hl_lines="4 14" +```json title="Positive test num. 2 - json file" hl_lines="4 14" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -116,7 +116,7 @@ A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) i } ``` -```json title="Postitive test num. 3 - json file" hl_lines="4 14" +```json title="Positive test num. 3 - json file" hl_lines="4 14" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -161,7 +161,7 @@ A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) i } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' @@ -190,7 +190,7 @@ Resources: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' @@ -234,7 +234,7 @@ Resources: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' diff --git a/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md b/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md index 3c4ac5ea36b..958afcd62d9 100644 --- a/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md +++ b/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md @@ -28,7 +28,7 @@ Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, whic ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="20 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="20 6" #this is a problematic code where the query should report a result(s) Description: "Basic NotebookInstance test update to a different instance type" Resources: @@ -78,7 +78,7 @@ Outputs: Value: !Ref BasicNotebookInstance ``` -```json title="Postitive test num. 2 - json file" hl_lines="16 59" +```json title="Positive test num. 2 - json file" hl_lines="16 59" { "Description": "Basic NotebookInstance test update to a different instance type", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md b/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md index 5f9d00a3861..03b08f1b7ef 100644 --- a/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md +++ b/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md @@ -28,7 +28,7 @@ Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" AWSTemplateFormatVersion: 2010-09-09 Resources: NewAmpApp-1: 
@@ -48,7 +48,7 @@ Resources: Username: admin ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Parameters: ParentPassword: @@ -77,7 +77,7 @@ Resources: Username: !Ref ParentUsername ``` -```json title="Postitive test num. 3 - json file" hl_lines="12" +```json title="Positive test num. 3 - json file" hl_lines="12" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { @@ -103,7 +103,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="12" { diff --git a/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md b/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md index c4760a74619..84ec2360ce7 100644 --- a/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md +++ b/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md @@ -28,7 +28,7 @@ Amplify App Access Token must not be in a plain text string or referenced in a p ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Resources: NewAmpApp: @@ -45,7 +45,7 @@ Resources: Repository: String ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Parameters: ParentAccessToken: @@ -67,7 +67,7 @@ Resources: Repository: String ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" AWSTemplateFormatVersion: 2010-09-09 Parameters: ParentUserToken: @@ -88,7 +88,7 @@ Resources: Repository: String ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="11" { @@ -113,7 +113,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="7" { @@ -145,7 +145,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="9" { diff --git a/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md b/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md index acd28ff9695..3354de3dc55 100644 --- a/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md +++ b/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md @@ -28,7 +28,7 @@ Ensure Amazon EKS Node group has implict SSH access
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17" Resources: EKSNodegroup: Type: 'AWS::EKS::Nodegroup' @@ -49,7 +49,7 @@ Resources: Ec2SshKey: ED25519 ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "Resources": { "EKSNodegroup": { diff --git a/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md b/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md index ffeae045078..1d7810652cc 100644 --- a/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md +++ b/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md @@ -28,7 +28,7 @@ AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to us ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 14" Resources: UserPool2: Type: "AWS::Cognito::UserPool" @@ -50,7 +50,7 @@ Resources: ExternalId: !Sub ${AuthName}-external SnsCallerArn: !GetAtt SNSRole.Arn ``` -```json title="Postitive test num. 2 - json file" hl_lines="10 19" +```json title="Positive test num. 2 - json file" hl_lines="10 19" { "Resources": { "UserPool2": { diff --git a/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md b/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md index 82ce32203b3..7e0053a855a 100644 --- a/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md +++ b/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md @@ -28,7 +28,7 @@ Amazon ECR image repositories shouldn't have public access
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" Resources: MyRepository3: Type: AWS::ECR::Repository @@ -51,7 +51,7 @@ Resources: - "ecr:CompleteLayerUpload" ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "Resources": { "MyRepository4": { diff --git a/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md b/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md index e528c45ee2b..352e2a17797 100644 --- a/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md +++ b/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md @@ -28,7 +28,7 @@ Batch Job Definition should not have Privileged Container Properties
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -56,7 +56,7 @@ Resources: Image: nvidia/cuda ``` -```json title="Postitive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 2 - json file" hl_lines="12" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "BatchJobDefinition", diff --git a/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md b/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md index f6d0b846904..ade8b35a5d2 100644 --- a/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md +++ b/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md @@ -28,7 +28,7 @@ The S3 Bucket should not be associated with a policy statement that grants acces ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 27" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2 27" Resources: Bucket: Type: AWS::S3::Bucket @@ -81,7 +81,7 @@ Resources: - 'http://www.example.com/*' - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="42 3" +```json title="Positive test num. 2 - json file" hl_lines="42 3" { "Resources": { "Bucket": { diff --git a/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md b/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md index 94f2cdfcc8c..96704a2d5df 100644 --- a/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md +++ b/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md 
@@ -28,7 +28,7 @@ NetworkACL Entries are reusing or overlapping ports which may create ineffective ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="42 78 18 54 90 30" +```yaml title="Positive test num. 1 - yaml file" hl_lines="42 78 18 54 90 30" Resources: MyNACL: Type: AWS::EC2::NetworkAcl @@ -123,7 +123,7 @@ Resources: To: 5 ``` -```json title="Postitive test num. 2 - json file" hl_lines="38 73 105 82 116 22" +```json title="Positive test num. 2 - json file" hl_lines="38 73 105 82 116 22" { "Resources": { "Default": { diff --git a/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md b/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md index 413971fc24b..254a9a79abe 100644 --- a/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md +++ b/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md @@ -28,7 +28,7 @@ The load balancer of the application with a sensitive port connection is exposed ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="37" +```yaml title="Positive test num. 1 - yaml file" hl_lines="37" AWSTemplateFormatVersion: 2010-09-09 Resources: MyLoadBalancer: @@ -81,7 +81,7 @@ Resources: CidrIp: 0.0.0.0/0 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +```yaml title="Positive test num. 2 - yaml file" hl_lines="22" AWSTemplateFormatVersion: 2010-09-09 Parameters: MySubnets: @@ -162,7 +162,7 @@ Resources: Enabled: false ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="19" +```yaml title="Positive test num. 3 - yaml file" hl_lines="19" AWSTemplateFormatVersion: 2010-09-09 Parameters: MySubnet: @@ -246,7 +246,7 @@ Resources: ListenerArn: !Ref GatewayLoadBalancerListener ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="22" AWSTemplateFormatVersion: 2010-09-09 @@ -336,7 +336,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="52" { @@ -420,7 +420,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="31" { @@ -547,7 +547,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="28" { @@ -680,7 +680,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="97" { diff --git a/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md b/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md index 844cadc0f0d..363107d5080 100644 --- a/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md +++ b/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md @@ -28,7 +28,7 @@ API Gateway Deployment should have API Gateway UsagePlan defined and associated. ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -41,7 +41,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -68,7 +68,7 @@ Resources: ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -94,7 +94,7 @@ Resources: UsagePlanName: Plan_ABC ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { @@ -114,7 +114,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="5" { @@ -155,7 +155,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md b/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md index 275dc6fad5a..2ffb41698f1 100644 --- a/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md +++ b/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md @@ -28,7 +28,7 @@ ECS Service should have at least 1 task running
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="64" +```yaml title="Positive test num. 1 - yaml file" hl_lines="64" AWSTemplateFormatVersion: 2010-09-09 Description: Creating ECS service Parameters: @@ -157,7 +157,7 @@ Outputs: Value: !Ref cluster ``` -```json title="Postitive test num. 2 - json file" hl_lines="152" +```json title="Positive test num. 2 - json file" hl_lines="152" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "Creating ECS service", diff --git a/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md b/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md index 8d60bacc272..c3b3512d18f 100644 --- a/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md +++ b/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md @@ -28,7 +28,7 @@ Check if any ECS cluster has not defined proper roles for services' task definit ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 41 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 41 6" Resources: NoTaskDefinition: Type: AWS::ECS::Service @@ -100,7 +100,7 @@ Resources: - ContainerPort: !Ref 'ContainerPort' ``` -```json title="Postitive test num. 2 - json file" hl_lines="96 11 39" +```json title="Positive test num. 2 - json file" hl_lines="96 11 39" { "Resources": { "InvalidTaskDefinition": { diff --git a/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md b/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md index bc72f219e02..e524d4d8971 100644 --- a/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md +++ b/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md 
@@ -28,7 +28,7 @@ AWS Kinesis Stream should have SSE (Server Side Encryption) defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 26 19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 26 19" Resources: EventStream1: Type: AWS::Kinesis::Stream @@ -64,7 +64,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 26 39" +```json title="Positive test num. 2 - json file" hl_lines="9 26 39" { "Resources": { "EventStream1": { diff --git a/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md b/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md index 35b1fd0a194..21d14fbf97c 100644 --- a/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md +++ b/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md @@ -28,7 +28,7 @@ Geo Restriction feature should be enabled, to restrict or allow users in specifi ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13" AWSTemplateFormatVersion: '2010-09-09' Resources: myDistribution: @@ -45,7 +45,7 @@ Resources: ViewerCertificate: CloudFrontDefaultCertificate: 'true' ``` -```json title="Postitive test num. 2 - json file" hl_lines="15" +```json title="Positive test num. 2 - json file" hl_lines="15" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md b/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md index 6abac0398e3..219778dc327 100644 --- a/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md +++ b/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md @@ -28,7 +28,7 @@ API Gateway Stage should have API Gateway UsagePlan defined and associated.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -61,7 +61,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -108,7 +108,7 @@ Resources: ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Resources: @@ -161,7 +161,7 @@ Resources: ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { @@ -209,7 +209,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="5" { @@ -278,7 +278,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md b/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md index d73619255ef..99fe9b880b8 100644 --- a/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md +++ b/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md @@ -28,7 +28,7 @@ API Gateway REST API should have an API Gateway Authorizer
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: DevWebSocket: @@ -39,7 +39,7 @@ Resources: RouteSelectionExpression: $request.body.action ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +```yaml title="Positive test num. 2 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: DevWebSocket5: @@ -84,7 +84,7 @@ Resources: - route.request.querystring.token ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="3" +```yaml title="Positive test num. 3 - yaml file" hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 Resources: MyRestApi6: @@ -96,7 +96,7 @@ Resources: Name: myRestApi ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="3" AWSTemplateFormatVersion: 2010-09-09 @@ -115,7 +115,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="4" { @@ -134,7 +134,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="20" { @@ -202,7 +202,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="4" { @@ -224,7 +224,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="4" { diff --git a/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md b/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md index aa691cd5a8f..25dc3613f3a 100644 --- a/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md +++ b/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md @@ -28,7 +28,7 @@ ConfigRule should enforce access keys to be rotated within 90 days.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: ConfigRule: Type: AWS::Config::ConfigRule @@ -43,7 +43,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Resources": { "ConfigRule": { diff --git a/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md b/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md index 524a214563e..8f86b38c6f3 100644 --- a/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md +++ b/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md @@ -28,7 +28,7 @@ Check if the ELB is setup with SSL or HTTPS for secure communication
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11 13" #this is a problematic code where the query should report a result(s) Resources: MyLoadBalancer: @@ -58,7 +58,7 @@ Resources: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 11" +```json title="Positive test num. 2 - json file" hl_lines="9 11" { "Resources": { "MyLoadBalancer": { diff --git a/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md b/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md index e784e08a62b..2164a70a2f7 100644 --- a/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md +++ b/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 27 29" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34 27 29" #this is a problematic code where the query should report a result(s) Resources: MyLoadBalancer: @@ -65,7 +65,7 @@ Resources: - Name: TLS_DHE_PSK_WITH_NULL_SHA256 Value: ELBSecurityPolicy-TLS-1-2-2017-01 ``` -```json title="Postitive test num. 2 - json file" hl_lines="40 49 35" +```json title="Positive test num. 2 - json file" hl_lines="40 49 35" { "Resources": { "MyLoadBalancer": { diff --git a/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md b/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md index 35b014972df..186f75c2134 100644 --- a/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md 
+++ b/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md @@ -28,7 +28,7 @@ EBS volumes should be encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" AWSTemplateFormatVersion: "2010-09-09" Description: "Volume" Resources: @@ -45,7 +45,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: "Volume 02" Resources: @@ -60,7 +60,7 @@ Resources: DeletionPolicy: Snapshot ``` -```json title="Postitive test num. 3 - json file" hl_lines="15" +```json title="Positive test num. 3 - json file" hl_lines="15" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Volume", @@ -84,7 +84,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { diff --git a/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md b/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md index 090e170f5f2..4bd9710f538 100644 --- a/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md +++ b/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md @@ -28,7 +28,7 @@ API Gateway Stage should have Access Logging Settings defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" Resources: Prod: Type: AWS::ApiGateway::Stage @@ -56,7 +56,7 @@ Resources: DataTraceEnabled: false ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Router53", @@ -74,7 +74,7 @@ Resources: } ``` -```json title="Postitive test num. 3 - json file" hl_lines="17" +```json title="Positive test num. 3 - json file" hl_lines="17" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -102,7 +102,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { diff --git a/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md b/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md index 1723b2882ae..607ff27f744 100644 --- a/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md +++ b/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md @@ -28,7 +28,7 @@ SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -50,7 +50,7 @@ Resources: Topics: - !Ref mytopic ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md b/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md index ab050a78399..db5b2d6ba31 100644 --- a/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md +++ b/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md @@ -28,7 +28,7 @@ API Gateway should have a Security Policy defined and use TLS 1.2.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="20" +```yaml title="Positive test num. 1 - yaml file" hl_lines="20" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Parameters: @@ -55,7 +55,7 @@ Outputs: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="13" AWSTemplateFormatVersion: "2010-09-09" Description: "Router53" Parameters: @@ -80,7 +80,7 @@ Outputs: Value: !Ref myDomainName ``` -```json title="Postitive test num. 3 - json file" hl_lines="26" +```json title="Positive test num. 3 - json file" hl_lines="26" { "Description": "Router53", "Parameters": { @@ -119,7 +119,7 @@ Outputs: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="15" { diff --git a/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md b/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md index 7258c2d8c2b..9ab3eef44ee 100644 --- a/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md +++ b/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md @@ -28,7 +28,7 @@ AWS Security Group should not have an unknown port exposed to the entire Interne ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -43,7 +43,7 @@ Resources: CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 2 - json file" hl_lines="12" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md b/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md index d0b88b2c0d6..36a94f29037 100644 --- a/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md +++ b/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md @@ -28,7 +28,7 @@ S3 Buckets should not be readable to any authenticated user
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -42,7 +42,7 @@ Resources: Value: ITEngineering ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -59,7 +59,7 @@ Resources: Value: ITEngineering ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: Creating S3 bucket Resources: @@ -79,7 +79,7 @@ Resources: Value: CICD ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 @@ -95,7 +95,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="7" { @@ -120,7 +120,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="7" { @@ -149,7 +149,7 @@ Resources: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="20" { @@ -184,7 +184,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="7" { diff --git a/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md b/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md index 8df26b78a91..460e7083a56 100644 --- a/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md +++ b/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md @@ -28,7 +28,7 @@ AWS CloudFormation should have stack notifications enabled to be notified when a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: '2010-09-09' Resources: myStackWithParams: @@ -40,7 +40,7 @@ Resources: KeyName: mykey ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md b/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md index 09b9286528e..bdd9d7eb83f 100644 --- a/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md +++ b/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md @@ -28,7 +28,7 @@ IAM user resource Login Profile Password should have at least one number
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -68,7 +68,7 @@ Resources: NotResource: - !Ref mytopic ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md b/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md index c19ec09e966..6c940710580 100644 --- a/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md +++ b/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md @@ -28,7 +28,7 @@ Cross-Account IAM Assume Role Policy should require external ID or MFA to protec ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Resources: RootRole: @@ -51,7 +51,7 @@ Resources: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -79,7 +79,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Resources: RootRole: @@ -105,7 +105,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="7" { @@ -139,7 +139,7 @@ Resources: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" @@ -168,7 +168,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="7" { diff --git a/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md b/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md index 8dfc8dc5863..8aff470a8da 100644 --- a/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md +++ b/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md @@ -28,7 +28,7 @@ S3 bucket allows public policy
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 19 4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 19 4" Resources: Bucket11: Type: AWS::S3::Bucket @@ -52,7 +52,7 @@ Resources: RestrictPublicBuckets : true ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Resources": { "Bucket1": { diff --git a/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md b/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md index e8d8dcb1c7f..a65671d4733 100644 --- a/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md +++ b/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md @@ -28,7 +28,7 @@ Check if ElasticSearch encryption is disabled at Rest
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Resources: @@ -66,7 +66,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Resources: @@ -101,7 +101,7 @@ Resources: rest.action.multi.allow_explicit_index: "true" ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "Description": "Creates RDS Cluster", "Resources": { @@ -152,7 +152,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md b/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md index 00badd92714..2ad8b91671e 100644 --- a/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md +++ b/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md @@ -28,7 +28,7 @@ AWS Security Group Ingress should have a single port
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 37" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 37" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -80,7 +80,7 @@ Resources: - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 53" +```json title="Positive test num. 2 - json file" hl_lines="9 53" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md b/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md index 2c6b8bd5533..c0d379b1835 100644 --- a/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md +++ b/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md @@ -28,7 +28,7 @@ SageMaker must have disabled internet access and root access for Creating Notebo ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: "Internet access and root access for Creating Notebook Instances" Resources: @@ -40,7 +40,7 @@ Resources: RoleArn: "role" ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Resources": { "Notebook": { diff --git a/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md b/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md index a2072a7a51d..76d66f7304f 100644 --- a/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md +++ b/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md @@ -28,7 +28,7 @@ Workspaces should have encryption enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" Resources: MyWorkSpace: Type: AWS::WorkSpaces::Workspace @@ -44,7 +44,7 @@ Resources: UserName: !Ref 'UserName' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="14" Resources: MyWorkSpace2: Type: AWS::WorkSpaces::Workspace @@ -61,7 +61,7 @@ Resources: UserVolumeEncryptionEnabled: false ``` -```json title="Postitive test num. 3 - json file" hl_lines="5" +```json title="Positive test num. 3 - json file" hl_lines="5" { "Resources": { "MyWorkSpace": { @@ -84,7 +84,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="17" { diff --git a/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md b/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md index d35bad3453d..09a383d34de 100644 --- a/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md +++ b/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md @@ -28,7 +28,7 @@ EC2 Instances should be configured under a VPC network. AWS VPCs provide the con ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21" Resources: VPC: Type: AWS::EC2::VPC @@ -71,7 +71,7 @@ Resources: SubnetId: !Ref PublicSubnetA ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" Resources: Ec2Instance-02: Type: AWS::EC2::Instance @@ -85,7 +85,7 @@ Resources: Ref: "KeyName" ``` -```json title="Postitive test num. 3 - json file" hl_lines="35" +```json title="Positive test num. 3 - json file" hl_lines="35" { "Resources": { "VPC": { @@ -161,7 +161,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md b/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md index bc426687104..853d4c143a5 100644 --- a/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md +++ b/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md @@ -28,7 +28,7 @@ Make sure the AWS RDS configuration has automatic backup configured. If the rete ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="14" Resources: MyDB: Type: AWS::RDS::DBInstance @@ -45,7 +45,7 @@ Resources: BackupRetentionPeriod: 0 DeletionPolicy: Snapshot ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "Resources": { "MyDB": { diff --git a/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md b/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md index 3e16b45108d..5002881db71 100644 --- a/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md +++ b/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md @@ -28,7 +28,7 @@ IAM Access Analyzer should be enabled and configured to continuously monitor res ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template 2 Resources: 
@@ -40,6 +40,24 @@ Resources: Password: myP@ssW0rd ``` +```json title="Positive test num. 2 - json file" hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template 2", + "Resources": { + "myuseeer": { + "Type": "AWS::IAM::Group", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + } + } + } + +``` #### Code samples without security vulnerabilities @@ -70,3 +88,48 @@ Resources: - "arn:aws:s3:::clients-bucket" ``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "Analyzer": { + "Type": "AWS::AccessAnalyzer::Analyzer", + "Properties": { + "AnalyzerName": "MyAccountAnalyzer", + "Type": "ACCOUNT", + "Tags": [ + { + "Key": "Kind", + "Value": "Dev" + } + ], + "ArchiveRules": [ + { + "RuleName": "ArchiveTrustedAccountAccess", + "Filter": [ + { + "Property": "principal.AWS", + "Eq": [ + "123456789012" + ] + } + ] + }, + { + "RuleName": "ArchivePublicS3BucketsAccess", + "Filter": [ + { + "Property": "resource", + "Contains": [ + "arn:aws:s3:::docs-bucket", + "arn:aws:s3:::clients-bucket" + ] + } + ] + } + ] + } + } + } + } +``` diff --git a/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md b/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md index 91b144ba5c4..a8b1d09dc4b 100644 --- a/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md +++ b/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md @@ -28,7 +28,7 @@ It's considered a best practice for an EC2 instance to use an EBS optimized inst ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" Resources: MyEC2Instance: Type: AWS::EC2::Instance 
@@ -46,7 +46,7 @@ Resources: NoDevice: {} ``` -```json title="Postitive test num. 2 - json file" hl_lines="5" +```json title="Positive test num. 2 - json file" hl_lines="5" { "Resources": { "MyEC2Instance": { @@ -75,7 +75,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16" Resources: MyEC2Instance: Type: AWS::EC2::Instance @@ -94,7 +94,7 @@ Resources: EbsOptimized: false ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="23" { @@ -127,7 +127,7 @@ Resources: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="4" Resources: @@ -149,7 +149,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md b/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md index 9060c093114..ed3bf9f70b3 100644 --- a/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md +++ b/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md @@ -28,7 +28,7 @@ AWS Lambda Functions must have associated tags.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="52" +```yaml title="Positive test num. 1 - yaml file" hl_lines="52" AWSTemplateFormatVersion: '2010-09-09' Parameters: ExistingSecurityGroups: @@ -139,7 +139,7 @@ Outputs: - Value ``` -```json title="Postitive test num. 2 - json file" hl_lines="75" +```json title="Positive test num. 2 - json file" hl_lines="75" { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { diff --git a/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md b/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md index d0128848fe0..6d525a73058 100644 --- a/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md +++ b/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md @@ -28,7 +28,7 @@ IAM Group should have at least one user associated
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template 2 Resources: @@ -62,7 +62,7 @@ Resources: - !Ref 'myu2ser' ``` -```json title="Postitive test num. 2 - json file" hl_lines="5" +```json title="Positive test num. 2 - json file" hl_lines="5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md b/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md index 0c36842315b..4a7a5b54adc 100644 --- a/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md +++ b/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md @@ -28,7 +28,7 @@ Checks if the ECR Image has been scanned
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: "2010-09-11" Resources: MyRepository3: @@ -57,7 +57,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" AWSTemplateFormatVersion: "2010-09-11" Resources: MyRepository4: @@ -68,7 +68,7 @@ Resources: ScanOnPush: "false" ``` -```json title="Postitive test num. 3 - json file" hl_lines="6" +```json title="Positive test num. 3 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { @@ -106,7 +106,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="9" { diff --git a/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md b/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md index 01319470203..825b17b61a3 100644 --- a/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md +++ b/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md @@ -28,7 +28,7 @@ Checks if any static websites are hosted on buckets. Even static websites can be ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" Resources: Bucket2: Type: AWS::S3::Bucket @@ -39,7 +39,7 @@ Resources: ErrorDocument: error.html ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "Resources": { "Bucket2": { diff --git a/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md b/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md index 9474655e36d..e21890916c0 100644 --- a/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md +++ b/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md @@ -28,7 +28,7 @@ AWS Lambda functions should have TracingConfig enabled. For this, property 'trac ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="37" +```yaml title="Positive test num. 1 - yaml file" hl_lines="37" #this is a problematic code where the query should report a result(s) AWSTemplateFormatVersion: '2010-09-09' Description: Lambda function with cfn-response. 
@@ -68,7 +68,7 @@ Resources: Mode: PassThrough ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" Resources: Function: Type: AWS::Lambda::Function @@ -88,7 +88,7 @@ Resources: - subnet-07fd123456788a036 ``` -```json title="Postitive test num. 3 - json file" hl_lines="16" +```json title="Positive test num. 3 - json file" hl_lines="16" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Lambda function with cfn-response.", @@ -112,7 +112,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="4" { diff --git a/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md b/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md index cc601746e91..686fbc8f956 100644 --- a/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md +++ b/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md @@ -28,7 +28,7 @@ IAM policies shouldn't allow full administrative privileges (for all resources)< ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 21" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -63,7 +63,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 31" +```json title="Positive test num. 2 - json file" hl_lines="9 31" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md b/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md index 2c4b947a004..de185ab3e3b 100644 --- a/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md +++ b/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md @@ -28,7 +28,7 @@ The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" Resources: DBEC2SecurityGroup: Type: AWS::EC2::SecurityGroup 
@@ -65,7 +65,7 @@ Resources: - !GetAtt DBEC2SecurityGroup.GroupId ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" Resources: DBinstance2: Type: AWS::RDS::DBInstance @@ -89,7 +89,7 @@ Resources: CIDRIP: 0.0.0.0/0 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" Resources: DBEC2SecurityGroup2: Type: AWS::EC2::SecurityGroup @@ -126,7 +126,7 @@ Resources: - !GetAtt DBEC2SecurityGroup2.GroupId ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { @@ -186,7 +186,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="24" { @@ -224,7 +224,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="15" { diff --git a/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md b/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md index dc5aa4c7ce6..c4275d93d27 100644 --- a/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md +++ b/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md @@ -28,7 +28,7 @@ The number of gateways attached should not approach or go beyond the limit of 3, ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" AWSTemplateFormatVersion: '2010-09-09' Resources: myVPC: @@ -68,7 +68,7 @@ Resources: Ref: myVPNGateway4 ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md b/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md index 2b9ccc43989..1f339c8e653 100644 --- a/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md +++ b/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md @@ -28,7 +28,7 @@ Checks for dangerous permissions in Action statements in an SQS Queue Policy. Th ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: SampleSQSPolicy: Type: AWS::SQS::QueuePolicy @@ -49,7 +49,7 @@ Resources: - "*" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" Resources: SampleSQSPolicy: Type: AWS::SQS::QueuePolicy 
@@ -70,7 +70,7 @@ Resources: - "arn:aws:iam::437628376:*" ``` -```json title="Postitive test num. 3 - json file" hl_lines="9" +```json title="Positive test num. 3 - json file" hl_lines="9" { "Resources": { "SampleSQSPolicy": { @@ -103,7 +103,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="9" { diff --git a/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md b/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md index a9c20fbe0d7..34d29cfd596 100644 --- a/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md +++ b/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md @@ -28,7 +28,7 @@ Lambda permission may be misconfigured if the action field is not filled in by ' ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" Resources: s3Permission: Type: AWS::Lambda::Permission @@ -40,7 +40,7 @@ Resources: SourceArn: !GetAtt bucket.Arn ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Resources": { "s3Permission": { diff --git a/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md b/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md index 3a8ca185021..afbf6d2d2d4 100644 --- a/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md +++ b/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md @@ -28,7 +28,7 @@ SageMaker Notebook must be placed in a VPC
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: "NotebookInstance" Resources: @@ -63,7 +63,7 @@ Resources: Value: !Ref 'AWS::StackName' ``` -```json title="Postitive test num. 2 - json file" hl_lines="27" +```json title="Positive test num. 2 - json file" hl_lines="27" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "NotebookInstance", diff --git a/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md b/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md index 4e4d2900edb..aed5db475df 100644 --- a/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md +++ b/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md @@ -28,7 +28,7 @@ KmsMasterKeyId attribute should not be undefined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: 2010-09-09 Resources: MySNSTopic: @@ -48,7 +48,7 @@ Resources: TopicName: "SampleTopic" ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md b/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md index e2a5183ff35..eca6347ea79 100644 --- a/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md +++ b/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md @@ -28,7 +28,7 @@ Check if any ECS service has inline policies attached, which are embedded direct ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: InlinePolicy: Type: AWS::ECS::Service @@ -56,7 +56,7 @@ Resources: Resource: '*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="9" +```json title="Positive test num. 2 - json file" hl_lines="9" { "Resources": { "InlinePolicy": { diff --git a/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md b/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md index df852469e34..b65ca6f7481 100644 --- a/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md +++ b/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md @@ -28,7 +28,7 @@ Specifying credentials in the template itself is probably not safe to do.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 35 71" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 35 71" AWSTemplateFormatVersion: 2010-09-09 Resources: WebServer: @@ -106,7 +106,7 @@ Resources: Properties: EC2 Resource Properties ... ``` -```json title="Postitive test num. 2 - json file" hl_lines="48 51 112" +```json title="Positive test num. 2 - json file" hl_lines="48 51 112" { "Properties": "EC2 Resource Properties ...", "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", diff --git a/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md b/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md index 136c61f166e..2bc5b3ca3b9 100644 --- a/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md +++ b/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md @@ -28,7 +28,7 @@ AWS Config Configuration Aggregator All Regions must be set to True
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 10 21 49" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 10 21 49" AWSTemplateFormatVersion: "2010-09-09" Parameters: OperatorEmail: @@ -81,7 +81,7 @@ Resources: ConfigurationAggregatorName: MyConfigurationAggregator ``` -```json title="Postitive test num. 2 - json file" hl_lines="24 62 43 6" +```json title="Positive test num. 2 - json file" hl_lines="24 62 43 6" { "Resources": { "ConfigurationAggregator5": { diff --git a/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md b/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md index 92ab698863f..6610e9d66bd 100644 --- a/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md +++ b/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md @@ -28,7 +28,7 @@ IAM Database Auth Enabled should be configured to true when using compatible eng ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19" AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: @@ -51,7 +51,7 @@ Resources: Engine: aurora ``` -```json title="Postitive test num. 2 - json file" hl_lines="31" +```json title="Positive test num. 2 - json file" hl_lines="31" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "RDS Storage Encrypted", @@ -90,7 +90,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +```yaml title="Positive test num. 3 - yaml file" hl_lines="13" AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: @@ -112,7 +112,7 @@ Resources: Engine: mysql ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="18" { diff --git a/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md b/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md index 87e38175ec9..b136d4a799c 100644 --- a/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md +++ b/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md @@ -28,7 +28,7 @@ AWS Lambda Functions should not have roles with policies granting full administr ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="76" +```yaml title="Positive test num. 1 - yaml file" hl_lines="76" AWSTemplateFormatVersion: '2010-09-09' Parameters: ExistingSecurityGroups: @@ -113,7 +113,7 @@ Resources: Resource: arn:aws:logs:*:*:* ``` -```json title="Postitive test num. 2 - json file" hl_lines="101" +```json title="Positive test num. 2 - json file" hl_lines="101" { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { diff --git a/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md b/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md index be04978df98..0499f69fd01 100644 --- a/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md +++ b/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md @@ -28,7 +28,7 @@ S3 bucket should have versioning enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" Resources: RecordServiceS3Bucket: Type: 'AWS::S3::Bucket' @@ -56,7 +56,7 @@ Resources: Status: Enabled ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="27" Resources: RecordServiceS3Bucket2: Type: 'AWS::S3::Bucket' @@ -86,7 +86,7 @@ Resources: Status: Suspended ``` -```json title="Postitive test num. 3 - json file" hl_lines="4" +```json title="Positive test num. 3 - json file" hl_lines="4" { "Resources": { "RecordServiceS3Bucket": { @@ -139,7 +139,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="48" { diff --git a/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md b/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md index d0cdab85c90..587c8f84ca9 100644 --- a/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md +++ b/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md @@ -28,7 +28,7 @@ Make sure that Amazon GuardDuty is Enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Resources: mydetector3: @@ -38,7 +38,7 @@ Resources: FindingPublishingFrequency: FIFTEEN_MINUTES ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md b/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md index 502ff533095..8dfc1ec7d07 100644 --- a/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md +++ b/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md @@ -28,7 +28,7 @@ AWS Serverless API should enable Content Encoding through the attribute 'Minimum ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -50,7 +50,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -73,7 +73,7 @@ Resources: ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="19" +```yaml title="Positive test num. 3 - yaml file" hl_lines="19" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition 
diff --git a/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md b/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md index bcd1ea9df77..3fd18f51e7c 100644 --- a/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md +++ b/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md @@ -28,7 +28,7 @@ Neptune Cluster should have IAM Database Authentication enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12 7" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -44,7 +44,7 @@ Resources: StorageEncrypted: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="8 15" +```json title="Positive test num. 2 - json file" hl_lines="8 15" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md b/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md index 38383f9eea9..d7ed6a14730 100644 --- a/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md +++ b/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md @@ -28,7 +28,7 @@ AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in cas ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="43 13" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -81,7 +81,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="44 69" +```json title="Positive test num. 2 - json file" hl_lines="44 69" { "Resources": { "OutboundRule": { diff --git a/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md b/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md index e6c2eec296c..24e8ce5a574 100644 --- a/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md +++ b/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md 
@@ -28,7 +28,7 @@ Redshift should not use the default port (5439) because an attacker can easily g
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 28"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4 28"
 Resources:
 myCluster:
 Type: "AWS::Redshift::Cluster"
@@ -59,7 +59,7 @@ Resources:
 Port: 5439
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="5 39"
+```json title="Positive test num. 2 - json file" hl_lines="5 39"
 {
 "Resources": {
 "myCluster": {
diff --git a/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md b/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md
index 9b49ee2e436..1e34d5d16c3 100644
--- a/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md
+++ b/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md
@@ -28,7 +28,7 @@ Checks if the connection between the CloudFront and the origin server is encrypt
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 30"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="13 30"
 #this is a problematic code where the query should report a result(s)
 AWSTemplateFormatVersion: "2010-09-09"
 Resources:
@@ -75,7 +75,7 @@ Resources:
 - Key: name
 Value: example
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="56 19"
+```json title="Positive test num. 2 - json file" hl_lines="56 19"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
diff --git a/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md b/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md
index 98ec68310d6..f619650a86a 100644
--- a/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md
+++ b/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md
@@ -28,7 +28,7 @@ IAM Groups should not use inline policies and instead use managed policies. If a
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -54,7 +54,7 @@ Resources:
 NotResource:
 - !GetAtt myqueue.Arn
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="12"
+```json title="Positive test num. 2 - json file" hl_lines="12"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "A sample template",
diff --git a/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md b/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md
index d47a7e8a104..fb026daf4ba 100644
--- a/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md
+++ b/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md
@@ -28,7 +28,7 @@ AWS Serverless Function should have associated tags
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: '2010-09-09'
 Transform: AWS::Serverless-2016-10-31
 Description: AWS SAM template with a simple API definition
diff --git a/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md b/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md
index 3d7b936f57c..8c943307f4d 100644
--- a/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md
+++ b/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md
@@ -28,7 +28,7 @@ AWS Serverless Function should encrypt environment variables
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: '2010-09-09'
 Transform: AWS::Serverless-2016-10-31
 Description: AWS SAM template with a simple API definition
diff --git a/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md b/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md
index 48607f13933..f6054d583fc 100644
--- a/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md
+++ b/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md
@@ -28,7 +28,7 @@ IAM User Login Profile should exist and have PasswordResetRequired property set
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -56,7 +56,7 @@ Resources:
 - !GetAtt myqueue.Arn
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="8"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -83,7 +83,7 @@ Resources:
 - !GetAtt myqueue.Arn
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="6"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -108,7 +108,7 @@ Resources:
 - !GetAtt myqueue.Arn
 ```
-
Postitive test num. 4 - json file +
Positive test num. 4 - json file
 ```json hl_lines="38"
 {
@@ -158,7 +158,7 @@ Resources:
 ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file
 ```json hl_lines="9"
 {
@@ -207,7 +207,7 @@ Resources:
 ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file
 ```json hl_lines="7"
 {
diff --git a/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md b/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md
index 2fab87f045f..40a9fd05749 100644
--- a/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md
+++ b/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md
@@ -28,7 +28,7 @@ Ensure MSK Cluster encryption in rest and transit is enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 Description: MSK Cluster with all properties
 Resources:
 TestCluster5:
@@ -68,7 +68,7 @@ Resources:
 - ReplaceWithSubnetId3
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="14"
 Description: MSK Cluster with all properties
 Resources:
 TestCluster6:
@@ -113,7 +113,7 @@ Resources:
 - ReplaceWithSubnetId3
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="14"
 Description: MSK Cluster with all properties
 Resources:
 TestCluster7:
@@ -158,7 +158,7 @@ Resources:
 - ReplaceWithSubnetId3
 ```
-
Postitive test num. 4 - json file +
Positive test num. 4 - json file
 ```json hl_lines="6"
 {
@@ -220,7 +220,7 @@ Resources:
 ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file
 ```json hl_lines="16"
 {
@@ -290,7 +290,7 @@ Resources:
 ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file
 ```json hl_lines="16"
 {
diff --git a/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md b/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md
index f6f33c6fe83..2f4a8b77577 100644
--- a/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md
+++ b/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md
@@ -28,7 +28,7 @@ S3 Buckets must not allow Delete Action From All Principals, as to prevent leaki
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="22 7"
 #this is a problematic code where the query should report a result(s)
 Resources:
 SampleBucketPolicy3:
@@ -65,7 +65,7 @@ Resources:
 - 'http://example.net/*'
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="9 35"
+```json title="Positive test num. 2 - json file" hl_lines="9 35"
 {
 "Resources": {
 "SampleBucketPolicy5": {
diff --git a/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md b/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md
index c4173c7cb41..2279b997b1e 100644
--- a/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md
+++ b/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md
@@ -28,7 +28,7 @@ AWS Auto Scaling Groups must have associated ELBs to ensure high availability an
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="28 60 87"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="28 60 87"
 #this is a problematic code where the query should report a result(s)
 AWSTemplateFormatVersion: '2010-09-09'
 Resources:
@@ -136,7 +136,7 @@ Resources:
 PropagateAtLaunch: "false"
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="78 126 38"
+```json title="Positive test num. 2 - json file" hl_lines="78 126 38"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
diff --git a/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md b/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md
index 7b8d6905016..111ccccc6d6 100644
--- a/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md
+++ b/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md
@@ -28,7 +28,7 @@ AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global A
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="2"
 Resources:
 HostedZone:
 Type: AWS::Route53::HostedZone
@@ -63,7 +63,7 @@ Resources:
 Value: value
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="3"
+```json title="Positive test num. 2 - json file" hl_lines="3"
 {
 "Resources": {
 "HostedZone": {
diff --git a/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md b/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md
index 8722fe89ecb..5c7570fccbe 100644
--- a/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md
+++ b/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md
@@ -28,7 +28,7 @@ Security Groups allows 0.0.0.0/0 for all ports and protocols.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="19"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="19"
 Resources:
 Ec2Instance:
 Type: 'AWS::EC2::Instance'
@@ -54,7 +54,7 @@ Resources:
 ToPort: 80
 CidrIp: 0.0.0.0/0
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="24"
+```json title="Positive test num. 2 - json file" hl_lines="24"
 {
 "Resources": {
 "Ec2Instance": {
diff --git a/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md b/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md
index 1ca0d6c8cf3..4b042f29eb2 100644
--- a/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md
+++ b/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md
@@ -28,7 +28,7 @@ AWS Lambda Functions should not share IAM roles to ensure they will have the min
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 41"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 41"
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Lambda function with cfn-response.
 Resources:
@@ -99,7 +99,7 @@ Resources:
 TracingConfig:
 Mode: Active
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="24 7"
+```json title="Positive test num. 2 - json file" hl_lines="24 7"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "Lambda function with cfn-response.",
diff --git a/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md b/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md
index 115a1462300..ec325fbcd32 100644
--- a/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md
+++ b/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md
@@ -28,7 +28,7 @@ SNS Topic Policy should not allow any principal to access
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: '2010-09-09'
 Description: ''
 Resources:
@@ -46,7 +46,7 @@ Resources:
 }]
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="8"
+```json title="Positive test num. 2 - json file" hl_lines="8"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "",
diff --git a/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md b/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md
index 52c673bcbcf..399d5b1328a 100644
--- a/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md
+++ b/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md
@@ -28,7 +28,7 @@ IAM password should have the required minimum length
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -68,7 +68,7 @@ Resources:
 NotResource:
 - !Ref mytopic
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="10"
+```json title="Positive test num. 2 - json file" hl_lines="10"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "A sample template",
diff --git a/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md b/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md
index 8862a7f6673..fb9c438fdca 100644
--- a/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md
+++ b/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md
@@ -28,7 +28,7 @@ S3 Buckets should have server-side encryption at rest enabled to protect sensiti
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 #this is a problematic code where the query should report a result(s)
 AWSTemplateFormatVersion: '2010-09-09'
 Description: S3 bucket without default encryption
@@ -40,7 +40,7 @@ Resources:
 'Fn::Sub': 'bucket-${AWS::Region}-${AWS::AccountId}'
 DeletionPolicy: Delete
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="5"
+```json title="Positive test num. 2 - json file" hl_lines="5"
 {
 "Resources": {
 "S3Bucket": {
diff --git a/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md b/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md
index 555f87cd085..7df558367b8 100644
--- a/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md
+++ b/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md
@@ -28,7 +28,7 @@ EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -44,7 +44,7 @@ Resources:
 Value: bar
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="8"
+```json title="Positive test num. 2 - json file" hl_lines="8"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "A sample template",
diff --git a/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md b/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md
index 245f24f7ce9..41ea7a2a7c5 100644
--- a/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md
+++ b/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md
@@ -28,7 +28,7 @@ CloudFront web distributions should use custom (and not default) SSL certificate
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: 2010-09-09
 Resources:
 myDistribution:
@@ -39,7 +39,7 @@ Resources:
 AcmCertificateArn: arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="8"
 AWSTemplateFormatVersion: 2010-09-09
 Resources:
 myDistribution:
@@ -50,7 +50,7 @@ Resources:
 CloudfrontDefaultCertificate: true
 ```
-```json title="Postitive test num. 3 - json file" hl_lines="8"
+```json title="Positive test num. 3 - json file" hl_lines="8"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
@@ -68,7 +68,7 @@ Resources:
 }
 ```
-
Postitive test num. 4 - json file +
Positive test num. 4 - json file
 ```json hl_lines="9"
 {
diff --git a/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md b/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md
index eeec31bc0fd..ad7fb905c17 100644
--- a/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md
+++ b/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md
@@ -28,7 +28,7 @@ A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an ob
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 AWSTemplateFormatVersion: 2010-09-09
 Description: Creating S3 bucket
 Resources:
@@ -72,7 +72,7 @@ Resources:
 - 'http://example.net/*'
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="5"
+```json title="Positive test num. 2 - json file" hl_lines="5"
 {
 "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
 "Description": "Creating S3 bucket",
diff --git a/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md b/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md
index 6d5e796bc6f..dd9785ec339 100644
--- a/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md
+++ b/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md
@@ -28,7 +28,7 @@ EBS Volume should specify a KmsKeyId value
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 AWSTemplateFormatVersion: 2010-09-09
 Description: Creating ECS service
 Resources:
@@ -43,7 +43,7 @@ Resources:
 Value: TagValue
 DeletionPolicy: Snapshot
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="7"
+```json title="Positive test num. 2 - json file" hl_lines="7"
 {
 "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
 "Description": "Creating ECS service",
diff --git a/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md b/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md
index f8774c011c3..84b635bd880 100644
--- a/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md
+++ b/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md
@@ -28,7 +28,7 @@ ElastiCache should be launched in a Virtual Private Cloud (VPC)
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 Resources:
 ElasticacheCluster:
 Type: 'AWS::ElastiCache::CacheCluster'
@@ -38,7 +38,7 @@ Resources:
 NumCacheNodes: '1'
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="5"
+```json title="Positive test num. 2 - json file" hl_lines="5"
 {
 "Resources": {
 "ElasticacheCluster": {
diff --git a/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md b/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md
index 722326e64df..2da81a94adf 100644
--- a/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md
+++ b/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md
@@ -28,7 +28,7 @@ AWS Redshift Clusters must not be publicly accessible, which means the attribute
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 4"
 Resources:
 myCluster:
 Type: "AWS::Redshift::Cluster"
@@ -57,7 +57,7 @@ Resources:
 Value: bar
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="5 30"
+```json title="Positive test num. 2 - json file" hl_lines="5 30"
 {
 "Resources": {
 "myCluster": {
diff --git a/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md b/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md
index 95763940b23..b19dea8d49c 100644
--- a/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md
+++ b/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md
@@ -28,7 +28,7 @@ IoT Policy should not allow Resource to be set as *
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: 2010-09-09
 Description: A sample template
 Resources:
@@ -49,7 +49,7 @@ Resources:
 PolicyName: PolicyName
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="7"
+```json title="Positive test num. 2 - json file" hl_lines="7"
 {
 "Description": "A sample template",
 "Resources": {
diff --git a/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md b/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md
index 025de777e5c..523be4881ec 100644
--- a/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md
+++ b/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md
@@ -28,7 +28,7 @@ Check if secure ciphers aren't used in CloudFront
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="26"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="26"
 #this is a problematic code where the query should report a result(s)
 AWSTemplateFormatVersion: "2010-09-09"
 Resources:
@@ -56,7 +56,7 @@ Resources:
 CloudFrontDefaultCertificate: false
 MinimumProtocolVersion: SSLv3
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="44"
+```json title="Positive test num. 2 - json file" hl_lines="44"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
diff --git a/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md b/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md
index a6e86f92e13..216f13a0a74 100644
--- a/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md
+++ b/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md
@@ -28,7 +28,7 @@ Neptune database cluster storage should have encryption enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="27"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="27"
 AWSTemplateFormatVersion: 2010-09-09
 Description: A sample template
 Resources:
@@ -63,7 +63,7 @@ Resources:
 - String
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="21"
+```json title="Positive test num. 2 - json file" hl_lines="21"
 {
 "Resources": {
 "NeptuneDBCluster": {
diff --git a/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md b/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md
index c86e0328da9..f060d9016d7 100644
--- a/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md
+++ b/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md
@@ -28,7 +28,7 @@ Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (V
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="23"
 AWSTemplateFormatVersion: 2010-09-09
 Parameters:
 CustomAmiId:
@@ -107,7 +107,7 @@ Resources:
 - !Ref emrEc2Role
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="32"
+```json title="Positive test num. 2 - json file" hl_lines="32"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Parameters" : {
diff --git a/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md b/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md
index 4b595d77ac7..7b65dd02fc9 100644
--- a/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md
+++ b/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md
@@ -28,7 +28,7 @@ Amazon EFS volume does not have encryption for data at transit enabled. To preve
 ### Code samples
 #### Code samples with security vulnerabilities
-```json title="Postitive test num. 1 - json file" hl_lines="64"
+```json title="Positive test num. 1 - json file" hl_lines="64"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "A sample template",
@@ -101,7 +101,7 @@ Amazon EFS volume does not have encryption for data at transit enabled. To preve
 }
 }
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="59"
+```json title="Positive test num. 2 - json file" hl_lines="59"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "A sample template",
diff --git a/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md b/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md
index a6b07a9fb68..a55214284f5 100644
--- a/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md
+++ b/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md
@@ -28,7 +28,7 @@ AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 AWSTemplateFormatVersion: '2010-09-09'
 Description: VPC function.
 Resources:
@@ -57,7 +57,7 @@ Resources:
 Value: AWS Lambda Function
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="27 6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="27 6"
 AWSTemplateFormatVersion: '2010-09-09'
 Description: VPC function.
 Resources:
diff --git a/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md b/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md
index 5969fd08fad..225aa795294 100644
--- a/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md
+++ b/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md
@@ -28,7 +28,7 @@ Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVIS
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="13"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="13"
 AWSTemplateFormatVersion: "2010-09-09"
 Resources:
 myDynamoDBTable:
@@ -52,7 +52,7 @@ Resources:
 TableName: "myTableName"
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="16"
+```json title="Positive test num. 2 - json file" hl_lines="16"
 {
 "Resources": {
 "myDynamoDBTable": {
diff --git a/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md b/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md
index 3b41fb04ff2..c39b59b2c1b 100644
--- a/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md
+++ b/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md
@@ -28,7 +28,7 @@ Server Access Logging should be enabled on S3 Buckets so that all changes are lo
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 AWSTemplateFormatVersion: "2010-09-09"
 Description: A sample template
 Resources:
@@ -94,7 +94,7 @@ Resources:
 - 'http://example.net/*'
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="67"
+```json title="Positive test num. 2 - json file" hl_lines="67"
 {
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "A sample template",
diff --git a/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md b/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md
index 774299769ee..ba199f9c844 100644
--- a/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md
+++ b/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md
@@ -28,7 +28,7 @@ EC2 instances with public IP addresses shouldn't allow for unrestricted traffic
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="28"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="28"
 Resources:
 myVPC_1:
 Type: AWS::EC2::VPC
@@ -78,7 +78,7 @@ Resources:
 SubnetId: !Ref mySubnet
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="3"
+```json title="Positive test num. 2 - json file" hl_lines="3"
 {
 "Resources": {
 "mySubnet": {
diff --git a/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md b/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md
index 615069882a0..5229c0a5aa4 100644
--- a/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md
+++ b/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md
@@ -28,7 +28,7 @@ ELBv2 ALBs should have access log enabled to capture detailed information about ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22" AWSTemplateFormatVersion: "2010-09-09" Description: A simple EC2 instance Parameters: @@ -60,7 +60,7 @@ Resources: Value: !Ref EnvironmentName ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" AWSTemplateFormatVersion: "2010-09-09" Description: A simple EC2 instance Parameters: @@ -95,7 +95,7 @@ Resources: Value: false ``` -```json title="Postitive test num. 3 - json file" hl_lines="23" +```json title="Positive test num. 3 - json file" hl_lines="23" { "Parameters": { "SecurityGroup": { @@ -138,7 +138,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="36" { diff --git a/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md b/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md index 63868c7a1ad..a909030ab35 100644 --- a/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md +++ b/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md @@ -28,7 +28,7 @@ A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" Resources: ElasticacheCluster: Type: 'AWS::ElastiCache::CacheCluster' @@ -65,7 +65,7 @@ Resources: CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="3" +```json title="Positive test num. 2 - json file" hl_lines="3" { "Resources": { "ElasticacheCluster": { @@ -81,7 +81,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="2" +```yaml title="Positive test num. 3 - yaml file" hl_lines="2" Resources: ElasticacheCluster: Type: 'AWS::ElastiCache::CacheCluster' diff --git a/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md b/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md index 94377c033fe..01d993d9829 100644 --- a/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md +++ b/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md @@ -28,7 +28,7 @@ AWS Serverless API should have X-Ray Tracing enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -39,7 +39,7 @@ Resources: StageName: prod ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +```yaml title="Positive test num. 2 - yaml file" hl_lines="9" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md b/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md index 03044315620..bea14685ce7 100644 --- a/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md +++ b/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md @@ -28,7 +28,7 @@ Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the s ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -44,7 +44,7 @@ Resources: Tags: - Tag ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md b/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md index 91eca703a89..1081f8d8ce8 100644 --- a/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md 
+++ b/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md @@ -28,7 +28,7 @@ AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK Resources: @@ -48,7 +48,7 @@ Resources: SSEType: "KMS" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-11" Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK Resources: @@ -67,7 +67,7 @@ Resources: SSEType: "KMS" ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-10" Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK Resources: @@ -84,7 +84,7 @@ Resources: BillingMode: PAY_PER_REQUEST ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md b/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md index ce509441a68..f8060b5b872 100644 --- a/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md +++ b/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md @@ -28,7 +28,7 @@ The Remote Desktop port is open to the internet in a Security Group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -43,7 +43,7 @@ Resources: CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md b/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md index 4e3c8d7a7ca..eb39ba3f85e 100644 --- a/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md +++ b/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md @@ -28,7 +28,7 @@ AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md b/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md index 505c2c352f4..69914e12b9f 100644 --- a/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md +++ b/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md @@ -28,7 +28,7 @@ ACM Certificate should not use wildcards (*) in the domain name
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" AWSTemplateFormatVersion: '2010-09-09' Parameters: DomainName: @@ -50,7 +50,7 @@ Resources: HostedZoneId: !Ref HostedZoneId ValidationMethod: 'DNS' ``` -```json title="Postitive test num. 2 - json file" hl_lines="19" +```json title="Positive test num. 2 - json file" hl_lines="19" { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { diff --git a/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md index 8e432d95700..ca55960eb70 100644 --- a/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md +++ b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md @@ -28,7 +28,7 @@ Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 13 ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" Resources: Ec2Instance: Type: 'AWS::EC2::Instance' @@ -54,7 +54,7 @@ Resources: ToPort: 80 CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="19" +```json title="Positive test num. 2 - json file" hl_lines="19" { "Resources": { "Ec2Instance": { diff --git a/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md b/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md index dac62e1036c..6989806f018 100644 --- a/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md +++ b/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md 
@@ -28,7 +28,7 @@ ElastiCache Nodes should be created across multi az, which means 'AZMode' should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Resources: myCacheCluster3: @@ -44,7 +44,7 @@ Resources: - us-west-2b ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" AWSTemplateFormatVersion: "2010-09-09" Resources: myCacheCluster4: @@ -59,7 +59,7 @@ Resources: - us-west-2b ``` -```json title="Postitive test num. 3 - json file" hl_lines="6" +```json title="Positive test num. 3 - json file" hl_lines="6" { "Resources": { "myCacheCluster5": { @@ -80,7 +80,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md b/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md index c94cccbd6a9..2a5e70ef69a 100644 --- a/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md +++ b/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md @@ -28,7 +28,7 @@ Amazon ECS must have the HealthCheck property defined to give more control over ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="47" +```yaml title="Positive test num. 1 - yaml file" hl_lines="47" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -99,7 +99,7 @@ Resources: Name: "my-vol" ``` -```json title="Postitive test num. 2 - json file" hl_lines="29" +```json title="Positive test num. 2 - json file" hl_lines="29" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md b/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md index 53c980b1870..563e54ca65e 100644 --- a/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md +++ b/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md @@ -28,7 +28,7 @@ A list of Kinesis resources found. Amazon Kinesis is a real-time streaming servi ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3" Description: Kinesis Resources: MyStream: 
@@ -42,7 +42,7 @@ Resources: KeyId: !Ref myKey ``` -```json title="Postitive test num. 2 - json file" hl_lines="4" +```json title="Positive test num. 2 - json file" hl_lines="4" { "Description": "Kinesis", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md b/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md index d466b0f6288..4a1868c13b3 100644 --- a/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md +++ b/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md @@ -28,7 +28,7 @@ API Gateway should have valid compression, which means attribute 'MinimumCompres ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17" AWSTemplateFormatVersion: "2010-09-09" Resources: RestApi3: @@ -52,7 +52,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="17" +```yaml title="Positive test num. 2 - yaml file" hl_lines="17" AWSTemplateFormatVersion: "2010-09-09" Resources: RestApi4: @@ -75,7 +75,7 @@ Resources: endpointConfigurationTypes: REGIONAL ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +```yaml title="Positive test num. 3 - yaml file" hl_lines="5" AWSTemplateFormatVersion: "2010-09-09" Resources: RestApi5: @@ -97,7 +97,7 @@ Resources: endpointConfigurationTypes: REGIONAL ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="22" { @@ -133,7 +133,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="22" { @@ -169,7 +169,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="5" { diff --git a/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md b/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md index 618ced36158..87b049b272e 100644 --- a/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md +++ b/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md @@ -28,7 +28,7 @@ Check if any AWS Support policy does not have any role and users and group assoc ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 4 28" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16 4 28" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -72,7 +72,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="29 53 5" +```json title="Positive test num. 2 - json file" hl_lines="29 53 5" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md b/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md index 8010d0a260c..aa38edb90fc 100644 --- a/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md +++ b/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md @@ -28,7 +28,7 @@ IAM password should have the required symbols
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -68,7 +68,7 @@ Resources: NotResource: - !Ref mytopic ``` -```json title="Postitive test num. 2 - json file" hl_lines="10" +```json title="Positive test num. 2 - json file" hl_lines="10" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md b/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md index 6922b9d79e4..a664ed0bb17 100644 --- a/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md +++ b/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md @@ -28,7 +28,7 @@ CodeBuild Project should be encrypted, which means 'EncryptionKey' should be def ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -59,7 +59,7 @@ Resources: - Key: Key2 Value: Value2 ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md b/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md index 7ead2981bfe..11891dd56fb 100644 --- a/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md +++ b/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md 
@@ -28,7 +28,7 @@ Check if any ElasticSearch domain isn't encrypted with KMS.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Resources: @@ -66,7 +66,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "Description": "Creates RDS Cluster", "Resources": { @@ -117,7 +117,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster2 Resources: @@ -153,7 +153,7 @@ Resources: ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="6" { diff --git a/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md b/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md index b1733eb6ce3..bcd42ee3957 100644 --- a/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md +++ b/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md @@ -28,7 +28,7 @@ The KMS key has a policy that is too permissive, as it provides the AWS account ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="8 9 4 5" +```json title="Positive test num. 1 - json file" hl_lines="8 9 4 5" { "Resources": { "RSASigningKey": { @@ -58,7 +58,7 @@ The KMS key has a policy that is too permissive, as it provides the AWS account } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8 9 4 5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8 9 4 5" Resources: RSASigningKey: Type: AWS::KMS::Key diff --git a/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md b/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md index 869d4ddf2fa..eb729818d6d 100644 --- a/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md +++ b/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md @@ -28,7 +28,7 @@ AWS Security Group Egress should have a single port
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4 22" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -79,7 +79,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="32 5" +```json title="Positive test num. 2 - json file" hl_lines="32 5" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md b/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md index 09c2c897704..4e676c40cd7 100644 --- a/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md +++ b/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md @@ -28,7 +28,7 @@ CloudFront Minimum Protocol version should be at least TLS 1.2
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 33" +```yaml title="Positive test num. 1 - yaml file" hl_lines="25 33" AWSTemplateFormatVersion: 2010-09-09 Resources: cloudfrontdistribution: @@ -81,7 +81,7 @@ Resources: Value: string-value ``` -```json title="Postitive test num. 2 - json file" hl_lines="11 55" +```json title="Positive test num. 2 - json file" hl_lines="11 55" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md b/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md index 8c08237fd64..b358efae410 100644 --- a/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md +++ b/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md @@ -28,7 +28,7 @@ AWS Serverless Function should have Tracing enabled. For this, property 'Tracing ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition @@ -49,7 +49,7 @@ Resources: Value: AWS Serverless Function ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition diff --git a/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md b/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md index 115211f81d3..a707f588912 100644 --- a/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md 
+++ b/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md @@ -28,7 +28,7 @@ Check if the Memcached is disabled on the ElastiCache
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -44,7 +44,7 @@ Resources: - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "Description": "A sample template", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md b/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md index 7ecd19fbf29..f111717e1b6 100644 --- a/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md +++ b/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md @@ -28,7 +28,7 @@ The HTTP port is open to the internet in a Security Group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 11" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -43,7 +43,7 @@ Resources: CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="13 14" +```json title="Positive test num. 2 - json file" hl_lines="13 14" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md b/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md index eb0db21755a..4df74d2e225 100644 --- a/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md +++ b/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md @@ -28,7 +28,7 @@ RDS must not be defined with public interface, which means the attribute 'Public ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="69" +```yaml title="Positive test num. 1 - yaml file" hl_lines="69" #this is a problematic code where the query should report a result(s) AWSTemplateFormatVersion: 2010-09-09 Description: >- @@ -99,7 +99,7 @@ Resources: MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' PubliclyAccessible: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="61" +```json title="Positive test num. 2 - json file" hl_lines="61" { "Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.", "Parameters": { 
diff --git a/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md b/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md index e4ec7f4e8cc..278e9c51b3a 100644 --- a/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md +++ b/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md @@ -28,7 +28,7 @@ AWS Redshift Cluster should have KMS CMK defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: 2010-09-09 Description: Redshift Stack Resources: @@ -54,7 +54,7 @@ Resources: Properties: BucketName: !Sub ${DataBucketName} ``` -```json title="Postitive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 2 - json file" hl_lines="12" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "Redshift Stack", diff --git a/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md b/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md index 6be839294c0..60dc1a0fb5a 100644 --- a/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md +++ b/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md @@ -28,7 +28,7 @@ AWS CloudFront distributions should have logging enabled to collect all viewer r ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: '2010-09-09' Resources: myDistribution1: @@ -58,7 +58,7 @@ Resources: DefaultRootObject: index.html ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" AWSTemplateFormatVersion: '2010-09-09' Resources: myDistribution2: @@ -92,7 +92,7 @@ Resources: Prefix: myprefix ``` -```json title="Postitive test num. 3 - json file" hl_lines="6" +```json title="Positive test num. 3 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -137,7 +137,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="40" { diff --git a/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md b/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md index 20173d8d6ed..923e4ad1737 100644 --- a/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md +++ b/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md @@ -28,7 +28,7 @@ Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18" Resources: NewAmpApp1: Type: AWS::Amplify::Branch @@ -51,7 +51,7 @@ Resources: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" Parameters: ParentPassword: Description: 'Password' @@ -82,7 +82,7 @@ Resources: Username: !Ref ParentUsername ``` -```json title="Postitive test num. 3 - json file" hl_lines="19" +```json title="Positive test num. 3 - json file" hl_lines="19" { "Resources": { "NewAmpApp1": { @@ -111,7 +111,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="35" { diff --git a/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md b/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md index 5f2dad4d1b3..0e2d1b60e70 100644 --- a/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md +++ b/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md @@ -28,7 +28,7 @@ An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbo ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: 2010-09-09 Resources: sgwithoutingress: @@ -41,7 +41,7 @@ Resources: SecurityGroups: - sgwithoutingress ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md b/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md index 0ac18b3c6df..c5e360b14fb 100644 --- a/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md +++ b/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md @@ -28,7 +28,7 @@ ECS Service's security group should not allow unrestricted access to all ports f ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 24" +```yaml title="Positive test num. 1 - yaml file" hl_lines="32 24" AWSTemplateFormatVersion: '2010-09-09' Parameters: VpcId: 
@@ -308,7 +308,7 @@ Outputs: Value: !Ref 'TaskDefinition' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +```yaml title="Positive test num. 2 - yaml file" hl_lines="24" AWSTemplateFormatVersion: '2010-09-09' Parameters: VpcId: @@ -579,7 +579,7 @@ Resources: ``` -```json title="Postitive test num. 3 - json file" hl_lines="115 326" +```json title="Positive test num. 3 - json file" hl_lines="115 326" { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { @@ -1070,7 +1070,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="268" { diff --git a/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md b/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md index 4b9f1b0fba7..a7d40786070 100644 --- a/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md +++ b/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md @@ -28,7 +28,7 @@ IAM policies should be applied to groups and not to users
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" #this is a problematic code where the query should report a result(s) Resources: BadPolicy: @@ -42,7 +42,7 @@ Resources: Users: - Ref: TestUser ``` -```json title="Postitive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 2 - json file" hl_lines="12" { "Resources": { "BadPolicy": { diff --git a/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md b/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md index 0f65013e8aa..78c37623428 100644 --- a/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md +++ b/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md @@ -28,7 +28,7 @@ EC2 Instances should not be configured under a default VPC network
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" Resources: DefaultVPC: Type: AWS::EC2::Instance @@ -47,7 +47,7 @@ Resources: Value: !Sub ${AWS::StackName}-Public-A ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "Resources": { "DefaultVPC": { diff --git a/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md b/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md index b2aa2c09ca3..833e91a234f 100644 --- a/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md +++ b/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md @@ -28,7 +28,7 @@ Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabledPostitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="7" { diff --git a/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md b/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md index 6fa2ec42019..30d1e368b5c 100644 --- a/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md +++ b/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md @@ -28,7 +28,7 @@ Content Delivery Network (CDN) service is used within an AWS account to secure a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6 7" AWSTemplateFormatVersion: '2010-09-09' Resources: myDistribution: @@ -44,7 +44,7 @@ Resources: Prefix: myprefix ``` -```json title="Postitive test num. 2 - json file" hl_lines="15 7" +```json title="Positive test num. 2 - json file" hl_lines="15 7" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md b/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md index 507ce7290bf..e78c7d72d6a 100644 --- a/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md +++ b/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md @@ -28,7 +28,7 @@ Check if MQ Brokers don't have logging enabled in any of the two options possibl ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="42 84 22 88 63" +```yaml title="Positive test num. 1 - yaml file" hl_lines="42 84 22 88 63" AWSTemplateFormatVersion: "2010-09-09" Description: "Create a basic ActiveMQ broker" Resources: 
@@ -134,7 +134,7 @@ Resources: Ref: "BrokerUsername" ``` -```json title="Postitive test num. 2 - json file" hl_lines="115 85 56 121 28" +```json title="Positive test num. 2 - json file" hl_lines="115 85 56 121 28" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create a basic ActiveMQ broker", diff --git a/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md b/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md index b7cd52dde2f..4b7b6cc7eae 100644 --- a/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md +++ b/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md @@ -28,7 +28,7 @@ When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid t ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24" AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Template @@ -67,7 +67,7 @@ Resources: StorageEncrypted: true ``` -```json title="Postitive test num. 2 - json file" hl_lines="25" +```json title="Positive test num. 2 - json file" hl_lines="25" { "Parameters": { "DBUsername": { diff --git a/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md b/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md index c5858505fa0..42e27f1ce5e 100644 --- a/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md +++ b/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md @@ -28,7 +28,7 @@ AWS RDS backup retention policy should be at least 7 days
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="52" +```yaml title="Positive test num. 1 - yaml file" hl_lines="52" AWSTemplateFormatVersion: "2010-09-09" Description: Creates RDS Cluster Parameters: @@ -140,7 +140,7 @@ Outputs: Value: !Ref "PMDatabasePassword" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="35" +```yaml title="Positive test num. 2 - yaml file" hl_lines="35" AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: @@ -182,7 +182,7 @@ Outputs: Value: !Ref MyDBSmall ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="22" +```yaml title="Positive test num. 3 - yaml file" hl_lines="22" AWSTemplateFormatVersion: "2010-09-09" Parameters: DBUser: @@ -223,7 +223,7 @@ Resources: old_passwords: '0' ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="43" AWSTemplateFormatVersion: "2010-09-09" @@ -337,7 +337,7 @@ Outputs: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="113" { @@ -482,7 +482,7 @@ Outputs: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="55" { @@ -548,7 +548,7 @@ Outputs: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="26" { @@ -603,7 +603,7 @@ Outputs: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="54" { diff --git a/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md b/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md index 9e419e81fa6..4236cdf73cd 100644 --- a/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md +++ b/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md @@ -28,7 +28,7 @@ IAM Policy should not grant 'AssumeRole' permission across all services.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -45,7 +45,7 @@ Resources: Users: ["SomeUser"] ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Description": "A sample template", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md b/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md index a01edb45b98..cf30d387875 100644 --- a/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md +++ b/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md @@ -28,7 +28,7 @@ Check if default security group does not restrict all inbound and outbound traff ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" Parameters: KeyName: Description: The EC2 Key Pair to allow SSH access to the instance @@ -58,7 +58,7 @@ Resources: ToPort: '22' CidrIp: 0.0.0.0/0 ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "Parameters": { "KeyName": { diff --git a/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md b/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md index 6328ca7d960..55bc265375a 100644 --- a/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md +++ b/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md @@ -28,7 +28,7 @@ SSL Client Certificate should be enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" AWSTemplateFormatVersion: "2010-09-09" Resources: ProdApiGatewayStagePos: @@ -59,7 +59,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md b/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md index ae30bac3968..76e0fe38ec4 100644 --- a/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md +++ b/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md @@ -28,7 +28,7 @@ AWS Elasticsearch should have logs enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34" AWSTemplateFormatVersion: "2010-09-09" Description: ElasticsearchDomain resource Resources: @@ -79,7 +79,7 @@ Resources: rest.action.multi.allow_explicit_index: "true" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: ElasticsearchDomain resource Resources: @@ -113,7 +113,7 @@ Resources: rest.action.multi.allow_explicit_index: "true" ``` -```json title="Postitive test num. 3 - json file" hl_lines="44" +```json title="Positive test num. 3 - json file" hl_lines="44" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "ElasticsearchDomain resource", @@ -170,7 +170,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="7" { @@ -224,7 +224,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="43" { diff --git a/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md b/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md index 84adf51d236..6199aa91645 100644 --- a/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md +++ b/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md @@ -28,7 +28,7 @@ IAM policies should be attached only to groups or roles
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 14" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -58,7 +58,7 @@ Resources: NotResource: - !GetAtt myqueue.Arn ``` -```json title="Postitive test num. 2 - json file" hl_lines="10 14" +```json title="Positive test num. 2 - json file" hl_lines="10 14" { "Resources": { "myuser": { diff --git a/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md b/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md index b768386892c..a3973a83f48 100644 --- a/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md +++ b/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md @@ -28,7 +28,7 @@ ELB should have access log enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: A simple EC2 instance Resources: @@ -60,7 +60,7 @@ Resources: Value: ELBSecurityPolicy-TLS-1-2-2017-01 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +```yaml title="Positive test num. 2 - yaml file" hl_lines="31" AWSTemplateFormatVersion: "2010-09-09" Description: A simple EC2 instance Resources: @@ -95,7 +95,7 @@ Resources: S3BucketName: teste ``` -```json title="Postitive test num. 3 - json file" hl_lines="7" +```json title="Positive test num. 3 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A simple EC2 instance", @@ -144,7 +144,7 @@ Resources: } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="18" { diff --git a/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md b/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md index ee3c805f062..df836b76e4b 100644 --- a/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md +++ b/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md @@ -28,7 +28,7 @@ AWS Security Group Egress should not specify all protocols to prevent allow traf ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21 14" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -75,7 +75,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Postitive test num. 2 - json file" hl_lines="43 21" +```json title="Positive test num. 2 - json file" hl_lines="43 21" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md b/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md index f887fdf22c7..2d2bd2496c0 100644 --- a/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md +++ b/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md @@ -28,7 +28,7 @@ A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatic ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Create EFS system and Mount Targets for test VPC" Resources: 
@@ -57,7 +57,7 @@ Resources: - Arn ``` -```json title="Postitive test num. 2 - json file" hl_lines="4" +```json title="Positive test num. 2 - json file" hl_lines="4" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -104,7 +104,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +```yaml title="Positive test num. 3 - yaml file" hl_lines="4" AWSTemplateFormatVersion: "2010-09-09" Description: "Create EFS system and Mount Targets for test VPC" Resources: @@ -122,7 +122,7 @@ Resources: Value: TestFileSystem ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="4" { diff --git a/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md b/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md index 935caeeef78..51f512d2a97 100644 --- a/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md +++ b/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md @@ -28,7 +28,7 @@ RDS instance should have automatic minor upgrades enabled, which means the attri ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="58 82" +```yaml title="Positive test num. 1 - yaml file" hl_lines="58 82" #this is a problematic code where the query should report a result(s) AWSTemplateFormatVersion: 2010-09-09 Description: >- @@ -112,7 +112,7 @@ Resources: MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' AutoMinorVersionUpgrade: false ``` -```json title="Postitive test num. 2 - json file" hl_lines="58 85" +```json title="Positive test num. 2 - json file" hl_lines="58 85" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.", diff --git a/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md b/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md index adc4437c021..34fe0c27cae 100644 --- a/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md +++ b/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md 
@@ -28,7 +28,7 @@ In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or M ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 53" +```yaml title="Positive test num. 1 - yaml file" hl_lines="27 53" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -104,7 +104,7 @@ Resources: Name: "my-vol" ``` -```json title="Postitive test num. 2 - json file" hl_lines="84 38" +```json title="Positive test num. 2 - json file" hl_lines="84 38" { "Resources": { "ECSService": { diff --git a/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md b/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md index 6b99f1732ce..38a76293ab2 100644 --- a/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md +++ b/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md @@ -28,7 +28,7 @@ IAM Password should have at least one lowercase letter
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -68,7 +68,7 @@ Resources: NotResource: - !Ref mytopic ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "Resources": { "myuser": { diff --git a/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md b/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md index 8a0eb703351..4dbfb0455e6 100644 --- a/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md +++ b/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md @@ -28,7 +28,7 @@ TCP/UDP protocol AWS Network ACL Entry should not allow all ports
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 18 29 49" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 18 29 49" Resources: MyNACL: Type: AWS::EC2::NetworkAcl @@ -81,7 +81,7 @@ Resources: From: 0 To: 65535 ``` -```json title="Postitive test num. 2 - json file" hl_lines="40 61 21 47" +```json title="Positive test num. 2 - json file" hl_lines="40 61 21 47" { "Resources": { "MyNACL": { diff --git a/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md b/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md index 2b4e2a9ce43..687b98d7f7a 100644 --- a/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md +++ b/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md @@ -28,7 +28,7 @@ KMS Should not allow Principal parameter to be set as *
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: @@ -77,7 +77,7 @@ Resources: Resource: '*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="8" +```json title="Positive test num. 2 - json file" hl_lines="8" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md b/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md index 13e17e92c11..c170b896c46 100644 --- a/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md +++ b/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md @@ -28,7 +28,7 @@ IAM policy should not grant full permissions to resources from the get-go, inste ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 21" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: @@ -63,7 +63,7 @@ Resources: ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 29" +```json title="Positive test num. 2 - json file" hl_lines="9 29" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", diff --git a/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md b/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md index 4b611fbc23e..cf73a90b26f 100644 --- a/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md +++ b/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md 
@@ -28,7 +28,7 @@ S3 Buckets must not allow Put Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22 7" #this is a problematic code where the query should report a result(s) Resources: SampleBucketPolicy3: @@ -65,7 +65,7 @@ Resources: - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 35" +```json title="Positive test num. 2 - json file" hl_lines="9 35" { "Resources": { "SampleBucketPolicy5": { diff --git a/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md b/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md index a52931b510b..6934c4a9980 100644 --- a/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md +++ b/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md @@ -28,7 +28,7 @@ Every VPC resource should have an associated Flow Log
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34" AWSTemplateFormatVersion: '2010-09-09' Description: 'VPC: public and private subnets in two availability zones, a cloudonaut.io template' Parameters: @@ -85,7 +85,7 @@ Resources: ResourceType: 'VPC' TrafficType: ACCEPT ``` -```json title="Postitive test num. 2 - json file" hl_lines="52" +```json title="Positive test num. 2 - json file" hl_lines="52" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "VPC: public and private subnets in two availability zones, a cloudonaut.io template", diff --git a/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md b/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md index e1bc88d7cce..75c5c3abfc3 100644 --- a/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md +++ b/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md @@ -28,7 +28,7 @@ IAM role allows all services or principals to assume it
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Resources: RootRole: @@ -50,7 +50,7 @@ Resources: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="7" +```json title="Positive test num. 2 - json file" hl_lines="7" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md b/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md index eb094c69591..1269cd52fc6 100644 --- a/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md +++ b/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md @@ -28,7 +28,7 @@ Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 29 55" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4 29 55" Resources: NoIAM: Type: AWS::EC2::Instance @@ -87,7 +87,7 @@ Resources: Path: "/" ``` -```json title="Postitive test num. 2 - json file" hl_lines="5 94 47" +```json title="Positive test num. 2 - json file" hl_lines="5 94 47" { "Resources": { "NoIAM": { @@ -189,7 +189,7 @@ Resources: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="29 4 53" +```yaml title="Positive test num. 3 - yaml file" hl_lines="29 4 53" Resources: NoIAM: Type: AWS::EC2::Instance diff --git a/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md b/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md index 53bef7c82aa..f724218aca3 100644 --- a/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md 
+++ b/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md @@ -28,7 +28,7 @@ S3 Buckets must not allow Get Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22 7" #this is a problematic code where the query should report a result(s) Resources: SampleBucketPolicy3: @@ -65,7 +65,7 @@ Resources: - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 35" +```json title="Positive test num. 2 - json file" hl_lines="9 35" { "Resources": { "SampleBucketPolicy5": { diff --git a/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md b/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md index 41dc8430379..c68b34013fb 100644 --- a/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md +++ b/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md @@ -28,7 +28,7 @@ DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13" Parameters: ParentMasterPassword: Description: 'Password' @@ -82,7 +82,7 @@ Resources: Username: String ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +```yaml title="Positive test num. 2 - yaml file" hl_lines="24" Resources: NewAmpApp5: Type: AWS::DMS::Endpoint @@ -123,7 +123,7 @@ Resources: Username: String ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="35" +```yaml title="Positive test num. 3 - yaml file" hl_lines="35" Parameters: ParentMasterPassword: Description: 'Password' @@ -175,7 +175,7 @@ Resources: Username: String ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="16" { @@ -239,7 +239,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="26" { @@ -286,7 +286,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="38" { diff --git a/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md b/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md index 494ee54e42b..6af91296e06 100644 --- a/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md +++ b/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md @@ -28,7 +28,7 @@ It's not recommended to use plaintext environment variables for sensitive inform ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="40 27" +```json title="Positive test num. 1 - json file" hl_lines="40 27" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", @@ -88,7 +88,7 @@ It's not recommended to use plaintext environment variables for sensitive inform } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="40 27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="40 27" AWSTemplateFormatVersion: "2010-09-09" Description: A sample template Resources: diff --git a/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md b/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md index 8e62b046149..0d4299d8e46 100644 --- a/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md +++ b/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md @@ -28,7 +28,7 @@ S3 Buckets must not allow List Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22 7" #this is a problematic code where the query should report a result(s) Resources: SampleBucketPolicy3: 
@@ -65,7 +65,7 @@ Resources: - 'http://example.net/*' ``` -```json title="Postitive test num. 2 - json file" hl_lines="9 35" +```json title="Positive test num. 2 - json file" hl_lines="9 35" { "Resources": { "SampleBucketPolicy5": { diff --git a/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md b/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md index 68a0b4339e5..2de2556f762 100644 --- a/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md +++ b/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md @@ -28,7 +28,7 @@ Amazon ECS service should be configured to use Load Balancing to distribute traf ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="25 7" #this is a problematic code where the query should report a result(s) Resources: ECSService: @@ -58,7 +58,7 @@ Resources: Ref: ECSCluster ``` -```json title="Postitive test num. 2 - json file" hl_lines="27 7" +```json title="Positive test num. 2 - json file" hl_lines="27 7" { "Resources": { "ECSService": { diff --git a/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md b/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md index a3e9967605d..334959984e0 100644 --- a/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md +++ b/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md @@ -28,7 +28,7 @@ Ensure MSK Cluster Logging is enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" AWSTemplateFormatVersion: "2010-09-09" Description: MSK Cluster with required properties. Resources: @@ -46,7 +46,7 @@ Resources: - ReplaceWithSubnetId3 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 12 15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18 12 15" AWSTemplateFormatVersion: "2010-09-09" Description: MSK Cluster with required properties. Resources: @@ -75,7 +75,7 @@ Resources: - ReplaceWithSubnetId3 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12" AWSTemplateFormatVersion: "2010-09-09" Description: MSK Cluster with required properties. Resources: @@ -98,7 +98,7 @@ Resources: - ReplaceWithSubnetId3 ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="7" { @@ -126,7 +126,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="17 21 13" { @@ -170,7 +170,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="13" { diff --git a/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md b/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md index 0ae79ba1381..b56246a1e32 100644 --- a/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md +++ b/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md @@ -28,7 +28,7 @@ API Gateway should have WAF (Web Application Firewall) enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" AWSTemplateFormatVersion: "2010-09-09" Description: "BatchJobDefinition" Resources: @@ -65,7 +65,7 @@ Resources: ResourceArn: arn:aws:apigateway:region::/restapis/api-id/stages/stage ``` -```json title="Postitive test num. 2 - json file" hl_lines="33" +```json title="Positive test num. 2 - json file" hl_lines="33" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md b/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md index 57a9c0150e9..13835b76cd2 100644 --- a/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md +++ b/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md @@ -28,7 +28,7 @@ Make sure that retain_stack is enabled to keep the Stack and it's associated res ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="35 39 11 18 27" +```yaml title="Positive test num. 1 - yaml file" hl_lines="35 39 11 18 27" AWSTemplateFormatVersion: '2010-09-09' Resources: stackset3: @@ -73,7 +73,7 @@ Resources: TemplateURL: some_stack_link ``` -```json title="Postitive test num. 2 - json file" hl_lines="34 12 45 52 22" +```json title="Positive test num. 2 - json file" hl_lines="34 12 45 52 22" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { diff --git a/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md b/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md index a98a6a62685..14cec52e54c 100644 --- a/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md +++ b/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md 
@@ -28,7 +28,7 @@ Ensure that storage is encrypted.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="54" +```yaml title="Positive test num. 1 - yaml file" hl_lines="54" AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample @@ -95,7 +95,7 @@ Resources: MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +```yaml title="Positive test num. 2 - yaml file" hl_lines="24" AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Template @@ -133,7 +133,7 @@ Resources: SecondsUntilAutoPause: 1000 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="36" +```yaml title="Positive test num. 3 - yaml file" hl_lines="36" AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Template AuroraServerlessDBCluster @@ -172,7 +172,7 @@ Resources: StorageEncrypted: false ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="58" { @@ -251,7 +251,7 @@ Resources: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="25" { @@ -300,7 +300,7 @@ Resources: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="37" { @@ -350,7 +350,7 @@ Resources: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="4" Resources: @@ -369,7 +369,7 @@ Resources: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="5" { diff --git a/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md b/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md index 77a6adfe476..01f265ab51d 100644 --- a/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md +++ b/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md @@ -28,7 +28,7 @@ Query to find passwords and secrets in infrastructure code.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" #k8s test apiVersion: v1 kind: Secret @@ -39,7 +39,7 @@ stringData: password: "root" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" #cloud formation test Resources: RDSCluster1: @@ -57,7 +57,7 @@ Resources: SecondsUntilAutoPause: 1000 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="7" #ansible test - name: create a cluster1 google.cloud.gcp_container_cluster: @@ -75,7 +75,7 @@ Resources: state: present ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="9" #this is a problematic code where the query should report a result(s) @@ -101,7 +101,7 @@ resource "google_container_cluster" "primary1" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="2" resource "google_secret_manager_secret_version" "secret-version-basic2" { @@ -112,7 +112,7 @@ resource "google_secret_manager_secret_version" "secret-version-basic2" { ```
-
Postitive test num. 6 - dockerfile file +
Positive test num. 6 - dockerfile file ```dockerfile hl_lines="3 7" FROM baseImage @@ -125,7 +125,7 @@ ARG password=pass!1213Fs ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="8" resource "google_container_cluster" "primary2" { @@ -150,7 +150,7 @@ resource "google_container_cluster" "primary2" { ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="3 6" { @@ -164,7 +164,7 @@ resource "google_container_cluster" "primary2" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="8" resource "google_container_cluster" "primary4" { @@ -189,7 +189,7 @@ resource "google_container_cluster" "primary4" { ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="17 27 7" { @@ -230,7 +230,7 @@ resource "google_container_cluster" "primary4" { ```
-
Postitive test num. 11 - yaml file +
Positive test num. 11 - yaml file ```yaml hl_lines="9 11 7" openapi: 3.0.0 @@ -248,7 +248,7 @@ servers: ```
-
Postitive test num. 12 - json file +
Positive test num. 12 - json file ```json hl_lines="8 19 11 15" { @@ -277,7 +277,7 @@ servers: ```
-
Postitive test num. 13 - tf file +
Positive test num. 13 - tf file ```tf hl_lines="6" resource "aws_transfer_ssh_key" "example" { @@ -298,7 +298,7 @@ EOT ```
-
Postitive test num. 14 - tf file +
Positive test num. 14 - tf file ```tf hl_lines="17 18" @@ -328,7 +328,7 @@ EOF ```
-
Postitive test num. 15 - tf file +
Positive test num. 15 - tf file ```tf hl_lines="14 15" resource "aws_instance" "web_host" { @@ -593,7 +593,7 @@ output "public_subnet2" { ```
-
Postitive test num. 16 - yaml file +
Positive test num. 16 - yaml file ```yaml hl_lines="34 36" apiVersion: apps/v1 @@ -637,7 +637,7 @@ spec: ```
-
Postitive test num. 17 - tf file +
Positive test num. 17 - tf file ```tf hl_lines="7" resource "azurerm_sql_server" "example" { @@ -656,7 +656,7 @@ resource "azurerm_sql_server" "example" { ```
-
Postitive test num. 18 - tf file +
Positive test num. 18 - tf file ```tf hl_lines="5" resource "auth0_connection" "google_oauth2" { @@ -673,7 +673,7 @@ resource "auth0_connection" "google_oauth2" { ```
-
Postitive test num. 19 - tf file +
Positive test num. 19 - tf file ```tf hl_lines="2" provider "slack" { @@ -682,7 +682,7 @@ provider "slack" { ```
-
Postitive test num. 20 - tf file +
Positive test num. 20 - tf file ```tf hl_lines="2" provider "stripe" { @@ -691,7 +691,7 @@ provider "stripe" { ```
-
Postitive test num. 21 - tf file +
Positive test num. 21 - tf file ```tf hl_lines="50" resource "aws_ecs_task_definition" "webapp" { @@ -782,7 +782,7 @@ EOF ```
-
Postitive test num. 22 - tf file +
Positive test num. 22 - tf file ```tf hl_lines="3" provider "heroku" { @@ -792,7 +792,7 @@ provider "heroku" { ```
-
Postitive test num. 23 - tf file +
Positive test num. 23 - tf file ```tf hl_lines="3" @@ -802,7 +802,7 @@ provider "github" { ```
-
Postitive test num. 24 - tf file +
Positive test num. 24 - tf file ```tf hl_lines="4" provider "cloudflare" { @@ -813,7 +813,7 @@ provider "cloudflare" { ```
-
Postitive test num. 25 - dockerfile file +
Positive test num. 25 - dockerfile file ```dockerfile hl_lines="3 5 7 9 11" FROM baseImage @@ -830,7 +830,7 @@ ARG sgApiK=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 ```
-
Postitive test num. 26 - yaml file +
Positive test num. 26 - yaml file ```yaml hl_lines="9" Resources: @@ -845,7 +845,7 @@ Resources: ```
-
Postitive test num. 27 - yaml file +
Positive test num. 27 - yaml file ```yaml hl_lines="5 22" Resources: @@ -874,7 +874,7 @@ Resources: ```
-
Postitive test num. 28 - yaml file +
Positive test num. 28 - yaml file ```yaml hl_lines="5" - name: Start a workflow in the Itential Automation Platform @@ -889,7 +889,7 @@ Resources: ```
-
Postitive test num. 29 - tf file +
Positive test num. 29 - tf file ```tf hl_lines="2" provider "mailgun" { @@ -898,7 +898,7 @@ provider "mailgun" { ```
-
Postitive test num. 30 - tf file +
Positive test num. 30 - tf file ```tf hl_lines="2" provider "stripe" { @@ -907,7 +907,7 @@ provider "stripe" { ```
-
Postitive test num. 31 - yaml file +
Positive test num. 31 - yaml file ```yaml hl_lines="4" - hosts: all @@ -918,7 +918,7 @@ provider "stripe" { ```
-
Postitive test num. 32 - yaml file +
Positive test num. 32 - yaml file ```yaml hl_lines="4" - hosts: all @@ -929,7 +929,7 @@ provider "stripe" { ```
-
Postitive test num. 33 - yaml file +
Positive test num. 33 - yaml file ```yaml hl_lines="13" apiVersion: v1 @@ -949,7 +949,7 @@ spec: ```
-
Postitive test num. 34 - yaml file +
Positive test num. 34 - yaml file ```yaml hl_lines="13" apiVersion: v1 @@ -969,7 +969,7 @@ spec: ```
-
Postitive test num. 35 - yaml file +
Positive test num. 35 - yaml file ```yaml hl_lines="13" apiVersion: v1 @@ -994,7 +994,7 @@ users: ```
-
Postitive test num. 36 - tf file +
Positive test num. 36 - tf file ```tf hl_lines="5" resource "aws_transfer_ssh_key" "example2" { @@ -1032,7 +1032,7 @@ EOF ```
-
Postitive test num. 37 - tf file +
Positive test num. 37 - tf file ```tf hl_lines="14" resource "aws_lambda_function" "analysis_lambda2" { @@ -1055,7 +1055,7 @@ resource "aws_lambda_function" "analysis_lambda2" { ```
-
Postitive test num. 38 - yaml file +
Positive test num. 38 - yaml file ```yaml hl_lines="16" Resources: @@ -1080,7 +1080,7 @@ Resources: ```
-
Postitive test num. 39 - tf file +
Positive test num. 39 - tf file ```tf hl_lines="3" locals { @@ -1091,7 +1091,7 @@ locals { ```
-
Postitive test num. 40 - tf file +
Positive test num. 40 - tf file ```tf hl_lines="14 15" resource "aws_instance" "web_host" { @@ -1124,7 +1124,7 @@ EOF ```
-
Postitive test num. 41 - tf file +
Positive test num. 41 - tf file ```tf hl_lines="6" resource "aws_transfer_ssh_key" "positive44" { @@ -1148,7 +1148,7 @@ EOT ```
-
Postitive test num. 42 - tf file +
Positive test num. 42 - tf file ```tf hl_lines="7" data "terraform_remote_state" "intnet" { @@ -1164,7 +1164,7 @@ data "terraform_remote_state" "intnet" { ```
-
Postitive test num. 43 - yaml file +
Positive test num. 43 - yaml file ```yaml hl_lines="5" Resources: @@ -1184,7 +1184,7 @@ Resources: ```
-
Postitive test num. 44 - yaml file +
Positive test num. 44 - yaml file ```yaml hl_lines="17" Transform: 'AWS::Serverless-2016-10-31' @@ -1208,7 +1208,7 @@ Parameters: ```
-
Postitive test num. 45 - tf file +
Positive test num. 45 - tf file ```tf hl_lines="9" #this is a problematic code where the query should report a result(s) @@ -1234,7 +1234,7 @@ resource "google_container_cluster" "primary1" { ```
-
Postitive test num. 46 - yaml file +
Positive test num. 46 - yaml file ```yaml hl_lines="20" version: '3.9' @@ -1259,7 +1259,7 @@ services: - POSTGRES_PASSWORD=postgres ```
-
Postitive test num. 47 - tf file +
Positive test num. 47 - tf file ```tf hl_lines="5 6" resource "auth0_connection" "google_oauth2" { @@ -1276,7 +1276,7 @@ resource "auth0_connection" "google_oauth2" { ```
-
Postitive test num. 48 - tf file +
Positive test num. 48 - tf file ```tf hl_lines="8" resource "google_container_cluster" "primary1" { diff --git a/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md b/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md index 188616678b1..de490450926 100644 --- a/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md +++ b/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md @@ -28,7 +28,7 @@ CloudFront Minimum Protocol version should be at least TLS 1.2
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 11 44 14 50 54" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 11 44 14 50 54" apiVersion: cloudfront.aws.crossplane.io/v1alpha1 kind: Distribution metadata: diff --git a/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md b/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md index a0e2f9355e2..c3cedc1f69b 100644 --- a/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md +++ b/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md @@ -28,7 +28,7 @@ All AWS CloudFront distributions should be integrated with the Web Application F ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 48" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 48" apiVersion: cloudfront.aws.crossplane.io/v1alpha1 kind: Distribution metadata: diff --git a/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md b/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md index 30f3f9b7597..0b78b5a1681 100644 --- a/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md +++ b/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md @@ -28,7 +28,7 @@ Elastic File System (EFS) must be encrypted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 35 38 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 35 38 6" apiVersion: efs.aws.crossplane.io/v1alpha1 kind: FileSystem metadata: diff --git a/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md b/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md index 98eea6c448f..806e01e3aff 100644 --- a/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md +++ b/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md @@ -28,7 +28,7 @@ AWS CloudFront distributions should have logging enabled to collect all viewer r ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 41 11 12 47 50" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 41 11 12 47 50" apiVersion: cloudfront.aws.crossplane.io/v1alpha1 kind: Distribution metadata: diff --git a/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md b/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md index c2c16d03e45..73b2f38d36a 100644 --- a/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md +++ b/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md @@ -28,7 +28,7 @@ Neptune database cluster storage should have encryption enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 50 6 15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="40 50 6 15" apiVersion: neptune.aws.crossplane.io/v1alpha1 kind: DBCluster metadata: diff --git a/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md b/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md index 37c08feb153..80ef8213eda 100644 --- a/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md +++ b/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md @@ -28,7 +28,7 @@ Amazon Simple Queue Service (SQS) queue should protect the contents of their mes ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="40 6" apiVersion: sqs.aws.crossplane.io/v1beta1 kind: Queue metadata: diff --git a/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md b/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md index c6fbf70e215..5df3ad50ae1 100644 --- a/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md +++ b/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md @@ -28,7 +28,7 @@ AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, a ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 34 38 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 34 38 6" apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1 kind: LogGroup metadata: diff --git a/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md b/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md index dc0b4f7cc26..e3a60deed55 100644 
--- a/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md +++ b/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 58" +```yaml title="Positive test num. 1 - yaml file" hl_lines="18 58" apiVersion: elbv2.aws.crossplane.io/v1alpha1 kind: Listener metadata: diff --git a/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md b/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md index 5ec5d141145..1d8b639933c 100644 --- a/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md +++ b/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md @@ -28,7 +28,7 @@ Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CM ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="36 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="36 6" apiVersion: efs.aws.crossplane.io/v1alpha1 kind: FileSystem metadata: diff --git a/docs/queries/crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000.md b/docs/queries/crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000.md index cfee2dad243..650d946e5e3 100644 --- a/docs/queries/crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000.md +++ b/docs/queries/crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000.md 
@@ -28,7 +28,7 @@ RDS must not be defined with public interface, which means the attribute 'Public
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 apiVersion: database.aws.crossplane.io/v1beta1
 kind: RDSInstance
 metadata:
@@ -51,7 +51,7 @@ spec:
 - subnet-87654321
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11"
 apiVersion: database.aws.crossplane.io/v1beta1
 kind: RDSInstance
 metadata:
diff --git a/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md b/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md
index a12e1987b21..1d1c5c11504 100644
--- a/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md
+++ b/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md
@@ -28,7 +28,7 @@ The CIDR IP should not be a public interface
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 55"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 55"
 apiVersion: ec2.aws.crossplane.io/v1beta1
 kind: SecurityGroup
 metadata:
diff --git a/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md b/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md
index ebafa66c0d9..68f39662e79 100644
--- a/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md
+++ b/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md
@@ -28,7 +28,7 @@ RDS Instance should have its storage encrypted by setting the parameter to 'true
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="47 21 6 63"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="47 21 6 63"
 apiVersion: database.aws.crossplane.io/v1beta1
 kind: RDSInstance
 metadata:
diff --git a/docs/queries/crossplane-queries/aws/e6cd49ba-77ed-417f-9bca-4f5303554308.md b/docs/queries/crossplane-queries/aws/e6cd49ba-77ed-417f-9bca-4f5303554308.md
index cb43ff28267..e3c618f13fb 100644
--- a/docs/queries/crossplane-queries/aws/e6cd49ba-77ed-417f-9bca-4f5303554308.md
+++ b/docs/queries/crossplane-queries/aws/e6cd49ba-77ed-417f-9bca-4f5303554308.md
@@ -28,7 +28,7 @@ DocDB logging should be enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
 apiVersion: docdb.aws.crossplane.io/v1alpha1
 kind: DBCluster
 metadata:
@@ -57,7 +57,7 @@ spec:
 providerConfigRef:
 name: example
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="26"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="26"
 apiVersion: docdb.aws.crossplane.io/v1alpha1
 kind: DBCluster
 metadata:
@@ -87,7 +87,7 @@ spec:
 providerConfigRef:
 name: example
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="26"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="26"
 apiVersion: docdb.aws.crossplane.io/v1alpha1
 kind: DBCluster
 metadata:
diff --git a/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md b/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md
index 10d29344ce4..6fb0fd1277e 100644
--- a/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md
+++ b/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md
@@ -28,7 +28,7 @@ Redis Cache resource should not allow non-SSL connections.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="14"
 apiVersion: cache.azure.crossplane.io/v1beta1
 kind: Redis
 metadata:
diff --git a/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md b/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md
index 0f88ef509b4..387f8e03f56 100644
--- a/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md
+++ b/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md
@@ -28,7 +28,7 @@ Azure Container Service (AKS) instance should have role-based access control (RB
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 13"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="40 13"
 apiVersion: compute.azure.crossplane.io/v1alpha3
 kind: AKSCluster
 metadata:
diff --git a/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md b/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md
index 2ba49a900ec..59336b4574b 100644
--- a/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md
+++ b/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md
@@ -28,7 +28,7 @@ Cloud storage bucket should have logging enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 apiVersion: storage.gcp.crossplane.io/v1alpha3
 kind: Bucket
 metadata:
diff --git a/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md b/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md
index 8143e65f44b..a1ae62fac51 100644
--- a/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md
+++ b/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md
@@ -28,7 +28,7 @@ Google Container Node Pool Auto Repair should be enabled. This service periodica
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="27 6"
 apiVersion: container.gcp.crossplane.io/v1beta1
 kind: NodePool
 metadata:
diff --git a/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md b/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md
index c15eb57dcce..fbfed233a9e 100644
--- a/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md
+++ b/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md
@@ -28,7 +28,7 @@ Container should not share the host network namespace
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11"
 version: '2'
 volumes:
diff --git a/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md b/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md
index b67557363d6..e5a173387d0 100644
--- a/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md
+++ b/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md
@@ -28,7 +28,7 @@ Container has sensitive host directory mounted as a volume
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" version: "3.9" services: @@ -45,7 +45,7 @@ volumes: data-volume: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" version: "3.9" services: web: @@ -67,7 +67,7 @@ volumes: o: bind ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12" version: '3' volumes: @@ -82,7 +82,7 @@ volumes: mountpoint: /var/data ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" version: "3.8" diff --git a/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md b/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md index 310b4f7b17f..f8f0cfc35b0 100644 --- a/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md +++ b/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" version: '2.2' volumes: @@ -44,7 +44,7 @@ services: mem_limit: 500M ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" version: '2.2' volumes: diff --git a/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md b/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md index 2c5527b6521..d1542c2bb1c 100644 --- a/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md +++ b/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md @@ -28,7 +28,7 @@ Ensuring the process does not gain any new privileges lessens the risk associate ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" version: "3.4" services: service-service-service: @@ -47,7 +47,7 @@ networks: service-service-frontend: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" version: "3.4" services: service-service-service: 
diff --git a/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md b/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md index e887923a7a3..23a278645f0 100644 --- a/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md +++ b/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md @@ -28,7 +28,7 @@ Attribute 'restart:on-failure' should be set to 5. Restart policies in general s ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17 6" version: "3.9" services: @@ -52,7 +52,7 @@ networks: netnet: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" version: '3.6' networks: @@ -72,7 +72,7 @@ services: - name_of_network ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" version: "3.9" services: @@ -96,7 +96,7 @@ networks: netnet: ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="17" version: "3.9" diff --git a/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md b/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md index 97569297c63..81ae1c6157b 100644 --- a/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md +++ b/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md @@ -28,7 +28,7 @@ Seccomp offers a whitelist of common system calls, blocking all others. Having l ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13" version: "3.8" services: @@ -47,7 +47,7 @@ volumes: not-a-real-source-docker: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" version: "3.9" networks: diff --git a/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md b/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md index 980e78a7198..8f4e01377cc 100644 --- a/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md +++ b/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md @@ -28,7 +28,7 @@ Incoming container traffic should be bound to a specific host interface
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11"
 version: '2.1'
 services:
@@ -46,7 +46,7 @@ services:
 network_mode: "LDC"
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11"
 version: '2.1'
 services:
@@ -64,7 +64,7 @@ services:
 network_mode: "LDC"
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="11"
 version: '3.2'
 services:
diff --git a/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md b/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md
index 16935d892e2..1e1306a163e 100644
--- a/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md
+++ b/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md
@@ -28,7 +28,7 @@ Control groups restrict the access processes and containers have to system resou
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 version: '2'
 services:
diff --git a/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md b/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md
index 2844f8a8519..638a2bb8a37 100644
--- a/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md
+++ b/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md
@@ -28,7 +28,7 @@ The hosts process namespace should not be shared by containers
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 version: '3'
 services:
@@ -41,7 +41,7 @@ services:
 pid: "host" # Share Process ID Namespace
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 version: "2.4"
 services:
 service_name_2:
@@ -53,7 +53,7 @@ services:
 - "./directory:/app"
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="5"
 version: '3'
 services:
diff --git a/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md b/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md
index b4786beb3f5..4a1d5812eee 100644
--- a/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md
+++ b/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md
@@ -28,7 +28,7 @@ Attribute 'security_opt' should be defined.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 version: "3.9"
 services:
diff --git a/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md b/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md
index eb1c2c186fd..a8243a5558c 100644
--- a/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md
+++ b/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md
@@ -28,7 +28,7 @@ Check containers periodically to see if they are running properly.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" version: '2.1' services: @@ -43,7 +43,7 @@ services: - 8092:8092 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="14" version: '2.1' services: @@ -60,7 +60,7 @@ services: disable: true ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="14" +```yaml title="Positive test num. 3 - yaml file" hl_lines="14" version: '2.1' services: diff --git a/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md b/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md index 644981847ef..8cce9c4a6db 100644 --- a/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md +++ b/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md @@ -28,7 +28,7 @@ CPU limits should be set because if the system has CPU time free, a container is ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" version: "3.7" services: zapzop: @@ -43,7 +43,7 @@ services: cpus: '0.1' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" version: "2.4" services: @@ -60,7 +60,7 @@ services: - 12345:6000 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="3 7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="3 7" version: "3.7" services: zapzop: @@ -70,7 +70,7 @@ services: deploy: ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="5" version: "3.9" @@ -86,7 +86,7 @@ services: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="8" version: "3.7" diff --git a/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md b/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md index 5d655931210..f6d9e44d794 100644 --- a/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md +++ b/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md @@ -28,7 +28,7 @@ The host's user namespace should not be shared.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 version: "3"
 services:
diff --git a/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md b/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md
index ed55091a3bc..d6ec9b57698 100644
--- a/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md
+++ b/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md
@@ -28,7 +28,7 @@ Privileged containers should be used with extreme caution, they have all of the
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 version: "3.9"
 services:
@@ -41,7 +41,7 @@ services:
 privileged: true
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="13"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="13"
 version: "3.9"
 services:
diff --git a/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md b/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md
index 20cf9ff9036..7bd73ed707b 100644
--- a/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md
+++ b/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md
@@ -28,7 +28,7 @@ Container should not share the host IPC namespace
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" version: "3.9" services: @@ -41,7 +41,7 @@ services: ipc: "host" ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="13" version: "3.9" services: diff --git a/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md b/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md index eb54cd32d5a..c52e1ab3e10 100644 --- a/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md +++ b/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md @@ -28,7 +28,7 @@ Volume mounts should not be shared, which means that 'propagation' should not be ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="15" version: "3.2" services: old8k: @@ -46,7 +46,7 @@ services: propagation: rshared ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" version: "3.2" services: old8k: @@ -64,7 +64,7 @@ services: propagation: shared ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="15" +```yaml title="Positive test num. 3 - yaml file" hl_lines="15" version: "3.2" services: old8k: @@ -82,7 +82,7 @@ services: propagation: rslave ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="15" version: "3.2" diff --git a/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md b/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md index 7660c05c0b3..036bd18255a 100644 --- a/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md +++ b/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md @@ -28,7 +28,7 @@ Memory limits should be defined for each container. This prevents potential reso ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" version: "3.7" services: zapzop: @@ -43,7 +43,7 @@ services: cpus: '0.1' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" version: "2.4" services: @@ -60,7 +60,7 @@ services: - 12345:6000 ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="3 7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="3 7" version: "3.7" services: zapzop: @@ -70,7 +70,7 @@ services: deploy: ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="8" version: "3.7" @@ -87,7 +87,7 @@ services: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="5" version: "3.9" diff --git a/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md b/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md index b4ec762fd23..2e9f00cd160 100644 --- a/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md +++ b/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md @@ -28,7 +28,7 @@ Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12 5" services: dhcpd: image: networkboot/dhcpd:latest @@ -50,7 +50,7 @@ networks: - subnet: 192.168.0.0/24 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" version: '2.1' services: @@ -66,7 +66,7 @@ services: network_mode: "LDC" ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" version: '2.1' services: @@ -82,7 +82,7 @@ services: network_mode: "LDC" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -101,7 +101,7 @@ services: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -120,7 +120,7 @@ services: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -139,7 +139,7 @@ services: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -158,7 +158,7 @@ services: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -177,7 +177,7 @@ services: ```
-
Postitive test num. 9 - yaml file +
Positive test num. 9 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -196,7 +196,7 @@ services: ```
-
Postitive test num. 10 - yaml file +
Positive test num. 10 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -215,7 +215,7 @@ services: ```
-
Postitive test num. 11 - yaml file +
Positive test num. 11 - yaml file ```yaml hl_lines="11" version: '2.1' @@ -234,7 +234,7 @@ services: ```
-
Postitive test num. 12 - yaml file +
Positive test num. 12 - yaml file ```yaml hl_lines="11" version: '2.1' diff --git a/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md b/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md index d09bdab54e7..89892052c72 100644 --- a/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md +++ b/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md @@ -28,7 +28,7 @@ Setting networks in services ensures you are not using dockers default bridge (d ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="7" version: '2.2' volumes: @@ -45,7 +45,7 @@ services: mem_limit: 500M ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16" version: '2.2' services: diff --git a/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md b/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md index 1a1aa1416b5..53e7eeeb388 100644 --- a/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md +++ b/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md @@ -28,7 +28,7 @@ Some capabilities are not needed in certain (or any) containers. Make sure that ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4 13" version: "3.9" services: @@ -45,7 +45,7 @@ services: - all ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="13" version: "3.9" services: 
@@ -64,7 +64,7 @@ services: - SYS_CHROOT ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +```yaml title="Positive test num. 3 - yaml file" hl_lines="13" version: "3.9" services: @@ -83,7 +83,7 @@ services: - all ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="4" version: "3.9" diff --git a/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md b/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md index 9fb205d90b4..418a5c05d24 100644 --- a/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md +++ b/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md @@ -28,7 +28,7 @@ Docker socket docker.sock should not be mounted on host. If the docker socket is ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" version: "3.1" services: diff --git a/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md b/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md index c0f99223e1c..5e67dcbf391 100644 --- a/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md +++ b/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md @@ -28,7 +28,7 @@ Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the numb ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2" FROM ubuntu RUN apt-get install -y wget RUN wget https://…/downloadedfile.tar @@ -37,7 +37,7 @@ RUN rm downloadedfile.tar RUN apt-get remove wget ``` -```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 2 - dockerfile file" hl_lines="2" FROM ubuntu COPY README.md ./ COPY package.json ./ 
@@ -45,7 +45,7 @@ COPY gulpfile.js ./
 COPY __BUILD_NUMBER ./
 ```
-```dockerfile title="Postitive test num. 3 - dockerfile file" hl_lines="2"
+```dockerfile title="Positive test num. 3 - dockerfile file" hl_lines="2"
 FROM ubuntu
 ADD cairo.spec /rpmbuild/SOURCES
 ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES
diff --git a/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md b/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md
index 8149fddedbc..68f3c2565fb 100644
--- a/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md
+++ b/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md
@@ -28,7 +28,7 @@ Need to use 'yum clean all' after using a 'yum install' command to clean package
 ### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="12"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="12"
 FROM alpine:3.5
 RUN apk add --update py2-pip
 RUN yum install
diff --git a/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md b/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md
index eef045db77a..056b6e45a1e 100644
--- a/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md
+++ b/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md
@@ -28,7 +28,7 @@ Package version pinning reduces the range of versions that can be installed, red
 ### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="18 3 4 15"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="18 3 4 15"
 FROM alpine:3.9
 RUN apk add --update py-pip=7.1.2-r0
 RUN pip install --user pip
diff --git a/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md b/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md
index 475fe0c25f1..7c22db3aa19 100644
--- a/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md
+++ b/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md
@@ -28,7 +28,7 @@ Instead of 'gem install ' we should use 'gem install :'
### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3 4 5"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="3 4 5"
 FROM alpine:3.5
 RUN apk add --update py2-pip
 RUN gem install bundler
diff --git a/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md b/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md
index 57a2a0837d1..3f164e67360 100644
--- a/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md
+++ b/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md
@@ -28,7 +28,7 @@ Cached package data should be cleaned after installation to reduce image size
### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2"
 FROM busybox:1.0
 RUN zypper install
 HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
diff --git a/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md b/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
index d2f3d828ec8..df94468e1d6 100644
--- a/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
+++ b/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
@@ -28,7 +28,7 @@ There can only be one CMD instruction in a Dockerfile. If you list more than one
 ### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="11"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="11"
 FROM golang:1.7.3
 WORKDIR /go/src/github.com/alexellis/href-counter/
 RUN go get -d -v golang.org/x/net/html
diff --git a/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md b/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md
index 2188da0629c..4b11ed2babc 100644
--- a/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md
+++ b/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md
@@ -28,7 +28,7 @@ Omitting the non-interactive switch causes the command to fail during the build
 ### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2"
 FROM busybox:1.0
 RUN zypper install httpd && zypper clean
 HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
diff --git a/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md b/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md
index 5530c73e509..b2325c07a1a 100644
--- a/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md
+++ b/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md
@@ -28,7 +28,7 @@ Use of Curl or Wget should be done instead of Add to fetch packages from remote
 ### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="3"
 FROM openjdk:10-jdk
 VOLUME /tmp
 ADD https://example.com/big.tar.xz /usr/src/things/
diff --git a/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md b/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md
index 01cb265134d..c6c265d5daa 100644
--- a/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md
+++ b/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md
@@ -28,7 +28,7 @@ Not specifying the package version can cause failures due to unanticipated chang
 ### Code samples
 #### Code samples with security vulnerabilities
-```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3"
+```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3"
 FROM opensuse/leap:15.2
 RUN zypper install -y httpd && zypper clean
 RUN ["zypper", "install", "http"]
diff --git a/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md b/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md
index 49cd6b9f84c..72d9cb5ae17 100644
--- a/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md
+++ b/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md
@@ -28,7 +28,7 @@ Expose only the ports that your application needs and avoid exposing ports like ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="3" FROM gliderlabs/alpine:3.3 RUN apk --no-cache add nginx EXPOSE 3000 80 443 22 diff --git a/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md b/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md index 15b641ece08..ae0a21a58e8 100644 --- a/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md +++ b/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md @@ -28,14 +28,14 @@ OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability
Postitive test num. 4 - dockerfile file +
Positive test num. 4 - dockerfile file ```dockerfile hl_lines="11" # example with envs usage @@ -74,7 +74,7 @@ RUN yum -y install \ ```
-
Postitive test num. 5 - dockerfile file +
Positive test num. 5 - dockerfile file ```dockerfile hl_lines="11" # example with envs usage @@ -93,7 +93,7 @@ RUN yum -y install \ ```
-
Postitive test num. 6 - dockerfile file +
Positive test num. 6 - dockerfile file ```dockerfile hl_lines="5" # simple usage @@ -104,7 +104,7 @@ RUN ["curl", "https://www.openssl.org/source/openssl-3.0.2.tar.gz"] ```
-
Postitive test num. 7 - dockerfile file +
Positive test num. 7 - dockerfile file ```dockerfile hl_lines="7" # example with envs usage diff --git a/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md b/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md index bc887f7d8f6..0f79c8b035b 100644 --- a/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md +++ b/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md @@ -28,7 +28,7 @@ Not specifying the package version can cause failures due to unanticipated chang ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3" FROM opensuse/leap:15.2 RUN yum install -y httpd && yum clean all RUN ["yum", "install", "httpd"] diff --git a/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md b/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md index e43f8181cbc..c98e345e2c8 100644 --- a/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md +++ b/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md @@ -28,7 +28,7 @@ Leaving the last user as root can cause security risks. Change to another user a ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2" FROM alpine:2.6 USER root RUN npm install diff --git a/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md b/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md index 228e9f2669e..b992239e1a0 100644 --- a/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md +++ b/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md 
@@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="10" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="10" FROM golang:1.16 WORKDIR /go/src/github.com/alexellis/href-counter/ RUN go get -d -v golang.org/x/net/html diff --git a/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md b/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md index 381b9879f06..f9f85f148ce 100644 --- a/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md +++ b/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md @@ -28,7 +28,7 @@ There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTR ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="11" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="11" FROM golang:1.7.3 WORKDIR /go/src/github.com/alexellis/href-counter/ RUN go get -d -v golang.org/x/net/html diff --git a/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md b/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md index 07e063fc0e9..2736f2456bc 100644 --- a/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md +++ b/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md @@ -28,7 +28,7 @@ For clarity and reliability, you should always use absolute paths for your WORKD ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="5" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="5" FROM alpine:3.5 RUN apk add --update py2-pip RUN pip install --upgrade pip 
diff --git a/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md b/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md index e7cf83d96e5..acb4ec48733 100644 --- a/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md +++ b/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md @@ -28,7 +28,7 @@ When a COPY command has more than two arguments, the last one should end with a ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2" FROM node:carbon2 COPY package.json yarn.lock my_app diff --git a/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md b/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md index bdf7c2bfa24..e1678fe1fa7 100644 --- a/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md +++ b/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md @@ -28,7 +28,7 @@ Need to use -y to avoid manual input 'yum install -y '
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3 4" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="3 4" FROM alpine:3.5 RUN apk add --update py2-pip RUN sudo yum install bundler diff --git a/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md b/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md index c91c79ca523..c592e343ea5 100644 --- a/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md +++ b/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md @@ -28,7 +28,7 @@ Exposing UNIX ports out of range from 0 to 65535
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="3" FROM gliderlabs/alpine:3.3 RUN apk --no-cache add nginx EXPOSE 65536/tcp 80 443 22 diff --git a/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md b/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md index 2f89160b936..703dd7dedf5 100644 --- a/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md +++ b/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md @@ -28,7 +28,7 @@ Check if any apt-get installs don't use '--no-install-recommends' flag to avoid ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3" FROM node:12 RUN apt-get install apt-utils RUN ["apt-get", "install", "apt-utils"] diff --git a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md index 8f5a77edd63..21c0c7651fd 100644 --- a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md +++ b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md @@ -28,21 +28,21 @@ Check if apt-get calls use the flag -y to avoid user manual input.
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3 4" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3 4" FROM node:12 RUN apt-get install python=2.7 RUN apt-get install apt-utils RUN ["apt-get", "install", "apt-utils"] ``` -```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="2 3 4" +```dockerfile title="Positive test num. 2 - dockerfile file" hl_lines="2 3 4" FROM node:12 RUN sudo apt-get install python=2.7 RUN sudo apt-get install apt-utils RUN ["sudo", "apt-get", "install", "apt-utils"] ``` -```dockerfile title="Postitive test num. 3 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 3 - dockerfile file" hl_lines="2" FROM node:12 RUN DUMMY=test apt-get install python=2.7 diff --git a/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md b/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md index 6a3b740c316..ccfa2405078 100644 --- a/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md +++ b/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md @@ -28,7 +28,7 @@ The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omi ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 10" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 10" FROM fedora:27 RUN set -uex && \ dnf config-manager --set-enabled docker-ce-test && \ diff --git a/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md b/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md index 064f3327123..23a4793ae02 100644 --- a/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md +++ b/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md 
@@ -28,7 +28,7 @@ Using the command RUN to override the default shell instead of the SHELL command ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="5" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="5" FROM alpine:3.5 RUN apk add --update py2-pip RUN sudo yum install -y bundler @@ -42,7 +42,7 @@ EXPOSE 5000 CMD ["python", "/usr/src/app/app.py"] ``` -```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="5" +```dockerfile title="Positive test num. 2 - dockerfile file" hl_lines="5" FROM alpine:3.5 RUN apk add --update py2-pip RUN sudo yum install -y bundler diff --git a/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md b/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md index 1efebeb3184..06a26059c29 100644 --- a/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md +++ b/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md @@ -28,7 +28,7 @@ Avoid RUN with sudo command as it leads to unpredictable behavior
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="3" FROM alpine:3.5 RUN apk add --update py2-pip RUN sudo pip install --upgrade pip diff --git a/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md b/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md index 5df72135cee..5a32cf16e3b 100644 --- a/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md +++ b/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md @@ -28,7 +28,7 @@ Specifying a package version allows to reduce failures due to unanticipated chan ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3" FROM fedora:latest RUN dnf -y update && dnf -y install httpd && dnf clean all RUN ["dnf", "install", "httpd"] diff --git a/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md b/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md index 1b200caed1e..602a02c635d 100644 --- a/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md +++ b/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md @@ -28,7 +28,7 @@ Using ADD to load external installation scripts could lead to an evil web server ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="8" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="8" FROM openjdk:10-jdk VOLUME /tmp ADD http://source.file/package.file.tar.gz /temp 
diff --git a/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md b/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md index 89ca05f19ea..b522ecf7e4f 100644 --- a/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md +++ b/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md @@ -28,7 +28,7 @@ When installing a package, its pin version should be defined
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="9 2 3 6" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="9 2 3 6" FROM busybox RUN apt-get install python RUN ["apt-get", "install", "python"] diff --git a/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md b/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md index 570a2c99b52..507b99b3371 100644 --- a/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md +++ b/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md @@ -28,7 +28,7 @@ The MAINTAINER instruction sets the Author field of the generated images. The LA ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="4" FROM alpine:3.5 RUN apk add --update py2-pip RUN pip install --upgrade pip diff --git a/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md b/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md index cb671453045..d64ccf01298 100644 --- a/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md +++ b/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md @@ -28,7 +28,7 @@ Some POSIX commands and interactive utilities shouldn't run inside a Docker Cont ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4 5" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="4 5" FROM golang:1.12.0-stretch WORKDIR /go COPY . /go diff --git a/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md b/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md index 4b09e390d3d..58568586d0d 100644 
--- a/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md +++ b/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md @@ -28,7 +28,7 @@ Instruction 'RUN update' should always be followed by ' ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="1" FROM alpine RUN apk add --update py2-pip RUN pip install --upgrade pip @@ -39,7 +39,7 @@ COPY templates/index.html /usr/src/app/templates/ EXPOSE 5000 CMD ["python", "/usr/src/app/app.py"] ``` -```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="7" +```dockerfile title="Positive test num. 2 - dockerfile file" hl_lines="7" FROM ubuntu:22.04 AS test RUN echo "hello" diff --git a/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md b/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md index 688a7de0ab8..fad9543df3d 100644 --- a/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md +++ b/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md @@ -28,7 +28,7 @@ It is considered a best practice for every executable in a container to be owned ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="4" FROM python:3.7 RUN pip install Flask==0.11.1 RUN useradd -ms /bin/bash patrick diff --git a/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md b/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md index a1b7877b7f9..2ad7ac8b9cb 100644 --- a/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md +++ b/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md 
@@ -28,7 +28,7 @@ When installing packages, use the '--no-cache' switch to avoid the need to use ' ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2" FROM gliderlabs/alpine:3.3 RUN apk add --update-cache python WORKDIR /app diff --git a/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md b/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md index 25d902724e8..cf17740a5f3 100644 --- a/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md +++ b/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md @@ -28,7 +28,7 @@ Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1 7" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="1 7" FROM node:alpine WORKDIR /usr/src/app COPY package*.json ./ diff --git a/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md b/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md index d676e20e7d3..3a5a0344fb4 100644 --- a/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md +++ b/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md @@ -28,7 +28,7 @@ Don't use '--platform' flag with FROM
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="6" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="6" FROM alpine:3.5 RUN apk add --update py2-pip RUN pip install --upgrade pip diff --git a/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md b/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md index 6bde3215eb0..ab64cfd1965 100644 --- a/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md +++ b/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md @@ -28,7 +28,7 @@ apt is discouraged by the linux distributions as an unattended tool as its inter ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2" FROM busybox:1.0 RUN apt install curl HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1 diff --git a/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md b/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md index 14e1442e78a..7acdf00674b 100644 --- a/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md +++ b/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md @@ -28,7 +28,7 @@ Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="10 11" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="10 11" FROM alpine:3.5 RUN apk add --update py2-pip RUN sudo yum install bundler diff --git a/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md b/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md index 26c11fd0f20..4aecc3e72c8 100644 --- a/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md +++ b/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md @@ -28,7 +28,7 @@ COPY '--from' should not mention the current FROM alias, since it is impossible ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2" FROM myimage:tag as dep COPY --from=dep /binary / RUN dir c:\ diff --git a/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md b/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md index 20cebf222e5..42c75f77acd 100644 --- a/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md +++ b/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md @@ -28,7 +28,7 @@ Package version pinning reduces the range of versions that can be installed, red ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 13 14 16 18" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 13 14 16 18" FROM alpine:3.9 RUN apk add --update py-pip RUN sudo pip install --upgrade pip diff --git a/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md b/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md index ea86f281404..84f28478a0c 100644 
--- a/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md +++ b/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md @@ -28,7 +28,7 @@ After using apt-get install, it is needed to delete apt-get lists
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="8 2 12 5" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="8 2 12 5" FROM busybox1 RUN apt-get update && apt-get install --no-install-recommends -y python diff --git a/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md b/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md index 00627ebf393..c7fb51acdfa 100644 --- a/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md +++ b/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md @@ -28,7 +28,7 @@ Check if packages installed by npm are pinning a specific version.
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3 4 5 6 7 8" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3 4 5 6 7 8" FROM node:12 RUN npm install sax RUN npm install sax --no-cache diff --git a/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md b/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md index 786aa9e9dd9..c2747ee4e36 100644 --- a/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md +++ b/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md @@ -28,7 +28,7 @@ Check if shell commands with pipes (except Powershell) have the pipefail flag se ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 3" FROM node:12 RUN zsh ./some_output | ./some_script RUN [ "/bin/bash", "./some_output", "|", "./some_script" ] diff --git a/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md b/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md index 4bd51c987be..4f10ac71639 100644 --- a/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md +++ b/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md @@ -28,7 +28,7 @@ Different FROMS cant have the same alias defined
### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="4" FROM baseImage RUN Test diff --git a/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md b/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md index a999cacd00c..ba975cc91bc 100644 --- a/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md +++ b/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md @@ -28,7 +28,7 @@ When installing packages with pip, the '--no-cache-dir' flag should be set to ma ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 8 9 10 11" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="2 8 9 10 11" FROM python:3 RUN pip install --upgrade pip && \ pip install nibabel pydicom matplotlib pillow && \ diff --git a/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md b/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md index 566d5d85cfe..55199fd726e 100644 --- a/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md +++ b/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md @@ -28,7 +28,7 @@ When building images, always tag them with useful tags which codify version info ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="1" FROM alpine:latest RUN apk add --update py2-pip RUN pip install --upgrade pip diff --git a/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md b/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md index 5af45e9e53d..7a42e9ddd44 100644 
--- a/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md +++ b/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md @@ -28,7 +28,7 @@ When using RUN command 'cd' should only be used for full path. For relative path ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="9 3 15" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="9 3 15" FROM nginx ENV AUTHOR=Docker RUN cd /../share/nginx/html diff --git a/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md b/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md index 450f2bb0f56..b6dbebe7951 100644 --- a/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md +++ b/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md @@ -28,7 +28,7 @@ Shouldn't use both 'wget' and 'curl' since they are two tools that have the same ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="8 3 7" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="8 3 7" FROM debian RUN wget http://google.com RUN curl http://bing.com diff --git a/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md b/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md index 8958ccc1456..2065bd67456 100644 --- a/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md +++ b/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md 
@@ -28,7 +28,7 @@ A user should be specified in the dockerfile, otherwise the image will run as ro ### Code samples #### Code samples with security vulnerabilities -```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1 7" +```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="1 7" FROM python:2.7 RUN pip install Flask==0.11.1 RUN useradd -ms /bin/bash patrick diff --git a/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md b/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md index e6c74ec14d8..5e6f705aa50 100644 --- a/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md +++ b/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md @@ -28,7 +28,7 @@ Google Storage Bucket Level Access should be enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" resources: - name: a-new-pubsub-topic1 type: storage.v1.bucket diff --git a/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md b/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md index a3fb30fc8ed..24133b376c4 100644 --- a/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md +++ b/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md @@ -28,7 +28,7 @@ Bucket should have versioning enabled
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" resources: - name: bucket type: storage.v1.bucket @@ -36,7 +36,7 @@ resources: name: my-bucket ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" resources: - name: bucket type: storage.v1.bucket diff --git a/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md b/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md index 97de5b073a4..c08d4feaff0 100644 --- a/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md +++ b/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md @@ -28,7 +28,7 @@ A list of Persistent Disk resources found. Persistent Disk is Google's local dur ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 11 19 24 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="3 11 19 24 31" resources: - type: compute.v1.disk name: disk-1-data diff --git a/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md b/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md index 850f63c8601..407e0aafc67 100644 --- a/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md +++ b/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md 
@@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Alias IP ranges enabled, which means th
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 description: my-cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -46,7 +46,7 @@ resources:
 subnetworkName: my-network
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="8"
 resources:
 - name: cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md b/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md
index 019c565a2a3..444b2e1c18b 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md
@@ -28,7 +28,7 @@ DNSSEC must be enabled for Cloud DNS
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: dns
 type: dns.v1.managedZone
@@ -36,7 +36,7 @@ resources:
 name: my-zone
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 resources:
 - name: dns2
 type: dns.v1.managedZone
@@ -46,7 +46,7 @@ resources:
 kind: "dns#managedZoneDnsSecConfig"
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="7"
 resources:
 - name: dns3
 type: dns.v1.managedZone
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md b/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md
index 0dc856a56b0..d4fcf7df1a7 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Private Clusters enabled, meaning the '
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: mycluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 zone: us-east1-b
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6 7"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6 7"
 resources:
 - name: mycluster2
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md b/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md
index 85bef5bb7c6..9a0c62e8391 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md
@@ -28,7 +28,7 @@ Check if the Google compute firewall allows unrestricted RDP access. Allowed por
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="14"
 resources:
 - name: firewall
 type: compute.v1.firewall
@@ -50,7 +50,7 @@ resources:
 - "3389"
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="14"
 resources:
 - name: firewall
 type: compute.v1.firewall
@@ -72,7 +72,7 @@ resources:
 - "21-3389"
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="9"
 resources:
 - name: firewall
 type: compute.v1.firewall
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md b/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md
index 39ac6c6b69a..d4225a6f1ff 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md
@@ -28,7 +28,7 @@ Master authorized networks must be enabled in GKE clusters
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: my-cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 description: cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="7"
 resources:
 - name: my-cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md b/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md
index 94642382b46..db882c130e1 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md
@@ -28,7 +28,7 @@ Cloud Storage Buckets must not be anonymously or publicly accessible, which mean
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: storage-bucket
 type: storage.v1.bucket
@@ -36,7 +36,7 @@ resources:
 name: my-bucket
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="4 7"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="4 7"
 resources:
 - name: storage-bucket
 type: storage.v1.bucket
@@ -46,7 +46,7 @@ resources:
 - entity: allAuthenticatedUsers
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="10 7"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="10 7"
 resources:
 - name: storage-bucket
 type: storage.v1.bucket
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md b/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
index 8ccefcee800..7abae728cb9 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
@@ -28,7 +28,7 @@ Cloud SQL Database Instance should have SLL enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 resources:
 - name: sql-instance
 type: sqladmin.v1beta4.instance
@@ -37,7 +37,7 @@ resources:
 tier: db-custom-1-3840
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="7"
 resources:
 - name: sql-instance
 type: sqladmin.v1beta4.instance
@@ -48,7 +48,7 @@ resources:
 ipv4Enabled: true
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="9"
 resources:
 - name: sql-instance
 type: sqladmin.v1beta4.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md b/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md
index 4c3ecde75e2..c3685cca705 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md
@@ -28,7 +28,7 @@ DNSSEC should not use the RSASHA1 algorithm
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 resources:
 - name: dns
 type: dns.v1.managedZone
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md b/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md
index 008ac2a3b4d..0bc08a3c3d9 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md
@@ -28,7 +28,7 @@ VM Instance should block project-wide SSH keys
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: vm
 type: compute.v1.instance
@@ -36,7 +36,7 @@ resources:
 description: my-vm
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="8"
 resources:
 - name: vm
 type: compute.v1.instance
@@ -51,7 +51,7 @@ resources:
 value: false
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="12"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="12"
 resources:
 - name: vm
 type: compute.v1.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md b/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md
index 1e25957487f..1a6d5e8d63f 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md
@@ -28,7 +28,7 @@ Cloud Storage Bucket is anonymously or publicly accessible
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
 resources:
 - name: bucket-access-control
 type: storage.v1.bucketAccessControl
@@ -36,7 +36,7 @@ resources:
 entity: allUsers
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="5"
 resources:
 - name: bucket-access-control
 type: storage.v1.bucketAccessControl
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md b/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md
index fc11426dbdf..431ec84ca3c 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md
@@ -28,7 +28,7 @@ Instances must not have IP forwarding enabled, which means the attribute 'canIpF
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16"
 resources:
 - name: vm-template
 type: compute.v1.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md b/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md
index 0569d48f28b..2714fa3bef7 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Master Authentication set to enabled, which
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 description: cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="5"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -45,7 +45,7 @@ resources:
 clientKey: test
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="5"
 resources:
 - name: cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md b/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md
index de34089de7a..2da28cb04f2 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md
@@ -28,7 +28,7 @@ Compute instances shouldn't be accessible from the Internet.
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8"
 resources:
 - name: instance
 type: compute.v1.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md b/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md
index 781aa334961..7119d18607e 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md
@@ -28,7 +28,7 @@ BigQuery dataset is anonymously or publicly accessible. Attribute access.special
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 resources:
 - name: bigquery
 type: bigquery.v2.dataset
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md b/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md
index fb841d0cc02..0ffebd7be00 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must be configured with labels, which means the attribute 'r
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md b/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md
index 798d1f37d2a..d2253de3c4f 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md
@@ -28,7 +28,7 @@ Compute instances must be launched with Shielded VM enabled, which means the att
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: vm-template
 type: compute.v1.instance
@@ -47,7 +47,7 @@ resources:
 canIpForward: false
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="17 18"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="17 18"
 resources:
 - name: vm-template2
 type: compute.v1.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md b/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md
index d4d69d58852..539fc12c325 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means th
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 name: my-cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 resources:
 - name: cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md b/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md
index 77a21b8e3f1..0cd6ebb9b40 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md
@@ -28,7 +28,7 @@ A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide re
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 3"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 3"
 resources:
 - type: pubsub.v1.topic
 name: topic-1
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md b/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md
index a88a86f847f..29c826436a0 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md
@@ -28,7 +28,7 @@ Gmail accounts are being used instead of corporate credentials
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 resources:
 - name: a-new-pubsub-topic
 type: pubsub.v1.topic
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md b/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md
index da91e61fe69..247087b758d 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md
@@ -28,7 +28,7 @@ Checks if backup configuration is enabled for all Cloud SQL Database instances
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: a-new-pubsub-topic
 type: storage.v1.bucket
@@ -37,7 +37,7 @@ resources:
 location: EUROPE-WEST3
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="8"
 resources:
 - name: a-new-pubsub-topic2
 type: storage.v1.bucket
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md b/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md
index b099b0bf2d7..302078df400 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: my-cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 description: cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 resources:
 - name: my-cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md b/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md
index 09eed7f47c4..4cb1a1a59d9 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Network Policy enabled, meaning that the at
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 description: my-cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="4 7"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="4 7"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -46,7 +46,7 @@ resources:
 enabled: false
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="8 4"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="8 4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -57,7 +57,7 @@ resources:
 disabled: true
 ```
-Postitive test num. 4 - yaml file
+Positive test num. 4 - yaml file
 ```yaml hl_lines="10 7"
 resources:
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md b/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md
index 7ffec4051d0..72549a26f41 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md
@@ -28,7 +28,7 @@ MySQL Instance should not have Local Infile On
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8"
 resources:
 - name: db-instance
 type: sqladmin.v1beta4.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md b/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md
index f3953bff04d..87dadac69d6 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md
@@ -28,7 +28,7 @@ A list of Storage Bucket resources found. Buckets are the basic containers that
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 2 12 44 20"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="33 2 12 44 20"
 resources:
 - name: sample-input
 type: storage.v1.bucket
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md b/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md
index 6f2ddef75f6..e7677931710 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md
@@ -28,7 +28,7 @@ The node image should be Container-Optimized OS(COS)
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 resources:
 - name: nodePool
 type: container.v1.nodePool
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md b/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md
index 46f1a765b43..f65feaa24e7 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md
@@ -28,7 +28,7 @@ Kubernetes nodes must have auto upgrades set to true, which means the attribute
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 description: my-cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -46,7 +46,7 @@ resources:
 initialNodeCount: 2
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="8"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -58,7 +58,7 @@ resources:
 autoRepair: true
 ```
-Postitive test num. 4 - yaml file
+Positive test num. 4 - yaml file
 ```yaml hl_lines="9"
 resources:
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md b/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md
index c1cab85f919..227402b4df6 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Client Certificate enabled, which means
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -36,7 +36,7 @@ resources:
 name: my-cluster
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="6"
 resources:
 - name: cluster
 type: container.v1.cluster
@@ -46,7 +46,7 @@ resources:
 clientKey: key
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="8"
 resources:
 - name: cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md b/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md
index e7d7eda725e..388f083cd2a 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md
@@ -28,7 +28,7 @@ Google Firewall should not allow SSH access (port 22) from the Internet (public
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 resources:
 - name: firewall
 type: compute.v1.firewall
@@ -45,7 +45,7 @@ resources:
 - "22"
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="10"
 resources:
 - name: firewall
 type: compute.v1.firewall
@@ -62,7 +62,7 @@ resources:
 - "21-3390"
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="4"
 resources:
 - name: firewall
 type: compute.v1.firewall
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md b/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md
index ea90dfa7d6c..5f3a2049f08 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 resources:
 - name: cluster
 type: container.v1.cluster
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md b/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md
index 829d9f513ea..b5ea76c7b49 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md
@@ -28,7 +28,7 @@ VM instance should have OSLogin enabled
### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 resources:
 - name: vm
 type: compute.v1.instance
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md b/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md
index 14938105c84..0ca0e710962 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md
@@ -28,7 +28,7 @@ VM disks for critical VMs must be encrypted with Customer Supplied Encryption Ke
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 18"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 18"
 resources:
 - name: vm-template
 type: compute.v1.instance
@@ -51,7 +51,7 @@ resources:
 zone: us-east1-c
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="14 23"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="14 23"
 resources:
 - name: vm-template2
 type: compute.v1.instance
@@ -78,7 +78,7 @@ resources:
 sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="16 26"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="16 26"
 resources:
 - name: vm-template3
 type: compute.v1.instance
diff --git a/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md b/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md
index 3fe4aced22d..dc47ef2e336 100644
--- a/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md
+++ b/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md
@@ -28,7 +28,7 @@ Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Ser ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="42 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="42 7" apiVersion: serving.knative.dev/v1 kind: Service metadata: diff --git a/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md b/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md index f67387b3e04..56109528837 100644 --- a/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md +++ b/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md @@ -28,7 +28,7 @@ Check if containers are running with low UID, which might cause conflicts with t ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: allowPrivilegeEscalation: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18 13" apiVersion: v1 kind: Pod metadata: @@ -66,7 +66,7 @@ spec: runAsNonRoot: false ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12" apiVersion: v1 kind: Pod metadata: @@ -82,7 +82,7 @@ spec: runAsNonRoot: false ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" apiVersion: apps/v1 @@ -119,7 +119,7 @@ spec: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="28 22" apiVersion: apps/v1 @@ -154,7 +154,7 @@ spec: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="32 25" apiVersion: apps/v1 @@ -193,7 +193,7 @@ spec: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="25 23" apiVersion: apps/v1 diff --git a/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md b/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md index ed852e747f7..70b47ad4b07 100644 --- a/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md +++ b/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md @@ -28,7 +28,7 @@ Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="10 6" +```json title="Positive test num. 1 - json file" hl_lines="10 6" { "name": "k8s-pod-network", "cniVersion": "0.3.0", diff --git a/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md b/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md index 58fccabfd1e..fb45894dfca 100644 --- a/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md +++ b/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md @@ -28,7 +28,7 @@ Check if any pod is not being targeted by a proper network policy.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" apiVersion: v1 kind: Pod metadata: @@ -57,7 +57,7 @@ spec: policyTypes: [] ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md b/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md index b5a519a2d17..3980bc6bf42 100644 --- a/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md +++ b/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md @@ -28,7 +28,7 @@ Roles and ClusterRoles when binded, should not use get, list or watch as verbs ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md b/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md index 2d694bc3a2e..6064a79dae5 100644 --- a/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md +++ b/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--audit-policy-file' flag should be defi ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12" apiVersion: serving.knative.dev/v1 kind: Service metadata: diff --git a/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md b/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md index bbe9ab1ea1a..d7f8ee7ca65 100644 --- a/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md +++ b/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the --enable-admission-plugins flag should ha ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md b/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md index dc3d314442c..b7dfb795b98 100644 --- a/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md +++ b/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md @@ -28,7 +28,7 @@ Audit Policy should cover key security concerns about the sensitive data logged ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" apiVersion: audit.k8s.io/v1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. 
@@ -37,7 +37,7 @@ omitStages: rules: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +```yaml title="Positive test num. 2 - yaml file" hl_lines="4" apiVersion: audit.k8s.io/v1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. @@ -56,7 +56,7 @@ rules: resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"] ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +```yaml title="Positive test num. 3 - yaml file" hl_lines="6" apiVersion: audit.k8s.io/v1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. diff --git a/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md b/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md index 2829dff61b7..4c078b8a41d 100644 --- a/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md +++ b/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md @@ -28,7 +28,7 @@ Cronjobs must have a configured deadline, which means the attribute 'startingDea ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" #this is a problematic code where the query should report a result(s) apiVersion: batch/v1beta1 kind: CronJob diff --git a/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md b/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md index ec892f6f36a..a9aaa32d1c2 100644 --- a/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md +++ b/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md @@ -28,7 +28,7 @@ Containers should not have extra capabilities allowed
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="43 12" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md b/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md index c40f3a2fada..dcfcf6756e7 100644 --- a/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md +++ b/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md @@ -28,7 +28,7 @@ When using the kubelet command, the '--event-qps' should be set to 0
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +```yaml title="Positive test num. 3 - yaml file" hl_lines="5" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8" @@ -73,7 +73,7 @@ evictionHard: memory.available: "200Mi" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1 diff --git a/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md b/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md index cfa26b2e2bf..ce085efa4f6 100644 --- a/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md +++ b/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the 'authorization-mode' flag should have 'RB ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md b/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md index 7faae70466c..ad81a3e2afb 100644 --- a/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md +++ b/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md @@ -28,7 +28,7 @@ When using kube-controller-manager commands, the '--use-service-account-credenti ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
diff --git a/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md b/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md index 25eb0721e2a..b0908e83f23 100644 --- a/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md +++ b/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md @@ -28,7 +28,7 @@ The RotateKubeletServerCertificate argument should be true
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8" @@ -40,7 +40,7 @@ featureGates: RotateKubeletServerCertificate: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -56,7 +56,7 @@ spec: restartPolicy: OnFailure ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "kind": "KubeletConfiguration", "address": "192.168.0.8", @@ -72,7 +72,7 @@ spec: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" apiVersion: v1 diff --git a/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md b/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md index d3ef0e9da55..3c741f3c935 100644 --- a/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md +++ b/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md @@ -28,7 +28,7 @@ StatefulSets should be assigned with a PodDisruptionBudget to ensure high availa ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19" apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: diff --git a/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md b/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md index b86c3633955..a2d47cf0aea 100644 --- a/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md +++ b/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md @@ -28,7 +28,7 @@ When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag shou ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -59,7 +59,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -74,7 +74,7 @@ spec: restartPolicy: OnFailure ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" apiVersion: v1 @@ -93,7 +93,7 @@ spec: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="9" apiVersion: kubelet.config.k8s.io/v1beta1 @@ -108,7 +108,7 @@ authentication: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="7" { diff --git a/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md b/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md index 529daf55575..75259f3c67d 100644 --- a/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md +++ b/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md @@ -28,7 +28,7 @@ No role nor cluster role should bind to a default service account
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md b/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md index f0a66c49f15..633ae5fc76c 100644 --- a/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md +++ b/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--disable-admission-plugins' flag should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md b/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md index 5822fbb2322..c947bfa1faa 100644 --- a/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md +++ b/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md @@ -28,7 +28,7 @@ Containers need to have NET_RAW or All as drop capabilities
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="57 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="57 13" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md b/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md index 343858a5033..81d552c003f 100644 --- a/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md +++ b/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md @@ -28,7 +28,7 @@ Memory requests should be defined for each container. This allows the kubelet to ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 25 59 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="40 25 59 13" apiVersion: v1 kind: Pod metadata: @@ -92,7 +92,7 @@ spec: command: ["stress"] ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md b/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md index e83f9649874..888644ed435 100644 --- a/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md +++ b/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md @@ -28,7 +28,7 @@ Containers should not have CAP_SYS_ADMIN Linux capability
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md b/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md index da2c459df77..aa9a5351734 100644 --- a/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md +++ b/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md @@ -28,7 +28,7 @@ Ensure that the cluster-admin role is only used where required (RBAC)
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md b/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md index a36f986c4da..0950bb522f1 100644 --- a/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md +++ b/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md @@ -28,7 +28,7 @@ Service has an external load balancer, which may cause accessibility from other ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 4 48 18 63" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 4 48 18 63" apiVersion: v1 kind: Service metadata: diff --git a/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md b/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md index 2169e3705b7..782f0e34383 100644 --- a/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md +++ b/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md @@ -28,7 +28,7 @@ Sees if Kubernetes Drop Capabilities exists to ensure containers security contex ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 28 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26 28 21" apiVersion: extensions/v1beta1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md b/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md index 6e4adc6b2a4..bcfd14d6480 100644 --- a/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md 
+++ b/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md @@ -28,7 +28,7 @@ When using the kubelet command, the read-only port should be set to zero (--read ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -59,7 +59,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="8" +```yaml title="Positive test num. 3 - yaml file" hl_lines="8" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8" @@ -70,7 +70,7 @@ evictionHard: readOnlyPort: 1 ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="5" { diff --git a/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md b/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md index 3b1e77cb3c5..05d4db57078 100644 --- a/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md +++ b/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md @@ -28,7 +28,7 @@ Verifies if Kubernetes workload's host port is specified
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 9" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md b/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md index 5d9e0e0a533..834157797c0 100644 --- a/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md +++ b/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md @@ -28,7 +28,7 @@ Limit the capabilities for a Container.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="34 11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md b/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md index 55443d831d2..d4f206f9ab5 100644 --- a/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md +++ b/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md @@ -28,7 +28,7 @@ When using kube-apiserver or kube-controller-manager or kube-scheduler command, ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="21" +```yaml title="Positive test num. 3 - yaml file" hl_lines="21" apiVersion: v1 kind: Pod metadata: @@ -86,7 +86,7 @@ spec: restartPolicy: OnFailure ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="21" apiVersion: v1 @@ -115,7 +115,7 @@ spec: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="2" apiVersion: kubescheduler.config.k8s.io/v1beta2 @@ -132,7 +132,7 @@ profiles: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="3" apiVersion: kubescheduler.config.k8s.io/v1beta2 @@ -150,7 +150,7 @@ profiles: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="14" apiVersion: v1 diff --git a/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md b/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md index 0a32701839d..756638442cb 100644 --- a/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md +++ b/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md @@ -28,7 +28,7 @@ The Horizontal Pod Autoscaler must target a valid object
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" apiVersion: autoscaling/v2beta2 kind: HorizontalPodAutoscaler metadata: diff --git a/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md b/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md index d086a9d62ad..657f64e2447 100644 --- a/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md +++ b/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md @@ -28,7 +28,7 @@ Container should not share the host process ID namespace
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 6" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md b/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md index ae3a3c74386..140d8218afe 100644 --- a/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md +++ b/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the 'token-auth-file' flag should not be set< ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md b/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md index 6e86e537c99..6de96d3d639 100644 --- a/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md +++ b/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the --enable-admission-plugins flag should ha ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
diff --git a/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md b/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md index 9c5709c8486..4487e7eadc9 100644 --- a/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md +++ b/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--audit-log-maxsize' flag should be defi ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 27 12 55" +```yaml title="Positive test num. 3 - yaml file" hl_lines="40 27 12 55" apiVersion: serving.knative.dev/v1 kind: Service metadata: diff --git a/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md b/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md index ced98aed55f..22e5a7d2ca6 100644 --- a/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md +++ b/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client- ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
@@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -59,7 +59,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md b/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md
index dc3c647fcda..2f48cfc28fe 100644
--- a/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md
+++ b/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md
@@ -28,7 +28,7 @@ Kubernetes Stateful Sets must have one Volume Claim template with the access mod ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="72 27"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="72 27" #this is a problematic code where the query should report a result(s) apiVersion: apps/v1 kind: StatefulSet
diff --git a/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md b/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md
index de29e0a002d..a5dae4c17e7 100644
--- a/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md
+++ b/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md
@@ -28,7 +28,7 @@ Roles or ClusterRoles with RBAC permissions to port-forward into pods can open s ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8" apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:
diff --git a/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md b/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md
index b5e52c1f7b8..436f9f81617 100644
--- a/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md
+++ b/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md
@@ -28,7 +28,7 @@ Service should Target a Pod
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7" apiVersion: v1 kind: Service metadata:
@@ -58,7 +58,7 @@ spec: - containerPort: 9377 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="12"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="12" apiVersion: v1 kind: Service metadata:
diff --git a/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md b/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md
index 8f05835c863..fe8dc650099 100644
--- a/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md
+++ b/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md
@@ -28,7 +28,7 @@ When using kube-apiserver command, the --secure-port flag should not be 0
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md b/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md
index b1768b80702..75fa76d66f3 100644
--- a/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md
+++ b/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md
@@ -28,7 +28,7 @@ Container should not use secrets as environment variables
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 12 30"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 12 30" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md b/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md
index 358dd17f9af..39b33713838 100644
--- a/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md
+++ b/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md
@@ -28,7 +28,7 @@ When using kube-apiserver commands, the '--etcd-cafile' flag should be definedPostitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="20" apiVersion: v1
diff --git a/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md b/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md
index 570756e5642..d61720fc1ab 100644
--- a/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md
+++ b/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md
@@ -28,7 +28,7 @@ Service Account Tokens are automatically mounted even if not necessary
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="28 5 54"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="28 5 54" apiVersion: v1 kind: Pod metadata:
@@ -101,7 +101,7 @@ spec: allowPrivilegeEscalation: false ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="5" apiVersion: v1 kind: ServiceAccount metadata:
diff --git a/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md b/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md
index d37a3dd6452..95e0dfa7bf7 100644
--- a/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md
+++ b/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md
@@ -28,7 +28,7 @@ Each namespace should have a ResourceQuota policy associated to limit the total ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5" apiVersion: v1 kind: Pod metadata:
@@ -49,7 +49,7 @@ spec: cpu: "500m" ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="4" apiVersion: v1 kind: Pod metadata:
@@ -69,7 +69,7 @@ spec: cpu: "500m" ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="5" apiVersion: apps/v1 kind: DaemonSet metadata:
@@ -115,7 +115,7 @@ spec: path: /var/lib/docker/containers ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="5" kind: PersistentVolumeClaim
diff --git a/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md b/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md
index a03687d4873..82ee3b78529 100644
--- a/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md
+++ b/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md
@@ -28,7 +28,7 @@ When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md b/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md
index 8d3ee08cce0..7b3bdb3dc56 100644
--- a/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md
+++ b/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md
@@ -28,7 +28,7 @@ Each namespace should have a LimitRange policy associated to ensure that resourc ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5" apiVersion: v1 kind: Pod metadata:
@@ -49,7 +49,7 @@ spec: cpu: "500m" ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="4" apiVersion: v1 kind: Pod metadata:
@@ -69,7 +69,7 @@ spec: cpu: "500m" ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="5" apiVersion: apps/v1 kind: DaemonSet metadata:
@@ -115,7 +115,7 @@ spec: path: /var/lib/docker/containers ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="5" kind: PersistentVolumeClaim
diff --git a/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md b/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md
index 940dc684b7b..65c40bc3548 100644
--- a/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md
+++ b/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md
@@ -28,7 +28,7 @@ CPU limits should be set because if the system has CPU time free, a container is ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 35 14 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10 35 14 31" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md b/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md
index 22603b56769..76cdf61c024 100644
--- a/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md
+++ b/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md
@@ -28,7 +28,7 @@ When using kube-apiserver command, the 'authorization-mode' flag should have 'No ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md b/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md
index 0be01fa74d6..7e045490a24 100644
--- a/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md
+++ b/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md
@@ -28,7 +28,7 @@ TLS Connection should use strong Cipher Suites
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="9" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8"
@@ -74,7 +74,7 @@ evictionHard: memory.available: "200Mi" ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="2" {
diff --git a/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md b/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md
index 8ef53376deb..dff7389353a 100644
--- a/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md
+++ b/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md
@@ -28,7 +28,7 @@ Kubelet argument --rotate-certificates should be true
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="8" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8"
@@ -55,7 +55,7 @@ evictionHard: rotateCertificates: false ```
-```json title="Postitive test num. 3 - json file" hl_lines="6"
+```json title="Positive test num. 3 - json file" hl_lines="6" { "port": 20250, "evictionHard": {
@@ -68,7 +68,7 @@ rotateCertificates: false } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1
diff --git a/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md b/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md
index adf50836a99..aaa049b56cf 100644
--- a/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md
+++ b/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md
@@ -28,7 +28,7 @@ Workload is mounting a volume with sensitive OS Directory
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="193 66 229 70 265 203 299 175 112 145 115 280 250"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="193 66 229 70 265 203 299 175 112 145 115 280 250" apiVersion: apps/v1 kind: DaemonSet metadata:
diff --git a/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md b/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md
index d1d4db198b8..b60367c329c 100644
--- a/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md
+++ b/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md
@@ -28,7 +28,7 @@ Containers should not run with allowPrivilegeEscalation in order to prevent them ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 21"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10 21" apiVersion: v1 kind: Pod metadata:
@@ -60,7 +60,7 @@ spec: cpu: "500m" ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="9 13 17"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="9 13 17" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md b/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md
index 439e211715e..9f215cc4b6a 100644
--- a/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md
+++ b/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md
@@ -28,7 +28,7 @@ Deployments targeted by HorizontalPodAutoscaler should not have a statically con ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10" #this is a problematic code where the query should report a result(s) apiVersion: apps/v1 kind: Deployment
diff --git a/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md b/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md
index 27e54af3ed1..db027c1cee8 100644
--- a/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md
+++ b/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md
@@ -28,7 +28,7 @@ Image tag must be defined and not be empty or equal to latest.
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 19"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 19" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md b/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md
index cf1ff717b9a..65b81a21b53 100644
--- a/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md
+++ b/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md
@@ -28,7 +28,7 @@ A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="58 28 6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="58 28 6" #this is a problematic code where the query should report a result(s) apiVersion: v1 kind: Pod
diff --git a/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md b/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md
index 4cd80c7a786..3f378176ef1 100644
--- a/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md
+++ b/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md
@@ -28,7 +28,7 @@ The permission to create pods in a cluster should be restricted because it allow ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="39 9 48 21 60 30"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="39 9 48 21 60 30" #this is a problematic code where the query should report a result(s) apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
@@ -90,7 +90,7 @@ rules: resources: ["p*ds"] verbs: ["get", "watch", "create"] ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="26"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="26" #this is a problematic code where the query should report a result(s) apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
diff --git a/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md b/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md
index aef783a68c7..6218e07ad5f 100644
--- a/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md
+++ b/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md
@@ -28,7 +28,7 @@ When using kube-apiserver command, the 'basic-auth-file' flag should not be set< ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md b/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md
index 2cc4e955b3c..32a533cd8d5 100644
--- a/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md
+++ b/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md
@@ -28,7 +28,7 @@ Kubelet argument --make-iptables-util-chains should be true
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="8" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8"
@@ -55,7 +55,7 @@ evictionHard: makeIPTablesUtilChains: false ```
-```json title="Postitive test num. 3 - json file" hl_lines="7"
+```json title="Positive test num. 3 - json file" hl_lines="7" { "apiVersion": "kubelet.config.k8s.io/v1beta1", "evictionHard": {
diff --git a/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md b/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md
index a33b654c06d..8d2de033a6f 100644
--- a/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md
+++ b/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md
@@ -28,7 +28,7 @@ Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="5" apiVersion: v1 kind: Pod metadata:
@@ -62,7 +62,7 @@ spec: ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="4"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="4" apiVersion: v1 kind: Pod metadata:
@@ -94,7 +94,7 @@ spec: cpu: "500m" ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="5" apiVersion: v1 kind: Pod metadata:
@@ -102,7 +102,7 @@ metadata: namespace: kube-public ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="5" apiVersion: v1
@@ -113,7 +113,7 @@ metadata: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="5" apiVersion: serving.knative.dev/v1
diff --git a/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md b/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md
index e8a4e77064c..f3a25a949ca 100644
--- a/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md
+++ b/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md
@@ -28,7 +28,7 @@ Ingress Controllers should not expose workload in order to avoid vulnerabilities ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="31" apiVersion: v1 kind: Service metadata:
diff --git a/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md b/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md
index ebdb82f88e1..af651d6ff6b 100644
--- a/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md
+++ b/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md
@@ -28,7 +28,7 @@ When using kube-apiserver command, the '--enable-admission-plugins' flag should ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md b/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md
index ddea47d5eee..5c5b4d5d04a 100644
--- a/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md
+++ b/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md
@@ -28,7 +28,7 @@ Container should not share the host network namespace
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 6" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md b/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md
index 40d439f0bc9..0c47dd7b81b 100644
--- a/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md
+++ b/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md
@@ -28,7 +28,7 @@ Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights t ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7 9 18 19 20 29 31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7 9 18 19 20 29 31" kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata:
diff --git a/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md b/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md
index b5250a2d3b7..8c4d4984249 100644
--- a/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md
+++ b/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md
@@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="5" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8"
@@ -73,7 +73,7 @@ evictionHard: memory.available: "200Mi" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1
diff --git a/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md b/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md
index 416c37dd1a7..471fbae2ab8 100644
--- a/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md
+++ b/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md
@@ -28,7 +28,7 @@ Check if Tiller is deployed.
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 10 20 15"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 10 20 15" --- apiVersion: extensions/v1beta1 kind: Deployment
diff --git a/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md b/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md
index 3e4f06fc1ac..92ecefc338c 100644
--- a/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md
+++ b/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md
@@ -28,7 +28,7 @@ PodSecurityPolicy should not have added capabilities
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata:
diff --git a/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md b/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md
index 1856ac96805..ba1f7820ccb 100644
--- a/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md
+++ b/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md
@@ -28,7 +28,7 @@ When using kube-apiserver command, the 'audit-log-path' flag should be defined ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md b/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md
index 36fecf2a631..9417b11b26e 100644
--- a/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md
+++ b/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md
@@ -28,7 +28,7 @@ Pod Security Policy allows containers to share the host IPC namespace
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata:
diff --git a/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md b/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md
index 995a753a932..c1f19dd4b8a 100644
--- a/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md
+++ b/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md
@@ -28,7 +28,7 @@ Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
diff --git a/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md b/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md
index 80b15a0ab38..ffa1b485865 100644
--- a/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md
+++ b/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md
@@ -28,7 +28,7 @@ Service type should not be NodePort
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6" apiVersion: v1 kind: Service metadata:
diff --git a/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md b/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md
index 45e7d7917a2..0a1180f5764 100644
--- a/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md
+++ b/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md
@@ -28,7 +28,7 @@ Check if any network policy is not targeting any pod.
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="22"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="22" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md b/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md
index 3c51695ac86..a372555fb14 100644
--- a/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md
+++ b/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md
@@ -28,7 +28,7 @@ PodSecurityPolicy should not allow privilege escalation
### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="32 9" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata:
diff --git a/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md b/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md
index 23cd84ecb74..03e9dc08dc7 100644
--- a/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md
+++ b/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md
@@ -28,7 +28,7 @@ When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' f ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md b/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md
index a1ec47f949f..d78de27d8fd 100644
--- a/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md
+++ b/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md
@@ -28,7 +28,7 @@ Containers should be configured with an AppArmor profile to enforce fine-grained ### Code samples #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 5 36"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4 5 36" apiVersion: v1 kind: Pod metadata:
diff --git a/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md b/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md index 023977eb218..60125db89ed 100644 --- a/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md +++ b/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md @@ -28,7 +28,7 @@ Check if there is any Tiller Service present
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4 12" apiVersion: v1 kind: Service metadata: diff --git a/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md b/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md index 890c8cb265b..be0ab91abe6 100644 --- a/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md +++ b/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md @@ -28,7 +28,7 @@ A StatefulSet requests volume storage.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="73 33 66" +```yaml title="Positive test num. 1 - yaml file" hl_lines="73 33 66" #this is a problematic code where the query should report a result(s) apiVersion: apps/v1 kind: StatefulSet diff --git a/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md b/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md index 619b1b62a3e..5c22eca5562 100644 --- a/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md +++ b/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md @@ -28,7 +28,7 @@ A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 11 13" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 11 13" #this is a problematic code where the query should report a result(s) apiVersion: v1 kind: Pod @@ -66,7 +66,7 @@ spec: rule: RunAsAny ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md b/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md index d8e09242364..7c081a79ec2 100644 --- a/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md +++ b/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md @@ -28,7 +28,7 @@ Pod Security Policy allows containers to share the host process ID namespace
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md b/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md index 3ce3b404d40..983c94e6e30 100644 --- a/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md +++ b/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md @@ -28,7 +28,7 @@ When using etcd commands, the '--client-cert-auth' flag should be defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: @@ -56,7 +56,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md b/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md index 49e3d96c4ed..219cc0047b7 100644 --- a/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md +++ b/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md @@ -28,7 +28,7 @@ Kubernetes APIs evolve over time and are sometimes removed with newer releases. ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="1 76 23 58 94" +```yaml title="Positive test num. 1 - yaml file" hl_lines="1 76 23 58 94" apiVersion: apps/v1beta1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md b/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md index b3f049c8b30..92901179252 100644 --- a/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md +++ b/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--disable-admission-plugins' flag should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
@@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md b/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md index 10b55e1001e..5e8ac52fcef 100644 --- a/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md +++ b/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md @@ -28,7 +28,7 @@ When using etcd commands, the '--auto-tls' should be set to false
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md b/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md index 77ef309823f..2971285b7da 100644 --- a/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md +++ b/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md @@ -28,7 +28,7 @@ A Pod's Containers must have the same CPU requests as limits set, which is recom ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 26 11 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 26 11 22" #this is a problematic code where the query should report a result(s) apiVersion: v1 kind: Pod diff --git a/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md b/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md index de1ce975c6d..1bfea6479df 100644 --- a/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md +++ b/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md @@ -28,7 +28,7 @@ Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md b/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md index 9972f92ca71..fae5222b8a7 100644 --- a/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md 
+++ b/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md @@ -28,7 +28,7 @@ Check if Deployment resources don't have a podAntiAffinity policy, which prevent ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 39" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19 39" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md b/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md index ad8e9966e3d..c27775f1c12 100644 --- a/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md +++ b/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md @@ -28,7 +28,7 @@ Check if Pod Security Policies allow containers to share the host network namesp ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="14" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md b/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md index 8ce3cceed88..732865760c1 100644 --- a/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md +++ b/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--service-account-lookup' flag should be ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
diff --git a/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md b/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md index 66e085e644c..e0d22190d10 100644 --- a/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md +++ b/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md @@ -28,7 +28,7 @@ Check if Readiness Probe is not configured.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md b/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md index 03a7f58ddd6..f702ded9263 100644 --- a/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md +++ b/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md @@ -28,7 +28,7 @@ Sees if Docker Daemon Socket is not exposed to Containers
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="67 43 15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="67 43 15" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md b/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md index b1cf4f2e932..a1c25b27ad4 100644 --- a/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md +++ b/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--enable-admission-plugins' flag should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md b/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md index 0158105d13b..7654d649ae5 100644 --- a/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md +++ b/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md @@ -28,7 +28,7 @@ A security context defines privilege and access control settings for a Pod or Co ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19 5" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md b/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md index 3309d316f55..98f54e20a36 100644 --- a/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md +++ b/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md 
@@ -28,7 +28,7 @@ Check if the root container filesystem is not being mounted read-only.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="24 12" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md b/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md index 83e083e2b00..6926e184fbd 100644 --- a/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md +++ b/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md @@ -28,7 +28,7 @@ A non kube-system workload should not have hostPath mounted
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="185 40 136 106 43 76 168 153 59" +```yaml title="Positive test num. 1 - yaml file" hl_lines="185 40 136 106 43 76 168 153 59" apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md b/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md index 1f90f87083f..c9f9f1ee2b7 100644 --- a/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md +++ b/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md @@ -28,7 +28,7 @@ A Pod's Containers must have the same Memory requests as limits set, which is re ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 11 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26 11 22" #this is a problematic code where the query should report a result(s) apiVersion: v1 kind: Pod diff --git a/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md b/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md index 80b943b2cc0..938f38f23da 100644 --- a/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md +++ b/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md @@ -28,7 +28,7 @@ In case of an unresponsive container, a Liveness Probe can help your application ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md b/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md index fa50c337346..605cb4c7d7b 100644 
--- a/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md +++ b/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md @@ -28,7 +28,7 @@ When using etcd commands, the '--peer-auto-tls' should be set to false
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md b/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md index 15e42a3c610..1aa4287151c 100644 --- a/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md +++ b/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md @@ -28,7 +28,7 @@ Containers must have the same resource requests set as limits. This is recommend ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 51" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26 51" #this is a problematic code where the query should report a result(s) apiVersion: v1 kind: Pod diff --git a/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md b/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md index bdbd7c819c4..02d6e3af664 100644 --- a/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md +++ b/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--enable-admission-plugins' flag should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md b/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md index 834a7d3f104..ea90fecbf24 100644 --- a/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md 
+++ b/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md @@ -28,7 +28,7 @@ Memory limits should be defined for each container. This prevents potential reso ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 57 38 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 57 38 23" apiVersion: v1 kind: Pod metadata: @@ -90,7 +90,7 @@ spec: command: ["stress"] ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md b/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md index 5e0782a9103..3048b840909 100644 --- a/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md +++ b/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md @@ -28,7 +28,7 @@ Deployments should be assigned with a PodDisruptionBudget to ensure high availab ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="20" +```yaml title="Positive test num. 1 - yaml file" hl_lines="20" apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: diff --git a/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md b/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md index e295902df2a..2541e5dc219 100644 --- a/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md +++ b/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md 
@@ -28,7 +28,7 @@ Containers can mount sensitive folders from the hosts, giving them potentially d ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 11 37 14" +```yaml title="Positive test num. 1 - yaml file" hl_lines="40 11 37 14" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md b/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md index 3b7e5bc1132..f3127f72c49 100644 --- a/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md +++ b/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md @@ -28,7 +28,7 @@ Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secret ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 18" apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md b/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md index 3d0996804e5..0c18c6a2de0 100644 --- a/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md +++ b/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md @@ -28,7 +28,7 @@ When using etcd commands, the '--peer-client-cert-auth' flag should be set to tr ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: @@ -56,7 +56,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: 
diff --git a/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md b/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md index 48c092b01d1..d67966b4297 100644 --- a/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md +++ b/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--insecure-bind-address' flag should not ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md b/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md index 53de1dec573..5c3cf7f2cfb 100644 --- a/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md +++ b/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md @@ -28,7 +28,7 @@ Kubernetes External Secret Storage and Management System usage should be conside ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="4" apiVersion: v1 kind: Secret metadata: diff --git a/docs/queries/kubernetes-queries/bb241e61-77c3-4b97-9575-c0f8a1e008d0.md b/docs/queries/kubernetes-queries/bb241e61-77c3-4b97-9575-c0f8a1e008d0.md index 588a4e81083..fc9273ded93 100644 --- a/docs/queries/kubernetes-queries/bb241e61-77c3-4b97-9575-c0f8a1e008d0.md +++ b/docs/queries/kubernetes-queries/bb241e61-77c3-4b97-9575-c0f8a1e008d0.md 
@@ -28,7 +28,7 @@ StatefulSets should have an existing headless 'serviceName'. The headless servic ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="26" +```yaml title="Positive test num. 1 - yaml file" hl_lines="26" #this is a problematic code where the query should report a result(s) apiVersion: v1 kind: Service diff --git a/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md b/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md index c3520343235..3c8f26a99e0 100644 --- a/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md +++ b/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md @@ -28,7 +28,7 @@ Hostnames should not be overrided
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md b/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md index 77e913ba197..0886e7f6e5f 100644 --- a/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md +++ b/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md @@ -28,7 +28,7 @@ A Service Account token is shared between workloads
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16 6" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md b/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md index 661d8ae69e3..4aeb94f8a22 100644 --- a/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md +++ b/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md @@ -28,7 +28,7 @@ Do not allow pod to request execution as privileged.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md b/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md index 4a1957742d9..6f72dff485a 100644 --- a/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md +++ b/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md @@ -28,7 +28,7 @@ Roles or ClusterRoles with RBAC permissions to run commands in containers via 'k ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md b/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md index d859868364e..6c70f06dbf6 100644 --- a/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md +++ b/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md @@ -28,7 +28,7 @@ CPU requests should be set to ensure the sum of the resource requests of the sch ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 10 34 41" +```yaml title="Positive test num. 1 - yaml file" hl_lines="17 10 34 41" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md b/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md index 1b739eed0c1..cde93385434 100644 --- a/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md 
+++ b/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md @@ -28,7 +28,7 @@ Image Pull Policy of the container must be defined and set to Always
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9" apiVersion: v1 kind: Pod metadata: @@ -40,7 +40,7 @@ spec: imagePullPolicy: Never command: [ "echo", "SUCCESS" ] ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" apiVersion: apps/v1 kind: Deployment metadata: @@ -61,7 +61,7 @@ spec: imagePullPolicy: IfNotPresent ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md b/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md index e75ea1532a0..bfdd076e236 100644 --- a/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md +++ b/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md @@ -28,7 +28,7 @@ Limit capabilities for a Pod Security Policy
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md b/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md index ee46ece8641..966ef121e8c 100644 --- a/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md +++ b/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md @@ -28,7 +28,7 @@ Certificate Authority should be unique for etcd
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md b/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md index cf4cea060ef..1b56b9d7ca6 100644 --- a/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md +++ b/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md @@ -28,7 +28,7 @@ When using kube-apiserver commands, the '--encryption-provider-config' flag shou ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md b/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md index be23ca05255..5f9c36948c1 100644 --- a/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md +++ b/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md @@ -28,7 +28,7 @@ When using kube-controller-manager commands, the '--service-account-private-key- ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md b/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md index e510b7ea356..938c1776e3d 100644 --- a/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md +++ b/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md 
@@ -28,7 +28,7 @@ Container should not share the host IPC namespace
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="9 6" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md b/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md index a677d92eb6f..56840c34364 100644 --- a/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md +++ b/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--kubelet-https' flag should not be set ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md b/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md index 37d22e16639..a977b909fd1 100644 --- a/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md +++ b/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--enable-admission-plugins' flag should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md b/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md index 5d285869f0a..c8e92cbc2ca 100644 --- a/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md +++ b/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md 
@@ -28,7 +28,7 @@ Containers should only run as non-root user. This limits the exploitability of s ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="44 13 38" +```yaml title="Positive test num. 1 - yaml file" hl_lines="44 13 38" apiVersion: v1 kind: Pod metadata: @@ -77,7 +77,7 @@ spec: runAsNonRoot: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18 13" apiVersion: v1 kind: Pod metadata: @@ -99,7 +99,7 @@ spec: runAsNonRoot: false ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +```yaml title="Positive test num. 3 - yaml file" hl_lines="13" apiVersion: v1 kind: Pod metadata: @@ -117,7 +117,7 @@ spec: ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="12 7" apiVersion: v1 diff --git a/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md b/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md index 882a93e79f1..2d87fd427c4 100644 --- a/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md +++ b/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md @@ -28,7 +28,7 @@ If not needed, disabling the dashboard can prevent from being used as an attack ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="67 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="67 22" kind: Deployment apiVersion: apps/v1 diff --git a/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md b/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md index b833db71a00..4bb8b75105c 100644 --- a/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md +++ b/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md @@ -28,7 +28,7 @@ Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md b/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md index b123381ef6f..c1ac9866cdd 100644 --- a/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md +++ b/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md 
@@ -28,7 +28,7 @@ Check if StatefulSet resources don't have a podAntiAffinity policy, which preven ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="53 23" apiVersion: apps/v1 kind: StatefulSet metadata: diff --git a/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md b/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md index e411882700f..c25b2cc34e2 100644 --- a/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md +++ b/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--request-timeout' flag value should not ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -76,7 +76,7 @@ spec: restartPolicy: OnFailure ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" apiVersion: v1 @@ -95,7 +95,7 @@ spec: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="11" apiVersion: v1 @@ -114,7 +114,7 @@ spec: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="11" apiVersion: v1 diff --git a/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md b/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md index 422448b74fe..41546302aa5 100644 --- a/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md +++ b/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--audit-log-maxage' flag should be defin ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 27 12 55" +```yaml title="Positive test num. 3 - yaml file" hl_lines="40 27 12 55" apiVersion: serving.knative.dev/v1 kind: Service metadata: diff --git a/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md b/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md index e1708681aee..d5255536733 100644 --- a/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md +++ b/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--service-account-key-file' flag should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: 
diff --git a/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md b/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md
index 0d2a1e9c59e..2d9ea19fbcb 100644
--- a/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md
+++ b/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md
@@ -28,7 +28,7 @@ Containers should drop 'ALL' or at least 'NET_RAW' capabilities
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 18 11 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="13 18 11 21" apiVersion: v1 kind: Pod metadata: @@ -55,7 +55,7 @@ spec: allowPrivilegeEscalation: false ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +```yaml title="Positive test num. 2 - yaml file" hl_lines="31" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md b/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md index bca975219f3..7fc0efd5bd0 100644 --- a/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md +++ b/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md @@ -28,7 +28,7 @@ Privileged containers lack essential security restrictions and should be avoided ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10 23" apiVersion: v1 kind: Pod metadata: @@ -59,7 +59,7 @@ spec: image: gcr.io/google-samples/node-hello:1.0 ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" apiVersion: apps/v1 kind: Deployment metadata: diff --git a/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md b/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md index 7dec159eb27..bd84dafb7c6 100644 --- a/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md +++ b/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md @@ -28,7 +28,7 @@ PodSecurityPolicy should set 'readOnly' to true in every host path allowed
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -45,7 +45,7 @@ spec: rule: 'RunAsAny' ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -64,7 +64,7 @@ spec: rule: 'RunAsAny' ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="9" +```yaml title="Positive test num. 3 - yaml file" hl_lines="9" apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md b/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md index 18997f9c3ae..0feecfe7ba3 100644 --- a/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md +++ b/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the --enable-admission-plugins flag should ha ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md b/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md index 43df9c7633d..91f0a402ae4 100644 --- a/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md +++ b/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md @@ -28,7 +28,7 @@ Client Certificate Authentication should be Setup with a .pem or .crt file
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -76,7 +76,7 @@ spec: restartPolicy: OnFailure ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1 @@ -98,7 +98,7 @@ evictionHard: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1 @@ -118,7 +118,7 @@ evictionHard: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1 diff --git a/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md b/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md index 0f8cd9ae674..660a8c45942 100644 --- a/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md +++ b/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md @@ -28,7 +28,7 @@ Check if any Tiller Deployment container allows access from within the cluster.< ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 21" +```yaml title="Positive test num. 1 - yaml file" hl_lines="53 21" --- apiVersion: apps/v1 kind: Deployment diff --git a/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md b/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md index cd395fe4622..005eff2118e 100644 --- a/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md +++ b/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md @@ -28,7 +28,7 @@ Containers must not be allowed to run with root privileges, which means the attr ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 12 13 27 31" +```yaml title="Positive test num. 1 - yaml file" hl_lines="32 12 13 27 31" #this is a problematic code where the query should report a result(s) apiVersion: policy/v1beta1 kind: PodSecurityPolicy diff --git a/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md b/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md index 79b3507af16..ede8c94b182 100644 --- a/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md +++ b/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md 
@@ -28,7 +28,7 @@ As a best practice, ensure that is made the correct use of namespaces to adequat ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +```yaml title="Positive test num. 1 - yaml file" hl_lines="5" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md b/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md index 6611931fc36..ce67eda4032 100644 --- a/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md +++ b/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the 'kubelet-certificate-authority' flag shou ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md b/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md index c1a7bed6da8..8de862c12cf 100644 --- a/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md +++ b/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md @@ -28,7 +28,7 @@ The flag --streaming-connection-idle-timeout should not be set to 0
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -44,7 +44,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8" @@ -55,7 +55,7 @@ evictionHard: streamingConnectionIdleTimeout: 0s ``` -```json title="Postitive test num. 3 - json file" hl_lines="10" +```json title="Positive test num. 3 - json file" hl_lines="10" { "apiVersion": "kubelet.config.k8s.io/v1beta1", "evictionHard": { diff --git a/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md b/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md index ff21dc5b313..25514ba0ee8 100644 --- a/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md +++ b/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md @@ -28,7 +28,7 @@ When using the kubelet command, the authorization-mode flag should not have 'Alw ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -45,7 +45,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -60,7 +60,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -77,7 +77,7 @@ spec: restartPolicy: OnFailure ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" apiVersion: v1 @@ -95,7 +95,7 @@ spec: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="11" apiVersion: kubelet.config.k8s.io/v1beta1 @@ -112,7 +112,7 @@ authorization: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="6" { diff --git a/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md b/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md index 3c4cd4f72d6..3a7878a4327 100644 --- a/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md +++ b/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md @@ -28,7 +28,7 @@ Containers should be configured with a secure Seccomp profile to restrict potent ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 18 26 7" +```yaml title="Positive test num. 1 - yaml file" hl_lines="43 18 26 7" apiVersion: v1 kind: Pod metadata: @@ -84,7 +84,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +```yaml title="Positive test num. 2 - yaml file" hl_lines="24" apiVersion: apps/v1 kind: Deployment metadata: @@ -120,7 +120,7 @@ spec: type: RuntimeDefault ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="24 33" +```yaml title="Positive test num. 3 - yaml file" hl_lines="24 33" apiVersion: apps/v1 kind: Deployment metadata: @@ -156,7 +156,7 @@ spec: type: Unconfined ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="35" apiVersion: apps/v1 diff --git a/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md b/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md index 16a607ececf..16dc9f61cbe 100644 --- a/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md +++ b/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md @@ -28,7 +28,7 @@ Check if a container has full access (unmasked) to the host’s /proc command, w ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +```yaml title="Positive test num. 1 - yaml file" hl_lines="12" #this is a problematic code where the query should report a result(s) apiVersion: policy/v1beta1 kind: PodSecurityPolicy diff --git a/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md b/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md index 8aff06f50cc..ab8c00393c0 100644 --- a/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md +++ b/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md @@ -28,7 +28,7 @@ When using kube-apiserver command, the '--insecure-port' flag should be defined ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: diff --git a/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md b/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md index cc2b9d524a9..c9e4799ffbf 100644 
--- a/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md
+++ b/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md
@@ -28,7 +28,7 @@ TSL Connection Certificate files should be Setup
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" apiVersion: v1 kind: Pod metadata: @@ -47,7 +47,7 @@ spec: ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="2" +```yaml title="Positive test num. 2 - yaml file" hl_lines="2" apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration address: "192.168.0.8" diff --git a/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md b/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md index c91166ebd71..8fe320fe7af 100644 --- a/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md +++ b/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md @@ -28,7 +28,7 @@ String schema should have 'pattern' defined.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 79 63" +```json title="Positive test num. 1 - json file" hl_lines="58 79 63" { "openapi": "3.0.0", "info": { @@ -117,7 +117,7 @@ String schema should have 'pattern' defined.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="32 27" +```json title="Positive test num. 2 - json file" hl_lines="32 27" { "openapi": "3.0.0", "info": { @@ -189,7 +189,7 @@ String schema should have 'pattern' defined.
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="49 34 38" +```yaml title="Positive test num. 3 - yaml file" hl_lines="49 34 38" openapi: 3.0.0 info: title: Simple API Overview @@ -241,7 +241,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26 22" openapi: 3.0.0 @@ -284,7 +284,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="28 23" { @@ -332,7 +332,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="19 23" swagger: "2.0" diff --git a/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md b/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md index 81afa7fa257..1ef462d0de3 100644 --- a/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md +++ b/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md @@ -28,7 +28,7 @@ Required properties receive value from requests, which makes unnecessary declare ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="30 14" +```json title="Positive test num. 1 - json file" hl_lines="30 14" { "openapi": "3.0.0", "info": { @@ -71,7 +71,7 @@ Required properties receive value from requests, which makes unnecessary declare } ``` -```json title="Postitive test num. 2 - json file" hl_lines="25" +```json title="Positive test num. 2 - json file" hl_lines="25" { "openapi": "3.0.0", "info": { @@ -114,7 +114,7 @@ Required properties receive value from requests, which makes unnecessary declare } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="12 22" +```yaml title="Positive test num. 3 - yaml file" hl_lines="12 22" openapi: 3.0.0 info: title: Simple API Overview @@ -142,7 +142,7 @@ components: default: guest ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="23" --- @@ -174,7 +174,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="23" { @@ -221,7 +221,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="19" swagger: "2.0" diff --git a/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md b/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md index 0f8ff3e7025..a01d4c6a583 100644 --- a/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md +++ b/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md @@ -28,7 +28,7 @@ Schema reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "openapi": "3.0.0", "info": { @@ -66,7 +66,7 @@ Schema reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="13" --- openapi: 3.0.0 info: diff --git a/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md b/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md index dadaa187935..3692b7e13a7 100644 --- a/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md +++ b/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md @@ -28,7 +28,7 @@ Schema Object reference must always point to '#/definitions'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="29" +```json title="Positive test num. 1 - json file" hl_lines="29" { "swagger": "2.0", "info": { @@ -93,7 +93,7 @@ Schema Object reference must always point to '#/definitions'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md b/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md index 074c9468215..6d33651a6f8 100644 --- a/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md +++ b/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md @@ -28,7 +28,7 @@ The field 'enum' of Schema Object should be consistent with the schema's type
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -139,7 +139,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="50 14" { @@ -203,7 +203,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="35 12" swagger: "2.0" diff --git a/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md b/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md index 78d8a682d7c..0f9d5e80d58 100644 --- a/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md +++ b/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md @@ -28,7 +28,7 @@ Parameter Objects should not have duplicate names for 'header' location, since H ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="82 68 28 14" +```json title="Positive test num. 1 - json file" hl_lines="82 68 28 14" { "openapi": "3.0.0", "info": { @@ -124,7 +124,7 @@ Parameter Objects should not have duplicate names for 'header' location, since H } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11 21 43 53" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11 21 43 53" openapi: 3.0.0 info: title: Simple API Overview @@ -185,7 +185,7 @@ paths: type: string ``` -```json title="Postitive test num. 3 - json file" hl_lines="24 10" +```json title="Positive test num. 3 - json file" hl_lines="24 10" { "openapi": "3.0.0", "info": { @@ -258,7 +258,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="8 19" openapi: 3.0.0 @@ -308,7 +308,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="18 11 47 39" { @@ -366,7 +366,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="32 26 19 14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md b/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md index 847c0f7e92b..af6fdd6af98 100644 --- a/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md +++ b/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md @@ -28,7 +28,7 @@ Security Scheme HTTP scheme should be registered in the IANA Authentication Sche ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="57" +```json title="Positive test num. 1 - json file" hl_lines="57" { "openapi": "3.0.0", "info": { @@ -92,7 +92,7 @@ Security Scheme HTTP scheme should be registered in the IANA Authentication Sche } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +```yaml title="Positive test num. 2 - yaml file" hl_lines="33" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md b/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md index 5afd7b831ae..7e862ab83d3 100644 --- a/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md +++ b/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md @@ -28,7 +28,7 @@ All global responses definitions should be in use
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="41 38" +```json title="Positive test num. 1 - json file" hl_lines="41 38" { "swagger": "2.0", "info": { @@ -76,7 +76,7 @@ All global responses definitions should be in use
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="25 27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="25 27" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md b/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md index 9f68955a5e4..a3b1b57103f 100644 --- a/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md +++ b/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md @@ -28,7 +28,7 @@ Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PAT ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="9" +```json title="Positive test num. 1 - json file" hl_lines="9" { "swagger": "2.0", "info": { @@ -51,7 +51,7 @@ Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PAT } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md b/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md index 5eb374b7408..a939f71e111 100644 --- a/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md +++ b/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md @@ -28,7 +28,7 @@ The property 'required' determines whether the parameter is mandatory. If the pa ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43" +```json title="Positive test num. 1 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { 
@@ -85,7 +85,7 @@ The property 'required' determines whether the parameter is mandatory. If the pa } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26" openapi: 3.0.0 info: title: Simple API overview @@ -119,7 +119,7 @@ paths: type: integer ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -175,7 +175,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 @@ -211,7 +211,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="10 19" { @@ -286,7 +286,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="8 15" openapi: 3.0.0 @@ -333,7 +333,7 @@ paths: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="20" { @@ -367,7 +367,7 @@ paths: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md b/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md index 8ad10019d2a..135191f9383 100644 --- a/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md +++ b/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md @@ -28,7 +28,7 @@ Request Body reference must always point to '#/components/RequestBodies'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="30" +```json title="Positive test num. 1 - json file" hl_lines="30" { "openapi": "3.0.0", "info": { @@ -94,7 +94,7 @@ Request Body reference must always point to '#/components/RequestBodies'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +```yaml title="Positive test num. 2 - yaml file" hl_lines="22" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md b/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md index 95530514119..15d08476520 100644 --- a/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md +++ b/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md @@ -28,7 +28,7 @@ Trace should define the '200' successful code
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -73,7 +73,7 @@ Trace should define the '200' successful code
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API diff --git a/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md b/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md index 4cf056be5d5..0643457a5bb 100644 --- a/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md +++ b/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md @@ -28,7 +28,7 @@ Schema Object Property key should be unique through out the fields 'properties', ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19 53 38" +```json title="Positive test num. 1 - json file" hl_lines="19 53 38" { "openapi": "3.0.0", "info": { @@ -96,7 +96,7 @@ Schema Object Property key should be unique through out the fields 'properties', } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16 28 37" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16 28 37" openapi: 3.0.0 info: title: Simple API Overview @@ -139,7 +139,7 @@ components: type: string ``` -```json title="Postitive test num. 3 - json file" hl_lines="57 28 44" +```json title="Positive test num. 3 - json file" hl_lines="57 28 44" { "openapi": "3.0.0", "info": { @@ -216,7 +216,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="24 41 34" openapi: 3.0.0 @@ -266,7 +266,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="57 28 44" { @@ -346,7 +346,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="24 41 34" swagger: '2.0' diff --git a/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md b/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md index d93696dd3b8..2a1c0474ca8 100644 --- a/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md +++ b/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md @@ -28,7 +28,7 @@ If a response is head or its code is 204 or 304, it shouldn't have a content def ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="29" +```json title="Positive test num. 1 - json file" hl_lines="29" { "openapi": "3.0.0", "info": { @@ -91,7 +91,7 @@ If a response is head or its code is 204 or 304, it shouldn't have a content def } ``` -```json title="Postitive test num. 2 - json file" hl_lines="20" +```json title="Positive test num. 2 - json file" hl_lines="20" { "openapi": "3.0.0", "info": { @@ -145,7 +145,7 @@ If a response is head or its code is 204 or 304, it shouldn't have a content def } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="23" +```yaml title="Positive test num. 3 - yaml file" hl_lines="23" openapi: 3.0.0 info: title: Simple API Overview @@ -186,7 +186,7 @@ components: type: string ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="17" openapi: 3.0.0 @@ -224,7 +224,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="13" swagger: "2.0" @@ -252,7 +252,7 @@ paths: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="15" { diff --git a/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md b/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md index 857b33af163..b10f9c5b009 100644 --- a/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md +++ b/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md @@ -28,7 +28,7 @@ Components object fixed fields (schemas, responses, parameters, examples, reques ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45" +```json title="Positive test num. 1 - json file" hl_lines="45" { "openapi": "3.0.0", "info": { @@ -96,7 +96,7 @@ Components object fixed fields (schemas, responses, parameters, examples, reques } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="27" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md b/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md index e526a80c226..63a6377ac2a 100644 --- a/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md +++ b/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md @@ -28,7 +28,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 74" +```json title="Positive test num. 1 - json file" hl_lines="58 74" { "openapi": "3.0.0", "info": { @@ -112,7 +112,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined } ``` -```json title="Postitive test num. 2 - json file" hl_lines="27" +```json title="Positive test num. 2 - json file" hl_lines="27" { "openapi": "3.0.0", "info": { 
@@ -179,7 +179,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="34 45" +```yaml title="Positive test num. 3 - yaml file" hl_lines="34 45" openapi: 3.0.0 info: title: Simple API Overview @@ -227,7 +227,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="22" openapi: 3.0.0 @@ -268,7 +268,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="23" { @@ -314,7 +314,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="20" swagger: "2.0" diff --git a/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md b/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md index 1b0eb8be6fc..0e44f2059cf 100644 --- a/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md +++ b/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md @@ -28,7 +28,7 @@ Patch should define at least one success response (200, 201, 202 or 204)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -51,7 +51,7 @@ Patch should define at least one success response (200, 201, 202 or 204)
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ Patch should define at least one success response (200, 201, 202 or 204)
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API @@ -101,7 +101,7 @@ paths: description: Error ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -127,7 +127,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="24" { @@ -165,7 +165,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="18" swagger: "2.0" diff --git a/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md b/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md index 9150aadd1b9..f22db10b306 100644 --- a/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md +++ b/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md @@ -28,7 +28,7 @@ Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="70" +```json title="Positive test num. 1 - json file" hl_lines="70" { "openapi": "3.0.0", "info": { @@ -118,7 +118,7 @@ Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not } ``` -```json title="Postitive test num. 2 - json file" hl_lines="46" +```json title="Positive test num. 2 - json file" hl_lines="46" { "swagger": "2.0", "info": { @@ -183,7 +183,7 @@ Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="45" +```yaml title="Positive test num. 3 - yaml file" hl_lines="45" openapi: 3.0.0 info: title: Simple API Overview @@ -237,7 +237,7 @@ components: type: string ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="32" swagger: "2.0" diff --git a/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md b/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md index 50fcd4a233c..fef27857ad5 100644 --- a/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md +++ b/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md @@ -28,7 +28,7 @@ Oauth 1.0 is deprecated, OAuth2 should be used instead
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="55" +```json title="Positive test num. 1 - json file" hl_lines="55" { "openapi": "3.0.0", "info": { @@ -92,7 +92,7 @@ Oauth 1.0 is deprecated, OAuth2 should be used instead
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +```yaml title="Positive test num. 2 - yaml file" hl_lines="31" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md b/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md index 479672fb624..9819b7b7a75 100644 --- a/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md +++ b/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md @@ -28,7 +28,7 @@ Security operation field should be defined in '#/components/securitySchemes'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Security operation field should be defined in '#/components/securitySchemes'
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="14" +```json title="Positive test num. 2 - json file" hl_lines="14" { "openapi": "3.0.0", "info": { @@ -144,7 +144,7 @@ Security operation field should be defined in '#/components/securitySchemes'
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" openapi: 3.0.0 info: title: Simple API overview @@ -175,7 +175,7 @@ paths: rel: self ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md b/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md index 8aeea485325..4cf007e40a6 100644 --- a/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md +++ b/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md @@ -28,7 +28,7 @@ Non-Array Schema should not have 'items' defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="52" +```json title="Positive test num. 1 - json file" hl_lines="52" { "openapi": "3.0.0", "info": { @@ -101,7 +101,7 @@ Non-Array Schema should not have 'items' defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -167,7 +167,7 @@ Non-Array Schema should not have 'items' defined
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="29" +```yaml title="Positive test num. 3 - yaml file" hl_lines="29" openapi: 3.0.0 info: title: Simple API Overview @@ -208,7 +208,7 @@ components: - name ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="17" openapi: 3.0.0 @@ -248,7 +248,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="44 22" { @@ -305,7 +305,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="32 19" swagger: '2.0' diff --git a/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md b/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md index 94f6151bcc7..e449ed3cfef 100644 --- a/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md +++ b/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md @@ -28,7 +28,7 @@ Security Definition Object should not use basic authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="25" +```json title="Positive test num. 1 - json file" hl_lines="25" { "swagger": "2.0", "info": { @@ -60,7 +60,7 @@ Security Definition Object should not use basic authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="17" +```yaml title="Positive test num. 2 - yaml file" hl_lines="17" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md b/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md index 463563728b6..32844be56c7 100644 --- a/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md +++ b/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md @@ -28,7 +28,7 @@ All path should be unique, if has more than one operation, all operations should ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19 6" openapi: 3.0.0 info: title: Simple API overview @@ -62,7 +62,7 @@ paths: description: 200 response ``` -```json title="Postitive test num. 2 - json file" hl_lines="8 29" +```json title="Positive test num. 2 - json file" hl_lines="8 29" { "openapi": "3.0.0", "info": { @@ -116,7 +116,7 @@ paths: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10 21" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10 21" swagger: "2.0" info: title: Simple API Overview @@ -150,7 +150,7 @@ paths: description: 200 response ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="13 31" { diff --git a/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md b/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md index b185ceecc7f..4390c43ceac 100644 --- a/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md +++ b/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md @@ -28,7 +28,7 @@ Using an scope on global security field that is undefined on 'securityScheme' ca ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="24" +```json title="Positive test num. 1 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ Using an scope on global security field that is undefined on 'securityScheme' ca } ``` -```json title="Postitive test num. 2 - json file" hl_lines="25" +```json title="Positive test num. 2 - json file" hl_lines="25" { "openapi": "3.0.0", "info": { @@ -142,7 +142,7 @@ Using an scope on global security field that is undefined on 'securityScheme' ca } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16" openapi: 3.0.0 info: title: Simple API overview @@ -179,7 +179,7 @@ components: write:api: write your apis ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md b/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md index 5699a5200e3..13ca9e4ce49 100644 --- a/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md +++ b/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md @@ -28,7 +28,7 @@ Parameter Object reference must always point to '#/parameters'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "swagger": "2.0", "info": { @@ -88,7 +88,7 @@ Parameter Object reference must always point to '#/parameters'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md b/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md index a7f26530ef2..d37f23d5260 100644 --- a/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md +++ b/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md @@ -28,7 +28,7 @@ Content Type should be set to 'multipart/form-data' in case of uploading an arbi ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="16" +```json title="Positive test num. 1 - json file" hl_lines="16" { "openapi": "3.0.0", "info": { @@ -66,7 +66,7 @@ Content Type should be set to 'multipart/form-data' in case of uploading an arbi } ``` -```json title="Postitive test num. 2 - json file" hl_lines="16" +```json title="Positive test num. 2 - json file" hl_lines="16" { "openapi": "3.0.0", "info": { @@ -103,7 +103,7 @@ Content Type should be set to 'multipart/form-data' in case of uploading an arbi } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +```yaml title="Positive test num. 3 - yaml file" hl_lines="13" openapi: 3.0.0 info: title: Simple API Overview @@ -127,7 +127,7 @@ paths: format: binary ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="13" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md b/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md index 53c94e7ed60..a60626cec01 100644 --- a/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md +++ b/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md @@ -28,7 +28,7 @@ OAuth2 security definition flow requires a valid URL in the tokenUrl field
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22" swagger: "2.0" info: title: Simple API Overview @@ -55,7 +55,7 @@ securityDefinitions: read:api: read your apis ``` -```json title="Postitive test num. 2 - json file" hl_lines="30" +```json title="Positive test num. 2 - json file" hl_lines="30" { "swagger": "2.0", "info": { diff --git a/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md b/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md index e5e0c9394bf..cd21c3edc8e 100644 --- a/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md +++ b/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md @@ -28,7 +28,7 @@ API Keys should not be transported over network
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="16 14 15" +```json title="Positive test num. 1 - json file" hl_lines="16 14 15" { "openapi": "3.0.0", "info": { @@ -77,7 +77,7 @@ API Keys should not be transported over network
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11 12 13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11 12 13" openapi: 3.0.0 info: title: Simple API overview @@ -110,7 +110,7 @@ components: in: query ``` -```json title="Postitive test num. 3 - json file" hl_lines="14 15" +```json title="Positive test num. 3 - json file" hl_lines="14 15" { "swagger": "2.0", "info": { @@ -151,7 +151,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11 12" swagger: "2.0" @@ -336,3 +336,41 @@ securityDefinitions: ```
+
Negative test num. 5 - yaml file + +```yaml +openapi: "3.0.1" +info: + title: "test" + version: "1.0" +servers: + - url: "https://@API-GW-ID.execute-api.us-east-1.amazonaws.com/{basePath}" + variables: + basePath: + default: "/api" + +paths: + /address: + get: + summary: test + description: test + security: + - apiKey1: [ ] + - authorizer: [ ] + responses: + '200': + description: test + content: + text/plain: + schema: + type: string + +components: + securitySchemes: + authorizer: + type: "apiKey" + name: "authorization" + in: "header" + +``` +
diff --git a/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md b/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md index 86fd4874f16..71fea39a424 100644 --- a/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md +++ b/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md @@ -28,7 +28,7 @@ Schema Object should not be have a required property that is not defined on prop ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="50" +```json title="Positive test num. 1 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -99,7 +99,7 @@ Schema Object should not be have a required property that is not defined on prop } ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -166,7 +166,7 @@ Schema Object should not be have a required property that is not defined on prop } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +```yaml title="Positive test num. 3 - yaml file" hl_lines="31" openapi: 3.0.0 info: title: Simple API Overview @@ -210,7 +210,7 @@ components: - message ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="19" openapi: 3.0.0 @@ -255,7 +255,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="20" { @@ -318,7 +318,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="17" swagger: "2.0" diff --git a/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md b/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md index 2f2e54e13e5..f36458fc014 100644 --- a/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md +++ b/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md @@ -28,7 +28,7 @@ Example should match one of MimeTypes on 'produces'. It is important to know tha ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="34" +```json title="Positive test num. 1 - json file" hl_lines="34" { "swagger": "2.0", "info": { @@ -83,7 +83,7 @@ Example should match one of MimeTypes on 'produces'. It is important to know tha } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="27" --- swagger: '2.0' info: diff --git a/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md b/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md index 15ab777b8e7..4130d6b337c 100644 --- a/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md +++ b/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md @@ -28,7 +28,7 @@ Header Object reference must always point to '#/components/headers'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="73" +```json title="Positive test num. 1 - json file" hl_lines="73" { "openapi": "3.0.0", "info": { @@ -114,7 +114,7 @@ Header Object reference must always point to '#/components/headers'
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -191,7 +191,7 @@ Header Object reference must always point to '#/components/headers'
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="45" +```yaml title="Positive test num. 3 - yaml file" hl_lines="45" openapi: 3.0.0 info: title: Simple API Overview @@ -239,7 +239,7 @@ components: $ref: "#components/h" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="29" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md b/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md index e15c490a925..90a7a7b0d9c 100644 --- a/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md +++ b/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md @@ -28,7 +28,7 @@ Global server object URL should use 'https' protocol instead of 'http'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13" +```json title="Positive test num. 1 - json file" hl_lines="13" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ Global server object URL should use 'https' protocol instead of 'http'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" openapi: 3.0.0 info: title: Simple API overview @@ -116,7 +116,7 @@ paths: rel: self ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="1" +```yaml title="Positive test num. 3 - yaml file" hl_lines="1" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md b/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md index 7d4d3050613..a20c2b32ae2 100644 --- a/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md +++ b/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md @@ -28,7 +28,7 @@ Security should not use 'password' Flow in OAuth2 authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="33" +```json title="Positive test num. 1 - json file" hl_lines="33" { "swagger": "2.0", "info": { @@ -70,7 +70,7 @@ Security should not use 'password' Flow in OAuth2 authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +```yaml title="Positive test num. 2 - yaml file" hl_lines="22" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md b/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md index 310161566e1..9ce0fc8a0cc 100644 --- a/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md +++ b/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md @@ -28,7 +28,7 @@ Parameter reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19" +```json title="Positive test num. 1 - json file" hl_lines="19" { "openapi": "3.0.0", "info": { @@ -69,7 +69,7 @@ Parameter reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="14" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md b/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md index 61e10fa9168..dceff8eb8b9 100644 --- a/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md +++ b/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md @@ -28,7 +28,7 @@ Operation Object should not use 'password' Flow in OAuth2 authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "swagger": "2.0", "info": { @@ -70,7 +70,7 @@ Operation Object should not use 'password' Flow in OAuth2 authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md b/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md index 661a85bf79f..98f63606dae 100644 --- a/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md +++ b/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md @@ -28,7 +28,7 @@ Schema Object properties should not contain 'enum' and schema keywords
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="42" +```json title="Positive test num. 1 - json file" hl_lines="42" { "openapi": "3.0.0", "info": { @@ -117,7 +117,7 @@ Schema Object properties should not contain 'enum' and schema keywords
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="32" +```yaml title="Positive test num. 2 - yaml file" hl_lines="32" openapi: 3.0.0 info: title: Simple API Overview @@ -179,7 +179,7 @@ components: - packSize ``` -```json title="Postitive test num. 3 - json file" hl_lines="39" +```json title="Positive test num. 3 - json file" hl_lines="39" { "swagger": "2.0", "info": { @@ -264,7 +264,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="29" swagger: "2.0" @@ -325,7 +325,7 @@ definitions: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="21" { @@ -378,7 +378,7 @@ definitions: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="22" swagger: "2.0" diff --git a/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md b/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md index b44a05dd342..b3ce5a058e1 100644 --- a/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md +++ b/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md @@ -28,7 +28,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 75" +```json title="Positive test num. 1 - json file" hl_lines="58 75" { "openapi": "3.0.0", "info": { @@ -113,7 +113,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined } ``` -```json title="Postitive test num. 2 - json file" hl_lines="27" +```json title="Positive test num. 2 - json file" hl_lines="27" { "openapi": "3.0.0", "info": { @@ -181,7 +181,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="34 46" +```yaml title="Positive test num. 3 - yaml file" hl_lines="34 46" openapi: 3.0.0 info: title: Simple API Overview @@ -230,7 +230,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="22" openapi: 3.0.0 @@ -270,7 +270,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="23" { @@ -316,7 +316,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="20" swagger: "2.0" diff --git a/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md b/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md index 2b005f128b0..1f4ecb97a74 100644 --- a/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md +++ b/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md @@ -28,7 +28,7 @@ A Parameter Object must contain either a 'schema' property, or a 'content' prope ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="73 43" +```json title="Positive test num. 1 - json file" hl_lines="73 43" { "openapi": "3.0.0", "info": { @@ -123,7 +123,7 @@ A Parameter Object must contain either a 'schema' property, or a 'content' prope } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 45" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 45" openapi: 3.0.0 info: title: Simple API overview @@ -180,7 +180,7 @@ paths: type: integer ``` -```json title="Postitive test num. 3 - json file" hl_lines="20" +```json title="Positive test num. 3 - json file" hl_lines="20" { "openapi": "3.0.0", "info": { @@ -270,7 +270,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md b/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md index bd00345e710..fe3027ebb71 100644 --- a/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md +++ b/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md @@ -28,7 +28,7 @@ Contact Object URL should be a valid URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="8" +```json title="Positive test num. 1 - json file" hl_lines="8" { "openapi": "3.0.0", "info": { @@ -79,7 +79,7 @@ Contact Object URL should be a valid URL
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" openapi: 3.0.0 info: title: Simple API Overview @@ -110,7 +110,7 @@ paths: rel: self ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "swagger": "2.0", "info": { @@ -138,7 +138,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="7" swagger: "2.0" diff --git a/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md b/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md index 6823c374499..92a7789c1e9 100644 --- a/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md +++ b/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md @@ -28,7 +28,7 @@ The field authorizationUrl on implicit or authorizationCode fields from OAuth mu ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="19 23" swagger: "2.0" info: title: Simple API Overview @@ -58,7 +58,7 @@ securityDefinitions: read:pets: read your pets ``` -```json title="Postitive test num. 2 - json file" hl_lines="32 27" +```json title="Positive test num. 2 - json file" hl_lines="32 27" { "swagger": "2.0", "info": { diff --git a/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md b/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md index bed066a7367..4768dfc54b3 100644 --- a/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md +++ b/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md @@ -28,7 +28,7 @@ Security Requirement Object should only have scopes defined for security schemes ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="9" +```json title="Positive test num. 1 - json file" hl_lines="9" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ Security Requirement Object should only have scopes defined for security schemes } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" openapi: 3.0.0 info: title: Simple API Overview 
@@ -103,7 +103,7 @@ components: read:pets: read your pets ``` -```json title="Postitive test num. 3 - json file" hl_lines="28" +```json title="Positive test num. 3 - json file" hl_lines="28" { "openapi": "3.0.0", "info": { @@ -170,7 +170,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="19" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md b/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md index b271de42327..70fa6d4a5ad 100644 --- a/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md +++ b/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md @@ -28,7 +28,7 @@ Header reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="25" +```json title="Positive test num. 1 - json file" hl_lines="25" { "openapi": "3.0.0", "info": { @@ -89,7 +89,7 @@ Header reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md b/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md index adf1a8d735e..2d04e4ee2ed 100644 --- a/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md +++ b/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md @@ -28,7 +28,7 @@ Using an scope on security of operations that is undefined on 'securityDefinitio ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +```yaml title="Positive test num. 1 - yaml file" hl_lines="11" swagger: "2.0" info: title: Simple API Overview @@ -56,7 +56,7 @@ securityDefinitions: read:api: read your apis ``` -```json title="Postitive test num. 2 - json file" hl_lines="14" +```json title="Positive test num. 2 - json file" hl_lines="14" { "swagger": "2.0", "info": { diff --git a/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md b/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md index 887e15c0e23..8629d521498 100644 --- a/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md +++ b/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md @@ -28,7 +28,7 @@ OAuth2 password flow insecurely exposes the credentials of the resource owner to ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58" +```json title="Positive test num. 1 - json file" hl_lines="58" { "openapi": "3.0.0", "info": { 
@@ -100,7 +100,7 @@ OAuth2 password flow insecurely exposes the credentials of the resource owner to } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="34" +```yaml title="Positive test num. 2 - yaml file" hl_lines="34" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md b/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md index fe6c54f3e35..9c5c2bcb22f 100644 --- a/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md +++ b/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md @@ -28,7 +28,7 @@ OAuth2 implicit flow is vulnerable to access token leakage and access token repl ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58" +```json title="Positive test num. 1 - json file" hl_lines="58" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ OAuth2 implicit flow is vulnerable to access token leakage and access token repl } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="34" +```yaml title="Positive test num. 2 - yaml file" hl_lines="34" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md b/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md index fd418cc1bb1..3cfc57a3e41 100644 --- a/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md +++ b/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md @@ -28,7 +28,7 @@ The value of 'additionalProperties' should be set as object instead of boolean, ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="28" +```json title="Positive test num. 1 - json file" hl_lines="28" { "swagger": "2.0", "info": { 
@@ -66,7 +66,7 @@ The value of 'additionalProperties' should be set as object instead of boolean, } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +```yaml title="Positive test num. 2 - yaml file" hl_lines="22" swagger: "2.0" info: title: Simple API Overview @@ -101,7 +101,7 @@ definitions: - name ``` -```json title="Postitive test num. 3 - json file" hl_lines="51 29" +```json title="Positive test num. 3 - json file" hl_lines="51 29" { "swagger": "2.0", "info": { @@ -158,7 +158,7 @@ definitions: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="34 23" swagger: "2.0" diff --git a/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md b/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md index a012dfa4986..1880461eb47 100644 --- a/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md +++ b/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md @@ -28,7 +28,7 @@ Head should define at least one success response (200 or 202)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -51,7 +51,7 @@ Head should define at least one success response (200 or 202)
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API @@ -66,7 +66,7 @@ paths: description: Error ``` -```json title="Postitive test num. 3 - json file" hl_lines="12" +```json title="Positive test num. 3 - json file" hl_lines="12" { "swagger": "2.0", "info": { @@ -89,7 +89,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10" swagger: "2.0" diff --git a/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md b/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md index c8d22c6d79e..22d854f028f 100644 --- a/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md +++ b/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md @@ -28,7 +28,7 @@ Delete should define at least one success response (200, 201, 202 or 204)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -51,7 +51,7 @@ Delete should define at least one success response (200, 201, 202 or 204)
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 2 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ Delete should define at least one success response (200, 201, 202 or 204)
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API @@ -101,7 +101,7 @@ paths: description: Error ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10" openapi: 3.0.0 @@ -127,7 +127,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="12" { @@ -165,7 +165,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="10" swagger: "2.0" diff --git a/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md b/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md index 181e8bb6573..23cae1463ec 100644 --- a/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md +++ b/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md @@ -28,7 +28,7 @@ The media type prefix should be set as 'application', 'audio', 'font', 'example' ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "swagger": "2.0", "info": { @@ -90,7 +90,7 @@ The media type prefix should be set as 'application', 'audio', 'font', 'example' } ``` -```json title="Postitive test num. 2 - json file" hl_lines="38" +```json title="Positive test num. 2 - json file" hl_lines="38" { "swagger": "2.0", "info": { @@ -152,7 +152,7 @@ The media type prefix should be set as 'application', 'audio', 'font', 'example' } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" swagger: '2.0' info: title: Simple API Overview @@ -192,7 +192,7 @@ definitions: type: string ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="24" swagger: '2.0' diff --git a/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md b/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md index 730ecaee1a6..c515640b97b 100644 --- a/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md +++ b/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md @@ -28,7 +28,7 @@ OAuth2 security scheme flow requires a valid URL in the tokenUrl field
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="23" openapi: 3.0.0 info: title: Simple API overview @@ -56,7 +56,7 @@ components: read:api: read your apis ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" openapi: 3.0.0 info: title: Simple API overview @@ -83,7 +83,7 @@ paths: application/json: ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="22" +```yaml title="Positive test num. 3 - yaml file" hl_lines="22" openapi: 3.0.0 info: title: Simple API overview @@ -110,7 +110,7 @@ components: read:api: read your apis ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="31" { @@ -156,7 +156,7 @@ components: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="14" { @@ -201,7 +201,7 @@ components: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="30" { diff --git a/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md b/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md index 02cc806306c..53171c11a04 100644 --- a/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md +++ b/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md @@ -28,7 +28,7 @@ Host field should be an IP or a valid host name
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="7" +```json title="Positive test num. 1 - json file" hl_lines="7" { "swagger": "2.0", "info": { @@ -74,7 +74,7 @@ Host field should be an IP or a valid host name
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" --- swagger: '2.0' info: diff --git a/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md b/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md index bce71cc4612..e3060e20f2b 100644 --- a/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md +++ b/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md @@ -28,7 +28,7 @@ Schema Object should have all required properties defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="56" +```json title="Positive test num. 1 - json file" hl_lines="56" { "openapi": "3.0.0", "info": { @@ -108,7 +108,7 @@ Schema Object should have all required properties defined
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="38" +```yaml title="Positive test num. 2 - yaml file" hl_lines="38" openapi: 3.0.0 info: title: Simple API Overview @@ -156,7 +156,7 @@ components: allowReserved: true ``` -```json title="Postitive test num. 3 - json file" hl_lines="54" +```json title="Positive test num. 3 - json file" hl_lines="54" { "openapi": "3.0.0", "info": { @@ -227,7 +227,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="37" openapi: 3.0.0 @@ -273,7 +273,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="27" { @@ -317,7 +317,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="20" swagger: "2.0" diff --git a/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md b/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md index 2e076a1ec38..db6628cd59f 100644 --- a/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md +++ b/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md @@ -28,7 +28,7 @@ Schema discriminator values should match defined properties.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="53" +```json title="Positive test num. 1 - json file" hl_lines="53" { "openapi": "3.0.0", "info": { @@ -101,7 +101,7 @@ Schema discriminator values should match defined properties.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="25" +```json title="Positive test num. 2 - json file" hl_lines="25" { "openapi": "3.0.0", "info": { @@ -170,7 +170,7 @@ Schema discriminator values should match defined properties.
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +```yaml title="Positive test num. 3 - yaml file" hl_lines="32" openapi: 3.0.0 info: title: Simple API Overview @@ -213,7 +213,7 @@ components: - petType ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -257,7 +257,7 @@ security: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="28" { @@ -306,7 +306,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="16" swagger: "2.0" @@ -336,7 +336,7 @@ definitions: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="25" { @@ -383,7 +383,7 @@ definitions: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md b/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md index d19f1b19353..c5010c2ed73 100644 --- a/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md +++ b/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md @@ -28,7 +28,7 @@ API Keys should not be transported over network
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="57 52 62" +```json title="Positive test num. 1 - json file" hl_lines="57 52 62" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ API Keys should not be transported over network
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="35 39 31" +```yaml title="Positive test num. 2 - yaml file" hl_lines="35 39 31" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md b/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md index def4c33d12a..e2e9cae77f4 100644 --- a/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md +++ b/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md @@ -28,7 +28,7 @@ Property 'allowReserved' of the encoding object should be defined when the media ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="49" +```json title="Positive test num. 1 - json file" hl_lines="49" { "openapi": "3.0.0", "info": { @@ -106,7 +106,7 @@ Property 'allowReserved' of the encoding object should be defined when the media } ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -175,7 +175,7 @@ Property 'allowReserved' of the encoding object should be defined when the media } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +```yaml title="Positive test num. 3 - yaml file" hl_lines="31" openapi: 3.0.0 info: title: Simple API Overview @@ -222,7 +222,7 @@ components: allowReserved: true ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="30" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md b/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md index 96ae81f1196..177b4333878 100644 --- a/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md +++ b/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md @@ -28,7 +28,7 @@ All properties defined in OpenAPI objects should be known
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="40 20" +```json title="Positive test num. 1 - json file" hl_lines="40 20" { "swagger": "2.0", "info": { @@ -83,7 +83,7 @@ All properties defined in OpenAPI objects should be known
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="25 7" +```json title="Positive test num. 2 - json file" hl_lines="25 7" { "swagger": "2.0", "info": { @@ -116,7 +116,7 @@ All properties defined in OpenAPI objects should be known
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16 28" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16 28" swagger: "2.0" info: title: Simple API Overview @@ -153,7 +153,7 @@ definitions: maximum: 600 ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="17 6" swagger: "2.0" diff --git a/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md b/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md index d8d3c8e217f..152c53a72e4 100644 --- a/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md +++ b/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md @@ -28,7 +28,7 @@ Using an scope on security of operations that is undefined on 'securityScheme' c ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13" +```json title="Positive test num. 1 - json file" hl_lines="13" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ Using an scope on security of operations that is undefined on 'securityScheme' c } ``` -```json title="Postitive test num. 2 - json file" hl_lines="14" +```json title="Positive test num. 2 - json file" hl_lines="14" { "openapi": "3.0.0", "info": { @@ -142,7 +142,7 @@ Using an scope on security of operations that is undefined on 'securityScheme' c } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" openapi: 3.0.0 info: title: Simple API overview @@ -179,7 +179,7 @@ components: write:api: write your apis ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="11" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md b/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md index 67e5d1f6dd6..094c049e06c 100644 --- a/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md +++ b/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md @@ -28,7 +28,7 @@ A Parameter Object must contain either a 'schema' property, or a 'content' prope ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43 55" +```json title="Positive test num. 1 - json file" hl_lines="43 55" { "openapi": "3.0.0", "info": { @@ -94,7 +94,7 @@ A Parameter Object must contain either a 'schema' property, or a 'content' prope } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="40 26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="40 26" openapi: 3.0.0 info: title: Simple API overview @@ -139,7 +139,7 @@ paths: description: The user ID ``` -```json title="Postitive test num. 3 - json file" hl_lines="10" +```json title="Positive test num. 3 - json file" hl_lines="10" { "openapi": "3.0.0", "info": { @@ -200,7 +200,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="8" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md b/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md index 9409e30ce4c..76f0358acb2 100644 --- a/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md +++ b/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md @@ -28,7 +28,7 @@ Operation Object should have at least one successful HTTP status code defined
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10" swagger: "2.0" diff --git a/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md b/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md index b7a8d4bdfb1..115062aeeb1 100644 --- a/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md +++ b/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md @@ -28,7 +28,7 @@ There is a 'securityScheme' using implicit flow on OAuth2, which is deprecatedPostitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="21" openapi: 3.0.0 @@ -210,7 +210,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="27" openapi: 3.0.0 @@ -247,7 +247,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="31" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md b/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md index 0b9adfd8791..9c05b509f7e 100644 --- a/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md +++ b/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md @@ -28,7 +28,7 @@ Property 'allowEmptyValue' should be only defined for query parameters and formD ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43 59" +```json title="Positive test num. 1 - json file" hl_lines="43 59" { "openapi": "3.0.0", "info": { @@ -108,7 +108,7 @@ Property 'allowEmptyValue' should be only defined for query parameters and formD } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 37" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 37" openapi: 3.0.0 info: title: Simple API overview @@ -157,7 +157,7 @@ paths: description: 200 response ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -227,7 +227,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 @@ -272,7 +272,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="20" { @@ -307,7 +307,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md b/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md index 071bb20ef8f..5faddb7c3f6 100644 --- a/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md +++ b/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md @@ -28,7 +28,7 @@ Schema Object reference must always point to '#/components/schemas'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="76" +```json title="Positive test num. 1 - json file" hl_lines="76" { "openapi": "3.0.0", "info": { @@ -119,7 +119,7 @@ Schema Object reference must always point to '#/components/schemas'
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="16" +```json title="Positive test num. 2 - json file" hl_lines="16" { "openapi": "3.0.0", "info": { @@ -190,7 +190,7 @@ Schema Object reference must always point to '#/components/schemas'
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="46" +```yaml title="Positive test num. 3 - yaml file" hl_lines="46" openapi: 3.0.0 info: title: Simple API Overview @@ -242,7 +242,7 @@ components: $ref: "#/components/examples/tshirt" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md b/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md index 16462bc7cc2..27790918258 100644 --- a/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md +++ b/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md @@ -28,7 +28,7 @@ Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If s ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="70" +```json title="Positive test num. 1 - json file" hl_lines="70" { "openapi": "3.0.0", "info": { @@ -114,7 +114,7 @@ Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If s } ``` -```json title="Postitive test num. 2 - json file" hl_lines="36" +```json title="Positive test num. 2 - json file" hl_lines="36" { "openapi": "3.0.0", "info": { @@ -170,7 +170,7 @@ Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If s } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="42" +```yaml title="Positive test num. 3 - yaml file" hl_lines="42" openapi: 3.0.0 info: title: Simple API Overview @@ -218,7 +218,7 @@ components: contentType: image/png, image/jpeg ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md b/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md index 5e33d0ee7ef..675ec48c090 100644 --- a/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md +++ b/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md @@ -28,7 +28,7 @@ The Schema Object should not be empty to avoid accepting any JSON values
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="50" +```json title="Positive test num. 1 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ The Schema Object should not be empty to avoid accepting any JSON values
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -136,7 +136,7 @@ The Schema Object should not be empty to avoid accepting any JSON values
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="27" +```yaml title="Positive test num. 3 - yaml file" hl_lines="27" openapi: 3.0.0 info: title: Simple API Overview @@ -166,7 +166,7 @@ components: GeneralError: {} ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="15" openapi: 3.0.0 @@ -187,7 +187,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="20" { @@ -219,7 +219,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="13" swagger: "2.0" @@ -238,7 +238,7 @@ paths: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="26" { @@ -272,7 +272,7 @@ paths: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md b/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md index 28ae7b7bf80..2a8514685c6 100644 --- a/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md +++ b/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md @@ -28,7 +28,7 @@ The header object should have schema defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="72" +```json title="Positive test num. 1 - json file" hl_lines="72" { "openapi": "3.0.0", "info": { @@ -114,7 +114,7 @@ The header object should have schema defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="42" +```json title="Positive test num. 2 - json file" hl_lines="42" { "openapi": "3.0.0", "info": { @@ -191,7 +191,7 @@ The header object should have schema defined
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="44" +```yaml title="Positive test num. 3 - yaml file" hl_lines="44" openapi: 3.0.0 info: title: Simple API Overview @@ -239,7 +239,7 @@ components: description: The number of allowed requests in the current period ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="28" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md b/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md index b8c9fb4fdbb..a4680a0b0fc 100644 --- a/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md +++ b/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md @@ -28,7 +28,7 @@ The field authorizationUrl on implicit or authorizationCode fields from OAuth mu ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="50" +```json title="Positive test num. 1 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -92,7 +92,7 @@ The field authorizationUrl on implicit or authorizationCode fields from OAuth mu } ``` -```json title="Postitive test num. 2 - json file" hl_lines="50" +```json title="Positive test num. 2 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -155,7 +155,7 @@ The field authorizationUrl on implicit or authorizationCode fields from OAuth mu } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +```yaml title="Positive test num. 3 - yaml file" hl_lines="32" openapi: 3.0.0 info: title: Simple API Overview @@ -194,7 +194,7 @@ components: read:api: read your apis ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="32" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md b/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md index 1cefa69dfb1..0b440c60c54 100644 --- a/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md +++ b/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md @@ -28,7 +28,7 @@ Global security definition must not have empty objects
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43" +```json title="Positive test num. 1 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -77,7 +77,7 @@ Global security definition must not have empty objects
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -135,7 +135,7 @@ Global security definition must not have empty objects
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -193,7 +193,7 @@ Global security definition must not have empty objects
} ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="43" { @@ -243,7 +243,7 @@ Global security definition must not have empty objects
```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 @@ -275,7 +275,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 @@ -312,7 +312,7 @@ components: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 @@ -349,7 +349,7 @@ components: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 @@ -380,7 +380,7 @@ security: {} ```
-
Postitive test num. 9 - yaml file +
Positive test num. 9 - yaml file ```yaml hl_lines="38" swagger: "2.0" @@ -426,7 +426,7 @@ security: ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="60" { @@ -498,7 +498,7 @@ security: ```
-
Postitive test num. 11 - yaml file +
Positive test num. 11 - yaml file ```yaml hl_lines="38" swagger: "2.0" @@ -542,7 +542,7 @@ security: {} ```
-
Postitive test num. 12 - json file +
Positive test num. 12 - json file ```json hl_lines="60" { diff --git a/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md b/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md index d606d741f2e..a3f64e587a6 100644 --- a/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md +++ b/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md @@ -28,7 +28,7 @@ The template path must have a corresponding path parameter for a given operation ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +```yaml title="Positive test num. 1 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API overview @@ -75,7 +75,7 @@ paths: type: integer ``` -```json title="Postitive test num. 2 - json file" hl_lines="58" +```json title="Positive test num. 2 - json file" hl_lines="58" { "openapi": "3.0.0", "info": { @@ -153,7 +153,7 @@ paths: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 34" +```yaml title="Positive test num. 3 - yaml file" hl_lines="40 34" openapi: 3.0.0 info: title: Simple API overview @@ -199,7 +199,7 @@ paths: description: 200 response ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="65 55" { @@ -279,7 +279,7 @@ paths: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="14" swagger: "2.0" @@ -318,7 +318,7 @@ paths: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="38" { @@ -376,7 +376,7 @@ paths: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="25 31" swagger: "2.0" @@ -416,7 +416,7 @@ paths: ```
-
Postitive test num. 8 - json file +
Positive test num. 8 - json file ```json hl_lines="35 45" { diff --git a/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md b/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md index 25f8424d18b..355d483e50c 100644 --- a/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md +++ b/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md @@ -28,7 +28,7 @@ The field 'content' of the request body object should be set to 'multipart' or ' ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="64" +```json title="Positive test num. 1 - json file" hl_lines="64" { "openapi": "3.0.0", "info": { @@ -105,7 +105,7 @@ The field 'content' of the request body object should be set to 'multipart' or ' } ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -173,7 +173,7 @@ The field 'content' of the request body object should be set to 'multipart' or ' } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="41" +```yaml title="Positive test num. 3 - yaml file" hl_lines="41" openapi: 3.0.0 info: title: Simple API Overview @@ -219,7 +219,7 @@ components: contentType: image/png, image/jpeg ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="30" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md b/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md index 7b9fc559934..28436a29025 100644 --- a/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md +++ b/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md @@ -28,7 +28,7 @@ All array fields should not be empty
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43" +```json title="Positive test num. 1 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -75,7 +75,7 @@ All array fields should not be empty
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="25" +```yaml title="Positive test num. 2 - yaml file" hl_lines="25" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md b/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md index c742b9d1797..ddb75cc0a14 100644 --- a/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md +++ b/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md @@ -28,7 +28,7 @@ Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple" ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="47" +```json title="Positive test num. 1 - json file" hl_lines="47" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple" } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" openapi: 3.0.0 info: title: Simple API overview @@ -121,7 +121,7 @@ paths: type: integer ``` -```json title="Postitive test num. 3 - json file" hl_lines="12" +```json title="Positive test num. 3 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -181,7 +181,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="32" openapi: 3.0.0 @@ -221,7 +221,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="16" { @@ -283,7 +283,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="31" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md b/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md index ab0444ad571..8669e93fc6a 100644 --- a/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md +++ b/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md @@ -28,7 +28,7 @@ Tag External Documentation URL should be a valid URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="57 53" +```json title="Positive test num. 1 - json file" hl_lines="57 53" { "openapi": "3.0.0", "info": { @@ -95,7 +95,7 @@ Tag External Documentation URL should be a valid URL
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 30" openapi: 3.0.0 info: title: Simple API Overview @@ -131,7 +131,7 @@ tags: url: / ``` -```json title="Postitive test num. 3 - json file" hl_lines="34 30" +```json title="Positive test num. 3 - json file" hl_lines="34 30" { "swagger": "2.0", "info": { @@ -175,7 +175,7 @@ tags: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18 22" swagger: "2.0" diff --git a/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md b/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md index 158580dbbd8..a5f5d965ec3 100644 --- a/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md +++ b/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md @@ -28,7 +28,7 @@ OpenAPI Object should contain all of its required fields
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="3 20" +```json title="Positive test num. 1 - json file" hl_lines="3 20" { "swagger": "2.0", "info": { @@ -58,7 +58,7 @@ OpenAPI Object should contain all of its required fields
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="2 13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="2 13" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md b/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md index 1944e1d4556..1325d03df06 100644 --- a/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md +++ b/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md @@ -28,7 +28,7 @@ Operation External Documentation URL should be a valid URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="18" +```json title="Positive test num. 1 - json file" hl_lines="18" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Operation External Documentation URL should be a valid URL
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" openapi: 3.0.0 info: title: Simple API Overview @@ -117,7 +117,7 @@ components: scheme: basic ``` -```json title="Postitive test num. 3 - json file" hl_lines="18" +```json title="Positive test num. 3 - json file" hl_lines="18" { "swagger": "2.0", "info": { @@ -148,7 +148,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md b/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md index 258ccaf052d..e9115a15bbd 100644 --- a/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md +++ b/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md @@ -28,7 +28,7 @@ Put should define at least one success response (200, 201, 202 or 204)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -51,7 +51,7 @@ Put should define at least one success response (200, 201, 202 or 204)
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ Put should define at least one success response (200, 201, 202 or 204)
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API @@ -101,7 +101,7 @@ paths: description: Error ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -127,7 +127,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="24" { @@ -165,7 +165,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="18" swagger: "2.0" diff --git a/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md b/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md index 7885dcab25b..1250b09a764 100644 --- a/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md +++ b/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md @@ -28,7 +28,7 @@ Link object 'OperationId' should not have both 'operationId' and 'operationRef' ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="70" +```json title="Positive test num. 1 - json file" hl_lines="70" { "openapi": "3.0.0", "info": { @@ -120,7 +120,7 @@ Link object 'OperationId' should not have both 'operationId' and 'operationRef' } ``` -```json title="Postitive test num. 2 - json file" hl_lines="27" +```json title="Positive test num. 2 - json file" hl_lines="27" { "openapi": "3.0.0", "info": { @@ -184,7 +184,7 @@ Link object 'OperationId' should not have both 'operationId' and 'operationRef' } ``` -```json title="Postitive test num. 3 - json file" hl_lines="67" +```json title="Positive test num. 3 - json file" hl_lines="67" { "openapi": "3.0.0", "info": { @@ -263,7 +263,7 @@ Link object 'OperationId' should not have both 'operationId' and 'operationRef' } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="50" openapi: 3.0.0 @@ -323,7 +323,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="20" openapi: 3.0.0 @@ -366,7 +366,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="42" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md b/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md index 40a9ac4c8c4..fc49c64d56e 100644 --- a/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md +++ b/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md @@ -28,7 +28,7 @@ Security object for operations, if defined, must define a security scheme, other ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Security object for operations, if defined, must define a security scheme, other } ``` -```json title="Postitive test num. 2 - json file" hl_lines="51" +```json title="Positive test num. 2 - json file" hl_lines="51" { "openapi": "3.0.0", "info": { @@ -152,7 +152,7 @@ Security object for operations, if defined, must define a security scheme, other } ``` -```json title="Postitive test num. 3 - json file" hl_lines="51" +```json title="Positive test num. 3 - json file" hl_lines="51" { "openapi": "3.0.0", "info": { @@ -222,7 +222,7 @@ Security object for operations, if defined, must define a security scheme, other } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="53" { @@ -320,7 +320,7 @@ Security object for operations, if defined, must define a security scheme, other ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="10" openapi: 3.0.0 @@ -354,7 +354,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="31" openapi: 3.0.0 @@ -397,7 +397,7 @@ security: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="31" openapi: 3.0.0 @@ -440,7 +440,7 @@ security: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="32" openapi: 3.0.0 @@ -496,7 +496,7 @@ security: ```
-
Postitive test num. 9 - yaml file +
Positive test num. 9 - yaml file ```yaml hl_lines="14" swagger: "2.0" @@ -530,7 +530,7 @@ paths: ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="17" { diff --git a/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md b/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md index 7b79b5228c7..1562558fe56 100644 --- a/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md +++ b/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md @@ -28,7 +28,7 @@ Security Scheme HTTP should not be using basic authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="57" +```json title="Positive test num. 1 - json file" hl_lines="57" { "openapi": "3.0.0", "info": { @@ -92,7 +92,7 @@ Security Scheme HTTP should not be using basic authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +```yaml title="Positive test num. 2 - yaml file" hl_lines="33" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md b/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md index 61b3af73302..5dfec2196ca 100644 --- a/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md +++ b/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md @@ -28,7 +28,7 @@ Schema External Documentation URL should be a valid URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="61" +```json title="Positive test num. 1 - json file" hl_lines="61" { "openapi": "3.0.0", "info": { @@ -97,7 +97,7 @@ Schema External Documentation URL should be a valid URL
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -153,7 +153,7 @@ Schema External Documentation URL should be a valid URL
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="35" +```yaml title="Positive test num. 3 - yaml file" hl_lines="35" openapi: 3.0.0 info: title: Simple API Overview @@ -191,7 +191,7 @@ components: url: / ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="17" openapi: 3.0.0 @@ -224,7 +224,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="22" { @@ -260,7 +260,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="15" swagger: "2.0" @@ -281,7 +281,7 @@ paths: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="37" { @@ -328,7 +328,7 @@ paths: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="22" swagger: "2.0" diff --git a/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md b/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md index 2e0784c3e70..f69b3267786 100644 --- a/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md +++ b/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md @@ -28,7 +28,7 @@ Components parameters definitions should be referenced or removed from Open API ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -64,7 +64,7 @@ Components parameters definitions should be referenced or removed from Open API } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md b/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md index 7437d50e2f1..ffa06e6eaef 100644 --- a/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md +++ b/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md @@ -28,7 +28,7 @@ Array schema should have the field 'maxItems' set
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="56" +```json title="Positive test num. 1 - json file" hl_lines="56" { "openapi": "3.0.0", "info": { @@ -97,7 +97,7 @@ Array schema should have the field 'maxItems' set
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="28" +```json title="Positive test num. 2 - json file" hl_lines="28" { "openapi": "3.0.0", "info": { @@ -162,7 +162,7 @@ Array schema should have the field 'maxItems' set
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +```yaml title="Positive test num. 3 - yaml file" hl_lines="32" openapi: 3.0.0 info: title: Simple API Overview @@ -200,7 +200,7 @@ components: type: string ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="20" openapi: 3.0.0 @@ -239,7 +239,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="31" { @@ -292,7 +292,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="23" swagger: "2.0" diff --git a/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md b/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md index 5e98c3defba..3c2f4d74fd0 100644 --- a/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md +++ b/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md @@ -28,7 +28,7 @@ The path parameter must have a corresponding template path for a given operation ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" openapi: 3.0.0 info: title: Simple API overview @@ -73,7 +73,7 @@ paths: minimum: 1 ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -147,7 +147,7 @@ paths: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="29" +```yaml title="Positive test num. 3 - yaml file" hl_lines="29" swagger: "2.0" info: title: Simple API Overview @@ -189,7 +189,7 @@ paths: collectionFormat: csv ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="47" { diff --git a/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md b/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md index 5f78c1d58f3..abc604dfee1 100644 --- a/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md +++ b/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md @@ -28,7 +28,7 @@ Example reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -87,7 +87,7 @@ Example reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md b/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md index 6f220c7660c..394deae8814 100644 --- a/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md +++ b/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md @@ -28,7 +28,7 @@ Components request bodies definitions should be referenced or removed from Open ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="35" +```json title="Positive test num. 1 - json file" hl_lines="35" { "openapi": "3.0.0", "info": { @@ -78,7 +78,7 @@ Components request bodies definitions should be referenced or removed from Open } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="23" +```yaml title="Positive test num. 2 - yaml file" hl_lines="23" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md b/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md index 08d3272df02..048ac3b3548 100644 --- a/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md +++ b/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12 21" +```json title="Positive test num. 1 - json file" hl_lines="12 21" { "openapi": "3.0.0", "info": { @@ -79,7 +79,7 @@ hide: } ``` -```json title="Postitive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 2 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { 
@@ -141,7 +141,7 @@ hide: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="16 10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="16 10" openapi: 3.0.0 info: title: Simple API @@ -174,7 +174,7 @@ components: - message ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10" openapi: 3.0.0 @@ -216,7 +216,7 @@ security: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="12" { @@ -262,7 +262,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="10" swagger: "2.0" diff --git a/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md b/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md index 1c34cbb31d5..0f83525bf26 100644 --- a/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md +++ b/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md @@ -28,7 +28,7 @@ All global schemas definitions should be in use
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="44" +```json title="Positive test num. 1 - json file" hl_lines="44" { "swagger": "2.0", "info": { @@ -88,7 +88,7 @@ All global schemas definitions should be in use
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="29" +```yaml title="Positive test num. 2 - yaml file" hl_lines="29" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md b/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md index 485ec29c68c..a70caac33d6 100644 --- a/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md +++ b/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md @@ -28,7 +28,7 @@ The header Parameter should not be named as 'Content-Type'. If so, it will be ig ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 43" +```json title="Positive test num. 1 - json file" hl_lines="58 43" { "openapi": "3.0.0", "info": { @@ -101,7 +101,7 @@ The header Parameter should not be named as 'Content-Type'. If so, it will be ig } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 36" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 36" openapi: 3.0.0 info: title: Simple API overview @@ -145,7 +145,7 @@ paths: minimum: 1 ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -214,7 +214,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 @@ -258,7 +258,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="11 38" { @@ -308,7 +308,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="14 23" swagger: "2.0" diff --git a/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md b/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md index 438a0802ecd..0036c4dd9af 100644 --- a/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md +++ b/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md @@ -28,7 +28,7 @@ The Body Parameter Object should have the attribute 'schema' defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="16 37" +```json title="Positive test num. 1 - json file" hl_lines="16 37" { "swagger": "2.0", "info": { @@ -73,7 +73,7 @@ The Body Parameter Object should have the attribute 'schema' defined
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 13" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md b/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md index 15a3894bf0e..ecb26240e1a 100644 --- a/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md +++ b/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md @@ -28,7 +28,7 @@ Every defined property must be unique throughout the whole API
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="33 54 57 27 60 30" +```json title="Positive test num. 1 - json file" hl_lines="33 54 57 27 60 30" { "swagger": "2.0", "info": { @@ -98,7 +98,7 @@ Every defined property must be unique throughout the whole API
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="38 40 42 22 24 26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="38 40 42 22 24 26" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md b/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md index d375fda4842..0ed5e82f54a 100644 --- a/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md +++ b/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md @@ -28,7 +28,7 @@ When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'fo ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="37 13" +```json title="Positive test num. 1 - json file" hl_lines="37 13" { "swagger": "2.0", "info": { @@ -79,7 +79,7 @@ When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'fo } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10 26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10 26" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md b/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md index bee05bbc5cd..cf096b418dd 100644 --- a/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md +++ b/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md @@ -28,7 +28,7 @@ A security scheme is allowing basic authentication credentials to be transported ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="51" +```json title="Positive test num. 1 - json file" hl_lines="51" { "openapi": "3.0.0", "info": { 
@@ -88,7 +88,7 @@ A security scheme is allowing basic authentication credentials to be transported } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="30" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md b/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md index 7c807243c93..a7d2cf41dc6 100644 --- a/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md +++ b/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md @@ -28,7 +28,7 @@ Security Definition Object should not allow 'password' Flow in OAuth2 authentica ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="27" +```json title="Positive test num. 1 - json file" hl_lines="27" { "swagger": "2.0", "info": { @@ -62,7 +62,7 @@ Security Definition Object should not allow 'password' Flow in OAuth2 authentica } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md b/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md index 6e8e5b5ebe5..43188d91a1e 100644 --- a/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md +++ b/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md @@ -28,7 +28,7 @@ Response reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Response reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md b/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md index ddb4f7327ac..71973c5e745 100644 --- a/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md +++ b/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md @@ -28,7 +28,7 @@ Property 'allowReserved' should be only defined for query parameters
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43 59" +```json title="Positive test num. 1 - json file" hl_lines="43 59" { "openapi": "3.0.0", "info": { @@ -103,7 +103,7 @@ Property 'allowReserved' should be only defined for query parameters
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 37" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 37" openapi: 3.0.0 info: title: Simple API overview @@ -149,7 +149,7 @@ paths: minimum: 1 ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -219,7 +219,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md b/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md index 3a0f825ad61..f7a0a14f38f 100644 --- a/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md +++ b/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md @@ -28,7 +28,7 @@ Operations file parameters consumes must be 'multipart/form-data', 'application/ ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "swagger": "2.0", "info": { @@ -79,7 +79,7 @@ Operations file parameters consumes must be 'multipart/form-data', 'application/ } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md b/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md index 0f9e7b26f6b..83c0647c054 100644 --- a/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md +++ b/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md @@ -28,7 +28,7 @@ Link reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="26" +```json title="Positive test num. 1 - json file" hl_lines="26" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ Link reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="20" +```yaml title="Positive test num. 2 - yaml file" hl_lines="20" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md b/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md index 6729889534f..b13c3c48fcc 100644 --- a/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md +++ b/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md @@ -28,7 +28,7 @@ Paths object may be empty due to ACL constraints, meaning they are not exposedPostitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="5" swagger: "2.0" diff --git a/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md b/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md index f875fe53354..3d5ba4fb350 100644 --- a/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md +++ b/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md @@ -28,7 +28,7 @@ Path object should have at least one operation object defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="8" +```json title="Positive test num. 1 - json file" hl_lines="8" { "openapi": "3.0.0", "info": { @@ -41,7 +41,7 @@ Path object should have at least one operation object defined
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" openapi: 3.0.0 info: title: Simple API overview @@ -50,7 +50,7 @@ paths: "/": {} ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "swagger": "2.0", "info": { @@ -63,7 +63,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="6" swagger: "2.0" diff --git a/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md b/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md index 457744f3ba4..e6c3e8573dd 100644 --- a/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md +++ b/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md @@ -28,7 +28,7 @@ Cleartext credentials over unencrypted channel should not be accepted for the op ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="28" +```json title="Positive test num. 1 - json file" hl_lines="28" { "openapi": "3.0.0", "info": { @@ -93,7 +93,7 @@ Cleartext credentials over unencrypted channel should not be accepted for the op } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md b/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md index 4ad8128b6a7..08b09e61bd3 100644 --- a/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md +++ b/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md @@ -28,7 +28,7 @@ Operations responses should have a default response defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -70,7 +70,7 @@ Operations responses should have a default response defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="12 21" +```json title="Positive test num. 2 - json file" hl_lines="12 21" { "openapi": "3.0.0", "info": { @@ -121,7 +121,7 @@ Operations responses should have a default response defined
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API @@ -148,7 +148,7 @@ components: - message ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16 10" openapi: 3.0.0 @@ -184,7 +184,7 @@ components: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="12 21" { @@ -219,7 +219,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="16 10" swagger: "2.0" diff --git a/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md b/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md index c6fcc27dd79..3405a1f9875 100644 --- a/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md +++ b/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md @@ -28,7 +28,7 @@ Examples values and fields should be compliant with the schema type
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="21" +```json title="Positive test num. 1 - json file" hl_lines="21" { "openapi": "3.0.0", "info": { @@ -87,7 +87,7 @@ Examples values and fields should be compliant with the schema type
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18" openapi: 3.0.0 info: title: Simple API Overview @@ -124,7 +124,7 @@ components: summary: A sample object ``` -```json title="Postitive test num. 3 - json file" hl_lines="24" +```json title="Positive test num. 3 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -174,7 +174,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="20" openapi: 3.0.0 @@ -207,7 +207,7 @@ security: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="34 20" { @@ -272,7 +272,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="17 26" openapi: 3.0.0 @@ -314,7 +314,7 @@ security: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="24" { @@ -364,7 +364,7 @@ security: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="20" openapi: 3.0.0 @@ -396,7 +396,7 @@ security: ```
-
Postitive test num. 9 - json file +
Positive test num. 9 - json file ```json hl_lines="25" { @@ -445,7 +445,7 @@ security: ```
-
Postitive test num. 10 - yaml file +
Positive test num. 10 - yaml file ```yaml hl_lines="20" swagger: "2.0" @@ -471,7 +471,7 @@ paths: ```
-
Postitive test num. 11 - json file +
Positive test num. 11 - json file ```json hl_lines="44" { @@ -527,7 +527,7 @@ paths: ```
-
Postitive test num. 12 - yaml file +
Positive test num. 12 - yaml file ```yaml hl_lines="30" swagger: "2.0" diff --git a/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md b/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md index feb5a893bff..7064bde55be 100644 --- a/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md +++ b/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md @@ -28,7 +28,7 @@ Every defined Server Variable Object should be used in a Service URL.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="38" +```json title="Positive test num. 1 - json file" hl_lines="38" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Every defined Server Variable Object should be used in a Service URL.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="35" +```json title="Positive test num. 2 - json file" hl_lines="35" { "openapi": "3.0.0", "info": { @@ -129,7 +129,7 @@ Every defined Server Variable Object should be used in a Service URL.
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="30" +```yaml title="Positive test num. 3 - yaml file" hl_lines="30" openapi: 3.0.0 info: title: Simple API Overview @@ -163,7 +163,7 @@ paths: default: another ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md b/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md index fe951817c03..6babc6b12a8 100644 --- a/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md +++ b/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md @@ -28,7 +28,7 @@ Global security field should be defined to prevent API to have insecure paths an ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="2" +```json title="Positive test num. 1 - json file" hl_lines="2" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ Global security field should be defined to prevent API to have insecure paths an } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="1" +```yaml title="Positive test num. 2 - yaml file" hl_lines="1" openapi: 3.0.0 info: title: Simple API overview @@ -101,7 +101,7 @@ paths: rel: self ``` -```json title="Postitive test num. 3 - json file" hl_lines="2" +```json title="Positive test num. 3 - json file" hl_lines="2" { "swagger": "2.0", "info": { @@ -124,7 +124,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="1" swagger: "2.0" diff --git a/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md b/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md index 3b0533e569a..5ff097311dc 100644 --- a/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md +++ b/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md @@ -28,7 +28,7 @@ The map content property of the parameter object should only contain one entryPostitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md b/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md index 594fbab68c0..9212ef6cc4e 100644 --- a/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md +++ b/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md @@ -28,7 +28,7 @@ String schema should restrict the pattern
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="81 61" +```json title="Positive test num. 1 - json file" hl_lines="81 61" { "openapi": "3.0.0", "info": { @@ -124,7 +124,7 @@ String schema should restrict the pattern
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="30" +```json title="Positive test num. 2 - json file" hl_lines="30" { "openapi": "3.0.0", "info": { @@ -198,7 +198,7 @@ String schema should restrict the pattern
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="51 37" +```yaml title="Positive test num. 3 - yaml file" hl_lines="51 37" openapi: 3.0.0 info: title: Simple API Overview @@ -255,7 +255,7 @@ components: $ref: "#/components/examples/tshirt" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 @@ -300,7 +300,7 @@ paths: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="26" swagger: "2.0" @@ -345,7 +345,7 @@ paths: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="30" { diff --git a/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md b/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md index 77e7d74f7e7..aa5647e8f96 100644 --- a/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md +++ b/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md @@ -28,7 +28,7 @@ String schema should have 'maxLength' defined.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 77 62" +```json title="Positive test num. 1 - json file" hl_lines="58 77 62" { "openapi": "3.0.0", "info": { @@ -115,7 +115,7 @@ String schema should have 'maxLength' defined.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="27 31" +```json title="Positive test num. 2 - json file" hl_lines="27 31" { "openapi": "3.0.0", "info": { @@ -185,7 +185,7 @@ String schema should have 'maxLength' defined.
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="34 37 47" +```yaml title="Positive test num. 3 - yaml file" hl_lines="34 37 47" openapi: 3.0.0 info: title: Simple API Overview @@ -235,7 +235,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="25 22" openapi: 3.0.0 @@ -278,7 +278,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="27 23" { @@ -324,7 +324,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="19 22" swagger: "2.0" diff --git a/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md b/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md index 7b10d27193b..c648e50f314 100644 --- a/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md +++ b/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md @@ -28,7 +28,7 @@ The header Parameter should not be named as 'Authorization'. If so, it will be i ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 43" +```json title="Positive test num. 1 - json file" hl_lines="58 43" { "openapi": "3.0.0", "info": { @@ -106,7 +106,7 @@ The header Parameter should not be named as 'Authorization'. If so, it will be i } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 36" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 36" openapi: 3.0.0 info: title: Simple API overview @@ -153,7 +153,7 @@ paths: description: 200 response ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -222,7 +222,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 @@ -266,7 +266,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="11 38" { @@ -316,7 +316,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="14 23" swagger: "2.0" diff --git a/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md b/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md index 78892a4a6be..0633fa67eb0 100644 --- a/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md +++ b/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md @@ -28,7 +28,7 @@ Any variable used in the Service URL should be defined in the Service Object thr ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="30" +```json title="Positive test num. 1 - json file" hl_lines="30" { "openapi": "3.0.0", "info": { @@ -71,7 +71,7 @@ Any variable used in the Service URL should be defined in the Service Object thr } ``` -```json title="Postitive test num. 2 - json file" hl_lines="32" +```json title="Positive test num. 2 - json file" hl_lines="32" { "openapi": "3.0.0", "info": { @@ -118,7 +118,7 @@ Any variable used in the Service URL should be defined in the Service Object thr } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="24" +```yaml title="Positive test num. 3 - yaml file" hl_lines="24" openapi: 3.0.0 info: title: Simple API Overview @@ -145,7 +145,7 @@ paths: url: https://development.{server}.com/{base} ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="22" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md b/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md index 8aa0a2bc067..bb1246c6053 100644 --- a/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md +++ b/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md @@ -28,7 +28,7 @@ Components' securityScheme field must have a valid scheme
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="2" +```json title="Positive test num. 1 - json file" hl_lines="2" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ Components' securityScheme field must have a valid scheme
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -121,7 +121,7 @@ Components' securityScheme field must have a valid scheme
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="44" +```json title="Positive test num. 3 - json file" hl_lines="44" { "openapi": "3.0.0", "info": { @@ -170,7 +170,7 @@ Components' securityScheme field must have a valid scheme
} ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="1" openapi: 3.0.0 @@ -200,7 +200,7 @@ paths: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 @@ -231,7 +231,7 @@ components: {} ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md b/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md index 9e8d7d67cb3..c5a4d2df00a 100644 --- a/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md +++ b/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md @@ -28,7 +28,7 @@ The Parameter Object should have the attribute 'schema' defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="64 11" +```json title="Positive test num. 1 - json file" hl_lines="64 11" { "openapi": "3.0.0", "info": { @@ -118,7 +118,7 @@ The Parameter Object should have the attribute 'schema' defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="44" +```json title="Positive test num. 2 - json file" hl_lines="44" { "openapi": "3.0.0", "info": { @@ -187,7 +187,7 @@ The Parameter Object should have the attribute 'schema' defined
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10 39" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10 39" openapi: 3.0.0 info: title: Simple API overview @@ -241,7 +241,7 @@ paths: externalValue: "http://foo.bar/examples/user-example.json" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md b/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md index b5920fd9e39..5dc18dfb47e 100644 --- a/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md +++ b/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md @@ -28,7 +28,7 @@ License Object URL should be a valid URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="8" +```json title="Positive test num. 1 - json file" hl_lines="8" { "openapi": "3.0.0", "info": { @@ -78,7 +78,7 @@ License Object URL should be a valid URL
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" openapi: 3.0.0 info: title: Simple API Overview @@ -108,7 +108,7 @@ paths: rel: self ``` -```json title="Postitive test num. 3 - json file" hl_lines="8" +```json title="Positive test num. 3 - json file" hl_lines="8" { "swagger": "2.0", "info": { @@ -135,7 +135,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="7" swagger: "2.0" diff --git a/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md b/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md index 31f2d33c53d..561af97eb9f 100644 --- a/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md +++ b/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md @@ -28,7 +28,7 @@ Components schemas definitions should be referenced or removed from Open API def ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="33" +```json title="Positive test num. 1 - json file" hl_lines="33" { "openapi": "3.0.0", "info": { @@ -77,7 +77,7 @@ Components schemas definitions should be referenced or removed from Open API def } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +```yaml title="Positive test num. 2 - yaml file" hl_lines="22" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md b/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md index 894d2ac016b..df189ac2a71 100644 --- a/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md +++ b/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md @@ -28,7 +28,7 @@ The property 'url' in the Path Server Object should only allow 'HTTPS' protocols ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="18" +```json title="Positive test num. 1 - json file" hl_lines="18" { "openapi": "3.0.0", "info": { @@ -88,7 +88,7 @@ The property 'url' in the Path Server Object should only allow 'HTTPS' protocols } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" openapi: 3.0.0 info: title: Simple API overview 
diff --git a/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md b/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md index f5078518d37..e8b46ea3830 100644 --- a/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md +++ b/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md @@ -28,7 +28,7 @@ All paths should have security scheme, if it is omitted, global security field s ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="9" +```json title="Positive test num. 1 - json file" hl_lines="9" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ All paths should have security scheme, if it is omitted, global security field s } ``` -```json title="Postitive test num. 2 - json file" hl_lines="46" +```json title="Positive test num. 2 - json file" hl_lines="46" { "openapi": "3.0.0", "info": { @@ -140,7 +140,7 @@ All paths should have security scheme, if it is omitted, global security field s } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +```yaml title="Positive test num. 3 - yaml file" hl_lines="7" openapi: 3.0.0 info: title: Simple API @@ -167,7 +167,7 @@ paths: rel: self ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="27" openapi: 3.0.0 @@ -209,7 +209,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="7" swagger: "2.0" @@ -229,7 +229,7 @@ paths: ```
-
Postitive test num. 6 - json file +
Positive test num. 6 - json file ```json hl_lines="9" { diff --git a/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md b/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md index a35501133f1..5788068cc8b 100644 --- a/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md +++ b/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md @@ -28,7 +28,7 @@ Each field on Open API specification which accepts '$ref', infers that field is ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="17" +```json title="Positive test num. 1 - json file" hl_lines="17" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ Each field on Open API specification which accepts '$ref', infers that field is } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" openapi: 3.0.0 info: title: Simple API Overview @@ -103,7 +103,7 @@ components: type: string ``` -```json title="Postitive test num. 3 - json file" hl_lines="13" +```json title="Positive test num. 3 - json file" hl_lines="13" { "swagger": "2.0", "info": { @@ -146,7 +146,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="13" swagger: "2.0" diff --git a/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md b/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md index 67b722ce9b5..1475d2ecf31 100644 --- a/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md +++ b/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md @@ -28,7 +28,7 @@ Schema reference should exists on definitions field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="15" +```json title="Positive test num. 1 - json file" hl_lines="15" { "swagger": "2.0", "info": { @@ -87,7 +87,7 @@ Schema reference should exists on definitions field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="14" --- swagger: '2.0' info: diff --git a/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md b/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md index 1199bb13dcf..430ee11930f 100644 --- a/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md +++ b/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md @@ -28,7 +28,7 @@ Responses Object should not be empty
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -47,7 +47,7 @@ Responses Object should not be empty
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "openapi": "3.0.0", "info": { @@ -73,7 +73,7 @@ Responses Object should not be empty
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API overview @@ -86,7 +86,7 @@ paths: responses: ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14" openapi: 3.0.0 @@ -106,7 +106,7 @@ components: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="12" { @@ -128,7 +128,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="10" swagger: "2.0" diff --git a/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md b/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md index ec1f182d80b..2c4bb580dae 100644 --- a/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md +++ b/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md @@ -28,7 +28,7 @@ Using an scope on global security field that is undefined on 'securityDefinition ### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="23" +```yaml title="Positive test num. 1 - yaml file" hl_lines="23" swagger: "2.0" info: title: Simple API Overview @@ -56,7 +56,7 @@ security: - error:api ``` -```json title="Postitive test num. 2 - json file" hl_lines="33" +```json title="Positive test num. 2 - json file" hl_lines="33" { "swagger": "2.0", "info": { diff --git a/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md b/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md index faea2be0683..38c222cf39c 100644 --- a/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md +++ b/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md @@ -28,7 +28,7 @@ API Keys should not be sent as cleartext over an unencrypted channel
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45 46 47" +```json title="Positive test num. 1 - json file" hl_lines="45 46 47" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ API Keys should not be sent as cleartext over an unencrypted channel
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 27 28" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 27 28" openapi: 3.0.0 info: title: Simple API Overview @@ -145,7 +145,7 @@ components: in: query ``` -```json title="Postitive test num. 3 - json file" hl_lines="22 23" +```json title="Positive test num. 3 - json file" hl_lines="22 23" { "swagger": "2.0", "info": { @@ -186,7 +186,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14 15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md b/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md index 1349b56abaf..5667077966e 100644 --- a/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md +++ b/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md @@ -28,7 +28,7 @@ Components responses definitions should be referenced or removed from Open API d ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="50" +```json title="Positive test num. 1 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -93,7 +93,7 @@ Components responses definitions should be referenced or removed from Open API d } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +```yaml title="Positive test num. 2 - yaml file" hl_lines="33" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md b/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md index ea26ddc78c2..b5c46b4d527 100644 --- a/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md +++ b/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md @@ -28,7 +28,7 @@ Schema of the JSON object should have properties defined and 'additionalProperti ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="67" +```json title="Positive test num. 1 - json file" hl_lines="67" { "openapi": "3.0.0", "info": { @@ -105,7 +105,7 @@ Schema of the JSON object should have properties defined and 'additionalProperti } ``` -```json title="Postitive test num. 2 - json file" hl_lines="16" +```json title="Positive test num. 2 - json file" hl_lines="16" { "openapi": "3.0.0", "info": { 
@@ -167,7 +167,7 @@ Schema of the JSON object should have properties defined and 'additionalProperti } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="40" +```yaml title="Positive test num. 3 - yaml file" hl_lines="40" openapi: 3.0.0 info: title: Simple API Overview @@ -210,7 +210,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16" openapi: 3.0.0 @@ -250,7 +250,7 @@ components: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="16" { @@ -288,7 +288,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md b/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md index f04c1fdf5d0..1a1a7ec6309 100644 --- a/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md +++ b/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md @@ -28,7 +28,7 @@ Objects should not accept 'additionalProperties' if it is possible
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="24" +```json title="Positive test num. 1 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ Objects should not accept 'additionalProperties' if it is possible
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" openapi: 3.0.0 info: title: Simple API Overview @@ -121,7 +121,7 @@ components: additionalProperties: 'false' ``` -```json title="Postitive test num. 3 - json file" hl_lines="34" +```json title="Positive test num. 3 - json file" hl_lines="34" { "openapi": "3.0.0", "info": { @@ -179,7 +179,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="23" openapi: 3.0.0 @@ -217,7 +217,7 @@ components: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="14" { @@ -277,7 +277,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="12" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md b/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md index fa08bec2246..0e58f68d11c 100644 --- a/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md +++ b/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md @@ -28,7 +28,7 @@ The Server URL should be an absolute URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="30" +```json title="Positive test num. 1 - json file" hl_lines="30" { "openapi": "3.0.0", "info": { @@ -71,7 +71,7 @@ The Server URL should be an absolute URL
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="32" +```json title="Positive test num. 2 - json file" hl_lines="32" { "openapi": "3.0.0", "info": { @@ -113,7 +113,7 @@ The Server URL should be an absolute URL
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="24" +```yaml title="Positive test num. 3 - yaml file" hl_lines="24" openapi: 3.0.0 info: title: Simple API Overview @@ -140,7 +140,7 @@ paths: url: /development.gigantic-server.com/v1 ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="22" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md b/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md index beda970c309..49154f047d4 100644 --- a/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md +++ b/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md @@ -28,7 +28,7 @@ Objects should accept 'additionalProperties' if it is allOf or an object with an ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="41" +```json title="Positive test num. 1 - json file" hl_lines="41" { "openapi": "3.0.0", "info": { @@ -93,7 +93,7 @@ Objects should accept 'additionalProperties' if it is allOf or an object with an } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="25" +```yaml title="Positive test num. 2 - yaml file" hl_lines="25" openapi: 3.0.0 info: title: Simple API Overview @@ -130,7 +130,7 @@ components: additionalProperties: 'false' ``` -```json title="Postitive test num. 3 - json file" hl_lines="15" +```json title="Positive test num. 3 - json file" hl_lines="15" { "openapi": "3.0.0", "info": { @@ -195,7 +195,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="13" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md b/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md index 87e20b490dc..d96f857bd1c 100644 --- a/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md +++ b/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md @@ -28,7 +28,7 @@ Security Scheme HTTP should not be using digest authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="57" +```json title="Positive test num. 1 - json file" hl_lines="57" { "openapi": "3.0.0", "info": { @@ -92,7 +92,7 @@ Security Scheme HTTP should not be using digest authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +```yaml title="Positive test num. 2 - yaml file" hl_lines="33" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md b/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md index 19f94355050..4c40f225e55 100644 --- a/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md +++ b/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md @@ -28,7 +28,7 @@ Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allow ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13" +```json title="Positive test num. 1 - json file" hl_lines="13" { "swagger": "2.0", "info": { @@ -54,7 +54,7 @@ Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allow } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md b/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md index 6399f012b39..60c51611e5b 100644 --- a/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md +++ b/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md @@ -28,7 +28,7 @@ Property 'explode' of the encoding object should be defined when the media type ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="49" +```json title="Positive test num. 1 - json file" hl_lines="49" { "openapi": "3.0.0", "info": { 
@@ -106,7 +106,7 @@ Property 'explode' of the encoding object should be defined when the media type } ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -175,7 +175,7 @@ Property 'explode' of the encoding object should be defined when the media type } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +```yaml title="Positive test num. 3 - yaml file" hl_lines="31" openapi: 3.0.0 info: title: Simple API Overview @@ -222,7 +222,7 @@ components: explode: true ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="30" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md b/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md index 58a1b5d8c55..4c3daf29749 100644 --- a/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md +++ b/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md @@ -28,7 +28,7 @@ The media type prefix should be set as 'application', 'audio', 'font', 'example' ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="53" +```json title="Positive test num. 1 - json file" hl_lines="53" { "openapi": "3.0.0", "info": { @@ -110,7 +110,7 @@ The media type prefix should be set as 'application', 'audio', 'font', 'example' } ``` -```json title="Postitive test num. 2 - json file" hl_lines="19" +```json title="Positive test num. 2 - json file" hl_lines="19" { "openapi": "3.0.0", "info": { @@ -162,7 +162,7 @@ The media type prefix should be set as 'application', 'audio', 'font', 'example' } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="30" +```yaml title="Positive test num. 3 - yaml file" hl_lines="30" openapi: 3.0.0 info: title: Simple API Overview @@ -208,7 +208,7 @@ components: contentType: image/png, image/jpeg ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md b/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md index 8116c8ee657..e9564059d5e 100644 --- a/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md +++ b/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md @@ -28,7 +28,7 @@ All security requirement objects must be defined in 'securityDefinitions'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="33" +```json title="Positive test num. 1 - json file" hl_lines="33" { "swagger": "2.0", "info": { @@ -77,7 +77,7 @@ All security requirement objects must be defined in 'securityDefinitions'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +```yaml title="Positive test num. 2 - yaml file" hl_lines="21" swagger: "2.0" info: title: Simple API Overview @@ -108,7 +108,7 @@ securityDefinitions: in: header ``` -```json title="Postitive test num. 3 - json file" hl_lines="30" +```json title="Positive test num. 3 - json file" hl_lines="30" { "swagger": "2.0", "info": { @@ -157,7 +157,7 @@ securityDefinitions: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="21" swagger: "2.0" diff --git a/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md b/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md index 4ec124d3481..b9fcc15bc57 100644 --- a/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md +++ b/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md @@ -28,7 +28,7 @@ The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13" +```json title="Positive test num. 1 - json file" hl_lines="13" { "swagger": "2.0", "info": { @@ -54,7 +54,7 @@ The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="11" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md b/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md index f99723a02f0..4c8a562f7ad 100644 --- a/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md +++ b/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md @@ -28,7 +28,7 @@ Components headers definitions should be referenced or removed from Open API def ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45" +```json title="Positive test num. 1 - json file" hl_lines="45" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ Components headers definitions should be referenced or removed from Open API def } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="29" +```yaml title="Positive test num. 2 - yaml file" hl_lines="29" openapi: 3.0.0 info: title: Simple API Overview 
diff --git a/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md b/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md index 73a4eb818f7..317ce283393 100644 --- a/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md +++ b/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md @@ -28,7 +28,7 @@ Schema/Parameter items should be defined when the schema/parameter is set to an ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="50" +```json title="Positive test num. 1 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -98,7 +98,7 @@ Schema/Parameter items should be defined when the schema/parameter is set to an } ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -161,7 +161,7 @@ Schema/Parameter items should be defined when the schema/parameter is set to an } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="27" +```yaml title="Positive test num. 3 - yaml file" hl_lines="27" openapi: 3.0.0 info: title: Simple API Overview @@ -200,7 +200,7 @@ components: - name ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="15" openapi: 3.0.0 @@ -238,7 +238,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="19" { @@ -289,7 +289,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="16" swagger: '2.0' diff --git a/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md b/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md index c1f13d6b709..30628362969 100644 --- a/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md +++ b/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md @@ -28,7 +28,7 @@ Schema Object define type should not use a keyword of another type
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="18 52" +```json title="Positive test num. 1 - json file" hl_lines="18 52" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ Schema Object define type should not use a keyword of another type
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="18 42" +```json title="Positive test num. 2 - json file" hl_lines="18 42" { "openapi": "3.0.0", "info": { @@ -172,7 +172,7 @@ Schema Object define type should not use a keyword of another type
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="18 46" +```json title="Positive test num. 3 - json file" hl_lines="18 46" { "openapi": "3.0.0", "info": { @@ -244,7 +244,7 @@ Schema Object define type should not use a keyword of another type
} ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16 37" openapi: 3.0.0 @@ -294,7 +294,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="16 29" openapi: 3.0.0 @@ -344,7 +344,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="16 37" openapi: 3.0.0 @@ -394,7 +394,7 @@ components: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="41 55" { @@ -461,7 +461,7 @@ components: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="33 42" swagger: "2.0" @@ -510,7 +510,7 @@ paths: ```
-
Postitive test num. 9 - json file +
Positive test num. 9 - json file ```json hl_lines="19" { @@ -543,7 +543,7 @@ paths: ```
-
Postitive test num. 10 - yaml file +
Positive test num. 10 - yaml file ```yaml hl_lines="17" swagger: "2.0" diff --git a/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md b/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md index 5fd66ccc739..9021b159952 100644 --- a/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md +++ b/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md @@ -28,7 +28,7 @@ If a response is not head or its code is not 204 or 304, it should have a schema ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="18" +```json title="Positive test num. 1 - json file" hl_lines="18" { "openapi": "3.0.0", "info": { @@ -84,7 +84,7 @@ If a response is not head or its code is not 204 or 304, it should have a schema } ``` -```json title="Postitive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 2 - json file" hl_lines="21" { "openapi": "3.0.0", "info": { @@ -143,7 +143,7 @@ If a response is not head or its code is not 204 or 304, it should have a schema } ``` -```json title="Postitive test num. 3 - json file" hl_lines="21 22" +```json title="Positive test num. 3 - json file" hl_lines="21 22" { "openapi": "3.0.0", "info": { @@ -219,7 +219,7 @@ If a response is not head or its code is not 204 or 304, it should have a schema } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="20" { @@ -279,7 +279,7 @@ If a response is not head or its code is not 204 or 304, it should have a schema ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="15" openapi: 3.0.0 @@ -319,7 +319,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -361,7 +361,7 @@ components: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="18 19" openapi: 3.0.0 @@ -414,7 +414,7 @@ components: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="17" openapi: 3.0.0 @@ -455,7 +455,7 @@ components: ```
-
Postitive test num. 9 - json file +
Positive test num. 9 - json file ```json hl_lines="18" { @@ -495,7 +495,7 @@ components: ```
-
Postitive test num. 10 - yaml file +
Positive test num. 10 - yaml file ```yaml hl_lines="15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md b/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md index 2dea582ed0e..e8f342de043 100644 --- a/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md +++ b/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md @@ -28,7 +28,7 @@ The field 'default' of Schema Object should be consistent with the schema's type ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="21" +```json title="Positive test num. 1 - json file" hl_lines="21" { "openapi": "3.0.0", "info": { @@ -62,7 +62,7 @@ The field 'default' of Schema Object should be consistent with the schema's type } ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -96,7 +96,7 @@ The field 'default' of Schema Object should be consistent with the schema's type } ``` -```json title="Postitive test num. 3 - json file" hl_lines="18" +```json title="Positive test num. 3 - json file" hl_lines="18" { "openapi": "3.0.0", "info": { @@ -146,7 +146,7 @@ The field 'default' of Schema Object should be consistent with the schema's type } ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="18" { @@ -185,7 +185,7 @@ The field 'default' of Schema Object should be consistent with the schema's type ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="19" openapi: 3.0.0 @@ -211,7 +211,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="20" openapi: 3.0.0 @@ -237,7 +237,7 @@ paths: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="27" openapi: 3.0.0 @@ -271,7 +271,7 @@ paths: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="19" openapi: 3.0.0 @@ -296,7 +296,7 @@ paths: ```
-
Postitive test num. 9 - json file +
Positive test num. 9 - json file ```json hl_lines="16" { @@ -331,7 +331,7 @@ paths: ```
-
Postitive test num. 10 - yaml file +
Positive test num. 10 - yaml file ```yaml hl_lines="17" swagger: "2.0" diff --git a/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md b/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md index a9f5b90ed31..4934c75fb95 100644 --- a/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md +++ b/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md @@ -28,7 +28,7 @@ Security field should be defined in '#/components/securitySchemes'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45" +```json title="Positive test num. 1 - json file" hl_lines="45" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Security field should be defined in '#/components/securitySchemes'
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="45" +```json title="Positive test num. 2 - json file" hl_lines="45" { "openapi": "3.0.0", "info": { @@ -144,7 +144,7 @@ Security field should be defined in '#/components/securitySchemes'
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="26" +```yaml title="Positive test num. 3 - yaml file" hl_lines="26" openapi: 3.0.0 info: title: Simple API overview @@ -175,7 +175,7 @@ security: - read:pets ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md b/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md index 12fb5121159..93e1bfbc45c 100644 --- a/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md +++ b/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md @@ -28,7 +28,7 @@ Property defining minimum has greater value than maximum defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="52 71" +```json title="Positive test num. 1 - json file" hl_lines="52 71" { "openapi": "3.0.0", "info": { @@ -109,7 +109,7 @@ Property defining minimum has greater value than maximum defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -170,7 +170,7 @@ Property defining minimum has greater value than maximum defined
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="33 47" +```yaml title="Positive test num. 3 - yaml file" hl_lines="33 47" openapi: 3.0.0 info: title: Simple API Overview @@ -220,7 +220,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="21" openapi: 3.0.0 @@ -261,7 +261,7 @@ paths: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="33 50" openapi: 3.0.0 @@ -317,7 +317,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="32" openapi: 3.0.0 @@ -360,7 +360,7 @@ components: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="25" { diff --git a/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md b/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md index 1e0aa80b656..05b0cb4c6b3 100644 --- a/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md +++ b/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md @@ -28,7 +28,7 @@ All path templates should not be empty
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="32" +```yaml title="Positive test num. 1 - yaml file" hl_lines="32" openapi: 3.0.0 info: title: Simple API overview @@ -75,7 +75,7 @@ paths: description: 200 response ``` -```json title="Postitive test num. 2 - json file" hl_lines="53" +```json title="Positive test num. 2 - json file" hl_lines="53" { "openapi": "3.0.0", "info": { @@ -153,7 +153,7 @@ paths: } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" swagger: "2.0" info: title: Simple API Overview @@ -185,7 +185,7 @@ definitions: maximum: 600 ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="13" { diff --git a/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md b/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md index 2e2f214e8a9..d2afccd7456 100644 --- a/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md +++ b/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md @@ -28,7 +28,7 @@ API Keys should not be transported over network
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45 46 47" +```json title="Positive test num. 1 - json file" hl_lines="45 46 47" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ API Keys should not be transported over network
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 27 28" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 27 28" openapi: 3.0.0 info: title: Simple API Overview @@ -145,7 +145,7 @@ components: in: query ``` -```json title="Postitive test num. 3 - json file" hl_lines="22 23" +```json title="Positive test num. 3 - json file" hl_lines="22 23" { "swagger": "2.0", "info": { @@ -186,7 +186,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14 15" swagger: "2.0" @@ -406,3 +406,41 @@ security: ```
+
Negative test num. 5 - yaml file + +```yaml +openapi: "3.0.1" +info: + title: "test" + version: "1.0" +servers: + - url: "https://@API-GW-ID.execute-api.us-east-1.amazonaws.com/{basePath}" + variables: + basePath: + default: "/api" + +paths: + /address: + get: + summary: test + description: test + responses: + '200': + description: test + content: + text/plain: + schema: + type: string + +security: + - authorizer: [ ] + +components: + securitySchemes: + authorizer: + type: "apiKey" + name: "authorization" + in: "header" + +``` +
diff --git a/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md b/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md index db02bb76f12..9af79494643 100644 --- a/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md +++ b/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md @@ -28,7 +28,7 @@ Components examples definitions should be referenced or removed from Open API de ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="42" +```json title="Positive test num. 1 - json file" hl_lines="42" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Components examples definitions should be referenced or removed from Open API de } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="27" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md b/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md index f4b3548cc05..4a422529460 100644 --- a/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md +++ b/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md @@ -28,7 +28,7 @@ Contact Object Email should be a valid email
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="9" +```json title="Positive test num. 1 - json file" hl_lines="9" { "openapi": "3.0.0", "info": { @@ -79,7 +79,7 @@ Contact Object Email should be a valid email
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" openapi: 3.0.0 info: title: Simple API Overview @@ -110,7 +110,7 @@ paths: rel: self ``` -```json title="Postitive test num. 3 - json file" hl_lines="9" +```json title="Positive test num. 3 - json file" hl_lines="9" { "swagger": "2.0", "info": { @@ -138,7 +138,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="8" swagger: "2.0" diff --git a/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md b/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md index 7db7cf141a8..bb54de37809 100644 --- a/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md +++ b/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md @@ -28,7 +28,7 @@ Global External Documentation URL should be a valid URL
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="49" +```json title="Positive test num. 1 - json file" hl_lines="49" { "openapi": "3.0.0", "info": { @@ -82,7 +82,7 @@ Global External Documentation URL should be a valid URL
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26" openapi: 3.0.0 info: title: Simple API Overview @@ -111,7 +111,7 @@ externalDocs: url: / ``` -```json title="Postitive test num. 3 - json file" hl_lines="26" +```json title="Positive test num. 3 - json file" hl_lines="26" { "swagger": "2.0", "info": { @@ -142,7 +142,7 @@ externalDocs: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md b/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md index 92d83b2f4dc..dffac6463b0 100644 --- a/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md +++ b/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md @@ -28,7 +28,7 @@ Get should define at least one success response (200 or 202)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "swagger": "2.0", "info": { @@ -51,7 +51,7 @@ Get should define at least one success response (200 or 202)
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10" swagger: "2.0" info: title: Simple API @@ -66,7 +66,7 @@ paths: description: Error ``` -```json title="Postitive test num. 3 - json file" hl_lines="12" +```json title="Positive test num. 3 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -89,7 +89,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md b/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md index a0ff7d3ef0b..f1f1f50a265 100644 --- a/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md +++ b/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md @@ -28,7 +28,7 @@ All global parameters definitions should be in use
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="26" +```json title="Positive test num. 1 - json file" hl_lines="26" { "swagger": "2.0", "info": { @@ -67,7 +67,7 @@ All global parameters definitions should be in use
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md b/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md index 785e2636f5f..df942d55f8c 100644 --- a/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md +++ b/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md @@ -28,7 +28,7 @@ Response Object reference must always point to '#/components/responses'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="44" +```json title="Positive test num. 1 - json file" hl_lines="44" { "openapi": "3.0.0", "info": { @@ -81,7 +81,7 @@ Response Object reference must always point to '#/components/responses'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +```yaml title="Positive test num. 2 - yaml file" hl_lines="27" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md b/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md index acec6e18cee..4551110df27 100644 --- a/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md +++ b/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md @@ -28,7 +28,7 @@ The 'basePath' value format must match the pattern '^/'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="7" +```json title="Positive test num. 1 - json file" hl_lines="7" { "swagger": "2.0", "info": { @@ -74,7 +74,7 @@ The 'basePath' value format must match the pattern '^/'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +```yaml title="Positive test num. 2 - yaml file" hl_lines="5" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md b/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md index a1a1376e310..8235cc05a1e 100644 --- a/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md +++ b/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md @@ -28,7 +28,7 @@ The discriminator property in the Schema Object should be a required property
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -252,7 +252,7 @@ security: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="35" { @@ -296,7 +296,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="16" swagger: "2.0" @@ -326,7 +326,7 @@ definitions: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="16" { @@ -365,7 +365,7 @@ definitions: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md b/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md index 85eeea7e2be..5ad04b24375 100644 --- a/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md +++ b/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md @@ -28,7 +28,7 @@ Only one body parameter is allowed on operation's parameters type field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="10" +```json title="Positive test num. 1 - json file" hl_lines="10" { "swagger": "2.0", "info": { @@ -71,7 +71,7 @@ Only one body parameter is allowed on operation's parameters type field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md b/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md index 4fb7feafba5..c0a4632c030 100644 --- a/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md +++ b/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md @@ -28,7 +28,7 @@ Link object reference must always point to '#/components/links'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="52" +```json title="Positive test num. 1 - json file" hl_lines="52" { "openapi": "3.0.0", "info": { @@ -97,7 +97,7 @@ Link object reference must always point to '#/components/links'
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="27" +```json title="Positive test num. 2 - json file" hl_lines="27" { "openapi": "3.0.0", "info": { @@ -159,7 +159,7 @@ Link object reference must always point to '#/components/links'
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="34" +```yaml title="Positive test num. 3 - yaml file" hl_lines="34" openapi: 3.0.0 info: title: Simple API overview @@ -201,7 +201,7 @@ components: userId: $request.path.id ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="21" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md b/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md index ed832b44ebd..5e330d2c5f3 100644 --- a/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md +++ b/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md @@ -28,7 +28,7 @@ Callback Object reference must always point to '#/components/callbacks'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19" +```json title="Positive test num. 1 - json file" hl_lines="19" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ Callback Object reference must always point to '#/components/callbacks'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md b/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md index 17fecdde9cb..62b5b25cca4 100644 --- a/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md +++ b/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md @@ -28,7 +28,7 @@ If the security scheme is not of type 'oauth2', the array value must be empty
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="53" { @@ -322,7 +322,7 @@ Security object for operations should not be empty object or has any empty objec ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="10" openapi: 3.0.0 @@ -356,7 +356,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="31" openapi: 3.0.0 @@ -400,7 +400,7 @@ security: ```
-
Postitive test num. 7 - yaml file +
Positive test num. 7 - yaml file ```yaml hl_lines="28" openapi: 3.0.0 @@ -443,7 +443,7 @@ security: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="32" openapi: 3.0.0 @@ -499,7 +499,7 @@ security: ```
-
Postitive test num. 9 - yaml file +
Positive test num. 9 - yaml file ```yaml hl_lines="14" swagger: "2.0" @@ -533,7 +533,7 @@ paths: ```
-
Postitive test num. 10 - json file +
Positive test num. 10 - json file ```json hl_lines="17" { diff --git a/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md b/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md index b1681e55373..cd1b20265bd 100644 --- a/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md +++ b/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md @@ -28,7 +28,7 @@ Reference to examples should point to #/components/examples
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="77" +```json title="Positive test num. 1 - json file" hl_lines="77" { "openapi": "3.0.0", "info": { @@ -117,7 +117,7 @@ Reference to examples should point to #/components/examples
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="51" +```yaml title="Positive test num. 2 - yaml file" hl_lines="51" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md b/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md index 1db9fb8bdc5..0018a190dc2 100644 --- a/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md +++ b/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md @@ -28,7 +28,7 @@ Response Object reference must always point to '#/responses'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "swagger": "2.0", "info": { @@ -93,7 +93,7 @@ Response Object reference must always point to '#/responses'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md b/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md index eaf4491ecc8..1b660ad60cf 100644 --- a/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md +++ b/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md @@ -28,7 +28,7 @@ Schema array items type should be defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="65" +```json title="Positive test num. 1 - json file" hl_lines="65" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ Schema array items type should be defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -167,7 +167,7 @@ Schema array items type should be defined
} ``` -```json title="Postitive test num. 3 - json file" hl_lines="21" +```json title="Positive test num. 3 - json file" hl_lines="21" { "openapi": "3.0.0", "info": { @@ -241,7 +241,7 @@ Schema array items type should be defined
} ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="42" openapi: 3.0.0 @@ -289,7 +289,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="19" openapi: 3.0.0 @@ -336,7 +336,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="19" openapi: 3.0.0 @@ -385,7 +385,7 @@ components: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="25" { @@ -423,7 +423,7 @@ components: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="20" swagger: "2.0" diff --git a/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md b/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md index 563600333be..50c0b1a00fc 100644 --- a/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md +++ b/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md @@ -28,7 +28,7 @@ There is a constraining keyword in a property which is already restricted by enu ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="24 49 38" +```json title="Positive test num. 1 - json file" hl_lines="24 49 38" { "swagger": "2.0", "info": { @@ -89,7 +89,7 @@ There is a constraining keyword in a property which is already restricted by enu } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19 27 36" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19 27 36" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md b/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md index b57b2f5a4dc..30656d9fe45 100644 --- a/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md +++ b/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md @@ -28,7 +28,7 @@ Operation Object should have 'produces' feild defined for 'GET'operation
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="9" +```json title="Positive test num. 1 - json file" hl_lines="9" { "swagger": "2.0", "info": { @@ -85,7 +85,7 @@ Operation Object should have 'produces' feild defined for 'GET'operation
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +```yaml title="Positive test num. 2 - yaml file" hl_lines="7" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md b/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md index a3e2d9c3785..b9441598ad9 100644 --- a/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md +++ b/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md @@ -28,7 +28,7 @@ Components links definitions should be referenced or removed from Open API defin ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="45" +```json title="Positive test num. 1 - json file" hl_lines="45" { "openapi": "3.0.0", "info": { @@ -81,7 +81,7 @@ Components links definitions should be referenced or removed from Open API defin } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="29" +```yaml title="Positive test num. 2 - yaml file" hl_lines="29" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md b/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md index 84c7e317173..af39461c888 100644 --- a/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md +++ b/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md @@ -28,7 +28,7 @@ OperationId should be unique when defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="46 15" +```json title="Positive test num. 1 - json file" hl_lines="46 15" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ OperationId should be unique when defined
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="8 25" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8 25" openapi: 3.0.0 info: title: Simple API overview @@ -117,7 +117,7 @@ paths: description: Created ``` -```json title="Postitive test num. 3 - json file" hl_lines="23 15" +```json title="Positive test num. 3 - json file" hl_lines="23 15" { "swagger": "2.0", "info": { @@ -152,7 +152,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="8 13" swagger: "2.0" diff --git a/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md b/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md index 672725fae43..370cf79c590 100644 --- a/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md +++ b/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md @@ -28,7 +28,7 @@ The Body Parameter Object should only have the following properties defined - 'n ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43 19" +```json title="Positive test num. 1 - json file" hl_lines="43 19" { "swagger": "2.0", "info": { @@ -79,7 +79,7 @@ The Body Parameter Object should only have the following properties defined - 'n } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="20 30" +```yaml title="Positive test num. 2 - yaml file" hl_lines="20 30" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md b/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md index 187f9938ebf..3ddcf634048 100644 --- a/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md +++ b/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md @@ -28,7 +28,7 @@ The In field of Parameter Object must be 'formData' when type is 'file'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12 31" +```json title="Positive test num. 1 - json file" hl_lines="12 31" { "swagger": "2.0", "info": { @@ -69,7 +69,7 @@ The In field of Parameter Object must be 'formData' when type is 'file'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="10 22" +```yaml title="Positive test num. 2 - yaml file" hl_lines="10 22" --- swagger: '2.0' info: diff --git a/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md b/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md index 8315646143f..882a1171c94 100644 --- a/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md +++ b/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md @@ -28,7 +28,7 @@ Link object 'OperationId' should target an existing operation object in the Open ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="71" +```json title="Positive test num. 1 - json file" hl_lines="71" { "openapi": "3.0.0", "info": { @@ -119,7 +119,7 @@ Link object 'OperationId' should target an existing operation object in the Open } ``` -```json title="Postitive test num. 2 - json file" hl_lines="28" +```json title="Positive test num. 2 - json file" hl_lines="28" { "openapi": "3.0.0", "info": { @@ -182,7 +182,7 @@ Link object 'OperationId' should target an existing operation object in the Open } ``` -```json title="Postitive test num. 3 - json file" hl_lines="68" +```json title="Positive test num. 3 - json file" hl_lines="68" { "openapi": "3.0.0", "info": { @@ -260,7 +260,7 @@ Link object 'OperationId' should target an existing operation object in the Open } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="51" openapi: 3.0.0 @@ -319,7 +319,7 @@ components: ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file ```yaml hl_lines="21" openapi: 3.0.0 @@ -361,7 +361,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="43" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md b/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md index 2b01455d016..edd47f44f49 100644 --- a/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md +++ b/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md @@ -28,7 +28,7 @@ The Servers array should have at least one server defined. If not, the default v ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="2" +```json title="Positive test num. 1 - json file" hl_lines="2" { "openapi": "3.0.0", "info": { @@ -74,7 +74,7 @@ The Servers array should have at least one server defined. If not, the default v } ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -121,7 +121,7 @@ The Servers array should have at least one server defined. If not, the default v } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="1" +```yaml title="Positive test num. 3 - yaml file" hl_lines="1" openapi: 3.0.0 info: title: Simple API Overview @@ -148,7 +148,7 @@ paths: rel: self ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="25" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md b/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md index 40441c95394..ef4988c7ed0 100644 --- a/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md +++ b/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md @@ -28,7 +28,7 @@ Request Body reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="18" +```json title="Positive test num. 1 - json file" hl_lines="18" { "openapi": "3.0.0", "info": { @@ -81,7 +81,7 @@ Request Body reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="14" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md b/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md index 52807280102..70ded27a767 100644 --- a/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md +++ b/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md @@ -28,7 +28,7 @@ Encoding Map Key should be set in schema defined properties
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="70" +```json title="Positive test num. 1 - json file" hl_lines="70" { "openapi": "3.0.0", "info": { @@ -110,7 +110,7 @@ Encoding Map Key should be set in schema defined properties
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="36" +```json title="Positive test num. 2 - json file" hl_lines="36" { "openapi": "3.0.0", "info": { @@ -162,7 +162,7 @@ Encoding Map Key should be set in schema defined properties
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="42" +```yaml title="Positive test num. 3 - yaml file" hl_lines="42" openapi: 3.0.0 info: title: Simple API Overview @@ -208,7 +208,7 @@ components: contentType: image/png, image/jpeg ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md b/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md index f677cf1812f..d3b6fd56010 100644 --- a/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md +++ b/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md @@ -28,7 +28,7 @@ Operation Object should not use basic authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "swagger": "2.0", "info": { @@ -65,7 +65,7 @@ Operation Object should not use basic authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md b/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md index 1ceba7590cc..2dd36f2c65a 100644 --- a/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md +++ b/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md @@ -28,7 +28,7 @@ The Media Type value should match the following format: /[+suffix ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="28" +```json title="Positive test num. 1 - json file" hl_lines="28" { "openapi": "3.0.0", "info": { @@ -71,7 +71,7 @@ The Media Type value should match the following format: /[+suffix } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="20" +```yaml title="Positive test num. 2 - yaml file" hl_lines="20" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md b/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md index 70b8f9dc479..e5850aa6859 100644 --- a/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md +++ b/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md @@ -28,7 +28,7 @@ Components callbacks definitions should be referenced or removed from Open API d ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { 
@@ -69,7 +69,7 @@ Components callbacks definitions should be referenced or removed from Open API d } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md b/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md index cdb5613bf64..6666e2ae1d9 100644 --- a/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md +++ b/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md @@ -28,7 +28,7 @@ OpenAPI Object should contain all of its required fields
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="3" +```json title="Positive test num. 1 - json file" hl_lines="3" { "openapi": "3.0.0", "info": { @@ -43,7 +43,7 @@ OpenAPI Object should contain all of its required fields
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="2" +```yaml title="Positive test num. 2 - yaml file" hl_lines="2" openapi: 3.0.0 info: title: Simple API Overview @@ -54,7 +54,7 @@ info: paths: {} ``` -```json title="Postitive test num. 3 - json file" hl_lines="9 12" +```json title="Positive test num. 3 - json file" hl_lines="9 12" { "openapi": "3.0.0", "info": { @@ -85,7 +85,7 @@ paths: {} } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="10 7" openapi: 3.0.0 @@ -106,7 +106,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="62 65 54" { @@ -182,7 +182,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="32 36 38" openapi: 3.0.0 @@ -227,7 +227,7 @@ components: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="72 27 53" { @@ -319,7 +319,7 @@ components: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="18 42 31" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md b/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md index ebbeef8a447..408bf6f1b36 100644 --- a/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md +++ b/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md @@ -28,7 +28,7 @@ Schema should not have both 'writeOnly' and 'readOnly' set to true
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="50" +```json title="Positive test num. 1 - json file" hl_lines="50" { "openapi": "3.0.0", "info": { @@ -106,7 +106,7 @@ Schema should not have both 'writeOnly' and 'readOnly' set to true
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="22" +```json title="Positive test num. 2 - json file" hl_lines="22" { "openapi": "3.0.0", "info": { @@ -177,7 +177,7 @@ Schema should not have both 'writeOnly' and 'readOnly' set to true
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="27" +```yaml title="Positive test num. 3 - yaml file" hl_lines="27" openapi: 3.0.0 info: title: Simple API Overview @@ -222,7 +222,7 @@ components: - name ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="15" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md b/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md index 2407b9df411..ca1c505a17d 100644 --- a/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md +++ b/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md @@ -28,7 +28,7 @@ Property 'style' of the encoding object should be defined when the media type of ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="49" +```json title="Positive test num. 1 - json file" hl_lines="49" { "openapi": "3.0.0", "info": { @@ -107,7 +107,7 @@ Property 'style' of the encoding object should be defined when the media type of } ``` -```json title="Postitive test num. 2 - json file" hl_lines="43" +```json title="Positive test num. 2 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -177,7 +177,7 @@ Property 'style' of the encoding object should be defined when the media type of } ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +```yaml title="Positive test num. 3 - yaml file" hl_lines="31" openapi: 3.0.0 info: title: Simple API Overview @@ -225,7 +225,7 @@ components: style: simple ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="30" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md b/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md index 064f7b8b0f0..5c07d8c484f 100644 --- a/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md +++ b/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md @@ -28,7 +28,7 @@ Parameter Object reference must always point to '#/components/parameters'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="56 67 59" +```json title="Positive test num. 1 - json file" hl_lines="56 67 59" { "openapi": "3.0.0", "info": { @@ -104,7 +104,7 @@ Parameter Object reference must always point to '#/components/parameters'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="41 42 46" +```yaml title="Positive test num. 2 - yaml file" hl_lines="41 42 46" openapi: 3.0.0 info: title: Simple API overview diff --git a/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md b/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md index 4cf2ecd4ea8..52f73b02628 100644 --- a/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md +++ b/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md @@ -28,7 +28,7 @@ Operation summary should be short (less than 120 characters)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="11" +```json title="Positive test num. 1 - json file" hl_lines="11" { "swagger": "2.0", "info": { @@ -51,7 +51,7 @@ Operation summary should be short (less than 120 characters)
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +```yaml title="Positive test num. 2 - yaml file" hl_lines="9" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md b/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md index 08ffdca1a0e..e223f4526e3 100644 --- a/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md +++ b/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md @@ -28,7 +28,7 @@ The Header Response should not be named as 'Content-Type', 'Authorization' or 'A ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="42" +```json title="Positive test num. 1 - json file" hl_lines="42" { "openapi": "3.0.0", "info": { @@ -109,7 +109,7 @@ The Header Response should not be named as 'Content-Type', 'Authorization' or 'A } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="28" +```yaml title="Positive test num. 2 - yaml file" hl_lines="28" openapi: 3.0.0 info: title: Simple API overview @@ -155,7 +155,7 @@ paths: rel: self ``` -```json title="Postitive test num. 3 - json file" hl_lines="32 14" +```json title="Positive test num. 3 - json file" hl_lines="32 14" { "swagger": "2.0", "info": { @@ -226,7 +226,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="12 21" swagger: '2.0' diff --git a/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md b/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md index adfd2df8df0..da49ee8b919 100644 --- a/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md +++ b/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md @@ -28,7 +28,7 @@ Security object need to have defined rules in its array and rules should be defi ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="43" +```json title="Positive test num. 1 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -75,7 +75,7 @@ Security object need to have defined rules in its array and rules should be defi } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="25" +```yaml title="Positive test num. 2 - yaml file" hl_lines="25" openapi: 3.0.0 info: title: Simple API overview @@ -103,7 +103,7 @@ paths: security: [] ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="38" +```yaml title="Positive test num. 3 - yaml file" hl_lines="38" swagger: "2.0" info: title: Simple API Overview @@ -144,7 +144,7 @@ paths: security: [] ``` -
Postitive test num. 4 - json file +
Positive test num. 4 - json file ```json hl_lines="60" { diff --git a/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md b/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md index a188494a1c1..6a9d5359465 100644 --- a/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md +++ b/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md @@ -28,7 +28,7 @@ HTTP Responses status code should be in range of [200-599]
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="13 39" +```json title="Positive test num. 1 - json file" hl_lines="13 39" { "openapi": "3.0.0", "info": { @@ -100,7 +100,7 @@ HTTP Responses status code should be in range of [200-599]
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="25 11" +```yaml title="Positive test num. 2 - yaml file" hl_lines="25 11" openapi: 3.0.0 info: title: Simple API overview @@ -141,7 +141,7 @@ paths: rel: self ``` -```json title="Postitive test num. 3 - json file" hl_lines="13 39" +```json title="Positive test num. 3 - json file" hl_lines="13 39" { "swagger": "2.0", "info": { @@ -213,7 +213,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="25 11" swagger: "2.0" diff --git a/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md b/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md index 49b5ce68596..a9b694e45a1 100644 --- a/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md +++ b/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md @@ -28,7 +28,7 @@ API Keys should not be sent as cleartext over an unencrypted channel
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19 20 21" +```json title="Positive test num. 1 - json file" hl_lines="19 20 21" { "openapi": "3.0.0", "info": { @@ -77,7 +77,7 @@ API Keys should not be sent as cleartext over an unencrypted channel
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16 14 15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16 14 15" openapi: 3.0.0 info: title: Simple API overview @@ -110,7 +110,7 @@ components: in: query ``` -```json title="Postitive test num. 3 - json file" hl_lines="19 20" +```json title="Positive test num. 3 - json file" hl_lines="19 20" { "swagger": "2.0", "info": { @@ -151,7 +151,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14 15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md b/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md index 766251e77f8..c36070c0305 100644 --- a/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md +++ b/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md @@ -28,7 +28,7 @@ The format should be valid for the type defined. For integer type must be int32 ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="33 37 14 53 61" +```json title="Positive test num. 1 - json file" hl_lines="33 37 14 53 61" { "openapi": "3.0.0", "info": { @@ -102,7 +102,7 @@ The format should be valid for the type defined. For integer type must be int32 } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="37 43 12 26 29" +```yaml title="Positive test num. 2 - yaml file" hl_lines="37 43 12 26 29" openapi: 3.0.0 info: title: Simple API Overview @@ -151,7 +151,7 @@ components: format: double ``` -```json title="Postitive test num. 3 - json file" hl_lines="42" +```json title="Positive test num. 3 - json file" hl_lines="42" { "swagger": "2.0", "info": { @@ -216,7 +216,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="33" swagger: "2.0" diff --git a/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md b/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md index 29971531f4c..336ab7b0a2a 100644 --- a/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md +++ b/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md @@ -28,7 +28,7 @@ Schema discriminator property should be a string
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="53" +```json title="Positive test num. 1 - json file" hl_lines="53" { "openapi": "3.0.0", "info": { @@ -104,7 +104,7 @@ Schema discriminator property should be a string
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="25" +```json title="Positive test num. 2 - json file" hl_lines="25" { "openapi": "3.0.0", "info": { @@ -176,7 +176,7 @@ Schema discriminator property should be a string
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +```yaml title="Positive test num. 3 - yaml file" hl_lines="32" openapi: 3.0.0 info: title: Simple API Overview @@ -221,7 +221,7 @@ components: - petType ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -267,7 +267,7 @@ security: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="28" { @@ -319,7 +319,7 @@ security: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="16" swagger: "2.0" @@ -351,7 +351,7 @@ definitions: ```
-
Postitive test num. 7 - json file +
Positive test num. 7 - json file ```json hl_lines="22" { @@ -401,7 +401,7 @@ definitions: ```
-
Postitive test num. 8 - yaml file +
Positive test num. 8 - yaml file ```yaml hl_lines="15" swagger: "2.0" diff --git a/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md b/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md index 839485c2e92..329227df09f 100644 --- a/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md +++ b/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md @@ -28,7 +28,7 @@ Schema of the JSON object should have 'type' defined.
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="75" +```json title="Positive test num. 1 - json file" hl_lines="75" { "openapi": "3.0.0", "info": { @@ -113,7 +113,7 @@ Schema of the JSON object should have 'type' defined.
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="16" +```json title="Positive test num. 2 - json file" hl_lines="16" { "openapi": "3.0.0", "info": { @@ -174,7 +174,7 @@ Schema of the JSON object should have 'type' defined.
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="45" +```yaml title="Positive test num. 3 - yaml file" hl_lines="45" openapi: 3.0.0 info: title: Simple API Overview @@ -222,7 +222,7 @@ components: $ref: "#/components/schemas/GeneralError" ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="16" openapi: 3.0.0 @@ -261,7 +261,7 @@ components: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="16" { @@ -307,7 +307,7 @@ components: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md b/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md index 5b1cd05f1b2..ad5a9809092 100644 --- a/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md +++ b/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md @@ -28,7 +28,7 @@ Security Definitions Object should be set and not empty
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="2" +```json title="Positive test num. 1 - json file" hl_lines="2" { "swagger": "2.0", "info": { @@ -52,7 +52,7 @@ Security Definitions Object should be set and not empty
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="1" +```yaml title="Positive test num. 2 - yaml file" hl_lines="1" swagger: "2.0" info: title: Simple API Overview @@ -68,7 +68,7 @@ paths: securityDefinitions: {} ``` -```json title="Postitive test num. 3 - json file" hl_lines="2" +```json title="Positive test num. 3 - json file" hl_lines="2" { "swagger": "2.0", "info": { @@ -91,7 +91,7 @@ securityDefinitions: {} } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="1" swagger: "2.0" diff --git a/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md b/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md index 29dfd5a6eb5..6df7de963c5 100644 --- a/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md +++ b/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md @@ -28,7 +28,7 @@ There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecat ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="27" +```json title="Positive test num. 1 - json file" hl_lines="27" { "swagger": "2.0", "info": { @@ -66,7 +66,7 @@ There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecat } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="19" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md b/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md index 3febea30f06..ded9142ed6a 100644 --- a/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md +++ b/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md @@ -28,7 +28,7 @@ Responses reference should exist on responses definition field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="14" +```json title="Positive test num. 1 - json file" hl_lines="14" { "swagger": "2.0", "info": { @@ -77,7 +77,7 @@ Responses reference should exist on responses definition field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +```yaml title="Positive test num. 2 - yaml file" hl_lines="12" swagger: '2.0' info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md b/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md index e59d54f0246..8f5bd057e2c 100644 --- a/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md +++ b/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md @@ -28,7 +28,7 @@ Operation object parameters should not have both 'body' and 'formatData' locatio ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="17" +```json title="Positive test num. 1 - json file" hl_lines="17" { "swagger": "2.0", "info": { @@ -76,7 +76,7 @@ Operation object parameters should not have both 'body' and 'formatData' locatio } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +```yaml title="Positive test num. 2 - yaml file" hl_lines="13" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md b/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md index 78d8031d971..dcb18f34184 100644 --- a/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md +++ b/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md @@ -28,7 +28,7 @@ The Body Parameter Object should have the attribute 'schema' defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12 30" +```json title="Positive test num. 1 - json file" hl_lines="12 30" { "swagger": "2.0", "info": { @@ -67,7 +67,7 @@ The Body Parameter Object should have the attribute 'schema' defined
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="20 14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="20 14" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md b/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md index ba1c703da6d..7dd548d4741 100644 --- a/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md +++ b/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md @@ -28,7 +28,7 @@ The header Parameter should not be named as 'Accept'. If so, it will be ignored. ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="58 43" +```json title="Positive test num. 1 - json file" hl_lines="58 43" { "openapi": "3.0.0", "info": { @@ -106,7 +106,7 @@ The header Parameter should not be named as 'Accept'. If so, it will be ignored. } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 36" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26 36" openapi: 3.0.0 info: title: Simple API overview @@ -153,7 +153,7 @@ paths: description: 200 response ``` -```json title="Postitive test num. 3 - json file" hl_lines="43" +```json title="Positive test num. 3 - json file" hl_lines="43" { "openapi": "3.0.0", "info": { @@ -222,7 +222,7 @@ paths: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="26" openapi: 3.0.0 @@ -266,7 +266,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="11 38" { @@ -316,7 +316,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="21 14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md b/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md index 458ff698ea5..92b8c0618f0 100644 --- a/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md +++ b/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md @@ -28,7 +28,7 @@ Callback reference should exists on components field
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="19" +```json title="Positive test num. 1 - json file" hl_lines="19" { "openapi": "3.0.0", "info": { @@ -71,7 +71,7 @@ Callback reference should exists on components field
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +```yaml title="Positive test num. 2 - yaml file" hl_lines="15" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md b/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md index 07618e25137..dc65c46393f 100644 --- a/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md +++ b/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md @@ -28,7 +28,7 @@ Global Schemes should use 'https' protocol instead of 'http'
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="8" +```json title="Positive test num. 1 - json file" hl_lines="8" { "swagger": "2.0", "info": { @@ -54,7 +54,7 @@ Global Schemes should use 'https' protocol instead of 'http'
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +```yaml title="Positive test num. 2 - yaml file" hl_lines="6" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md b/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md index bea5120723f..497ca0d58ba 100644 --- a/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md +++ b/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md @@ -28,7 +28,7 @@ Post should define at least one success response (200, 201, 202 or 204)
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="12" +```json title="Positive test num. 1 - json file" hl_lines="12" { "openapi": "3.0.0", "info": { @@ -51,7 +51,7 @@ Post should define at least one success response (200, 201, 202 or 204)
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="24" { "openapi": "3.0.0", "info": { @@ -86,7 +86,7 @@ Post should define at least one success response (200, 201, 202 or 204)
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +```yaml title="Positive test num. 3 - yaml file" hl_lines="10" openapi: 3.0.0 info: title: Simple API @@ -101,7 +101,7 @@ paths: description: Error ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="18" openapi: 3.0.0 @@ -127,7 +127,7 @@ paths: ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="24" { @@ -165,7 +165,7 @@ paths: ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file ```yaml hl_lines="18" swagger: "2.0" diff --git a/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md b/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md index fe762636983..2df4de9dbe0 100644 --- a/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md +++ b/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md @@ -28,7 +28,7 @@ Operation Object should not use implicit flow
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="22" +```json title="Positive test num. 1 - json file" hl_lines="22" { "swagger": "2.0", "info": { @@ -71,7 +71,7 @@ Operation Object should not use implicit flow
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +```yaml title="Positive test num. 2 - yaml file" hl_lines="16" swagger: "2.0" info: title: Simple API overview diff --git a/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md b/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md index 20c72320e22..e644f87cebc 100644 --- a/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md +++ b/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md @@ -28,7 +28,7 @@ Security Scheme HTTP should not be using negotiate authentication
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="57" +```json title="Positive test num. 1 - json file" hl_lines="57" { "openapi": "3.0.0", "info": { @@ -92,7 +92,7 @@ Security Scheme HTTP should not be using negotiate authentication
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +```yaml title="Positive test num. 2 - yaml file" hl_lines="33" openapi: 3.0.0 info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md b/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md index eb793d50f40..7f89d20c894 100644 --- a/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md +++ b/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md @@ -28,7 +28,7 @@ Parameters properties 'name' and 'in' should have unique combinations
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="28 37" +```json title="Positive test num. 1 - json file" hl_lines="28 37" { "openapi": "3.0.0", "info": { @@ -78,7 +78,7 @@ Parameters properties 'name' and 'in' should have unique combinations
} ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="25 18" +```yaml title="Positive test num. 2 - yaml file" hl_lines="25 18" openapi: 3.0.0 info: title: Simple API Overview @@ -111,7 +111,7 @@ components: type: integer ``` -```json title="Postitive test num. 3 - json file" hl_lines="21" +```json title="Positive test num. 3 - json file" hl_lines="21" { "swagger": "2.0", "info": { @@ -158,7 +158,7 @@ components: } ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="14" swagger: "2.0" diff --git a/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md b/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md index 2d9a296c757..29fb8447c81 100644 --- a/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md +++ b/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md @@ -28,7 +28,7 @@ The Media Type Object should have the attribute 'schema' defined
### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="48 15" +```json title="Positive test num. 1 - json file" hl_lines="48 15" { "openapi": "3.0.0", "info": { @@ -96,7 +96,7 @@ The Media Type Object should have the attribute 'schema' defined
} ``` -```json title="Postitive test num. 2 - json file" hl_lines="27 15" +```json title="Positive test num. 2 - json file" hl_lines="27 15" { "openapi": "3.0.0", "info": { @@ -139,7 +139,7 @@ The Media Type Object should have the attribute 'schema' defined
} ``` -```yaml title="Postitive test num. 3 - yaml file" hl_lines="13 30" +```yaml title="Positive test num. 3 - yaml file" hl_lines="13 30" openapi: 3.0.0 info: title: Simple API Overview @@ -179,7 +179,7 @@ components: contentType: image/png, image/jpeg ``` -
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file ```yaml hl_lines="19 13" openapi: 3.0.0 diff --git a/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md b/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md index 6eaf6e076b8..f0f11fb1693 100644 --- a/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md +++ b/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md @@ -28,7 +28,7 @@ The Media Type value should match the following format: /[+suffix ### Code samples #### Code samples with security vulnerabilities -```json title="Postitive test num. 1 - json file" hl_lines="16 11" +```json title="Positive test num. 1 - json file" hl_lines="16 11" { "swagger": "2.0", "info": { @@ -59,7 +59,7 @@ The Media Type value should match the following format: /[+suffix } ``` -```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 14" +```yaml title="Positive test num. 2 - yaml file" hl_lines="18 14" swagger: "2.0" info: title: Simple API Overview diff --git a/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md b/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md index e9089c35748..304b11dbef5 100644 --- a/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md +++ b/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md @@ -28,7 +28,7 @@ All properties defined in OpenAPI objects should be known
 ### Code samples
 #### Code samples with security vulnerabilities
-```json title="Postitive test num. 1 - json file" hl_lines="28 14"
+```json title="Positive test num. 1 - json file" hl_lines="28 14"
 {
 "openapi": "3.0.0",
 "info": {
@@ -72,7 +72,7 @@ All properties defined in OpenAPI objects should be known
 }
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="3 20"
+```json title="Positive test num. 2 - json file" hl_lines="3 20"
 {
 "openapi": "3.0.0",
 "infjnjnjno": {
@@ -123,7 +123,7 @@ All properties defined in OpenAPI objects should be known
 }
 ```
-```json title="Postitive test num. 3 - json file" hl_lines="20"
+```json title="Positive test num. 3 - json file" hl_lines="20"
 {
 "openapi": "3.0.0",
 "info": {
@@ -162,7 +162,7 @@ All properties defined in OpenAPI objects should be known
 }
 ```
-
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file
 ```yaml hl_lines="17 12"
 openapi: 3.0.0
@@ -191,7 +191,7 @@ tags:
 ```
-
Postitive test num. 5 - yaml file +
Positive test num. 5 - yaml file
 ```yaml hl_lines="2 19"
 openapi: 3.0.0
@@ -227,7 +227,7 @@ paths:
 ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file
 ```yaml hl_lines="16"
 openapi: 3.0.0
diff --git a/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md b/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md
index 009e3334293..181a9638af9 100644
--- a/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md
+++ b/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md
@@ -28,7 +28,7 @@ Parameter reference should exist on parameters definition field
 ### Code samples
 #### Code samples with security vulnerabilities
-```json title="Postitive test num. 1 - json file" hl_lines="19"
+```json title="Positive test num. 1 - json file" hl_lines="19"
 {
 "swagger": "2.0",
 "info": {
@@ -88,7 +88,7 @@ Parameter reference should exist on parameters definition field
 }
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="14"
 swagger: '2.0'
 info:
 title: Simple API Overview
diff --git a/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md b/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md
index d006a53baa7..0feb81a782e 100644
--- a/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md
+++ b/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md
@@ -28,7 +28,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'format' defined.
 ### Code samples
 #### Code samples with security vulnerabilities
-```json title="Postitive test num. 1 - json file" hl_lines="58 75"
+```json title="Positive test num. 1 - json file" hl_lines="58 75"
 {
 "openapi": "3.0.0",
 "info": {
@@ -113,7 +113,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'format' defined.
 }
 ```
-```json title="Postitive test num. 2 - json file" hl_lines="27"
+```json title="Positive test num. 2 - json file" hl_lines="27"
 {
 "openapi": "3.0.0",
 "info": {
@@ -181,7 +181,7 @@ Numeric schema (type set to 'integer' or 'number') should have 'format' defined.
 }
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="34 46"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="34 46"
 openapi: 3.0.0
 info:
 title: Simple API Overview
@@ -230,7 +230,7 @@ components:
 $ref: "#/components/schemas/GeneralError"
 ```
-
Postitive test num. 4 - yaml file +
Positive test num. 4 - yaml file
 ```yaml hl_lines="22"
 openapi: 3.0.0
@@ -272,7 +272,7 @@ paths:
 ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file
 ```json hl_lines="23"
 {
@@ -318,7 +318,7 @@ paths:
 ```
-
Postitive test num. 6 - yaml file +
Positive test num. 6 - yaml file
 ```yaml hl_lines="20"
 swagger: "2.0"
diff --git a/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md b/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md
index d8708f36738..4266dac0e2c 100644
--- a/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md
+++ b/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md
@@ -28,7 +28,7 @@ Containers should be configured with AppArmor for any application to reduce its
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 25 42"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8 25 42"
 name: yaml-example
 description: Create a Pod with auto-naming
 runtime: yaml
diff --git a/docs/queries/pulumi-queries/aws/00603add-7f72-448f-a6c0-9e456a7a3f94.md b/docs/queries/pulumi-queries/aws/00603add-7f72-448f-a6c0-9e456a7a3f94.md
index 612dbde37cd..b42a9b01fe6 100644
--- a/docs/queries/pulumi-queries/aws/00603add-7f72-448f-a6c0-9e456a7a3f94.md
+++ b/docs/queries/pulumi-queries/aws/00603add-7f72-448f-a6c0-9e456a7a3f94.md
@@ -28,7 +28,7 @@ Amazon Elasticsearch does not have encryption for its domains enabled. To preven
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="31"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="31"
 name: aws
 runtime: yaml
 description: desc
diff --git a/docs/queries/pulumi-queries/aws/2ca87964-fe7e-4cdc-899c-427f0f3525f8.md b/docs/queries/pulumi-queries/aws/2ca87964-fe7e-4cdc-899c-427f0f3525f8.md
index cd37152ae0a..bd2de1547eb 100644
--- a/docs/queries/pulumi-queries/aws/2ca87964-fe7e-4cdc-899c-427f0f3525f8.md
+++ b/docs/queries/pulumi-queries/aws/2ca87964-fe7e-4cdc-899c-427f0f3525f8.md
@@ -28,7 +28,7 @@ DocDB logging should be enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10"
 name: my-pulumi-project
 runtime: nodejs
@@ -47,7 +47,7 @@ resources:
 preferredBackupWindow: 07:00-09:00
 skipFinalSnapshot: true
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="18"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="18"
 name: my-pulumi-project
 runtime: nodejs
@@ -68,7 +68,7 @@ resources:
 enabledCloudwatchLogsExports: []
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="18"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="18"
 name: my-pulumi-project
 runtime: nodejs
diff --git a/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md b/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md
index 74c16398766..a4eb9b9e30f 100644
--- a/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md
+++ b/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md
@@ -28,7 +28,7 @@ It's considered a best practice to have point in time recovery enabled for Dynam
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="21 7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/647de8aa-5a42-41b5-9faf-22136f117380.md b/docs/queries/pulumi-queries/aws/647de8aa-5a42-41b5-9faf-22136f117380.md
index 3d820c21b2c..196de636f8a 100644
--- a/docs/queries/pulumi-queries/aws/647de8aa-5a42-41b5-9faf-22136f117380.md
+++ b/docs/queries/pulumi-queries/aws/647de8aa-5a42-41b5-9faf-22136f117380.md
@@ -28,7 +28,7 @@ RDS must not be defined with public interface, which means the attribute 'Public
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17"
 name: aws-rds
 runtime: yaml
 description: An RDS Instance
diff --git a/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md b/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md
index d24d70aa8dd..257f3623fac 100644
--- a/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md
+++ b/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md
@@ -28,7 +28,7 @@ IAM password should have the required minimum length
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16 7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md b/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md
index cbdf7661393..c1405c8df54 100644
--- a/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md
+++ b/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md
@@ -28,7 +28,7 @@ ElastiCache Nodes should be created across multi az, which means 'AZMode' should
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 18"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10 18"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/a1120ee4-a712-42d9-8fb5-22595fed643b.md b/docs/queries/pulumi-queries/aws/a1120ee4-a712-42d9-8fb5-22595fed643b.md
index f7bdc88ab0c..89054bf69c1 100644
--- a/docs/queries/pulumi-queries/aws/a1120ee4-a712-42d9-8fb5-22595fed643b.md
+++ b/docs/queries/pulumi-queries/aws/a1120ee4-a712-42d9-8fb5-22595fed643b.md
@@ -28,7 +28,7 @@ AWS Elasticsearch should have logs enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="14"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="14"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
@@ -69,7 +69,7 @@ variables:
 resources:
 - arn:aws:logs:*
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="17"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="17"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
@@ -108,7 +108,7 @@ variables:
 resources:
 - arn:aws:logs:*
 ```
-```yaml title="Postitive test num. 3 - yaml file" hl_lines="18"
+```yaml title="Positive test num. 3 - yaml file" hl_lines="18"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md b/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md
index 3db2fdad0a4..21ecae5b094 100644
--- a/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md
+++ b/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md
@@ -28,7 +28,7 @@ AWS DynamoDB Tables should have serverSideEncryption enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="17 7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/bccb296f-362c-4b05-9221-86d1437a1016.md b/docs/queries/pulumi-queries/aws/bccb296f-362c-4b05-9221-86d1437a1016.md
index a6add5964be..19b39356cbe 100644
--- a/docs/queries/pulumi-queries/aws/bccb296f-362c-4b05-9221-86d1437a1016.md
+++ b/docs/queries/pulumi-queries/aws/bccb296f-362c-4b05-9221-86d1437a1016.md
@@ -28,7 +28,7 @@ Amazon DMS is publicly accessible, therefore exposing possible sensitive informa
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="44"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="44"
 name: aws-dms
 runtime: yaml
 description: amazon dms replication instance
@@ -98,7 +98,7 @@ variables:
 - dms.amazonaws.com
 type: Service
 ```
-```yaml title="Postitive test num. 2 - yaml file" hl_lines="35"
+```yaml title="Positive test num. 2 - yaml file" hl_lines="35"
 name: aws-dms
 runtime: yaml
 description: amazon dms replication instance
diff --git a/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md b/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md
index cdfaf577924..533025f097a 100644
--- a/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md
+++ b/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md
@@ -28,7 +28,7 @@ API Gateway should have Access Log Settings defined
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md b/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md
index de125732873..f4f5720bc81 100644
--- a/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md
+++ b/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md
@@ -28,7 +28,7 @@ It's considered a best practice for an EC2 instance to use an EBS optimized inst
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 18"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="10 18"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md b/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md
index 1946e5afb11..c3fd522724c 100644
--- a/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md
+++ b/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md
@@ -28,7 +28,7 @@ EC2 Instance should have detailed monitoring enabled. With detailed monitoring e
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16 7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md b/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md
index 26986e49fa0..1e894230bc4 100644
--- a/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md
+++ b/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md
@@ -28,7 +28,7 @@ IAM Password should have at least one lowercase letter
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16 7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md b/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md
index ec3561c5b43..eca18543937 100644
--- a/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md
+++ b/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md
@@ -28,7 +28,7 @@ ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 17"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9 17"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md b/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md
index b188609c221..53ea9ed9bbf 100644
--- a/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md
+++ b/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md
@@ -28,7 +28,7 @@ SSL Client Certificate should be defined
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md b/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md
index fd8139810cb..2a2a4afa34d 100644
--- a/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md
+++ b/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md
@@ -28,7 +28,7 @@ Redis Cache resource should not allow non-SSL connections.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="8"
 name: azure-aks
 runtime: yaml
 description: An Aks cluster
diff --git a/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md b/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md
index 30428d11a6a..a82e6067498 100644
--- a/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md
+++ b/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md
@@ -28,7 +28,7 @@ Storage Accounts should enforce the use of HTTPS
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="9"
 name: azure-aks
 runtime: yaml
 description: An Aks cluster
diff --git a/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md b/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md
index 9c77c2ae08e..e481d163280 100644
--- a/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md
+++ b/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md
@@ -28,7 +28,7 @@ Do not allow pod to request execution as privileged.
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="11"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md b/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md
index bf7cc3e9ff8..b837ef9968d 100644
--- a/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md
+++ b/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md
@@ -28,7 +28,7 @@ Cloud storage bucket should have logging enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md b/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md
index dd75737670d..09c1270f480 100644
--- a/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md
+++ b/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md
@@ -28,7 +28,7 @@ This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, t
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="16 7"
 name: aws-eks
 runtime: yaml
 description: An EKS cluster
diff --git a/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md b/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md
index 2b99417de88..3f93b574ba3 100644
--- a/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md
+++ b/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md
@@ -28,7 +28,7 @@ Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, lis
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="49 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="49 7"
 # Cluster Role
 resource "kubernetes_cluster_role" "cluster_role_name" {
 metadata {
diff --git a/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md b/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md
index 854672dd5f9..a5ae3fbfeb4 100644
--- a/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md
+++ b/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md
@@ -28,7 +28,7 @@ Check if a container has full access (unmasked) to the host’s /proc command, w
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+```tf title="Positive test num. 1 - tf file" hl_lines="8"
 resource "kubernetes_pod_security_policy" "example" {
 metadata {
 name = "terraform-example"
diff --git a/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md b/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md
index 3c8b236519b..a8b30fb220f 100644
--- a/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md
+++ b/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md
@@ -28,7 +28,7 @@ Repositories must be set to private, which means the attribute 'visibility' must
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 28 15"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 28 15"
 resource "github_repository" "positive1" {
 name = "example"
 description = "My awesome codebase"
diff --git a/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md b/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md
index a5ef2cefba3..1cf14b63f42 100644
--- a/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md
+++ b/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md
@@ -28,7 +28,7 @@ Ensure that the cluster-admin role is only used where required (RBAC)
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+```tf title="Positive test num. 1 - tf file" hl_lines="8"
 resource "kubernetes_cluster_role_binding" "example2" {
 metadata {
 name = "terraform-example2"
diff --git a/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md b/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md
index fe79e58cd88..d0abe6d4352 100644
--- a/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md
+++ b/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md
@@ -28,7 +28,7 @@ The Horizontal Pod Autoscaler must target a valid object
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="49 15"
+```tf title="Positive test num. 1 - tf file" hl_lines="49 15"
 resource "kubernetes_horizontal_pod_autoscaler" "example" {
 metadata {
 name = "test"
diff --git a/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md b/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md
index 40315b3823d..5bf11015a43 100644
--- a/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md
+++ b/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md
@@ -28,7 +28,7 @@ Memory requests should be defined for each container. This allows the kubelet to
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 105"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 105"
 resource "kubernetes_pod" "positive1" {
 metadata {
diff --git a/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md b/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md
index 400e5c22b99..72d8280476c 100644
--- a/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md
+++ b/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md
@@ -28,7 +28,7 @@ Sees if Kubernetes Drop Capabilities exists to ensure containers security contex
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+```tf title="Positive test num. 1 - tf file" hl_lines="8"
 resource "kubernetes_pod" "test1" {
 metadata {
 name = "terraform-example"
@@ -127,7 +127,7 @@ resource "kubernetes_pod" "test1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="9"
+```tf title="Positive test num. 2 - tf file" hl_lines="9"
 resource "kubernetes_pod" "test2" {
 metadata {
@@ -225,7 +225,7 @@ resource "kubernetes_pod" "test2" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="9"
+```tf title="Positive test num. 3 - tf file" hl_lines="9"
 resource "kubernetes_pod" "test3" {
 metadata {
diff --git a/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md b/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md
index 9a5f839c0e2..b405a1bd70c 100644
--- a/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md
+++ b/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md
@@ -28,7 +28,7 @@ Images should be specified together with their digests to ensure integrity
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 113 60"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 113 60"
 resource "kubernetes_pod" "positive1" {
 metadata {
 name = "terraform-example"
diff --git a/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md b/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md
index b58ae022fd1..cbc67a08e0c 100644
--- a/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md
+++ b/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md
@@ -28,7 +28,7 @@ A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+```tf title="Positive test num. 1 - tf file" hl_lines="6"
 resource "kubernetes_pod" "test1" {
 metadata {
 name = "terraform-example"
@@ -67,7 +67,7 @@ resource "kubernetes_pod" "test1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="6"
+```tf title="Positive test num. 2 - tf file" hl_lines="6"
 resource "kubernetes_pod" "test2" {
 metadata {
 name = "terraform-example"
@@ -110,7 +110,7 @@ resource "kubernetes_pod" "test2" {
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="36"
+```tf title="Positive test num. 3 - tf file" hl_lines="36"
 resource "kubernetes_pod" "test3" {
 metadata {
 name = "terraform-example"
diff --git a/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md b/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md
index da84e147cd5..fec60ff70d3 100644
--- a/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md
+++ b/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md
@@ -28,7 +28,7 @@ Kubernetes Stateful Sets must have one Volume Claim template with the access mod ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="166 367" +```tf title="Positive test num. 1 - tf file" hl_lines="166 367" resource "kubernetes_stateful_set" "prometheus-1" { metadata { annotations = { diff --git a/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md b/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md index 514e199ed2d..4fb3da5b074 100644 --- a/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md +++ b/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md @@ -28,7 +28,7 @@ Service has an external load balancer, which may cause accessibility from other ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="24 4" +```tf title="Positive test num. 1 - tf file" hl_lines="24 4" resource "kubernetes_service" "example1" { metadata { name = "terraform-example1" @@ -69,7 +69,7 @@ resource "kubernetes_service" "example2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="25 4 46" +```tf title="Positive test num. 2 - tf file" hl_lines="25 4 46" resource "kubernetes_service" "example2" { metadata { name = "terraform-example2" diff --git a/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md b/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md index 52582eb31d0..1600dfd6561 100644 --- a/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md +++ b/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md @@ -28,7 +28,7 @@ Limit capabilities for a Pod Security Policy
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md b/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md index 3c8a4d5a640..b52e9808c00 100644 --- a/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md +++ b/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md @@ -28,7 +28,7 @@ PodSecurityPolicy should not allow privilege escalation
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="50 7" +```tf title="Positive test num. 1 - tf file" hl_lines="50 7" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md b/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md index f8142b8b86b..a0a921fc29c 100644 --- a/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md +++ b/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md @@ -28,7 +28,7 @@ No role nor cluster role should bind to a default service account
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "kubernetes_role_binding" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md b/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md index 5a0e29c13c8..7c921915424 100644 --- a/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md +++ b/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md @@ -28,7 +28,7 @@ Containers should not have CAP_SYS_ADMIN Linux capability
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 113" +```tf title="Positive test num. 1 - tf file" hl_lines="8 113" resource "kubernetes_pod" "positive1" { metadata { diff --git a/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md b/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md index 3a14a27bfdc..013b8862b25 100644 --- a/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md +++ b/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md @@ -28,7 +28,7 @@ StatefulSets should have an existing headless 'serviceName'. The headless servic ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="49" +```tf title="Positive test num. 1 - tf file" hl_lines="49" resource "kubernetes_service" "example" { metadata { name = "prometheus" diff --git a/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md b/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md index 4685c5d8047..144b92b94c6 100644 --- a/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md +++ b/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md @@ -28,7 +28,7 @@ Containers should be configured with a secure Seccomp profile to restrict potent ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2 115 348 215 184 249 58 411 284" +```tf title="Positive test num. 1 - tf file" hl_lines="2 115 348 215 184 249 58 411 284" resource "kubernetes_pod" "pod1" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md b/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md index 1c81dd0d125..5299b256618 100644 --- a/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md 
+++ b/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md @@ -28,7 +28,7 @@ Check if Deployment resources don't have a podAntiAffinity policy, which prevent ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="25" +```tf title="Positive test num. 1 - tf file" hl_lines="25" resource "kubernetes_deployment" "example" { metadata { name = "terraform-example" @@ -90,7 +90,7 @@ resource "kubernetes_deployment" "example" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="26" +```tf title="Positive test num. 2 - tf file" hl_lines="26" resource "kubernetes_deployment" "example2" { metadata { name = "terraform-example" @@ -168,7 +168,7 @@ resource "kubernetes_deployment" "example2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="26" +```tf title="Positive test num. 3 - tf file" hl_lines="26" resource "kubernetes_deployment" "example3" { metadata { name = "terraform-example" @@ -250,7 +250,7 @@ resource "kubernetes_deployment" "example3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="26" resource "kubernetes_deployment" "example4" { diff --git a/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md b/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md index 9b3963b3aff..20b03799c29 100644 --- a/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md +++ b/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md @@ -28,7 +28,7 @@ PodSecurityPolicy should not have added capabilities
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md b/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md index 7bd21f47e6d..718d11ffe77 100644 --- a/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md +++ b/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md @@ -28,7 +28,7 @@ Check if Pod Security Policies allow containers to share the host network namesp ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md b/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md index dbd06463d8c..cf8c2dd0ee4 100644 --- a/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md +++ b/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md @@ -28,7 +28,7 @@ Containers must not be allowed to run with root privileges, which means the attr ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="37 6 7 19 27" +```tf title="Positive test num. 1 - tf file" hl_lines="37 6 7 19 27" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md b/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md index 9b14e70cac3..11a8004ce58 100644 
--- a/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md +++ b/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md @@ -28,7 +28,7 @@ Sees if Docker Daemon Socket is not exposed to Containers
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 169 98" +```tf title="Positive test num. 1 - tf file" hl_lines="8 169 98" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md b/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md index fce94916bf2..dc4cd411779 100644 --- a/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md +++ b/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md @@ -28,7 +28,7 @@ Verifies if Kubernetes workload's host port is specified
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16" +```tf title="Positive test num. 1 - tf file" hl_lines="16" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" @@ -83,7 +83,7 @@ resource "kubernetes_pod" "test" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="41" +```tf title="Positive test num. 2 - tf file" hl_lines="41" resource "kubernetes_deployment" "example" { metadata { diff --git a/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md b/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md index b76392b52fb..4ea1e0ae01e 100644 --- a/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md +++ b/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md @@ -28,7 +28,7 @@ Pod Security Policy allows containers to share the host IPC namespace
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "kubernetes_pod_security_policy" "example2" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md b/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md index f989a40d6bd..d1e64f50a30 100644 --- a/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md +++ b/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md @@ -28,7 +28,7 @@ The permission to create pods in a cluster should be restricted because it allow ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="51 67 35 13" +```tf title="Positive test num. 1 - tf file" hl_lines="51 67 35 13" resource "kubernetes_role" "example1" { metadata { name = "terraform-example1" @@ -100,7 +100,7 @@ resource "kubernetes_role" "example4" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9 45 21 33" +```tf title="Positive test num. 2 - tf file" hl_lines="9 45 21 33" resource "kubernetes_cluster_role" "example1" { metadata { name = "terraform-example1" diff --git a/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md b/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md index a89ec2fe061..1c41e69f70b 100644 --- a/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md +++ b/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md @@ -28,7 +28,7 @@ CPU requests should be set to ensure the sum of the resource requests of the sch ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 105" +```tf title="Positive test num. 1 - tf file" hl_lines="8 105" resource "kubernetes_pod" "positive1" { metadata { 
diff --git a/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md b/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md index 3748e2d25de..536e315d912 100644 --- a/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md +++ b/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md @@ -28,7 +28,7 @@ Minimize the admission of containers wishing to share the host process ID namesp ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "kubernetes_pod" "positive1" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md b/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md index debefc2b7b0..0ddd514b95f 100644 --- a/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md +++ b/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md @@ -28,7 +28,7 @@ Cronjobs must have a configured deadline, which means the attribute 'starting_de ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "kubernetes_cron_job" "demo" { metadata { name = "demo" diff --git a/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md b/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md index fbba89370a7..dde3979c662 100644 --- a/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md +++ b/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md 
@@ -28,7 +28,7 @@ In case of an unresponsive container, a Liveness Probe can help your application ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" @@ -68,7 +68,7 @@ resource "kubernetes_pod" "test" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="27" +```tf title="Positive test num. 2 - tf file" hl_lines="27" resource "kubernetes_deployment" "example" { metadata { diff --git a/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md b/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md index 2df71868c9d..7488da544d8 100644 --- a/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md +++ b/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md @@ -28,7 +28,7 @@ Service type should not be NodePort
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" resource "kubernetes_service" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md b/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md index f9642cac319..8bbcecf8597 100644 --- a/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md +++ b/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md @@ -28,7 +28,7 @@ CPU limits should be set because if the system has CPU time free, a container is ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 106" +```tf title="Positive test num. 1 - tf file" hl_lines="8 106" resource "kubernetes_pod" "positive1" { metadata { diff --git a/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md b/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md index 47970e50291..d5eb7e62dd4 100644 --- a/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md +++ b/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md @@ -28,7 +28,7 @@ Kubernetes container should have resource limitations defined such as CPU and me ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 224 106 167" +```tf title="Positive test num. 1 - tf file" hl_lines="8 224 106 167" resource "kubernetes_pod" "positive1" { metadata { diff --git a/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md b/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md index eb42518ad06..61c90b13fa3 100644 --- a/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md 
+++ b/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md @@ -28,7 +28,7 @@ Container should not use secrets as environment variables
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11 20" +```tf title="Positive test num. 1 - tf file" hl_lines="11 20" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md b/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md index 24d2d28290c..3cba923e9ec 100644 --- a/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md +++ b/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md @@ -28,7 +28,7 @@ StatefulSets should be assigned with a PodDisruptionBudget to ensure high availa ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="23" +```tf title="Positive test num. 1 - tf file" hl_lines="23" resource "kubernetes_stateful_set" "prometheus" { metadata { annotations = { diff --git a/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md b/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md index ae4de72abe6..d3ebe2bc8c3 100644 --- a/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md +++ b/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md @@ -28,7 +28,7 @@ Default service accounts should not be actively used
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 12" +```tf title="Positive test num. 1 - tf file" hl_lines="1 12" resource "kubernetes_service_account" "example" { metadata { name = "default" diff --git a/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md b/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md index 8900980968e..79b99847b48 100644 --- a/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md +++ b/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md @@ -28,7 +28,7 @@ Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secret ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="48 9 27 62" +```tf title="Positive test num. 1 - tf file" hl_lines="48 9 27 62" resource "kubernetes_role" "example1" { metadata { name = "terraform-example1" diff --git a/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md b/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md index 29bb93394e2..ab35643f3c6 100644 --- a/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md +++ b/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md @@ -28,7 +28,7 @@ Check if Readiness Probe is not configured.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md b/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md index e78e88a46a2..6d535dc09ca 100644 --- a/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md +++ b/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md @@ -28,7 +28,7 @@ A non kube-system workload should not have hostPath mounted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="113 233 53 173" +```tf title="Positive test num. 1 - tf file" hl_lines="113 233 53 173" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md b/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md index f222605afcb..f4de6e9960a 100644 --- a/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md +++ b/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md @@ -28,7 +28,7 @@ Privileged containers lack essential security restrictions and should be avoided ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="108 14 47" +```tf title="Positive test num. 1 - tf file" hl_lines="108 14 47" resource "kubernetes_pod" "positive1" { metadata { diff --git a/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md b/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md index 6b12c7f49f1..9dc3ba24aa2 100644 --- a/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md +++ b/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md @@ -28,7 +28,7 @@ Containers need to have NET_RAW or All as drop capabilities
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17" +```tf title="Positive test num. 1 - tf file" hl_lines="17" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md b/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md index 2cb869d1f20..a6aac7e146e 100644 --- a/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md +++ b/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md @@ -28,7 +28,7 @@ Deployments should be assigned with a PodDisruptionBudget to ensure high availab ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="13" +```tf title="Positive test num. 1 - tf file" hl_lines="13" resource "kubernetes_deployment" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md b/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md index bff5dec8925..c0a2fbce91b 100644 --- a/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md +++ b/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md @@ -28,7 +28,7 @@ Containers can mount sensitive folders from the hosts, giving them potentially d ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" @@ -89,7 +89,7 @@ resource "kubernetes_pod" "test" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" resource "kubernetes_pod" "test2" { metadata { name = "terraform-example" 
@@ -150,7 +150,7 @@ resource "kubernetes_pod" "test2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="12" +```tf title="Positive test num. 3 - tf file" hl_lines="12" resource "kubernetes_pod" "test3" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md b/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md index 89b2eb2a79c..6dd86453670 100644 --- a/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md +++ b/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md @@ -28,7 +28,7 @@ Do not allow pod to request execution as privileged.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md b/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md index 4c2a780b1d6..10050e1c1d9 100644 --- a/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md +++ b/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md @@ -28,7 +28,7 @@ Workload is mounting a volume with sensitive OS Directory
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="112 53" +```tf title="Positive test num. 1 - tf file" hl_lines="112 53" resource "kubernetes_pod" "test1" { metadata { name = "terraform-example1" diff --git a/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md b/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md index d3126d7ea13..fe69a2de2ad 100644 --- a/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md +++ b/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md @@ -28,7 +28,7 @@ A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" @@ -77,7 +77,7 @@ resource "kubernetes_pod_security_policy" "example" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "kubernetes_pod" "test" { metadata { diff --git a/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md b/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md index be3fc827a43..a22a3bee890 100644 --- a/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md +++ b/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md @@ -28,7 +28,7 @@ Service Account Tokens are automatically mounted even if not necessary
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="88 25 162 144" +```tf title="Positive test num. 1 - tf file" hl_lines="88 25 162 144" resource "kubernetes_deployment" "example" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md b/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md index 5d730de5a68..00dbdeaa927 100644 --- a/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md +++ b/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md @@ -28,7 +28,7 @@ Image Pull Policy of the container must be defined and set to Always
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="12" +```tf title="Positive test num. 1 - tf file" hl_lines="12" resource "kubernetes_pod" "busybox" { metadata { name = "busybox-tf" @@ -48,7 +48,7 @@ resource "kubernetes_pod" "busybox" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="30" +```tf title="Positive test num. 2 - tf file" hl_lines="30" resource "kubernetes_deployment" "example" { metadata { diff --git a/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md b/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md index 9a41a1b380b..4ea69051c5f 100644 --- a/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md +++ b/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md @@ -28,7 +28,7 @@ The default namespace should not be used
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 4" +```tf title="Positive test num. 1 - tf file" hl_lines="9 4" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md b/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md index 184ec4f0ac9..dfb6fd69e1b 100644 --- a/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md +++ b/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md @@ -28,7 +28,7 @@ Container should not share the host network namespace
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md b/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md index e4e09373686..3b3047934cf 100644 --- a/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md +++ b/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md @@ -28,7 +28,7 @@ A security context defines privilege and access control settings for a Pod or Co ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="93 6 7" +```tf title="Positive test num. 1 - tf file" hl_lines="93 6 7" resource "kubernetes_pod" "positive1" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md b/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md index 71b9b13bdee..50f3cd27bf4 100644 --- a/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md +++ b/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md @@ -28,14 +28,14 @@ OSS Bucket should have logging enabled, for better visibility of resources and o ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_oss_bucket" "bucket_logging2" { bucket = "bucket-170309-acl" acl = "public-read" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "alicloud_oss_bucket" "bucket_logging1" { bucket = "bucket-170309-logging" logging_isenable = false 
diff --git a/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md b/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md index 1a4ee2598c5..e3ab571c97f 100644 --- a/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md +++ b/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md @@ -28,7 +28,7 @@ Ram Account Password Policy should have 'require_numbers' set to true
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md b/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md index 2dcef39c036..3db330dde76 100644 --- a/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md +++ b/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -44,7 +44,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -63,7 +63,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" diff --git a/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md b/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md index c5026ad43f9..de52a2cb369 100644 --- a/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md +++ b/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md 
@@ -28,7 +28,7 @@ ECS Launch Template should have the data in the disk encrypted. To encrypt the d ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="36" +```tf title="Positive test num. 1 - tf file" hl_lines="36" data "alicloud_images" "images" { owners = "system" } @@ -88,7 +88,7 @@ resource "alicloud_launch_template" "templatepos1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" data "alicloud_images" "images" { owners = "system" } diff --git a/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md b/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md index 5ccf8f5cba2..1e41d15fd15 100644 --- a/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md +++ b/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -48,7 +48,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="7" +```tf title="Positive test num. 2 - tf file" hl_lines="7" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" diff --git a/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md b/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md index 33c3a523ec1..c4f4078c363 100644 --- a/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md +++ b/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md @@ -28,7 +28,7 @@ API Gateway API protocol should be set to HTTPS
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" resource "alicloud_api_gateway_group" "apiGroup" { name = "ApiGatewayGroup" description = "description of the api group" @@ -74,7 +74,7 @@ resource "alicloud_api_gateway_api" "apiGatewayApi" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="21 14" +```tf title="Positive test num. 2 - tf file" hl_lines="21 14" resource "alicloud_api_gateway_group" "apiGroup" { name = "ApiGatewayGroup" description = "description of the api group" diff --git a/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md b/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md index 023255dcb46..9badb00166e 100644 --- a/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md +++ b/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md @@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open to the public in either T ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "alicloud_security_group" "default" { name = "default" } @@ -45,7 +45,7 @@ resource "alicloud_security_group_rule" "allow_all_tcp" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "alicloud_security_group" "default" { name = "default" } @@ -62,7 +62,7 @@ resource "alicloud_security_group_rule" "allow_all_tcp" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="10" +```tf title="Positive test num. 3 - tf file" hl_lines="10" resource "alicloud_security_group" "default" { name = "default" } 
diff --git a/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md b/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md index 6df46a5c7ea..46575348e2c 100644 --- a/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md +++ b/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md @@ -28,7 +28,7 @@ Checks if any static websties are hosted on buckets. Be aware of any website you ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "alicloud_oss_bucket" "bucket-website1" { bucket = "bucket-1-website" diff --git a/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md b/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md index f0f721dc2d7..c7cfe059d5f 100644 --- a/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md +++ b/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md @@ -28,7 +28,7 @@ Ram Account Password Policy Password 'max_password_age' should be higher than 0 ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false @@ -41,7 +41,7 @@ resource "alicloud_ram_account_password_policy" "corporate" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false 
@@ -55,7 +55,7 @@ resource "alicloud_ram_account_password_policy" "corporate" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="8" +```tf title="Positive test num. 3 - tf file" hl_lines="8" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md b/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md index 6ce17efee7d..650a9c50324 100644 --- a/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md +++ b/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md @@ -28,7 +28,7 @@ Disks should have encryption enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_disk" "disk_encryption1" { # cn-beijing availability_zone = "cn-beijing-b" @@ -43,7 +43,7 @@ resource "alicloud_disk" "disk_encryption1" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" resource "alicloud_disk" "disk_encryption2" { # cn-beijing availability_zone = "cn-beijing-b" diff --git a/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md b/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md index 4d54a211a40..8ebfc85148a 100644 --- a/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md +++ b/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md @@ -28,7 +28,7 @@ RAM account password security should require at least one symbol
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_ram_account_password_policy" "corporate2" { minimum_password_length = 9 require_lowercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md b/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md index 69ce780e6f5..31bf6f22b42 100644 --- a/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md +++ b/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md @@ -28,7 +28,7 @@ tde_status parameter should be Enabled for supported RDS instances
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -45,7 +45,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "8" @@ -61,7 +61,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="6" +```tf title="Positive test num. 3 - tf file" hl_lines="6" resource "alicloud_db_instance" "default" { engine = "SQLServer" engine_version = "2019_std_ha" @@ -72,7 +72,7 @@ resource "alicloud_db_instance" "default" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "alicloud_db_instance" "default" { diff --git a/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md b/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md index 1a66e72a4f7..61c0a2eb1e3 100644 --- a/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md +++ b/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md @@ -28,7 +28,7 @@ The retain_stacks should be enabled to keep the Stack upon deleting the stack in ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 6" +```tf title="Positive test num. 1 - tf file" hl_lines="1 6" resource "alicloud_ros_stack_instance" "example" { stack_group_name = alicloud_ros_stack_group.example.stack_group_name stack_instance_account_id = "example_value" diff --git a/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md b/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md index 16b3fbb02e8..f7c8206563c 100644 --- a/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md +++ b/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md @@ -28,7 +28,7 @@ Ram Account Password Policy should have 'require_uppercase_characters' set to tr ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md b/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md index e4839f8031e..581b2e04d16 100644 
--- a/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md
+++ b/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md
@@ -28,7 +28,7 @@ NAS File System should have encryption provided by user KMS
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 5" +```tf title="Positive test num. 1 - tf file" hl_lines="1 5" resource "alicloud_nas_file_system" "foo" { protocol_type = "NFS" storage_type = "Performance" diff --git a/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md b/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md index 565faf74875..fc365f608dc 100644 --- a/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md +++ b/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md @@ -28,7 +28,7 @@ Alicloud Security Group Rule should not allow all ports or all protocols to the ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="13" +```tf title="Positive test num. 1 - tf file" hl_lines="13" resource "alicloud_security_group" "default" { name = "default" } @@ -45,7 +45,7 @@ resource "alicloud_security_group_rule" "allow_all_tcp" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="13" +```tf title="Positive test num. 2 - tf file" hl_lines="13" resource "alicloud_security_group" "default" { name = "default" } @@ -62,7 +62,7 @@ resource "alicloud_security_group_rule" "allow_all_tcp" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="13" +```tf title="Positive test num. 3 - tf file" hl_lines="13" resource "alicloud_security_group" "default" { name = "default" } diff --git a/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md b/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md index 241789d90a5..a1afc1aff7c 100644 --- a/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md +++ b/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md 
@@ -28,7 +28,7 @@ OSS Bucket should have ip restricted access
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy" { bucket = "bucket-170309-policy" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/62232513-b16f-4010-83d7-51d0e1d45426.md b/docs/queries/terraform-queries/alicloud/62232513-b16f-4010-83d7-51d0e1d45426.md index 8f801a1e9d0..32c2f93c1ff 100644 --- a/docs/queries/terraform-queries/alicloud/62232513-b16f-4010-83d7-51d0e1d45426.md +++ b/docs/queries/terraform-queries/alicloud/62232513-b16f-4010-83d7-51d0e1d45426.md @@ -28,14 +28,14 @@ OSS Bucket should have public access disabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "alicloud_oss_bucket" "bucket_public_access_enabled2" { bucket = "bucket-170309-acl" acl = "public-read" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "alicloud_oss_bucket" "bucket_public_access_enabled3" { bucket = "bucket-170309-acl" acl = "public-read-write" diff --git a/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md b/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md index 0894c745b2b..e2c75976525 100644 --- a/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md +++ b/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md @@ -28,7 +28,7 @@ Ram policies should not be attached to users
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="35" +```tf title="Positive test num. 1 - tf file" hl_lines="35" # Create a RAM User Policy attachment. resource "alicloud_ram_user" "user1" { name = "userName" diff --git a/docs/queries/terraform-queries/alicloud/67bfdff1-31ce-4525-b564-e94368735360.md b/docs/queries/terraform-queries/alicloud/67bfdff1-31ce-4525-b564-e94368735360.md index 951799058ee..b68dabdbea1 100644 --- a/docs/queries/terraform-queries/alicloud/67bfdff1-31ce-4525-b564-e94368735360.md +++ b/docs/queries/terraform-queries/alicloud/67bfdff1-31ce-4525-b564-e94368735360.md @@ -28,7 +28,7 @@ NAS File System must be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 5" +```tf title="Positive test num. 1 - tf file" hl_lines="1 5" resource "alicloud_nas_file_system" "foopos" { protocol_type = "NFS" storage_type = "Performance" diff --git a/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md b/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md index 7a63ad26a81..6222df3831f 100644 --- a/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md +++ b/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md @@ -28,7 +28,7 @@ ActionTrail Trail OSS Bucket should not be publicly accessible
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "alicloud_oss_bucket" "bucket_actiontrail3" { bucket = "bucket_actiontrail_3" acl = "public-read" @@ -44,7 +44,7 @@ resource "alicloud_actiontrail_trail" "actiontrail3" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "alicloud_oss_bucket" "bucket_actiontrail4" { bucket = "bucket_actiontrail_4" acl = "public-read-write" diff --git a/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md b/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md index f3fbffb50a7..42453c8ec0c 100644 --- a/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md +++ b/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md @@ -28,7 +28,7 @@ OSS Bucket should have versioning enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_oss_bucket" "bucket-versioning2" { bucket = "bucket-170309-versioning" acl = "private" @@ -39,7 +39,7 @@ resource "alicloud_oss_bucket" "bucket-versioning2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_oss_bucket" "bucket-versioning3" { bucket = "bucket-170309-versioning" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md b/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md index 77a78d7fa5a..bbb28ccaac0 100644 --- a/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md +++ b/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md @@ -28,7 +28,7 @@ ROS Stack should have a stack policy in order to protect stack resources from an ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_ros_stack" "pos" { stack_name = "tf-testaccstack" template_body = < ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -45,7 +45,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" 
diff --git a/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md b/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md
index 22ec057f0ad..5caf97aa16e 100644
--- a/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md
+++ b/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md
@@ -28,7 +28,7 @@ OSS Bucket should have lifecycle rule enabled and set to true
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "alicloud_oss_bucket" "oss_bucket_lifecycle_enabled2" { bucket = "bucket-170309-lifecycle" acl = "public-read" @@ -54,7 +54,7 @@ resource "alicloud_oss_bucket" "oss_bucket_lifecycle_enabled2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_oss_bucket" "oss_bucket_lifecycle_enabled3" { bucket = "bucket-170309-versioning" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md b/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md index 7d9b35a17ba..c93586c2a75 100644 --- a/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md +++ b/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md @@ -28,7 +28,7 @@ Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_cs_kubernetes_node_pool" "default2" { name = var.name cluster_id = alicloud_cs_managed_kubernetes.default.0.id @@ -46,7 +46,7 @@ resource "alicloud_cs_kubernetes_node_pool" "default2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="17" +```tf title="Positive test num. 2 - tf file" hl_lines="17" resource "alicloud_cs_kubernetes_node_pool" "default3" { name = var.name cluster_id = alicloud_cs_managed_kubernetes.default.0.id 
@@ -71,7 +71,7 @@ resource "alicloud_cs_kubernetes_node_pool" "default3" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="16" +```tf title="Positive test num. 3 - tf file" hl_lines="16" resource "alicloud_cs_kubernetes_node_pool" "default4" { name = var.name cluster_id = alicloud_cs_managed_kubernetes.default.0.id diff --git a/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md b/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md index 47e336d44bd..b2254ad4d1f 100644 --- a/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md +++ b/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md @@ -28,7 +28,7 @@ OSS Bucket should not allow list action from all principals, as to prevent leaki ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy1" { bucket = "bucket-1-policy" acl = "private" @@ -53,7 +53,7 @@ resource "alicloud_oss_bucket" "bucket-policy1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy5" { bucket = "bucket-5-policy" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/89143358-cec6-49f5-9392-920c591c669c.md b/docs/queries/terraform-queries/alicloud/89143358-cec6-49f5-9392-920c591c669c.md index cf14d91da5b..3ec2c1ee3ad 100644 --- a/docs/queries/terraform-queries/alicloud/89143358-cec6-49f5-9392-920c591c669c.md +++ b/docs/queries/terraform-queries/alicloud/89143358-cec6-49f5-9392-920c591c669c.md 
@@ -28,7 +28,7 @@ Ram Account Password Policy should have 'require_lowercase_characters' set to tr ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md b/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md index 01b4ff4d444..822370b7ed7 100644 --- a/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md +++ b/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md @@ -28,7 +28,7 @@ OSS Bucket should not allow delete action from all principals, as to prevent lea ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy1" { bucket = "bucket-1-policy" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/8f98334a-99aa-4d85-b72a-1399ca010413.md b/docs/queries/terraform-queries/alicloud/8f98334a-99aa-4d85-b72a-1399ca010413.md index f0efde7b8dd..0186785b513 100644 --- a/docs/queries/terraform-queries/alicloud/8f98334a-99aa-4d85-b72a-1399ca010413.md +++ b/docs/queries/terraform-queries/alicloud/8f98334a-99aa-4d85-b72a-1399ca010413.md @@ -28,7 +28,7 @@ OSS Bucket should have transfer acceleration enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-accelerate" { bucket = "bucket_name" @@ -38,7 +38,7 @@ resource "alicloud_oss_bucket" "bucket-accelerate" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_oss_bucket" "bucket-accelerate2" { bucket = "bucket_name" } diff --git a/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md b/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md index d93a47f5086..1f286dd29f8 100644 --- a/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md +++ b/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md @@ -28,7 +28,7 @@ The ROS Stack Notifications should be defined and populated to receive stack rel ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 3" +```tf title="Positive test num. 1 - tf file" hl_lines="1 3" resource "alicloud_ros_stack" "example" { stack_name = "tf-testaccstack" notification_urls = [] diff --git a/docs/queries/terraform-queries/alicloud/a597e05a-c065-44e7-9cc8-742f572a504a.md b/docs/queries/terraform-queries/alicloud/a597e05a-c065-44e7-9cc8-742f572a504a.md index bb4db1db4a8..37ee44eaf39 100644 --- a/docs/queries/terraform-queries/alicloud/a597e05a-c065-44e7-9cc8-742f572a504a.md +++ b/docs/queries/terraform-queries/alicloud/a597e05a-c065-44e7-9cc8-742f572a504a.md @@ -28,7 +28,7 @@ log_duration parameter should be set to ON for RDS instances
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -47,7 +47,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -63,7 +63,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" diff --git a/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md b/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md index 72dd088f584..afae47d018f 100644 --- a/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md +++ b/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md @@ -28,7 +28,7 @@ RAM Account Password Policy 'password_reuse_prevention' should be defined and se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false @@ -41,7 +41,7 @@ resource "alicloud_ram_account_password_policy" "corporate" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false 
diff --git a/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md b/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md index c83fd5df5a9..497342cc78f 100644 --- a/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md +++ b/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md @@ -28,7 +28,7 @@ Ram Account Password Policy should have 'minimum_password_length' defined and se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false @@ -42,7 +42,7 @@ resource "alicloud_ram_account_password_policy" "corporate" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_ram_account_password_policy" "corporate" { require_lowercase_characters = false require_uppercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md b/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md index 11707ffaa95..0235e287a35 100644 --- a/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md +++ b/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md @@ -28,7 +28,7 @@ Kubernetes Cluster should have Terway as CNI Network Plugin to configure network ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" terraform { required_providers { alicloud = { 
@@ -52,7 +52,7 @@ resource "alicloud_cs_kubernetes" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="15" +```tf title="Positive test num. 2 - tf file" hl_lines="15" terraform { required_providers { alicloud = { @@ -81,7 +81,7 @@ resource "alicloud_cs_kubernetes" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="15" +```tf title="Positive test num. 3 - tf file" hl_lines="15" terraform { required_providers { alicloud = { diff --git a/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md b/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md index a03499590c8..c5b2b65f6c9 100644 --- a/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md +++ b/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md @@ -28,7 +28,7 @@ All RDS Instance events trackers should be 'true'
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "12345678" @@ -138,7 +138,7 @@ resource "alicloud_log_audit" "example" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "12345678" diff --git a/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md b/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md index a28184f7033..89c98e1e58d 100644 --- a/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md +++ b/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md @@ -28,7 +28,7 @@ OSS Buckets should have secure transport enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "alicloud_oss_bucket" "bucket-securetransport1"{ policy = < ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_actiontrail_trail" "actiontrail2" { trail_name = "action-trail" oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" @@ -38,7 +38,7 @@ resource "alicloud_actiontrail_trail" "actiontrail2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5 6" +```tf title="Positive test num. 2 - tf file" hl_lines="5 6" resource "alicloud_actiontrail_trail" "actiontrail3" { trail_name = "action-trail" oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" @@ -48,7 +48,7 @@ resource "alicloud_actiontrail_trail" "actiontrail3" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="5 6" +```tf title="Positive test num. 3 - tf file" hl_lines="5 6" resource "alicloud_actiontrail_trail" "actiontrail4" { trail_name = "action-trail" oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" @@ -58,7 +58,7 @@ resource "alicloud_actiontrail_trail" "actiontrail4" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="6" resource "alicloud_actiontrail_trail" "actiontrail5" { @@ -71,7 +71,7 @@ resource "alicloud_actiontrail_trail" "actiontrail5" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="5 6" resource "alicloud_actiontrail_trail" "actiontrail6" { @@ -84,7 +84,7 @@ resource "alicloud_actiontrail_trail" "actiontrail6" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="5 6" resource "alicloud_actiontrail_trail" "actiontrail7" { @@ -97,7 +97,7 @@ resource "alicloud_actiontrail_trail" "actiontrail7" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="1" resource "alicloud_actiontrail_trail" "actiontrail8" { @@ -109,7 +109,7 @@ resource "alicloud_actiontrail_trail" "actiontrail8" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="1" resource "alicloud_actiontrail_trail" "actiontrail9" { @@ -121,7 +121,7 @@ resource "alicloud_actiontrail_trail" "actiontrail9" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="1" resource "alicloud_actiontrail_trail" "actiontrail10" { diff --git a/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md b/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md index 05f4f693746..feab44a4ca3 100644 --- a/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md +++ b/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md @@ -28,7 +28,7 @@ KMS Key should have automatic rotation enabled and the rotation period should no ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 5 6" +```tf title="Positive test num. 1 - tf file" hl_lines="1 5 6" resource "alicloud_kms_key" "keypos1" { description = "Hello KMS" pending_window_in_days = "7" @@ -37,7 +37,7 @@ resource "alicloud_kms_key" "keypos1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" resource "alicloud_kms_key" "keypos1" { description = "Hello KMS" pending_window_in_days = "7" @@ -47,7 +47,7 @@ resource "alicloud_kms_key" "keypos1" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="6" +```tf title="Positive test num. 3 - tf file" hl_lines="6" resource "alicloud_kms_key" "keypos1" { description = "Hello KMS" pending_window_in_days = "7" @@ -57,7 +57,7 @@ resource "alicloud_kms_key" "keypos1" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "alicloud_kms_key" "keypos1" { diff --git a/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md b/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md index bbd3349c46e..ad3cc4ebddc 100644 --- a/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md +++ b/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md @@ -28,7 +28,7 @@ Every VPC resource should have an associated Flow Log
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_vpc" "main" { cidr_block = "192.168.0.0/24" name = var.name diff --git a/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md b/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md index 75479637988..97c25085224 100644 --- a/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md +++ b/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md @@ -28,7 +28,7 @@ log_disconnections parameter should be set to ON for RDS instances
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -47,7 +47,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -63,7 +63,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" diff --git a/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md b/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md index 6a7c8ac2004..7833e091425 100644 --- a/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md +++ b/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md @@ -28,7 +28,7 @@ SLB Policy should not support insecure versions of TLS protocol
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "alicloud_slb_tls_cipher_policy" "positive" { tls_cipher_policy_name = "Test-example_value" tls_versions = ["TLSv1.1","TLSv1.2"] diff --git a/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md b/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md index a30928e78ef..fbd326cfaf8 100644 --- a/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md +++ b/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md @@ -28,7 +28,7 @@ RDS Instance SQL Retention Period should be greater than 180
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -47,7 +47,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1 6" +```tf title="Positive test num. 2 - tf file" hl_lines="1 6" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -67,7 +67,7 @@ resource "alicloud_db_instance" "default" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" @@ -87,7 +87,7 @@ resource "alicloud_db_instance" "default" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="7" resource "alicloud_db_instance" "default" { diff --git a/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md b/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md index d2afe8bfb76..f4aa2a0ba00 100644 --- a/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md +++ b/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md @@ -28,7 +28,7 @@ RAM Security preferences should enforce MFA login for RAM users
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" # Create a new RAM user. resource "alicloud_ram_user" "user1" { name = "user_test" @@ -45,7 +45,7 @@ resource "alicloud_ram_security_preference" "example1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" # Create a new RAM user. resource "alicloud_ram_user" "user2" { name = "user_test" @@ -63,7 +63,7 @@ resource "alicloud_ram_security_preference" "example2" { } ``` -```tf title="Postitive test num. 3 - tf file" +```tf title="Positive test num. 3 - tf file" # this file does not return any result because inside the test folder exists at least one resource "alicloud_ram_security_preference" in the samples #resource "alicloud_ram_user" "user3" { # name = "user_test" diff --git a/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md b/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md index c6229f3bd2e..5db9d2aea5c 100644 --- a/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md +++ b/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md @@ -28,7 +28,7 @@ A unknown port, such as port 24 or port 111, is open to the public in either TCP ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "alicloud_security_group" "default" { name = "default" } @@ -45,7 +45,7 @@ resource "alicloud_security_group_rule" "allow_all_tcp" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "alicloud_security_group" "default" { name = "default" } 
diff --git a/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md b/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md index 349dfa3be12..33aace1f1e3 100644 --- a/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md +++ b/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md @@ -28,7 +28,7 @@ Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 i ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "alicloud_ram_account_password_policy" "corporate" { minimum_password_length = 9 require_lowercase_characters = false diff --git a/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md b/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md index f323d5fa9fe..513b1a34683 100644 --- a/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md +++ b/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md @@ -28,7 +28,7 @@ Ram policies with admin access should not be associated to users, groups or role ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="35" +```tf title="Positive test num. 1 - tf file" hl_lines="35" # Create a RAM User Policy attachment. resource "alicloud_ram_user" "user4" { name = "userName" @@ -69,7 +69,7 @@ resource "alicloud_ram_user_policy_attachment" "attach" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="32" +```tf title="Positive test num. 2 - tf file" hl_lines="32" # Create a RAM Group Policy attachment. resource "alicloud_ram_group" "group5" { name = "groupName" 
@@ -107,7 +107,7 @@ resource "alicloud_ram_group_policy_attachment" "attach" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="49" +```tf title="Positive test num. 3 - tf file" hl_lines="49" # Create a RAM Role Policy attachment. resource "alicloud_ram_role" "role6" { name = "roleName" diff --git a/docs/queries/terraform-queries/alicloud/ec62a32c-a297-41ca-a850-cab40b42094a.md b/docs/queries/terraform-queries/alicloud/ec62a32c-a297-41ca-a850-cab40b42094a.md index 48ae581f7ad..bbea8d70301 100644 --- a/docs/queries/terraform-queries/alicloud/ec62a32c-a297-41ca-a850-cab40b42094a.md +++ b/docs/queries/terraform-queries/alicloud/ec62a32c-a297-41ca-a850-cab40b42094a.md @@ -28,7 +28,7 @@ OSS Buckets should not allow all actions (wildcard) from all principals, as to p ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy1" { bucket = "bucket-1-policy" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md b/docs/queries/terraform-queries/alicloud/ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md index 35e518937fe..494e1000cf9 100644 --- a/docs/queries/terraform-queries/alicloud/ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md +++ b/docs/queries/terraform-queries/alicloud/ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md @@ -28,7 +28,7 @@ OSS Log Store should have logging enabled for longer than 90 days, for better vi ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "alicloud_log_project" "example2" { name = "tf-log" description = "created by terraform" 
@@ -44,7 +44,7 @@ resource "alicloud_log_store" "example2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "alicloud_log_project" "example4" { name = "tf-log" description = "created by terraform" diff --git a/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md b/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md index 717ff684763..6b564e28e86 100644 --- a/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md +++ b/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md @@ -28,7 +28,7 @@ Alicloud KMS must only possess usable Customer Master Keys (CMK), which means th ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_kms_key" "key" { description = "Hello KMS" pending_window_in_days = "7" @@ -36,7 +36,7 @@ resource "alicloud_kms_key" "key" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "alicloud_kms_key" "key" { description = "Hello KMS" pending_window_in_days = "7" diff --git a/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md b/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md index 81671db3061..e86e9fbf113 100644 --- a/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md +++ b/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md @@ -28,7 +28,7 @@ Application Load Balancer (alb) Listener should not listen on HTTP
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "alicloud_alb_listener" "positive" { load_balancer_id = alicloud_alb_load_balancer.default_3.id listener_protocol = "HTTP" diff --git a/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md b/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md index ad9469e2430..67a1d081cef 100644 --- a/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md +++ b/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md @@ -28,7 +28,7 @@ OSS Bucket should have encryption enabled using Customer Master Key
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket_cmk_encryption2" { bucket = "bucket-170309-sserule" acl = "private" @@ -39,7 +39,7 @@ resource "alicloud_oss_bucket" "bucket_cmk_encryption2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "alicloud_oss_bucket" "bucket_cmk_encryption3" { bucket = "bucket-170309-sserule" acl = "private" diff --git a/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md b/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md index 9392e779680..bc28d7b4bf4 100644 --- a/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md +++ b/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md @@ -28,7 +28,7 @@ Ecs Data Disk Kms Key Id should be set
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" # Create a new ECS disk. resource "alicloud_disk" "ecs_disk" { # cn-beijing diff --git a/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md b/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md index 0873c87c617..09cc870f287 100644 --- a/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md +++ b/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md @@ -28,7 +28,7 @@ The field 'address' should not be set to '0.0.0.0/0'
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "alicloud_db_instance" "example" { engine = "MySQL" engine_version = "5.6" diff --git a/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md b/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md index 3931231a40a..69ddfd827b2 100644 --- a/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md +++ b/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md @@ -28,7 +28,7 @@ OSS Bucket should not allow put action from all principals, as to prevent leakin ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy4" { bucket = "bucket-4-policy" acl = "private" @@ -53,7 +53,7 @@ resource "alicloud_oss_bucket" "bucket-policy4" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "alicloud_oss_bucket" "bucket-policy5" { bucket = "bucket-5-policy" acl = "private" diff --git a/docs/queries/terraform-queries/aws/00e5e55e-c2ff-46b3-a757-a7a1cd802456.md b/docs/queries/terraform-queries/aws/00e5e55e-c2ff-46b3-a757-a7a1cd802456.md index 68e961f488e..54c1b9386bd 100644 --- a/docs/queries/terraform-queries/aws/00e5e55e-c2ff-46b3-a757-a7a1cd802456.md +++ b/docs/queries/terraform-queries/aws/00e5e55e-c2ff-46b3-a757-a7a1cd802456.md @@ -28,7 +28,7 @@ CloudFront Minimum Protocol version should be at least TLS 1.2
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudfront_distribution" "positive1" { origin { domain_name = aws_s3_bucket.b.bucket_regional_domain_name @@ -53,7 +53,7 @@ resource "aws_cloudfront_distribution" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="25" +```tf title="Positive test num. 2 - tf file" hl_lines="25" resource "aws_cloudfront_distribution" "positive2" { origin { domain_name = aws_s3_bucket.b.bucket_regional_domain_name @@ -83,7 +83,7 @@ resource "aws_cloudfront_distribution" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="24" +```tf title="Positive test num. 3 - tf file" hl_lines="24" resource "aws_cloudfront_distribution" "positive3" { origin { domain_name = aws_s3_bucket.b.bucket_regional_domain_name @@ -112,7 +112,7 @@ resource "aws_cloudfront_distribution" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="23" resource "aws_cloudfront_distribution" "positive4" { diff --git a/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md b/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md index 276badb2575..f744be8f74e 100644 --- a/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md +++ b/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md @@ -28,7 +28,7 @@ Glue Data Catalog Encryption Settings should have 'connection_password_encryptio ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_glue_data_catalog_encryption_settings" "positive1" { data_catalog_encryption_settings { connection_password_encryption { @@ -44,7 +44,7 @@ resource "aws_glue_data_catalog_encryption_settings" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "aws_glue_data_catalog_encryption_settings" "positive2" { data_catalog_encryption_settings { connection_password_encryption { @@ -59,7 +59,7 @@ resource "aws_glue_data_catalog_encryption_settings" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="9" +```tf title="Positive test num. 3 - tf file" hl_lines="9" resource "aws_glue_data_catalog_encryption_settings" "positive3" { data_catalog_encryption_settings { connection_password_encryption { @@ -75,7 +75,7 @@ resource "aws_glue_data_catalog_encryption_settings" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="8" resource "aws_glue_data_catalog_encryption_settings" "positive4" { diff --git a/docs/queries/terraform-queries/aws/030d3b18-1821-45b4-9e08-50efbe7becbb.md b/docs/queries/terraform-queries/aws/030d3b18-1821-45b4-9e08-50efbe7becbb.md index cd860d40f49..21c9b92d8d5 100644 --- a/docs/queries/terraform-queries/aws/030d3b18-1821-45b4-9e08-50efbe7becbb.md +++ b/docs/queries/terraform-queries/aws/030d3b18-1821-45b4-9e08-50efbe7becbb.md @@ -28,7 +28,7 @@ Amazon DMS is publicly accessible, therefore exposing possible sensitive informa ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "aws_dms_replication_instance" "test" { allocated_storage = 20 apply_immediately = true diff --git a/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md b/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md index 4967fa9eb9c..69cd82a4ef7 100644 --- a/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md +++ b/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:Pass ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md b/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md index c84af1eac92..d7b5947f7b0 100644 --- a/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md +++ b/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md 
@@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md b/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md index 9a65b55eaa6..bc3468e3392 100644 --- a/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md +++ b/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md @@ -28,7 +28,7 @@ A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Am ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="84" +```tf title="Positive test num. 1 - tf file" hl_lines="84" resource "aws_vpc" "vpc" { cidr_block = "192.168.0.0/22" } @@ -172,7 +172,7 @@ resource "aws_msk_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="84" +```tf title="Positive test num. 2 - tf file" hl_lines="84" resource "aws_vpc" "vpc" { cidr_block = "192.168.0.0/22" } diff --git a/docs/queries/terraform-queries/aws/081069cb-588b-4ce1-884c-2a1ce3029fe5.md b/docs/queries/terraform-queries/aws/081069cb-588b-4ce1-884c-2a1ce3029fe5.md index 233f88e589f..e64a373e47c 100644 --- a/docs/queries/terraform-queries/aws/081069cb-588b-4ce1-884c-2a1ce3029fe5.md +++ b/docs/queries/terraform-queries/aws/081069cb-588b-4ce1-884c-2a1ce3029fe5.md @@ -28,7 +28,7 @@ Checks if CloudWatch Metrics is Enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 18" +```tf title="Positive test num. 1 - tf file" hl_lines="8 18" #this is a problematic code where the query should report a result(s) resource "aws_api_gateway_method_settings" "positive1" { rest_api_id = aws_api_gateway_rest_api.test.id diff --git a/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md b/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md index 187c8125cef..ef6e9be3b37 100644 --- a/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md +++ b/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md @@ -28,7 +28,7 @@ AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global A ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" data "aws_availability_zones" "available" {} data "aws_region" "current" {} data "aws_caller_identity" "current" {} @@ -47,7 +47,7 @@ resource "aws_shield_protection" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_route53_zone" "positive2" { name = "example.com" } diff --git a/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md b/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md index 1aad16f4e46..2e275e6461c 100644 --- a/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md +++ b/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md 
@@ -28,7 +28,7 @@ AWS DB Instance should have its storage encrypted by setting the parameter to 't ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11 14" +```tf title="Positive test num. 1 - tf file" hl_lines="11 14" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -54,7 +54,7 @@ resource "aws_db_instance" "positive2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" @@ -131,7 +131,7 @@ module "db" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="11" +```tf title="Positive test num. 3 - tf file" hl_lines="11" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" diff --git a/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md b/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md index e1129c6f737..a04dc5d19ea 100644 --- a/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md +++ b/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md @@ -28,7 +28,7 @@ Cross-Account IAM Assume Role Policy should require external ID or MFA to protec ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_iam_role" "positive1" { name = "test_role" @@ -55,7 +55,7 @@ EOF } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" resource "aws_iam_role" "positive2" { name = "test_role" @@ -85,7 +85,7 @@ EOF } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="4" +```tf title="Positive test num. 3 - tf file" hl_lines="4" resource "aws_iam_role" "positive3" { name = "test_role" 
diff --git a/docs/queries/terraform-queries/aws/0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md b/docs/queries/terraform-queries/aws/0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md index d90248085c2..cfebaeca019 100644 --- a/docs/queries/terraform-queries/aws/0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md +++ b/docs/queries/terraform-queries/aws/0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md @@ -28,7 +28,7 @@ Redshift Cluster should be configured in VPC (Virtual Private Cloud)
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_redshift_cluster" "positive1" { cluster_identifier = "tf-redshift-cluster" database_name = "mydb" diff --git a/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md b/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md index 4870017b3e5..0283c062e72 100644 --- a/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md +++ b/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:Pass ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md b/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md index 0f64886161e..3d26f454311 100644 --- a/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md +++ b/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for changes to NACL
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } @@ -67,7 +67,7 @@ resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } diff --git a/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md b/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md index 86e7b2091ab..5ee272904c8 100644 --- a/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md +++ b/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md @@ -28,7 +28,7 @@ API Gateway REST API should have an API Gateway Authorizer
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_api_gateway_authorizer" "demo" { name = "demo" rest_api_id = aws_api_gateway_rest_api.demo.id diff --git a/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md b/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md index 13d896678da..ffaf91d65fa 100644 --- a/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md +++ b/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md @@ -28,7 +28,7 @@ All Application Load Balancers (ALB) must be protected with Web Application Fire ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_alb" "foo" { internal = false subnets = [aws_subnet.foo.id, aws_subnet.bar.id] @@ -41,7 +41,7 @@ resource "aws_wafregional_web_acl_association" "foo_waf" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_lb" "alb" { name = "test-lb-tf" internal = false diff --git a/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md b/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md index b1c22fe49db..73f6ade46c2 100644 --- a/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md +++ b/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md @@ -28,7 +28,7 @@ AWS CloudWatch Log groups should be encrypted using KMS
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_group" "negative1" { name = "Yada" diff --git a/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md b/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md index 02a1fd6ce53..3ca4c675572 100644 --- a/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md +++ b/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md @@ -28,7 +28,7 @@ SSL Client Certificate should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_api_gateway_stage" "positive1" { stage_name = "prod" rest_api_id = aws_api_gateway_rest_api.test.id diff --git a/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md b/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md index 8f2043556a7..dfcce5b268a 100644 --- a/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md +++ b/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md @@ -28,7 +28,7 @@ AWS KMS Key should have a valid deletion window
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 18" +```tf title="Positive test num. 1 - tf file" hl_lines="1 18" resource "aws_kms_key" "positive1" { description = "KMS key 1" diff --git a/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md b/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md index b9e425e9515..efdc86f54fb 100644 --- a/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md +++ b/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md @@ -28,7 +28,7 @@ EC2 instances should use roles to be granted access to other AWS services
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" provider "aws" { region = "us-east-1" } @@ -54,7 +54,7 @@ EOF } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" provider "aws" { region = "us-east-1" } @@ -83,7 +83,7 @@ EOT } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="5" +```tf title="Positive test num. 3 - tf file" hl_lines="5" provider "aws" { region = "us-east-1" } @@ -112,7 +112,7 @@ EOT } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="5" provider "aws" { @@ -136,7 +136,7 @@ resource "aws_instance" "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="5" provider "aws" { @@ -160,7 +160,7 @@ resource "aws_instance" "positive5" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="5" provider "aws" { @@ -195,7 +195,7 @@ EOT ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="13" provider "aws" { @@ -223,7 +223,7 @@ resource "aws_instance" "positive7" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="13" provider "aws" { @@ -246,7 +246,7 @@ resource "aws_instance" "positive8" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="13" provider "aws" { @@ -275,7 +275,7 @@ resource "aws_instance" "positive9" { ```
-
Postitive test num. 10 - tf file +
Positive test num. 10 - tf file ```tf hl_lines="1" module "ec2_instance" { @@ -307,7 +307,7 @@ EOF ```
-
Postitive test num. 11 - tf file +
Positive test num. 11 - tf file ```tf hl_lines="1" module "ec2_instance" { @@ -334,7 +334,7 @@ module "ec2_instance" { ```
-
Postitive test num. 12 - tf file +
Positive test num. 12 - tf file ```tf hl_lines="1" module "ec2_instance" { diff --git a/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md b/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md index 2230404614a..3b231860cba 100644 --- a/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md +++ b/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md @@ -28,7 +28,7 @@ Dynamodb VPC Endpoint should be associated with Route Table Association
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="31" +```tf title="Positive test num. 1 - tf file" hl_lines="31" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md b/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md index 684380a117a..ee2cfaa506f 100644 --- a/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md +++ b/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set t ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md b/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md index c6bb9884818..8ca4eb4904f 100644 --- a/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md +++ b/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md @@ -28,7 +28,7 @@ Lambda permission may be misconfigured if the action field is not filled in by ' ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_iam_policy" "positive1policy" { name = "positive1policy" path = "/" @@ -53,7 +53,7 @@ resource "aws_iam_policy" "positive1policy" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" resource "aws_iam_policy" "positive2policy" { name = "positive2policy" path = "/" 
@@ -78,7 +78,7 @@ resource "aws_iam_policy" "positive2policy" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="8" +```tf title="Positive test num. 3 - tf file" hl_lines="8" resource "aws_iam_policy" "positive3policy" { name = "positive3policy" path = "/" @@ -103,7 +103,7 @@ resource "aws_iam_policy" "positive3policy" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="5" resource "aws_iam_policy" "positive4policy" { @@ -129,7 +129,7 @@ data "aws_iam_policy_document" "datapositive4policy" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="8" resource "aws_iam_policy" "positive5policy" { @@ -157,7 +157,7 @@ resource "aws_iam_policy" "positive5policy" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="8" resource "aws_iam_policy" "positive6policy" { diff --git a/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md b/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md index 05684f03633..8d8b5d88518 100644 --- a/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md +++ b/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md @@ -28,7 +28,7 @@ ECR repositories should be encrypted with customer-managed keys to meet stricter ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 18" +```tf title="Positive test num. 1 - tf file" hl_lines="1 18" resource "aws_ecr_repository" "foo" { name = "bar" image_tag_mutability = "IMMUTABLE" diff --git a/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md b/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md index 6ee3657d333..6a9614b12c3 100644 --- a/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md +++ b/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md @@ -28,7 +28,7 @@ A list of Kinesis resources found. Amazon Kinesis is a real-time streaming servi ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 20" +```tf title="Positive test num. 1 - tf file" hl_lines="1 20" resource "aws_kinesis_stream" "positive1" { name = "terraform-kinesis-test" shard_count = 1 diff --git a/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md b/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md index dbf4a240a03..45669ad0382 100644 --- a/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md +++ b/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md 
@@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for CloudTrail configuration changes< ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { name = "CIS-CloudTrailChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" @@ -56,7 +56,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" @@ -84,7 +84,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { name = "CIS-CloudTrailChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" diff --git a/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md b/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md index 26876208762..aff8b0606e9 100644 --- a/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md +++ b/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md 
@@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md b/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md index c033079c260..e48bfde1bf1 100644 --- a/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md +++ b/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md b/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md index 1b6c4149652..fad0a43b43b 100644 --- a/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md +++ b/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Reso ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md b/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md index 823bed53e61..30d26a9250c 100644 
--- a/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md +++ b/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use insecure protocols, to r ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="41 30" +```tf title="Positive test num. 1 - tf file" hl_lines="41 30" #this is a problematic code where the query should report a result(s) resource "aws_elb" "positive1" { name = "wu-tang" diff --git a/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md b/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md index 00c4f83de9a..35e150ad414 100644 --- a/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md +++ b/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md @@ -28,7 +28,7 @@ A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) i ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 35 23" +```tf title="Positive test num. 1 - tf file" hl_lines="1 35 23" resource "aws_rds_cluster_instance" "cluster_instances" { count = 2 identifier = "aurora-cluster-demo-${count.index}" diff --git a/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md b/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md index ba925667082..2813f43d591 100644 --- a/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md +++ b/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md @@ -28,7 +28,7 @@ IAM role allows all services or principals to assume it
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="37" +```tf title="Positive test num. 1 - tf file" hl_lines="37" // Create a role which OpenShift instances will assume. // This role has a policy saying it can be assumed by ec2 // instances. diff --git a/docs/queries/terraform-queries/aws/132a8c31-9837-4203-9fd1-15ca210c7b73.md b/docs/queries/terraform-queries/aws/132a8c31-9837-4203-9fd1-15ca210c7b73.md index 9d99b4b0b3a..19d9e763d9f 100644 --- a/docs/queries/terraform-queries/aws/132a8c31-9837-4203-9fd1-15ca210c7b73.md +++ b/docs/queries/terraform-queries/aws/132a8c31-9837-4203-9fd1-15ca210c7b73.md @@ -28,7 +28,7 @@ SSO policies should be configured to grant limited administrative privileges, ra ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_ssoadmin_permission_set_inline_policy" "pos1" { instance_arn = aws_ssoadmin_permission_set.example.instance_arn permission_set_arn = aws_ssoadmin_permission_set.example.arn diff --git a/docs/queries/terraform-queries/aws/1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md b/docs/queries/terraform-queries/aws/1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md index 6fabd04cd6f..d89e5967b7a 100644 --- a/docs/queries/terraform-queries/aws/1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md +++ b/docs/queries/terraform-queries/aws/1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md @@ -28,7 +28,7 @@ Lambda access/secret keys should not be hardcoded
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="57 36" +```tf title="Positive test num. 1 - tf file" hl_lines="57 36" resource "aws_iam_role" "positive1" { name = "iam_for_lambda" diff --git a/docs/queries/terraform-queries/aws/1419b4c6-6d5c-4534-9cf6-6a5266085333.md b/docs/queries/terraform-queries/aws/1419b4c6-6d5c-4534-9cf6-6a5266085333.md index a2e90aa5922..852c812dd89 100644 --- a/docs/queries/terraform-queries/aws/1419b4c6-6d5c-4534-9cf6-6a5266085333.md +++ b/docs/queries/terraform-queries/aws/1419b4c6-6d5c-4534-9cf6-6a5266085333.md @@ -28,7 +28,7 @@ All AWS CloudFront distributions should be integrated with the Web Application F ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" module "acm" { diff --git a/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md b/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md index a6b253d89b0..44fbe8212f8 100644 --- a/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md +++ b/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md @@ -28,7 +28,7 @@ The Remote Desktop port is open to the internet in a Security Group
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 14" +```tf title="Positive test num. 1 - tf file" hl_lines="1 14" resource "aws_security_group" "positive1" { name = "rdp_positive_tcp_1" description = "Gets the remote desktop port open with the tcp protocol" diff --git a/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md b/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md index 593cc9cbf6a..e4838839239 100644 --- a/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md +++ b/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md @@ -28,7 +28,7 @@ API Gateway Method should restrict the authorization type, except for the HTTP O ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_api_gateway_method" "positive1" { rest_api_id = aws_api_gateway_rest_api.this.id resource_id = aws_api_gateway_resource.this.id diff --git a/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md b/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md index 357ab1b06ef..8f7b4cf005b 100644 --- a/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md +++ b/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } 
diff --git a/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md b/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md index fa65513dbf4..2c8343e212c 100644 --- a/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md +++ b/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md @@ -28,7 +28,7 @@ Make sure Logging is enabled for Redshift Cluster
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 13" +```tf title="Positive test num. 1 - tf file" hl_lines="9 13" resource "aws_redshift_cluster" "positive1" { cluster_identifier = "tf-redshift-cluster" database_name = "mydb" diff --git a/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md b/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md index 0991a5858dc..6d909de9d42 100644 --- a/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md +++ b/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md @@ -28,7 +28,7 @@ Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudtrail" "positive1" { name = "tf-trail-foobar" s3_bucket_name = aws_s3_bucket.foo.id diff --git a/docs/queries/terraform-queries/aws/19ffbe31-9d72-4379-9768-431195eae328.md b/docs/queries/terraform-queries/aws/19ffbe31-9d72-4379-9768-431195eae328.md index 612580c85c6..a4e7ec508ed 100644 --- a/docs/queries/terraform-queries/aws/19ffbe31-9d72-4379-9768-431195eae328.md +++ b/docs/queries/terraform-queries/aws/19ffbe31-9d72-4379-9768-431195eae328.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md b/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md index cf98986465d..59f8d62b1c3 100644 
--- a/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md +++ b/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md @@ -28,7 +28,7 @@ S3 bucket allows public policy
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 18" +```tf title="Positive test num. 1 - tf file" hl_lines="9 18" resource "aws_s3_bucket" "positive1" { bucket = "example" } @@ -53,7 +53,7 @@ resource "aws_s3_bucket_public_access_block" "positive3" { ignore_public_acls = false } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -88,7 +88,7 @@ POLICY } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e.md b/docs/queries/terraform-queries/aws/1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e.md index 8ebcee8699e..6d288e16d48 100644 --- a/docs/queries/terraform-queries/aws/1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e.md +++ b/docs/queries/terraform-queries/aws/1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e.md @@ -28,7 +28,7 @@ Amazon Aurora does not have encryption for data at rest enabled. To prevent such ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16" +```tf title="Positive test num. 1 - tf file" hl_lines="16" provider "aws" { region = "us-west-2" # Replace with your desired AWS region } @@ -61,7 +61,7 @@ output "cluster_endpoint" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" provider "aws" { region = "us-west-2" # Replace with your desired AWS region } diff --git a/docs/queries/terraform-queries/aws/1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md b/docs/queries/terraform-queries/aws/1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md index 86a636068f0..2b9febb9f99 100644 
--- a/docs/queries/terraform-queries/aws/1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md +++ b/docs/queries/terraform-queries/aws/1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md @@ -28,7 +28,7 @@ ElastiCache Replication Group encryption should be enabled at Transit
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_elasticache_replication_group" "example" { automatic_failover_enabled = true availability_zones = ["us-west-2a", "us-west-2b"] @@ -40,7 +40,7 @@ resource "aws_elasticache_replication_group" "example" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "aws_elasticache_replication_group" "example" { automatic_failover_enabled = true availability_zones = ["us-west-2a", "us-west-2b"] diff --git a/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md b/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md index 029585d720e..3da2868661c 100644 --- a/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md +++ b/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md @@ -28,7 +28,7 @@ It is not advisable for AWS Lambda Functions to have privileged permissions.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4 23" +```tf title="Positive test num. 1 - tf file" hl_lines="4 23" resource "aws_lambda_function" "positivefunction1" { filename = "lambda_function_payload.zip" function_name = "lambda_function_name" diff --git a/docs/queries/terraform-queries/aws/1b6799eb-4a7a-4b04-9001-8cceb9999326.md b/docs/queries/terraform-queries/aws/1b6799eb-4a7a-4b04-9001-8cceb9999326.md index 20ca1149cca..57009fde36f 100644 --- a/docs/queries/terraform-queries/aws/1b6799eb-4a7a-4b04-9001-8cceb9999326.md +++ b/docs/queries/terraform-queries/aws/1b6799eb-4a7a-4b04-9001-8cceb9999326.md @@ -28,7 +28,7 @@ API Gateway should have Access Log Settings defined
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 6" +```tf title="Positive test num. 1 - tf file" hl_lines="1 6" resource "aws_api_gateway_stage" "postive1" { stage_name = "dev" rest_api_id = "id" diff --git a/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md b/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md index 485092ef911..ee20d07b9a0 100644 --- a/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md +++ b/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md @@ -28,7 +28,7 @@ IAM password should have the required minimum length
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 10" +```tf title="Positive test num. 1 - tf file" hl_lines="1 10" resource "aws_iam_account_password_policy" "positive1" { require_lowercase_characters = true require_numbers = true diff --git a/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md b/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md index a1cf574893d..3e60bf4ee3b 100644 --- a/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md +++ b/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md @@ -28,7 +28,7 @@ Content Delivery Network (CDN) service is used within an AWS account to secure a ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11 61" +```tf title="Positive test num. 1 - tf file" hl_lines="11 61" resource "aws_cloudfront_distribution" "positive1" { origin { domain_name = aws_s3_bucket.b.bucket_regional_domain_name diff --git a/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md b/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md index 789ff733cc0..64a5854b928 100644 --- a/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md +++ b/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md @@ -28,7 +28,7 @@ Make sure the AWS RDS configuration has automatic backup configured. If the rete ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="12" +```tf title="Positive test num. 1 - tf file" hl_lines="12" //some comments (used just for resource offset) resource "aws_db_instance" "positive1" { 
@@ -44,7 +44,7 @@ resource "aws_db_instance" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" @@ -124,7 +124,7 @@ module "db" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -137,7 +137,7 @@ resource "aws_db_instance" "positive1" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" module "db" { diff --git a/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md b/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md index 2fa65c67ac0..dccec9f27b8 100644 --- a/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md +++ b/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md @@ -28,7 +28,7 @@ S3 Buckets must not allow Get Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17 42" +```tf title="Positive test num. 1 - tf file" hl_lines="17 42" resource "aws_s3_bucket" "positive1" { bucket = "my_tf_test_bucket" } @@ -81,7 +81,7 @@ resource "aws_s3_bucket_policy" "positive3" { POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="23" +```tf title="Positive test num. 2 - tf file" hl_lines="23" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/1e0ef61b-ad85-4518-a3d3-85eaad164885.md b/docs/queries/terraform-queries/aws/1e0ef61b-ad85-4518-a3d3-85eaad164885.md index 8c828de6d97..1f467b75af2 100644 --- a/docs/queries/terraform-queries/aws/1e0ef61b-ad85-4518-a3d3-85eaad164885.md +++ b/docs/queries/terraform-queries/aws/1e0ef61b-ad85-4518-a3d3-85eaad164885.md @@ -28,7 +28,7 @@ The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_db_security_group" "positive1" { name = "rds_sg" diff --git a/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md b/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md index 52a4e827408..47286ced5a7 100644 
--- a/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md
+++ b/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md
@@ -28,7 +28,7 @@ S3 bucket without restriction of public bucket
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11 14" +```tf title="Positive test num. 1 - tf file" hl_lines="11 14" resource "aws_s3_bucket" "positive1" { bucket = "example" } @@ -49,7 +49,7 @@ resource "aws_s3_bucket_public_access_block" "positive3" { block_public_policy = true } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -83,7 +83,7 @@ POLICY } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/20018359-6fd7-4d05-ab26-d4dffccbdf79.md b/docs/queries/terraform-queries/aws/20018359-6fd7-4d05-ab26-d4dffccbdf79.md index eafb8845bec..c624d46ef2c 100644 --- a/docs/queries/terraform-queries/aws/20018359-6fd7-4d05-ab26-d4dffccbdf79.md +++ b/docs/queries/terraform-queries/aws/20018359-6fd7-4d05-ab26-d4dffccbdf79.md @@ -28,7 +28,7 @@ ELB should have logging enabled to help on error investigation
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" resource "aws_elb" "postive1" { name = "foobar-terraform-elb" availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] @@ -75,7 +75,7 @@ resource "aws_elb" "postive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_elb" "postive2" { name = "foobar-terraform-elb" availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] @@ -115,7 +115,7 @@ resource "aws_elb" "postive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "elb_http" { source = "terraform-aws-modules/elb/aws" version = "~> 2.0" @@ -161,7 +161,7 @@ module "elb_http" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="39" module "elb_http" { diff --git a/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md b/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md index 83cc2515697..7158ca4848e 100644 --- a/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md +++ b/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md @@ -28,7 +28,7 @@ DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16" +```tf title="Positive test num. 1 - tf file" hl_lines="16" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md b/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md index 269f1112bb6..03c2d40e825 100644 --- a/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md +++ b/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for route table changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { name = "CIS-RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" @@ -55,7 +55,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { name = "CIS-RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" diff --git a/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md b/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md index 5cd4b2e202f..1db7fa2f076 100644 --- a/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md +++ b/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md 
@@ -28,13 +28,13 @@ Customer Master Keys (CMK) must have rotation enabled, which means the attribute ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_kms_key" "positive1" { description = "KMS key 1" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_kms_key" "positive2" { description = "KMS key 2" is_enabled = true @@ -42,7 +42,7 @@ resource "aws_kms_key" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_kms_key" "positive3" { description = "KMS key 3" is_enabled = true @@ -51,7 +51,7 @@ resource "aws_kms_key" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_kms_key" "positive4" { @@ -62,7 +62,7 @@ resource "aws_kms_key" "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="1" resource "aws_kms_key" "positive5" { diff --git a/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md b/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md index 8c1a7330638..0e18d624702 100644 --- a/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md +++ b/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md @@ -28,7 +28,7 @@ EC2 Instance should have detailed monitoring enabled. With detailed monitoring e ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17" +```tf title="Positive test num. 1 - tf file" hl_lines="17" data "aws_ami" "ubuntu" { most_recent = true @@ -55,7 +55,7 @@ resource "aws_instance" "monitoring_positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="20" +```tf title="Positive test num. 2 - tf file" hl_lines="20" data "aws_ami" "ubuntu" { most_recent = true @@ -83,7 +83,7 @@ resource "aws_instance" "monitoring_positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 3.0" @@ -104,7 +104,7 @@ module "ec2_instance" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="10" module "ec2_instance" { @@ -129,7 +129,7 @@ module "ec2_instance" { ```
-
Postitive test num. 5 - json file +
Positive test num. 5 - json file ```json hl_lines="28" { diff --git a/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md b/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md index c21eeb010e2..d41999fb9f4 100644 --- a/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md +++ b/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md @@ -28,7 +28,7 @@ A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverle ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="21" +```tf title="Positive test num. 1 - tf file" hl_lines="21" resource "aws_vpc_endpoint_policy" "example" { vpc_endpoint_id = aws_vpc_endpoint.example.id policy = jsonencode({ @@ -94,7 +94,7 @@ resource "aws_dynamodb_table" "basic-dynamodb-table" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="21" +```tf title="Positive test num. 2 - tf file" hl_lines="21" resource "aws_vpc_endpoint_policy" "example2" { vpc_endpoint_id = aws_vpc_endpoint.example2.id policy = jsonencode({ @@ -160,7 +160,7 @@ resource "aws_dynamodb_table" "example2-table" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="21" +```tf title="Positive test num. 3 - tf file" hl_lines="21" resource "aws_vpc_endpoint_policy" "example3" { vpc_endpoint_id = aws_vpc_endpoint.example3.id policy = jsonencode({ @@ -226,7 +226,7 @@ resource "aws_dynamodb_table" "example3-table" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_dynamodb_table" "example3-table" { diff --git a/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md b/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md index 877415642e6..d5368c578f4 100644 --- a/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md +++ b/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md @@ -28,7 +28,7 @@ Check if ElasticSearch encryption is disabled at Rest
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 11" +```tf title="Positive test num. 1 - tf file" hl_lines="1 11" resource "aws_elasticsearch_domain" "positive1" { domain_name = "example" elasticsearch_version = "1.5" diff --git a/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md b/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md index 1553cf2c247..bd7684d64dd 100644 --- a/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md +++ b/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md @@ -28,7 +28,7 @@ Check if the redis version is compliant with the necessary AWS PCI DSS requireme ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" #this is a problematic code where the query should report a result(s) resource "aws_elasticache_cluster" "positive1" { cluster_id = "cluster-example" diff --git a/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md b/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md index eeb2917fc14..4479af7410c 100644 --- a/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md +++ b/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md @@ -28,7 +28,7 @@ Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CM ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_efs_file_system" "positive1" { creation_token = "my-product" encrypted = true 
diff --git a/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md b/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md
index b6254019a16..1a5cdcff924 100644
--- a/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md
+++ b/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md
@@ -28,7 +28,7 @@ Check if Record is set
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_route53_record" "example" { allow_overwrite = true name = "test.example.com" diff --git a/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md b/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md index 1381e40a44c..7b72f8945a7 100644 --- a/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md +++ b/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for S3 bucket policy changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 3 30" +```tf title="Positive test num. 1 - tf file" hl_lines="1 3 30" resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { name = "CIS-S3BucketPolicyChanges" pattern = "{ ($.eventSource = \"s3.amazonaws.com\") || (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { name = "CIS-S3BucketPolicyChanges" pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" 
@@ -111,7 +111,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="3" +```tf title="Positive test num. 3 - tf file" hl_lines="3" resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { name = "CIS-S3BucketPolicyChanges" pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" @@ -139,7 +139,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="3" resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { @@ -170,7 +170,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="4 31" resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { diff --git a/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md b/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md index de37fa862e6..06fe6d5683e 100644 --- a/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md +++ b/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md @@ -28,14 +28,14 @@ SNS (Simple Notification Service) Topic should be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "aws_sns_topic" "user_updates" { name = "user-updates-topic" kms_master_key_id = "" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md b/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md index d4f16ef406f..ae4a204386b 100644 --- a/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md +++ b/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md @@ -28,7 +28,7 @@ Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (V ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_emr_cluster" "positive1" { name = "emr-test-arn" release_label = "emr-4.6.0" diff --git a/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md b/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md index ed6b7e11d4d..6c9c7cc59cb 100644 --- a/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md +++ b/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md @@ -28,7 +28,7 @@ A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an ob ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" provider "aws" { region = "us-east-1" } 
@@ -78,7 +78,7 @@ resource "aws_lb" "test3" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" provider "aws" { region = "us-east-1" } @@ -116,7 +116,7 @@ resource "aws_s3_bucket" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="14" +```tf title="Positive test num. 3 - tf file" hl_lines="14" provider "aws" { region = "us-east-1" } @@ -153,7 +153,7 @@ resource "aws_s3_bucket" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="14" provider "aws" { @@ -200,7 +200,7 @@ resource "aws_s3_bucket_public_access_block" "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="14" provider "aws" { @@ -247,7 +247,7 @@ resource "aws_s3_bucket_public_access_block" "positive5" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="14" provider "aws" { @@ -306,7 +306,7 @@ POLICY ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="14" provider "aws" { @@ -369,7 +369,7 @@ POLICY ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="14" provider "aws" { @@ -446,7 +446,7 @@ POLICY ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="14" terraform { @@ -468,7 +468,7 @@ resource "aws_s3_bucket" "positive9" { ```
-
Postitive test num. 10 - tf file +
Positive test num. 10 - tf file ```tf hl_lines="14" terraform { diff --git a/docs/queries/terraform-queries/aws/2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e.md b/docs/queries/terraform-queries/aws/2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e.md index 985a2ce1eb6..c27ff4e096e 100644 --- a/docs/queries/terraform-queries/aws/2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e.md +++ b/docs/queries/terraform-queries/aws/2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e.md @@ -28,7 +28,7 @@ Amazon Elasticsearch does not have encryption for its domains enabled. To preven ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="27" +```tf title="Positive test num. 1 - tf file" hl_lines="27" provider "aws" { region = "us-west-2" } diff --git a/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md b/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md index 7d1beb3e7c6..f80de3a5b7b 100644 --- a/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md +++ b/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md @@ -28,7 +28,7 @@ AWS CloudFormation Stack should have a stack policy in order to protect stack re ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudformation_stack" "positive1" { name = "networking-stack" diff --git a/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md b/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md index b078c9d2773..686baf39163 100644 --- a/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md +++ b/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md 
@@ -28,7 +28,7 @@ IAM policies shouldn't allow full administrative privileges (for all resources)< ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="19 5" +```tf title="Positive test num. 1 - tf file" hl_lines="19 5" resource "aws_iam_role_policy" "positive1" { name = "apigateway-cloudwatch-logging" role = aws_iam_role.apigateway_cloudwatch_logging.id diff --git a/docs/queries/terraform-queries/aws/2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md b/docs/queries/terraform-queries/aws/2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md index 3917346c61b..10837a25198 100644 --- a/docs/queries/terraform-queries/aws/2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md +++ b/docs/queries/terraform-queries/aws/2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md @@ -28,7 +28,7 @@ Ensure MSK Cluster Logging is enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 5 15" +```tf title="Positive test num. 1 - tf file" hl_lines="8 5 15" resource "aws_msk_cluster" "positive1" { logging_info { broker_logs { diff --git a/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md b/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md index c13bdae28aa..d501fc85d61 100644 --- a/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md +++ b/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md @@ -28,7 +28,7 @@ RDS should not run in public subnet
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "aws_db_instance" "positive1" { allocated_storage = 10 engine = "mysql" @@ -63,7 +63,7 @@ resource "aws_subnet" "backend" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" resource "aws_db_instance" "positive2" { allocated_storage = 10 engine = "mysql" diff --git a/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md b/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md index be75432baf0..6b9a511a968 100644 --- a/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md +++ b/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md b/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md index 89ee65bb6cf..dc5b9d5ad3c 100644 --- a/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md +++ b/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md @@ -28,7 +28,7 @@ Check if MQ Brokers don't have logging enabled in any of the two options possibl ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 1 17" +```tf title="Positive test num. 1 - tf file" hl_lines="8 1 17" resource "aws_mq_broker" "positive1" { broker_name = "no-logging" } 
diff --git a/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md b/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md index 6aa6ade12c4..2d91123a77e 100644 --- a/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md +++ b/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md @@ -28,7 +28,7 @@ RDS Storage should be encrypted, which means the attribute 'storage_encrypted' s ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_rds_cluster" "positive1" { cluster_identifier = "aurora-cluster-demo" engine = "aurora-mysql" @@ -42,7 +42,7 @@ resource "aws_rds_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "aws_rds_cluster" "positive3" { cluster_identifier = "cloudrail-test-non-encrypted" engine = "aurora-mysql" diff --git a/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md b/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md index 79e60114ca9..1c9a75d1e53 100644 --- a/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md +++ b/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md @@ -28,7 +28,7 @@ ECS Services must not have Admin roles, which means the attribute 'iam_role' mus ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" #this is a problematic code where the query should report a result(s) resource "aws_ecs_service" "positive1" { name = "mongodb" 
diff --git a/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md b/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md index edfa792bfab..8ee261b0a20 100644 --- a/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md +++ b/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md b/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md index ca714ccbdb7..b20c42a3621 100644 --- a/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md +++ b/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md @@ -28,7 +28,7 @@ SES policy should not allow IAM actions to all principals
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_ses_identity_policy" "positive1" { identity = aws_ses_domain_identity.example.arn name = "example" diff --git a/docs/queries/terraform-queries/aws/35113e6f-2c6b-414d-beec-7a9482d3b2d1.md b/docs/queries/terraform-queries/aws/35113e6f-2c6b-414d-beec-7a9482d3b2d1.md index 313206dc795..73475b1075b 100644 --- a/docs/queries/terraform-queries/aws/35113e6f-2c6b-414d-beec-7a9482d3b2d1.md +++ b/docs/queries/terraform-queries/aws/35113e6f-2c6b-414d-beec-7a9482d3b2d1.md @@ -28,7 +28,7 @@ RDS must not be defined with public interface, which means the field 'publicly_a ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -41,7 +41,7 @@ resource "aws_db_instance" "positive1" { publicly_accessible = true } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" diff --git a/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md b/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md index d03d8d9947e..92ad177058a 100644 --- a/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md +++ b/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md 
@@ -28,7 +28,7 @@ Any IAM User should not have more than one access key since it increases the ris ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2 7" +```tf title="Positive test num. 1 - tf file" hl_lines="2 7" resource "aws_iam_access_key" "positive1" { user = aws_iam_user.lb.name pgp_key = "keybase:some_person_that_exists" diff --git a/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md b/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md index 509817d2195..0993acf11c3 100644 --- a/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md +++ b/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md b/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md index 0a07c479f40..8754f767286 100644 --- a/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md +++ b/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md @@ -28,7 +28,7 @@ Amazon EKS control plane logging is not enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" variable "cluster_name" { default = "example" type = string diff --git a/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md b/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md index 1b297d590a2..2b94a91d3ea 100644 --- a/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md +++ b/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md @@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for the whole network in ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="96 66 36 6 111 81 51 21" +```tf title="Positive test num. 1 - tf file" hl_lines="96 66 36 6 111 81 51 21" resource "aws_security_group" "positive1" { name = "allow_tls1" description = "Allow TLS inbound traffic" diff --git a/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md b/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md index 770931fdebd..97f4eb2352a 100644 --- a/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md +++ b/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for AWS organizations changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } @@ -67,7 +67,7 @@ resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } diff --git a/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md b/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md index 72085052433..ee94364d370 100644 --- a/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md +++ b/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md @@ -28,7 +28,7 @@ S3 Buckets should not be readable and writable to all users
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" provider "aws" { region = "us-east-1" } @@ -56,7 +56,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="16" +```tf title="Positive test num. 2 - tf file" hl_lines="16" provider "aws" { region = "us-east-1" } @@ -85,7 +85,7 @@ resource "aws_s3_bucket" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="6" +```tf title="Positive test num. 3 - tf file" hl_lines="6" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -99,7 +99,7 @@ module "s3_bucket" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="6" module "s3_bucket" { @@ -116,7 +116,7 @@ module "s3_bucket" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="20" provider "aws" { @@ -143,7 +143,7 @@ resource "aws_s3_bucket_acl" "example_bucket_acl" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="20" provider "aws" { diff --git a/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md b/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md index 5e902d16f68..5e41cd59e89 100644 --- a/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md +++ b/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md @@ -28,7 +28,7 @@ CloudFront web distributions should use custom (and not default) SSL certificate ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="88 5 134" +```tf title="Positive test num. 1 - tf file" hl_lines="88 5 134" resource "aws_s3_bucket" "positive1" { # configs } diff --git a/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md b/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md index 0ddddc4817c..965f90ee883 100644 --- a/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md +++ b/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="30" +```tf title="Positive test num. 1 - tf file" hl_lines="30" provider "aws" { region = "us-east-1" } @@ -73,7 +73,7 @@ resource "aws_network_acl" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="22" +```tf title="Positive test num. 2 - tf file" hl_lines="22" provider "aws" { region = "us-east-1" } @@ -107,7 +107,7 @@ resource "aws_network_acl_rule" "postive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="26" +```tf title="Positive test num. 3 - tf file" hl_lines="26" provider "aws" { region = "us-east-1" } @@ -148,7 +148,7 @@ resource "aws_network_acl" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="14" module "vpc" { diff --git a/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md b/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md index a6d9b78790b..66579a18c78 100644 --- a/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md +++ b/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md @@ -28,7 +28,7 @@ RDS instance should have automatic minor upgrades enabled, which means the attri ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="13" +```tf title="Positive test num. 1 - tf file" hl_lines="13" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -44,7 +44,7 @@ resource "aws_db_instance" "positive1" { auto_minor_version_upgrade = false } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" diff --git a/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md b/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md index decc70ce49f..9a0af709de4 100644 --- a/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md +++ b/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md @@ -28,7 +28,7 @@ EBS Encryption should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "aws_ebs_encryption_by_default" "positive1" { enabled = false } diff --git a/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md b/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md index d0b9c067ff0..436030166ec 100644 --- a/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md +++ b/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md @@ -28,7 +28,7 @@ AmazonMQ Broker should have Encryption Options defined
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_mq_broker" "positive1" { broker_name = "example" diff --git a/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md b/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md index ed977c76ec2..01cf5bcc74a 100644 --- a/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md +++ b/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource s ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md b/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md index 23f96ce1a05..762b21d5c71 100644 --- a/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md +++ b/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md @@ -28,7 +28,7 @@ Users should authenticate with MFA (Multi-factor Authentication) to ensure an ex ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="23" +```tf title="Positive test num. 1 - tf file" hl_lines="23" provider "aws" { region = "us-east-1" } @@ -71,7 +71,7 @@ EOF } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="19" +```tf title="Positive test num. 2 - tf file" hl_lines="19" provider "aws" { region = "us-east-1" } 
diff --git a/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md b/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md index 9516e38e6e1..fd70bed4a14 100644 --- a/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md +++ b/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md @@ -28,7 +28,7 @@ CodeBuild Project should be encrypted with customer-managed KMS keys instead of ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="35" +```tf title="Positive test num. 1 - tf file" hl_lines="35" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/3ef8696c-e4ae-4872-92c7-520bb44dfe77.md b/docs/queries/terraform-queries/aws/3ef8696c-e4ae-4872-92c7-520bb44dfe77.md index 9f1f74ba065..54240c62445 100644 --- a/docs/queries/terraform-queries/aws/3ef8696c-e4ae-4872-92c7-520bb44dfe77.md +++ b/docs/queries/terraform-queries/aws/3ef8696c-e4ae-4872-92c7-520bb44dfe77.md @@ -28,7 +28,7 @@ Allowing to run lambda function using public API Gateway
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" resource "aws_lambda_permission" "apigw" { statement_id = "AllowAPIGatewayInvoke" action = "lambda:InvokeFunction" diff --git a/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md b/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md index 237eed2cf45..7252d755a2e 100644 --- a/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md +++ b/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md @@ -28,7 +28,7 @@ The use of AWS SSO for creating users may pose a security risk as it does not sy ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_identitystore_user" "example" { identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0] diff --git a/docs/queries/terraform-queries/aws/41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md b/docs/queries/terraform-queries/aws/41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md index 81123fffcea..eb42b63cd86 100644 --- a/docs/queries/terraform-queries/aws/41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md +++ b/docs/queries/terraform-queries/aws/41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md @@ -28,7 +28,7 @@ Redshift should not use the default port (5439) because an attacker can easily g ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_redshift_cluster" "positive1" { cluster_identifier = "tf-redshift-cluster" database_name = "mydb" 
@@ -40,7 +40,7 @@ resource "aws_redshift_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "aws_redshift_cluster" "positive2" { cluster_identifier = "tf-redshift-cluster" database_name = "mydb" diff --git a/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md b/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md index 1586b98e5fe..b446d4887bc 100644 --- a/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md +++ b/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md @@ -28,7 +28,7 @@ Checks if any static websites are hosted on buckets. Even static websites can be ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="18" +```tf title="Positive test num. 1 - tf file" hl_lines="18" provider "aws" { region = "us-east-1" } @@ -53,7 +53,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -72,7 +72,7 @@ module "s3_bucket" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="15" +```tf title="Positive test num. 3 - tf file" hl_lines="15" terraform { required_providers { aws = { diff --git a/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md b/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md index a0770bf14d7..559772d37ac 100644 --- a/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md +++ b/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md @@ -28,7 +28,7 @@ Amazon EKS public endpoint shoud be set to false
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "aws_eks_cluster" "positive1" { name = "example" role_arn = aws_iam_role.example.arn diff --git a/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md b/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md index 1f086d3e558..90d0b6e0015 100644 --- a/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md +++ b/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Reso ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md b/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md index 30344b80c20..d45d5fffda7 100644 --- a/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md +++ b/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md @@ -28,7 +28,7 @@ User Data should not contain a base64 encoded private key. If so, anyone can dec ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_launch_configuration" "positive1" { image_id = data.aws_ami.ubuntu.id instance_type = "m4.large" 
@@ -41,7 +41,7 @@ resource "aws_launch_configuration" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" module "positive2" { source = "terraform-aws-modules/autoscaling/aws" version = "1.0.4" @@ -94,7 +94,7 @@ module "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="11" +```tf title="Positive test num. 3 - tf file" hl_lines="11" module "positive3" { source = "terraform-aws-modules/autoscaling/aws" version = "1.0.4" diff --git a/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md b/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md index 9a5f7de3be0..29fd0f8249d 100644 --- a/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md +++ b/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for management console sign-in withou ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" @@ -81,7 +81,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" 
@@ -109,7 +109,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { name = "CIS-ConsoleSigninWithoutMFA" pattern = "{ $.additionalEventData.MFAUsed != \"Yes\" }" @@ -137,7 +137,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { diff --git a/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md b/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md index 61242b71457..0b0e54477e9 100644 --- a/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md +++ b/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md @@ -28,7 +28,7 @@ Neptune logging should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_neptune_cluster" "postive1" { cluster_identifier = "neptune-cluster" engine = "neptune" @@ -40,7 +40,7 @@ resource "aws_neptune_cluster" "postive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "aws_neptune_cluster" "postive2" { cluster_identifier = "neptune-cluster" engine = "neptune" @@ -53,7 +53,7 @@ resource "aws_neptune_cluster" "postive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="9" +```tf title="Positive test num. 3 - tf file" hl_lines="9" resource "aws_neptune_cluster" "postive3" { cluster_identifier = "neptune-cluster" engine = "neptune" diff --git a/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md b/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md index c3db328f430..0452526dd27 100644 --- a/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md +++ b/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md @@ -28,7 +28,7 @@ Check if default security group does not restrict all inbound and outbound traff ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="24 1 13" +```tf title="Positive test num. 1 - tf file" hl_lines="24 1 13" resource "aws_default_security_group" "positive1" { vpc_id = aws_vpc.mainvpc.id diff --git a/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md b/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md index 56f692e3c51..44c5fc968e6 100644 --- a/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md +++ b/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md 
@@ -28,7 +28,7 @@ Security groups allow ingress from 0.0.0.0:0 and/or ::/0
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "aws_security_group_rule" "positive1" { type = "ingress" from_port = 3306 @@ -39,7 +39,7 @@ resource "aws_security_group_rule" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" resource "aws_security_group" "positive2" { ingress { from_port = 3306 @@ -51,7 +51,7 @@ resource "aws_security_group" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="13" +```tf title="Positive test num. 3 - tf file" hl_lines="13" resource "aws_security_group" "positive3" { ingress { from_port = 3306 @@ -69,7 +69,7 @@ resource "aws_security_group" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="9" module "web_server_sg" { @@ -85,7 +85,7 @@ module "web_server_sg" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="9" module "web_server_sg" { @@ -101,7 +101,7 @@ module "web_server_sg" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="6" resource "aws_security_group_rule" "positive6" { @@ -115,7 +115,7 @@ resource "aws_security_group_rule" "positive6" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="6" resource "aws_security_group" "positive7" { @@ -130,7 +130,7 @@ resource "aws_security_group" "positive7" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="13" resource "aws_security_group" "positive8" { @@ -151,7 +151,7 @@ resource "aws_security_group" "positive8" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="9" module "web_server_sg" { @@ -167,7 +167,7 @@ module "web_server_sg" { ```
-
Postitive test num. 10 - tf file +
Positive test num. 10 - tf file ```tf hl_lines="9" module "web_server_sg" { diff --git a/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md b/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md index 19233213df0..27ae4f3f686 100644 --- a/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md +++ b/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md @@ -28,7 +28,7 @@ AWS DOCDB Cluster should be encrypted with a KMS encryption key
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_docdb_cluster" "docdb" { cluster_identifier = "my-docdb-cluster" engine = "docdb" diff --git a/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md b/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md index 74bfd1d7b62..e38ede3a4fd 100644 --- a/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md +++ b/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md @@ -28,7 +28,7 @@ Elastic File System (EFS) must be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 11" +```tf title="Positive test num. 1 - tf file" hl_lines="1 11" resource "aws_efs_file_system" "positive1" { creation_token = "my-product" diff --git a/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md b/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md index 61f1f20fba1..c7416c0a035 100644 --- a/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md +++ b/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md @@ -28,7 +28,7 @@ Check if SNS topic name is set for CloudTrail
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 5" +```tf title="Positive test num. 1 - tf file" hl_lines="1 5" resource "aws_cloudtrail" "positive1" { # ... other configuration ... } diff --git a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md index aa5e678b29c..df9a95ffcc1 100644 --- a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md +++ b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md @@ -28,7 +28,7 @@ Security group must be used or not declared
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_lb" "test" { name = "test" load_balancer_type = "application" @@ -64,7 +64,7 @@ resource "aws_security_group" "allow_tls" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="15" +```tf title="Positive test num. 2 - tf file" hl_lines="15" # given: # - unused security group # - aws_instance @@ -104,7 +104,7 @@ resource "aws_security_group" "unused-sg" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="19" +```tf title="Positive test num. 3 - tf file" hl_lines="19" # given: # - unused security group # - used security group @@ -173,7 +173,7 @@ resource "aws_security_group" "used_sg" { ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="21" # given: diff --git a/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md b/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md index 08b666e2ecd..0c5f1cb016f 100644 --- a/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md +++ b/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md @@ -28,7 +28,7 @@ ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="41 74 63" +```tf title="Positive test num. 1 - tf file" hl_lines="41 74 63" #this is a problematic code where the query should report a result(s) resource "aws_elb" "positive1" { name = "wu-tang" diff --git a/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md b/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md index 55f2f810b27..0bf0ae0dc1b 100644 --- a/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md +++ b/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md @@ -28,7 +28,7 @@ Checks if logging is enabled for CloudTrail.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" #this is a problematic code where the query should report a result(s) resource "aws_cloudtrail" "positive1" { name = "positive" diff --git a/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md b/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md index 3139b368be7..b79757d74ef 100644 --- a/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md +++ b/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md @@ -28,7 +28,7 @@ S3 Bucket policy should not accept HTTP Requests
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_s3_bucket" "b" { bucket = "my-tf-test-bucket" } @@ -65,7 +65,7 @@ EOF ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" resource "aws_s3_bucket" "b2" { bucket = "my-tf-test-bucket" @@ -94,7 +94,7 @@ EOF } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="12" +```tf title="Positive test num. 3 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -131,7 +131,7 @@ EOF } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="32" @@ -170,7 +170,7 @@ resource "aws_s3_bucket" "pos4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="32" diff --git a/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md b/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md index d35fe06b8ac..9e756bcd3ec 100644 --- a/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md +++ b/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md @@ -28,7 +28,7 @@ ElastiCache should have Redis enabled, since it covers Compliance Certifications ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" #this is a problematic code where the query should report a result(s) resource "aws_elasticache_cluster" "positive1" { cluster_id = "cluster-example" diff --git a/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md b/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md index ebd2f111c60..bb64351a172 100644 --- a/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md +++ b/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for security group changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" { name = "CIS-SecurityGroupChanges" pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" @@ -55,7 +55,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" { name = "CIS-SecurityGroupChanges" pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" diff --git a/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md b/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md index c08926c6b77..059f22e6c2f 100644 --- a/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md +++ b/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md 
@@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for unauthorized API calls
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { alarm_name = "CIS-3.1-UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -82,7 +82,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { name = "CIS-ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" @@ -110,7 +110,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { alarm_name = "CIS-3.1-UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -138,7 +138,7 @@ resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_f } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { diff --git a/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md b/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md index 6439b2f4501..5e2cb9df848 100644 --- a/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md +++ b/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md @@ -28,7 +28,7 @@ Amazon ECS Task Definition does not have encryption for data at transit enabled. ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "aws_ecs_task_definition" "service" { family = "service" container_definitions = file("task-definitions/service.json") @@ -50,7 +50,7 @@ resource "aws_ecs_task_definition" "service" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" resource "aws_ecs_task_definition" "service_2" { family = "service" container_definitions = file("task-definitions/service.json") @@ -71,7 +71,7 @@ resource "aws_ecs_task_definition" "service_2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="5" +```tf title="Positive test num. 3 - tf file" hl_lines="5" resource "aws_ecs_task_definition" "service_2" { family = "service" container_definitions = file("task-definitions/service.json") diff --git a/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md b/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md index 98e8e678c8a..357ca31c82f 100644 --- a/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md +++ b/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md 
@@ -28,7 +28,7 @@ Launch Configurations should have the data in the volumes encrypted. To encrypt ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11 28 36" +```tf title="Positive test num. 1 - tf file" hl_lines="11 28 36" resource "aws_launch_configuration" "positive1" { image_id = data.aws_ami.ubuntu.id instance_type = "m4.large" @@ -69,7 +69,7 @@ resource "aws_launch_configuration" "positive3" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14 23" +```tf title="Positive test num. 2 - tf file" hl_lines="14 23" module "asg" { source = "terraform-aws-modules/autoscaling/aws" version = "1.0.4" @@ -121,7 +121,7 @@ module "asg" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="24 18" +```tf title="Positive test num. 3 - tf file" hl_lines="24 18" module "asg" { source = "terraform-aws-modules/autoscaling/aws" version = "1.0.4" @@ -174,7 +174,7 @@ module "asg" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="25 14" module "asg" { diff --git a/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md b/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md index 5cee25c5af3..17066327062 100644 --- a/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md +++ b/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md @@ -28,13 +28,13 @@ API Gateway should have a Security Policy defined and use TLS 1.2.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_api_gateway_domain_name" "example" {
 domain_name = "api.example.com"
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="3"
+```tf title="Positive test num. 2 - tf file" hl_lines="3"
 resource "aws_api_gateway_domain_name" "example2" {
 domain_name = "api.example.com"
 security_policy = "TLS_1_0"
diff --git a/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md b/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md
index 3fca8ed429b..0d514de56ff 100644
--- a/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md
+++ b/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md
@@ -28,7 +28,7 @@ Check if any MQ Broker is not publicly accessible
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="19"
+```tf title="Positive test num. 1 - tf file" hl_lines="19"
 resource "aws_mq_broker" "positive1" {
 broker_name = "example"
diff --git a/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md b/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md
index 763cce41955..6c2056ec258 100644
--- a/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md
+++ b/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md
@@ -28,7 +28,7 @@ The IP address in a DB Security Group must not have more than 256 hosts.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+```tf title="Positive test num. 1 - tf file" hl_lines="5"
 resource "aws_db_security_group" "positive1" {
 name = "rds_sg"
diff --git a/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md b/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md
index cb7c304c1ef..6b0b853e61f 100644
--- a/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md
+++ b/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md
@@ -28,7 +28,7 @@ S3 bucket without ignore public ACL
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "aws_s3_bucket" "positive1" { bucket = "example" } @@ -42,7 +42,7 @@ resource "aws_s3_bucket_public_access_block" "positive2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="7" +```tf title="Positive test num. 2 - tf file" hl_lines="7" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -57,7 +57,7 @@ module "s3_bucket" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -71,7 +71,7 @@ module "s3_bucket" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="5" resource "aws_s3_bucket" "positive1" { diff --git a/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md b/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md index 704183cfa1e..49565f62327 100644 --- a/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md +++ b/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md @@ -28,7 +28,7 @@ VPC Subnet should not assign public IP
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="13" +```tf title="Positive test num. 1 - tf file" hl_lines="13" resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" } @@ -45,7 +45,7 @@ resource "aws_subnet" "positive" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" @@ -67,7 +67,7 @@ module "vpc" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md b/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md index fde84a55c20..34b6bb59ecb 100644 --- a/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md +++ b/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md @@ -28,7 +28,7 @@ CloudTrail log file validation should be enabled to determine whether a log file ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 9" +```tf title="Positive test num. 1 - tf file" hl_lines="1 9" resource "aws_cloudtrail" "positive1" { name = "positive1" s3_bucket_name = "bucketlog1" diff --git a/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md b/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md index 90a0f29e020..b91a518d8c5 100644 --- a/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md +++ b/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md 
@@ -28,7 +28,7 @@ A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_elasticache_cluster" "positive1" { cluster_id = "cluster-example" engine = "memcached" @@ -44,7 +44,7 @@ resource "aws_elasticache_parameter_group" "default_1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_elasticache_cluster" "positive2" { cluster_id = "cluster-example" engine = "redis" @@ -61,7 +61,7 @@ resource "aws_elasticache_parameter_group" "default_2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="33" +```tf title="Positive test num. 3 - tf file" hl_lines="33" resource "aws_security_group" "sg1" { name = "sg1" description = "sg1" @@ -105,7 +105,7 @@ resource "aws_elasticache_cluster" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="33" resource "aws_security_group" "sg11" { @@ -152,7 +152,7 @@ resource "aws_elasticache_cluster" "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="13" resource "aws_security_group" "sgg" { @@ -179,7 +179,7 @@ resource "aws_elasticache_cluster" "positive5" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="13" resource "aws_security_group" "sg6" { diff --git a/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md b/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md index f7a7bc58d8b..1d6298755bf 100644 --- a/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md +++ b/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md @@ -28,7 +28,7 @@ Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" resource "aws_msk_cluster" "positive1" { cluster_name = "example" kafka_version = "2.7.1" diff --git a/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md b/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md index f779b061e17..9713b4543f9 100644 --- a/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md +++ b/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md @@ -28,7 +28,7 @@ Check if port 2383 on TCP is publicly accessible by checking the CIDR block rang ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="19 6" +```tf title="Positive test num. 1 - tf file" hl_lines="19 6" resource "aws_security_group" "positive1" { name = "allow_tls_1" description = "Allow TLS inbound traffic" diff --git a/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md b/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md index 9af4739c294..4feb98a16aa 100644 --- a/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md +++ b/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md 
@@ -28,7 +28,7 @@ Checks if the connection between CloudFront and the viewer is encrypted
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="96 27"
+```tf title="Positive test num. 1 - tf file" hl_lines="96 27"
 #this is a problematic code where the query should report a result(s)
 resource "aws_cloudfront_distribution" "positive1" {
 origin {
diff --git a/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md b/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md
index fb14e243ef3..edcdac8ccc3 100644
--- a/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md
+++ b/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md
@@ -28,7 +28,7 @@ S3 bucket should have versioning enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="24" +```tf title="Positive test num. 1 - tf file" hl_lines="24" provider "aws" { region = "us-east-1" } @@ -57,7 +57,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" provider "aws" { region = "us-east-1" } @@ -82,7 +82,7 @@ resource "aws_s3_bucket" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="23" +```tf title="Positive test num. 3 - tf file" hl_lines="23" provider "aws" { region = "us-east-1" } @@ -111,7 +111,7 @@ resource "aws_s3_bucket" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="10" module "s3_bucket" { @@ -130,7 +130,7 @@ module "s3_bucket" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="9" module "s3_bucket" { @@ -149,7 +149,7 @@ module "s3_bucket" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="1" module "s3_bucket" { @@ -164,7 +164,7 @@ module "s3_bucket" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="27" terraform { @@ -199,7 +199,7 @@ resource "aws_s3_bucket_versioning" "example" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="14" terraform { diff --git a/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md b/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md index 72b897e222b..0a3fc161fe9 100644 --- a/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md +++ b/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for disabling or scheduled deletion o ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } @@ -67,7 +67,7 @@ resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } @@ -106,7 +106,7 @@ resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } diff --git a/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md b/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md index 6b6f6b976ee..6c2b25845f7 100644 --- a/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md +++ b/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md @@ -28,7 +28,7 @@ DocDB logging should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_docdb_cluster" "positive1" { cluster_identifier = "my-docdb-cluster" engine = "docdb" @@ -40,7 +40,7 @@ resource "aws_docdb_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "aws_docdb_cluster" "positive2" { cluster_identifier = "my-docdb-cluster" engine = "docdb" @@ -54,7 +54,7 @@ resource "aws_docdb_cluster" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="10" +```tf title="Positive test num. 3 - tf file" hl_lines="10" resource "aws_docdb_cluster" "positive3" { cluster_identifier = "my-docdb-cluster" engine = "docdb" @@ -68,7 +68,7 @@ resource "aws_docdb_cluster" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="10" resource "aws_docdb_cluster" "positive4" { diff --git a/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md b/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md index dea030bdd36..9de9030c572 100644 --- a/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md +++ b/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resou ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md b/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md index 36ef35f399c..e0f9efafaac 100644 --- a/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md +++ b/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md @@ -28,7 +28,7 @@ IAM policy should not grant full permissions to resources from the get-go, inste ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="20" +```tf title="Positive test num. 1 - tf file" hl_lines="20" resource "aws_iam_user" "positive1" { name = "${local.resource_prefix.value}-user" force_destroy = true 
@@ -74,7 +74,7 @@ output "secret" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "aws_iam_policy" "s3-permission" { name = "s3-permission" policy = < ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16" +```tf title="Positive test num. 1 - tf file" hl_lines="16" provider "aws" { region = "us-east-1" } @@ -53,7 +53,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -67,7 +67,7 @@ module "s3_bucket" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="20" +```tf title="Positive test num. 3 - tf file" hl_lines="20" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md b/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md index 01bec327b38..d239609760a 100644 --- a/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md +++ b/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md @@ -28,7 +28,7 @@ API Gateway should have X-Ray Tracing enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 5" +```tf title="Positive test num. 1 - tf file" hl_lines="8 5" resource "aws_api_gateway_stage" "positive1" { stage_name = "prod" rest_api_id = aws_api_gateway_rest_api.test.id diff --git a/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md b/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md index 412a177c179..2e06709a68e 100644 --- a/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md +++ b/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for AWS Management Console authentica ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { name = "CIS-ConsoleAuthenticationFailure" pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }" @@ -81,7 +81,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { name = "CIS-ConsoleAuthenticationFailure" pattern = "{ (($.eventName = ConsoleLogin)) && ($.errorMessage != \"Failed authentication\") }" 
@@ -108,7 +108,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { name = "CIS-ConsoleAuthenticationFailure" pattern = "{ $.eventName != ConsoleLogin && $.errorMessage = \"Failed authentication\" }" @@ -136,7 +136,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { diff --git a/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md b/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md index fc87616f5bc..ecef8405fcf 100644 --- a/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md +++ b/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md @@ -28,7 +28,7 @@ Sagemaker endpoint configuration should encrypt data
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_sagemaker_endpoint_configuration" "positive" {
 name = "my-endpoint-config"
diff --git a/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md b/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md
index 3c2e955140d..18d79dac38c 100644
--- a/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md
+++ b/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md
@@ -28,7 +28,7 @@ AWS Security Group should not have an unknown port exposed to the entire Interne
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="11 36"
+```tf title="Positive test num. 1 - tf file" hl_lines="11 36"
 resource "aws_security_group" "positive1" {
 name = "allow_tls"
 description = "Allow TLS inbound traffic"
diff --git a/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md b/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md
index f75416e46b1..2c664d9b462 100644
--- a/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md
+++ b/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md
@@ -28,7 +28,7 @@ EC2 Instance should not have a public IP address.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17 28" +```tf title="Positive test num. 1 - tf file" hl_lines="17 28" data "aws_ami" "ubuntu1" { most_recent = true @@ -65,7 +65,7 @@ resource "aws_instance" "web3" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 3.0" @@ -86,7 +86,7 @@ module "ec2_instance" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="13" +```tf title="Positive test num. 3 - tf file" hl_lines="13" module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 3.0" diff --git a/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md b/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md index 6c98b99d50e..c0840790660 100644 --- a/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md +++ b/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md b/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md index 6acf6dc7207..b725bde869a 100644 --- a/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md +++ b/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md 
@@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for AWS Config configuration changes< ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { name = "CIS-AWSConfigChanges" pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" @@ -55,7 +55,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { name = "CIS-ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { name = "CIS-AWSConfigChanges" pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" @@ -110,7 +110,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { diff --git a/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md b/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md index 7966bc9d609..b6f23e46187 100644 --- a/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md +++ b/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md @@ -28,7 +28,7 @@ Check if the Amazon Organizations ensure that all features are enabled to achiev ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "aws_organizations_organization" "positive1" { aws_service_access_principals = [ "cloudtrail.amazonaws.com", diff --git a/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md b/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md index bfcb9face2b..73145247ade 100644 --- a/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md +++ b/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md @@ -28,7 +28,7 @@ Check if secure ciphers aren't used in CloudFront
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="42"
+```tf title="Positive test num. 1 - tf file" hl_lines="42"
 #this is a problematic code where the query should report a result(s)
 resource "aws_cloudfront_distribution" "positive1" {
 origin {
diff --git a/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md b/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md
index 8c78a2829cd..448a827b973 100644
--- a/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md
+++ b/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md
@@ -28,7 +28,7 @@ AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="34 12 42 23"
+```tf title="Positive test num. 1 - tf file" hl_lines="34 12 42 23"
 resource "aws_kinesis_firehose_delivery_stream" "positive1" {
 name = "${aws_s3_bucket.logs.bucket}-firehose"
 destination = "extended_s3"
diff --git a/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md b/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md
index dfacb4b47d6..cfbfccbae84 100644
--- a/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md
+++ b/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md
@@ -28,7 +28,7 @@ ElastiCache should not use the default port (an attacker can easily guess the po
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_elasticache_cluster" "positive1" {
 cluster_id = "cluster"
 engine = "redis"
@@ -38,7 +38,7 @@ resource "aws_elasticache_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_elasticache_cluster" "positive2" { cluster_id = "cluster" engine = "memcached" @@ -48,7 +48,7 @@ resource "aws_elasticache_cluster" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="7" +```tf title="Positive test num. 3 - tf file" hl_lines="7" resource "aws_elasticache_cluster" "positive3" { cluster_id = "cluster" engine = "redis" @@ -59,7 +59,7 @@ resource "aws_elasticache_cluster" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="7" resource "aws_elasticache_cluster" "positive2" { diff --git a/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md b/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md index ac76fe9d2f7..bb063419cb6 100644 --- a/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md +++ b/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md @@ -28,7 +28,7 @@ Logs delivered by CloudTrail should be encrypted using KMS to increase security ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudtrail" "positive1" { name = "npositive_1" s3_bucket_name = "bucketlog_1" diff --git a/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md b/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md index ec1149a3d0c..ca65013acaa 100644 --- a/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md +++ b/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md @@ -28,7 +28,7 @@ SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_sns_topic" "positive1" { name = "my-topic-with-policy" } @@ -53,7 +53,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md b/docs/queries/terraform-queries/aws/5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md index 02d7a5c4732..ce49c7fdf03 100644 
--- a/docs/queries/terraform-queries/aws/5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md
+++ b/docs/queries/terraform-queries/aws/5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md
@@ -28,7 +28,7 @@ S3 Bucket Object should have server-side encryption enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" resource "aws_s3_bucket" "examplebucket" { bucket = "examplebuckettftest" acl = "private" diff --git a/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md b/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md index b3c0f3d69a2..70e52936596 100644 --- a/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md +++ b/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md @@ -28,7 +28,7 @@ It's considered a best practice for an EC2 instance to use an EBS optimized inst ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17" +```tf title="Positive test num. 1 - tf file" hl_lines="17" data "aws_ami" "ubuntu" { most_recent = true @@ -55,7 +55,7 @@ resource "aws_instance" "web" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="20" +```tf title="Positive test num. 2 - tf file" hl_lines="20" data "aws_ami" "ubuntu" { most_recent = true @@ -83,7 +83,7 @@ resource "aws_instance" "web" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 3.0" @@ -105,7 +105,7 @@ module "ec2_instance" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="9" module "ec2_instance" { diff --git a/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md b/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md index dc9df575c43..dc48b7bdce4 100644 --- a/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md +++ b/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md b/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md index 65c01b0f4c9..72e82f8fd02 100644 --- a/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md +++ b/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md @@ -28,7 +28,7 @@ Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 30" +```tf title="Positive test num. 1 - tf file" hl_lines="8 30" resource "aws_eks_cluster" "positive1" { name = "example" role_arn = aws_iam_role.example.arn diff --git a/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md b/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md index 8e280581a14..17dd4100a7a 100644 --- a/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md +++ b/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md @@ -28,7 +28,7 @@ API Gateway Deployment should have access log setting defined when connected to ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_api_gateway_deployment" "examplee" { rest_api_id = "some rest api id" stage_name = "some name" @@ -44,7 +44,7 @@ resource "aws_api_gateway_stage" "example00" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_api_gateway_deployment" "example3" { rest_api_id = "some rest api id" stage_name = "some name" @@ -60,7 +60,7 @@ resource "aws_api_gateway_stage" "example000" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_api_gateway_deployment" "example4" { rest_api_id = "some rest api id" stage_name = "some name" diff --git a/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md b/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md index 96ac700e9db..1cff3c57aec 100644 --- a/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md 
+++ b/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md
@@ -28,7 +28,7 @@ EKS Cluster should be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" variable "cluster_name" { default = "example" type = string @@ -40,7 +40,7 @@ resource "aws_eks_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" variable "cluster_name" { default = "example" type = string diff --git a/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md b/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md index d1f8c7b50f5..2cbc5c24e06 100644 --- a/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md +++ b/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md @@ -28,7 +28,7 @@ S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16" +```tf title="Positive test num. 1 - tf file" hl_lines="16" data "aws_canonical_user_id" "current" {} resource "aws_s3_bucket" "example" { @@ -54,7 +54,7 @@ resource "aws_s3_bucket_acl" "example" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="23" +```tf title="Positive test num. 2 - tf file" hl_lines="23" data "aws_canonical_user_id" "current" {} resource "aws_s3_bucket" "example" { diff --git a/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md b/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md index d0ac4684cb8..4f3c4defda3 100644 --- a/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md +++ b/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md @@ -28,7 +28,7 @@ RDS Database Cluster Encryption should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_db_cluster_snapshot" "positive1" { db_cluster_identifier = aws_rds_cluster.example2.id db_cluster_snapshot_identifier = "resourcetestsnapshot1234" @@ -44,7 +44,7 @@ resource "aws_rds_cluster" "example2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_db_cluster_snapshot" "positive2" { db_cluster_identifier = aws_rds_cluster.example3.id db_cluster_snapshot_identifier = "resourcetestsnapshot1234" diff --git a/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md b/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md index 725c378bcd5..8708fa397f3 100644 --- a/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md +++ b/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "aws_security_group" "positive1" { name = "allow_tls" description = "Allow TLS inbound traffic" @@ -55,7 +55,7 @@ resource "aws_security_group" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" resource "aws_security_group" "positive2" { name = "allow_tls" description = "Allow TLS inbound traffic" @@ -82,7 +82,7 @@ resource "aws_security_group" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="13" +```tf title="Positive test num. 3 - tf file" hl_lines="13" module "vote_service_sg" { source = "terraform-aws-modules/security-group/aws" version = "4.3.0" 
@@ -111,7 +111,7 @@ module "vote_service_sg" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="13" module "vote_service_sg" { diff --git a/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md b/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md index 77064471af1..2d90f183cbe 100644 --- a/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md +++ b/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md @@ -28,7 +28,7 @@ S3 Buckets must not allow List Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_s3_bucket_policy" "positive1" { bucket = aws_s3_bucket.b.id @@ -53,7 +53,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" resource "aws_s3_bucket_policy" "positive2" { bucket = aws_s3_bucket.b.id @@ -80,7 +80,7 @@ POLICY } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="12" +```tf title="Positive test num. 3 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/66cd88ac-9ddf-424a-b77e-e55e17630bee.md b/docs/queries/terraform-queries/aws/66cd88ac-9ddf-424a-b77e-e55e17630bee.md index c684fcce861..7e35dc8f219 100644 --- a/docs/queries/terraform-queries/aws/66cd88ac-9ddf-424a-b77e-e55e17630bee.md +++ b/docs/queries/terraform-queries/aws/66cd88ac-9ddf-424a-b77e-e55e17630bee.md @@ -28,7 +28,7 @@ Batch Job Definition should not have Privileged Container Properties
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "aws_batch_job_definition" "positive1" { name = "tf_test_batch_job_definition" type = "container" diff --git a/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md b/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md index c5729b58a89..1ea205b43fe 100644 --- a/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md +++ b/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md @@ -28,7 +28,7 @@ Amazon EKS control plane logging don't enabled for all log types
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" variable "cluster_name" { default = "example" type = string diff --git a/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md b/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md index 307bfb14926..35e9aa677d4 100644 --- a/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md +++ b/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md @@ -28,7 +28,7 @@ An API Key should be required on a method request.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 13" +```tf title="Positive test num. 1 - tf file" hl_lines="1 13" resource "aws_api_gateway_method" "positive1" { rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id resource_id = aws_api_gateway_resource.MyDemoResource.id diff --git a/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md b/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md index fcce355d075..ff136cc853b 100644 --- a/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md +++ b/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md @@ -28,7 +28,7 @@ If algorithm is AES256 then the master key is null, empty or undefined, otherwis ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" provider "aws" { region = "us-east-1" } @@ -57,7 +57,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="26" +```tf title="Positive test num. 2 - tf file" hl_lines="26" provider "aws" { region = "us-east-1" } @@ -95,7 +95,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="26" +```tf title="Positive test num. 3 - tf file" hl_lines="26" provider "aws" { region = "us-east-1" } @@ -132,7 +132,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" module "s3_bucket" { @@ -150,7 +150,7 @@ module "s3_bucket" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="15" module "s3_bucket" { @@ -176,7 +176,7 @@ module "s3_bucket" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="15" module "s3_bucket" { @@ -201,7 +201,7 @@ module "s3_bucket" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="14" terraform { @@ -224,7 +224,7 @@ resource "aws_s3_bucket" "mybucket0" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="23" terraform { @@ -257,7 +257,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example2" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="23" terraform { @@ -289,7 +289,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example3" { ```
-
Postitive test num. 10 - tf file +
Positive test num. 10 - tf file ```tf hl_lines="21" terraform { diff --git a/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md b/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md index b4fcd2c34c8..5c363f1f9bc 100644 --- a/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md +++ b/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md @@ -28,7 +28,7 @@ It's considered a best practice for all rules in AWS Security Group to have a de ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6 14" +```tf title="Positive test num. 1 - tf file" hl_lines="6 14" resource "aws_security_group" "allow_tls" { name = "allow_tls" description = "Allow TLS inbound traffic" @@ -56,7 +56,7 @@ resource "aws_security_group" "allow_tls" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="15" +```tf title="Positive test num. 2 - tf file" hl_lines="15" resource "aws_security_group" "positive2" { name = "${var.prefix}-external-http-https" @@ -84,7 +84,7 @@ resource "aws_security_group" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="23" +```tf title="Positive test num. 3 - tf file" hl_lines="23" resource "aws_security_group" "positive3" { name = "${var.prefix}-external-http-https" diff --git a/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md b/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md index f12f64a4053..6f59c07c9c3 100644 --- a/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md +++ b/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md @@ -28,14 +28,14 @@ ECR Repository should have Policies attached to it
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_ecr_repository" "foo" { name = "bar" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_ecr_repository" "foo2" { name = "bar" } diff --git a/docs/queries/terraform-queries/aws/6b2739db-9c49-4db7-b980-7816e0c248c1.md b/docs/queries/terraform-queries/aws/6b2739db-9c49-4db7-b980-7816e0c248c1.md index 1070f6763f8..6b2293977ff 100644 --- a/docs/queries/terraform-queries/aws/6b2739db-9c49-4db7-b980-7816e0c248c1.md +++ b/docs/queries/terraform-queries/aws/6b2739db-9c49-4db7-b980-7816e0c248c1.md @@ -28,7 +28,7 @@ The API Endpoint type in API Gateway should be set to PRIVATE so it's not expose ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_api_gateway_rest_api" "positive1" { name = "regional-example" diff --git a/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md b/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md index d075ccca939..37a957ca5e2 100644 --- a/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md +++ b/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for network gateways changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { name = "CIS-NetworkGatewayChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" @@ -56,7 +56,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" @@ -84,7 +84,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { name = "CIS-NetworkGatewayChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DetachInternetGateway) }" diff --git a/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md b/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md index cc57b997662..48f8419db62 100644 --- a/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md +++ b/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md 
@@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource s ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md b/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md index 4848a817603..93b6c94a2d3 100644 --- a/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md +++ b/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md @@ -28,7 +28,7 @@ ElastiCache Nodes should be created across multi az, which means 'az_mode' shoul ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 12" +```tf title="Positive test num. 1 - tf file" hl_lines="1 12" resource "aws_elasticache_cluster" "positive1" { cluster_id = "cluster-example" engine = "memcached" diff --git a/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md b/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md index f7c2eba5d95..2eef3e7185e 100644 --- a/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md +++ b/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md @@ -28,7 +28,7 @@ Ensure MSK Cluster encryption in rest and transit is enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 26 37 14" +```tf title="Positive test num. 1 - tf file" hl_lines="1 26 37 14" resource "aws_msk_cluster" "positive1" { cluster_name = "example" kafka_version = "2.4.1" diff --git a/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md b/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md index 65a3dcc20e1..0f423cd54a2 100644 --- a/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md +++ b/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md b/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md index e6b498094fd..6266e6ffcad 100644 --- a/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md +++ b/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md @@ -28,7 +28,7 @@ Make sure that retain_stack is enabled to keep the Stack and it's associated res ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 5" +```tf title="Positive test num. 1 - tf file" hl_lines="8 5" resource "aws_cloudformation_stack_set_instance" "positive1" { account_id = "123456789012" region = "us-east-1" diff --git a/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md b/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md index 62fb95990dd..a73d17629e9 100644 
--- a/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md +++ b/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md @@ -28,7 +28,7 @@ It's considered a best practice when using Application Load Balancers to drop in ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 14" +```tf title="Positive test num. 1 - tf file" hl_lines="1 14" resource "aws_alb" "disabled_1" { internal = false load_balancer_type = "application" @@ -46,7 +46,7 @@ resource "aws_alb" "disabled_2" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1 14" +```tf title="Positive test num. 2 - tf file" hl_lines="1 14" resource "aws_lb" "disabled_1" { internal = false load_balancer_type = "application" @@ -64,7 +64,7 @@ resource "aws_lb" "disabled_2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1 12" +```tf title="Positive test num. 3 - tf file" hl_lines="1 12" resource "aws_alb" "disabled_1" { internal = false name = "alb" @@ -80,7 +80,7 @@ resource "aws_lb" "disabled_2" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="8" module "alb" { @@ -143,7 +143,7 @@ module "alb" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="1" module "alb" { @@ -205,7 +205,7 @@ module "alb" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="1" module "alb" { diff --git a/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md b/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md index 79db4538696..d14f37403bb 100644 --- a/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md +++ b/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md @@ -28,14 +28,14 @@ Amazon Simple Queue Service (SQS) queue should protect the contents of their mes ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_sqs_queue" "positive1" { name = "terraform-example-queue" kms_data_key_reuse_period_seconds = 300 } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "aws_sqs_queue" "positive2" { name = "terraform-example-queue" kms_master_key_id = "" @@ -44,7 +44,7 @@ resource "aws_sqs_queue" "positive2" { ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_sqs_queue" "positive3" { name = "terraform-example-queue" kms_master_key_id = null @@ -52,7 +52,7 @@ resource "aws_sqs_queue" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" module "user_queue" { @@ -69,7 +69,7 @@ module "user_queue" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="12" module "user_queue" { @@ -88,7 +88,7 @@ module "user_queue" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="1" module "user_queue" { @@ -108,7 +108,7 @@ module "user_queue" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="3" resource "aws_sqs_queue" "positive7" { diff --git a/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md b/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md index 05f35c44f3a..0b5b87b2371 100644 --- a/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md +++ b/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md @@ -28,7 +28,7 @@ Make sure that Amazon GuardDuty is Enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "aws_guardduty_detector" "positive1" { enable = false } diff --git a/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md b/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md index b7dc53dc9fe..a02d3b1cf1d 100644 --- a/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md +++ b/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md @@ -28,7 +28,7 @@ IAM Access Key should not be active for root users
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2 7" +```tf title="Positive test num. 1 - tf file" hl_lines="2 7" resource "aws_iam_access_key" "positive1" { user = "root" status = "Active" diff --git a/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md b/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md index 34f29b48f3f..23a4b3c537c 100644 --- a/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md +++ b/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md b/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md index 6f70feab7fe..3a781898749 100644 --- a/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md +++ b/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md b/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md index 25a5a700303..081f06389bd 100644 --- a/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md 
+++ b/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md @@ -28,7 +28,7 @@ Checks for dangerous permissions in Action statements in an SQS Queue Policy. Th ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 64 39" +```tf title="Positive test num. 1 - tf file" hl_lines="8 64 39" resource "aws_sqs_queue" "q" { name = "examplequeue" } diff --git a/docs/queries/terraform-queries/aws/7350fa23-dcf7-4938-916d-6a60b0c73b50.md b/docs/queries/terraform-queries/aws/7350fa23-dcf7-4938-916d-6a60b0c73b50.md index 717772ba278..c98cda27716 100644 --- a/docs/queries/terraform-queries/aws/7350fa23-dcf7-4938-916d-6a60b0c73b50.md +++ b/docs/queries/terraform-queries/aws/7350fa23-dcf7-4938-916d-6a60b0c73b50.md @@ -28,7 +28,7 @@ AWS Key Management Service (KMS) must only possess usable Customer Master Keys ( ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "aws_kms_key" "a" { description = "KMS key 1" is_enabled = false diff --git a/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md b/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md index 43f746d519e..2d2c2b4753c 100644 --- a/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md +++ b/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md @@ -28,7 +28,7 @@ It's considered a best practice to have point in time recovery enabled for Dynam ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "aws_dynamodb_table" "basic-dynamodb-table" { name = "GameScores" billing_mode = "PROVISIONED" 
@@ -78,7 +78,7 @@ resource "aws_dynamodb_table" "basic-dynamodb-table" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_dynamodb_table" "basic-dynamodb-table" { name = "GameScores" billing_mode = "PROVISIONED" diff --git a/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md b/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md index ca90e556009..928f6d12428 100644 --- a/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md +++ b/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md @@ -28,7 +28,7 @@ Lambda permission may be misconfigured if the action field is not filled in by ' ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "aws_lambda_permission" "positive1" { action = "lambda:DeleteFunction" function_name = aws_lambda_function.logging.function_name diff --git a/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md b/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md index e7d0c58824b..1f90e1fd238 100644 --- a/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md +++ b/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md @@ -28,7 +28,7 @@ ElastiCache Replication Group encryption should be enabled at Rest
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_elasticache_replication_group" "example" { automatic_failover_enabled = true availability_zones = ["us-west-2a", "us-west-2b"] @@ -40,7 +40,7 @@ resource "aws_elasticache_replication_group" "example" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "aws_elasticache_replication_group" "example2" { automatic_failover_enabled = true availability_zones = ["us-west-2a", "us-west-2b"] diff --git a/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md b/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md index 475a994d250..fb13ee4b22f 100644 --- a/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md +++ b/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Res ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md b/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md index 2d5b20df551..bd07eb708a4 100644 --- a/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md +++ b/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md 
@@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md b/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md index cf2a585b08e..169995ef18e 100644 --- a/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md +++ b/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md @@ -28,7 +28,7 @@ IAM password should have the required symbols
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 5" +```tf title="Positive test num. 1 - tf file" hl_lines="9 5" resource "aws_iam_account_password_policy" "positive1" { require_lowercase_characters = true require_numbers = true diff --git a/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md b/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md index 11ea815182e..98a29d16053 100644 --- a/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md +++ b/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md @@ -28,7 +28,7 @@ Check if any ElasticSearch domain isn't encrypted with KMS.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_elasticsearch_domain" "positive1" { domain_name = "example" elasticsearch_version = "1.5" diff --git a/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md b/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md index 37485c4b8e6..0adcbc2cb8c 100644 --- a/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md +++ b/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md @@ -28,7 +28,7 @@ S3 Buckets must not allow Actions From All Principals, as to prevent leaking pri ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_s3_bucket_policy" "positive1" { bucket = aws_s3_bucket.b.id @@ -55,7 +55,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/7c96920c-6fd0-449d-9a52-0aa431b6beaf.md b/docs/queries/terraform-queries/aws/7c96920c-6fd0-449d-9a52-0aa431b6beaf.md index c9b3a873ba2..7176016b977 100644 --- a/docs/queries/terraform-queries/aws/7c96920c-6fd0-449d-9a52-0aa431b6beaf.md +++ b/docs/queries/terraform-queries/aws/7c96920c-6fd0-449d-9a52-0aa431b6beaf.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } 
diff --git a/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md b/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md index 6c2e6d2b55c..82b959b635b 100644 --- a/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md +++ b/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:Pas ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md b/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md index a16b21a8352..86f458c1c26 100644 --- a/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md +++ b/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md @@ -28,7 +28,7 @@ Check if CloudWatch logging is disabled for Route53 hosted zones
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 10" +```tf title="Positive test num. 1 - tf file" hl_lines="1 10" resource "aws_route53_zone" "no_query_log" { name = "example.com" } diff --git a/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md b/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md index c73c5c87c24..ca5701d92c7 100644 --- a/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md +++ b/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md @@ -28,7 +28,7 @@ EC2 Instances should not be configured under a default VPC network
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "aws_instance" "positive1" { ami = "ami-003634241a8fcdec0" diff --git a/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md b/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md index 562948a1422..3e7d0273769 100644 --- a/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md +++ b/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md @@ -28,7 +28,7 @@ The KMS key has a policy that is too permissive, as it provides the AWS account ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_kms_key" "positive1" { description = "KMS key 1" deletion_window_in_days = 10 @@ -49,7 +49,7 @@ resource "aws_kms_key" "positive1" { POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "aws_kms_key" "positive1" { description = "KMS key 1" deletion_window_in_days = 10 @@ -71,7 +71,7 @@ resource "aws_kms_key" "positive1" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_kms_key" "positive3" { description = "KMS key 1" deletion_window_in_days = 10 diff --git a/docs/queries/terraform-queries/aws/8055dec2-efb8-4fe6-8837-d9bed6ff202a.md b/docs/queries/terraform-queries/aws/8055dec2-efb8-4fe6-8837-d9bed6ff202a.md index 147a815d036..c26ef5c21e3 100644 --- a/docs/queries/terraform-queries/aws/8055dec2-efb8-4fe6-8837-d9bed6ff202a.md +++ b/docs/queries/terraform-queries/aws/8055dec2-efb8-4fe6-8837-d9bed6ff202a.md 
@@ -28,7 +28,7 @@ User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassR ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md b/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md index 0b12050e558..7a5de2b62f5 100644 --- a/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md +++ b/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md @@ -28,7 +28,7 @@ AWS Lambda functions should have TracingConfig enabled. For this, property 'trac ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="28 45" +```tf title="Positive test num. 1 - tf file" hl_lines="28 45" resource "aws_iam_role" "iam_for_lambda2" { name = "iam_for_lambda" diff --git a/docs/queries/terraform-queries/aws/816ea8cf-d589-442d-a917-2dd0ce0e45e3.md b/docs/queries/terraform-queries/aws/816ea8cf-d589-442d-a917-2dd0ce0e45e3.md index 24bd5d99c1a..a40c1f0d92c 100644 --- a/docs/queries/terraform-queries/aws/816ea8cf-d589-442d-a917-2dd0ce0e45e3.md +++ b/docs/queries/terraform-queries/aws/816ea8cf-d589-442d-a917-2dd0ce0e45e3.md @@ -28,7 +28,7 @@ SQS policy allows ALL (*) actions
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_sqs_queue" "positive1" { name = "examplequeue" } @@ -58,7 +58,7 @@ resource "aws_sqs_queue_policy" "positive2" { POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md b/docs/queries/terraform-queries/aws/8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md index 43df90f4977..bb72fb8ff50 100644 --- a/docs/queries/terraform-queries/aws/8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md +++ b/docs/queries/terraform-queries/aws/8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md @@ -28,7 +28,7 @@ CloudTrail multi region should be enabled, which means attributes 'is_multi_regi ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" #this is a problematic code where the query should report a result(s) resource "aws_cloudtrail" "positive1" { name = "npositive_1" @@ -36,7 +36,7 @@ resource "aws_cloudtrail" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" resource "aws_cloudtrail" "positive2" { name = "npositive_2" s3_bucket_name = "bucketlog_2" @@ -44,7 +44,7 @@ resource "aws_cloudtrail" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="5" +```tf title="Positive test num. 3 - tf file" hl_lines="5" resource "aws_cloudtrail" "positive3" { name = "npositive_3" s3_bucket_name = "bucketlog_3" 
diff --git a/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md b/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md index ac810588cea..7a36df44ea6 100644 --- a/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md +++ b/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md b/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md index 6dcc7ee6c4d..b8579288684 100644 --- a/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md +++ b/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md @@ -28,7 +28,7 @@ AWS Kinesis Streams and metadata should be protected with KMS
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 34 41" +```tf title="Positive test num. 1 - tf file" hl_lines="1 34 41" resource "aws_kinesis_stream" "positive1" { name = "terraform-kinesis-test" shard_count = 1 diff --git a/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md b/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md index 806d366dfa9..9983afdea42 100644 --- a/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md +++ b/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md @@ -28,7 +28,7 @@ A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an eas ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_ebs_volume" "positive1" { availability_zone = "us-west-2a" size = 40 @@ -39,7 +39,7 @@ resource "aws_ebs_volume" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_ebs_volume" "positive2" { availability_zone = "us-west-2a" size = 40 diff --git a/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md b/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md index 3ba6c7b0b07..c690f122a90 100644 --- a/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md +++ b/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md 
@@ -28,14 +28,14 @@ The certificate should use a RSA key with a length equal to or higher than 256 b ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "aws_api_gateway_domain_name" "example" { certificate_body = file("./rsa1024.pem") domain_name = "api.example.com" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="3" +```tf title="Positive test num. 2 - tf file" hl_lines="3" resource "aws_iam_server_certificate" "test_cert2" { name = "some_test_cert" certificate_body = file("./rsa1024.pem") diff --git a/docs/queries/terraform-queries/aws/88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md b/docs/queries/terraform-queries/aws/88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md index c6ab5613ad2..e5f5d2edd94 100644 --- a/docs/queries/terraform-queries/aws/88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md +++ b/docs/queries/terraform-queries/aws/88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md @@ -28,7 +28,7 @@ IAM Database Auth Enabled should be configured to true when using compatible eng ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -42,7 +42,7 @@ resource "aws_db_instance" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -55,7 +55,7 @@ resource "aws_db_instance" "positive1" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" @@ -130,7 +130,7 @@ module "db" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="17" module "db" { diff --git a/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md b/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md index 771b4867134..fc1c9707334 100644 --- a/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md +++ b/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md b/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md index f4fbd57510b..1c80343dd68 100644 --- a/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md +++ b/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md @@ -28,7 +28,7 @@ Check if IAM account password has the reuse password configured with 24
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10 7" +```tf title="Positive test num. 1 - tf file" hl_lines="10 7" resource "aws_iam_account_password_policy" "positive1" { require_lowercase_characters = true require_numbers = true diff --git a/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md b/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md index 28a9eddb23f..ea0d5668009 100644 --- a/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md +++ b/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for root acount usage
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.eventType != \"AwsServiceEvent\" }" @@ -111,7 +111,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" @@ -139,7 +139,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { diff --git a/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md b/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md index 9ab600affbc..b93a79502cf 100644 --- a/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md +++ b/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md @@ -28,7 +28,7 @@ AWS AMI Encryption is not enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="25 29 7" +```tf title="Positive test num. 1 - tf file" hl_lines="25 29 7" resource "aws_ami" "positive1" { name = "terraform-example" diff --git a/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md b/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md index 62c84788fe6..e8c30dc988f 100644 --- a/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md +++ b/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md b/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md index 2c939ffc757..89b0422f2dd 100644 --- a/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md +++ b/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md @@ -28,7 +28,7 @@ ElastiCache should be launched in a Virtual Private Cloud (VPC)
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_elasticache_cluster" "positive1" { cluster_id = "cluster-example" engine = "memcached" diff --git a/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md b/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md index 821e3bf2567..ef2fa7b6911 100644 --- a/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md +++ b/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md @@ -28,7 +28,7 @@ RDS does not have any kind of logger
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_db_instance" "positive1" { allocated_storage = 5 engine = "postgres" @@ -38,7 +38,7 @@ resource "aws_db_instance" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="7" +```tf title="Positive test num. 2 - tf file" hl_lines="7" resource "aws_db_instance" "positive2" { allocated_storage = 5 engine = "postgres" @@ -49,7 +49,7 @@ resource "aws_db_instance" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" @@ -126,7 +126,7 @@ module "db" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="11" module "db" { diff --git a/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md b/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md index fa4b9bf3c71..12c7bca895a 100644 --- a/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md +++ b/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md @@ -28,7 +28,7 @@ AWS Auto Scaling Groups must have associated ELBs to ensure high availability an ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_autoscaling_group" "bar" { availability_zones = ["us-east-1a"] desired_capacity = 1 @@ -43,7 +43,7 @@ resource "aws_autoscaling_group" "bar" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" resource "aws_autoscaling_group" "positive2" { availability_zones = ["us-east-1a"] desired_capacity = 1 @@ -59,7 +59,7 @@ resource "aws_autoscaling_group" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "positive3" { source = "terraform-aws-modules/autoscaling/aws" version = "~> 4.0" @@ -215,7 +215,7 @@ module "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="14" module "positive4" { @@ -375,7 +375,7 @@ module "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="1" resource "aws_autoscaling_group" "foo" { @@ -396,7 +396,7 @@ resource "aws_autoscaling_group" "foo" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="1" resource "aws_autoscaling_group" "foo" { diff --git a/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md b/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md index 3db9fbcf838..9cee1084958 100644 --- a/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md +++ b/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md b/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md index a86ade85bb7..1c9521b319c 100644 --- a/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md +++ b/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set t ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md b/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md index cdc4be3263e..837e63b8517 100644 --- a/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md +++ b/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md 
@@ -28,7 +28,7 @@ ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_ecs_service" "positive1" { name = "positive1" cluster = aws_ecs_cluster.example.id diff --git a/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md b/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md index 2e5d3ab319c..bf5995aa7e5 100644 --- a/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md +++ b/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md @@ -28,7 +28,7 @@ Alicloud ROS Stack should have a template defined through the attribute template ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "alicloud_ros_stack" "example" { stack_name = "tf-testaccstack" diff --git a/docs/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1.md b/docs/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1.md index 53991cf493d..c2dd84a6a77 100644 --- a/docs/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1.md +++ b/docs/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1.md @@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for a wide private networ ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "aws_security_group" "positive1" { name = "allow_tls1" description = "Allow TLS inbound traffic" 
@@ -44,7 +44,7 @@ resource "aws_security_group" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" resource "aws_security_group" "positive2" { name = "allow_tls2" description = "Allow TLS inbound traffic" @@ -60,7 +60,7 @@ resource "aws_security_group" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="6" +```tf title="Positive test num. 3 - tf file" hl_lines="6" resource "aws_security_group" "positive3" { name = "allow_tls3" description = "Allow TLS inbound traffic" @@ -76,7 +76,7 @@ resource "aws_security_group" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="6" resource "aws_security_group" "positive4" { @@ -95,7 +95,7 @@ resource "aws_security_group" "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="6" resource "aws_security_group" "positive5" { @@ -114,7 +114,7 @@ resource "aws_security_group" "positive5" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="6" resource "aws_security_group" "positive6" { @@ -133,7 +133,7 @@ resource "aws_security_group" "positive6" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="6" resource "aws_security_group" "positive7" { @@ -152,7 +152,7 @@ resource "aws_security_group" "positive7" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="6" resource "aws_security_group" "positive8" { @@ -171,7 +171,7 @@ resource "aws_security_group" "positive8" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="9" module "vote_service_sg" { diff --git a/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md b/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md index f04581c79d3..f8d374c7ea0 100644 --- a/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md +++ b/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md @@ -28,7 +28,7 @@ AWS CloudFront distributions should have logging enabled to collect all viewer r ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudfront_distribution" "positive1" { origin { domain_name = aws_s3_bucket.b.bucket_regional_domain_name diff --git a/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md b/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md index 55d77915363..52051ef2aee 100644 --- a/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md +++ b/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:Pass ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md b/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md index bb560a4e8e5..9da6f2c18ab 100644 --- a/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md +++ b/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md @@ -28,7 +28,7 @@ Checks if the ECR Image has been scanned
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 11" +```tf title="Positive test num. 1 - tf file" hl_lines="1 11" resource "aws_ecr_repository" "positive1" { name = "img_p_2" image_tag_mutability = "MUTABLE" diff --git a/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md b/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md index 52f63e21607..4407e1d7f29 100644 --- a/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md +++ b/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md @@ -28,7 +28,7 @@ Elasticsearch Domain encryption should be enabled node to node
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_elasticsearch_domain" "positive1" { domain_name = "example" elasticsearch_version = "1.5" @@ -47,7 +47,7 @@ resource "aws_elasticsearch_domain" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" resource "aws_elasticsearch_domain" "positive1" { domain_name = "example" elasticsearch_version = "1.5" diff --git a/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md b/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md index c96e793c9d8..598dde6dedc 100644 --- a/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md +++ b/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md @@ -28,7 +28,7 @@ Global Accelerator should have flow logs enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_globalaccelerator_accelerator" "positive1" { name = "Example" ip_address_type = "IPV4" @@ -36,7 +36,7 @@ resource "aws_globalaccelerator_accelerator" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="6" +```tf title="Positive test num. 2 - tf file" hl_lines="6" resource "aws_globalaccelerator_accelerator" "positive2" { name = "Example" ip_address_type = "IPV4" @@ -49,7 +49,7 @@ resource "aws_globalaccelerator_accelerator" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="7" +```tf title="Positive test num. 3 - tf file" hl_lines="7" resource "aws_globalaccelerator_accelerator" "positive3" { name = "Example" ip_address_type = "IPV4" diff --git a/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md b/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md index c12ce87b6cf..169a234a6b2 100644 --- a/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md +++ b/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md @@ -28,7 +28,7 @@ It isn't recommended to use resources in default VPC
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_default_vpc" "positive1" { tags = { Name = "Default VPC" @@ -36,7 +36,7 @@ resource "aws_default_vpc" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md b/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md index c6dba6c1001..a7c4d23f665 100644 --- a/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md +++ b/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md @@ -28,7 +28,7 @@ The AWS Root Account must not have active access keys associated, which means if ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" #this is a problematic code where the query should report a result(s) resource "aws_iam_access_key" "positive1" { user = "root" @@ -65,7 +65,7 @@ output "secret" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" resource "aws_iam_access_key" "positive2" { user = "root" pgp_key = "keybase:some_person_that_exists" diff --git a/docs/queries/terraform-queries/aws/970ed7a2-0aca-4425-acf1-0453c9ecbca1.md b/docs/queries/terraform-queries/aws/970ed7a2-0aca-4425-acf1-0453c9ecbca1.md index cf80e272841..ef8ee05748a 100644 --- a/docs/queries/terraform-queries/aws/970ed7a2-0aca-4425-acf1-0453c9ecbca1.md +++ b/docs/queries/terraform-queries/aws/970ed7a2-0aca-4425-acf1-0453c9ecbca1.md 
@@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md b/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md index 37863af92f6..baccfd7c844 100644 --- a/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md +++ b/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md @@ -28,7 +28,7 @@ ECS Cluster should enable container insights
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_ecs_cluster" "foo" { name = "white-hart" diff --git a/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md b/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md index 91d246d18a5..971976eb80f 100644 --- a/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md +++ b/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md @@ -28,7 +28,7 @@ AWS CloudWatch Logs for APIs should be enabled and using the naming convention d ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" variable "stage_name" { default = "example" type = string diff --git a/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md b/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md index b5b33b097c4..06f136380bc 100644 --- a/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md +++ b/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md @@ -28,7 +28,7 @@ If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="27" +```tf title="Positive test num. 1 - tf file" hl_lines="27" provider "aws" { region = "us-east-1" } @@ -65,7 +65,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="27" +```tf title="Positive test num. 2 - tf file" hl_lines="27" provider "aws" { region = "us-east-1" } 
@@ -102,7 +102,7 @@ resource "aws_s3_bucket" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="16" +```tf title="Positive test num. 3 - tf file" hl_lines="16" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" bucket = "s3-tf-example-versioning" @@ -128,7 +128,7 @@ module "s3_bucket" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="16" module "s3_bucket" { @@ -157,7 +157,7 @@ module "s3_bucket" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="26" terraform { diff --git a/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md b/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md index 170caac2692..98189c9de79 100644 --- a/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md +++ b/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md @@ -28,7 +28,7 @@ Neptune database cluster storage should have encryption enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 19" +```tf title="Positive test num. 1 - tf file" hl_lines="1 19" resource "aws_neptune_cluster" "positive1" { cluster_identifier = "neptune-cluster-demo" engine = "neptune" diff --git a/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md b/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md index c1c98dc8e28..dc82aa02c4b 100644 --- a/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md +++ b/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md b/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md index f08a3dce185..ede73a3ed4d 100644 --- a/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md +++ b/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md @@ -28,7 +28,7 @@ Default Security Group attached to every VPC should restrict all traffic
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 17" +```tf title="Positive test num. 1 - tf file" hl_lines="8 17" resource "aws_vpc" "mainvpc" { cidr_block = "10.1.0.0/16" } @@ -55,7 +55,7 @@ resource "aws_default_security_group" "default" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8 18 14 23" +```tf title="Positive test num. 2 - tf file" hl_lines="8 18 14 23" resource "aws_vpc" "mainvpc3" { cidr_block = "10.1.0.0/16" } diff --git a/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md b/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md index 9ecec4bdc15..d361fda09bc 100644 --- a/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md +++ b/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md b/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md index 0d544cf6241..a0f2ccafb5f 100644 --- a/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md +++ b/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } 
diff --git a/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md b/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md index 7338b404587..e021f916958 100644 --- a/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md +++ b/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md @@ -28,7 +28,7 @@ Neptune Cluster Instance should not be publicly accessible
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "aws_neptune_cluster_instance" "example" { count = 2 cluster_identifier = aws_neptune_cluster.default.id diff --git a/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md b/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md index 621024d9952..8bee642ba91 100644 --- a/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md +++ b/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md @@ -28,7 +28,7 @@ User Data Shell Script must be encoded
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_launch_configuration" "positive1" { image_id = data.aws_ami.ubuntu.id instance_type = "m4.large" @@ -40,7 +40,7 @@ resource "aws_launch_configuration" "positive1" { } } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" module "asg" { source = "terraform-aws-modules/autoscaling/aws" version = "1.0.4" diff --git a/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md b/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md index 3a1947b4466..0c29862aa1a 100644 --- a/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md +++ b/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for VPC changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" { name = "CIS-VPCChanges" pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }" @@ -55,7 +55,7 @@ resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { name = "CIS-ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" { name = "CIS-VPCChanges" pattern = "{ ($.eventName = CreateVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = EnableVpcClassicLink) }" 
diff --git a/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md b/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md index 07f582a64ff..b49c37af952 100644 --- a/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md +++ b/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md @@ -28,7 +28,7 @@ AWS IAM Users should not have access to console
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "aws_iam_user" "example" { name = "example" path = "/" diff --git a/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md b/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md index a0a0fee2c58..88a7449fae4 100644 --- a/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md +++ b/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md @@ -28,7 +28,7 @@ Unchangeable passwords in AWS password policy
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="12" +```tf title="Positive test num. 1 - tf file" hl_lines="12" resource "aws_sqs_queue" "positive1" { name = "examplequeue" } diff --git a/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md b/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md index 4291bdd3a39..531b90b7176 100644 --- a/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md +++ b/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md @@ -28,7 +28,7 @@ The certificate authority (CA) is the certificate that identifies the root CA at ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="12" +```tf title="Positive test num. 1 - tf file" hl_lines="12" resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" @@ -44,7 +44,7 @@ resource "aws_db_instance" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" diff --git a/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md b/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md index 41faecd97e5..3ec8d29f440 100644 --- a/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md +++ b/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md @@ -28,7 +28,7 @@ Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the co ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "aws_ecs_task_definition" "positive1" { family = "service" network_mode = "none" 
diff --git a/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md b/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md index f64df975293..8895d7c578f 100644 --- a/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md +++ b/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md @@ -28,7 +28,7 @@ API Gateway should have WAF (Web Application Firewall) enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="75" +```tf title="Positive test num. 1 - tf file" hl_lines="75" resource "aws_wafregional_ipset" "ipset" { name = "tfIPSet" diff --git a/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md b/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md index cb76d73b864..23fc22ca19a 100644 --- a/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md +++ b/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md @@ -28,7 +28,7 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="30" +```tf title="Positive test num. 1 - tf file" hl_lines="30" provider "aws" { region = "us-east-1" } @@ -73,7 +73,7 @@ resource "aws_network_acl" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="22" +```tf title="Positive test num. 2 - tf file" hl_lines="22" provider "aws" { region = "us-east-1" } @@ -107,7 +107,7 @@ resource "aws_network_acl_rule" "postive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="26" +```tf title="Positive test num. 3 - tf file" hl_lines="26" provider "aws" { region = "us-east-1" } @@ -148,7 +148,7 @@ resource "aws_network_acl" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="14" module "vpc" { diff --git a/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md b/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md index 16f3578b0e9..166947cc302 100644 --- a/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md +++ b/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md @@ -28,7 +28,7 @@ AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_secretsmanager_secret" "example" { name = "example" } diff --git a/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md b/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md index f537dedcf46..f7d4c99e2f6 100644 --- a/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md +++ b/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md @@ -28,7 +28,7 @@ EC2 Instances should be configured under a VPC network. AWS VPCs provide the con ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_instance" "positive1" { ami = "ami-003634241a8fcdec0" @@ -36,7 +36,7 @@ resource "aws_instance" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 3.0" diff --git a/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md b/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md index ded22b11b6e..e137cd2bec5 100644 
--- a/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md +++ b/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md @@ -28,7 +28,7 @@ S3 Buckets should not have all permissions, as to prevent leaking private inform ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_s3_bucket" "positive1" { bucket = "S3B_181355" acl = "private" @@ -52,7 +52,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md b/docs/queries/terraform-queries/aws/a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md index 8070a2ba200..7abba63a971 100644 --- a/docs/queries/terraform-queries/aws/a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md +++ b/docs/queries/terraform-queries/aws/a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md @@ -28,7 +28,7 @@ S3 Bucket object-level CloudTrail logging should be enabled for read and write e ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" data "aws_caller_identity" "current" {} resource "aws_cloudtrail" "example" { @@ -84,7 +84,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" data "aws_caller_identity" "current2" {} resource "aws_cloudtrail" "example2" { diff --git a/docs/queries/terraform-queries/aws/abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md b/docs/queries/terraform-queries/aws/abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md index 269e70e52b9..9d29b505c6b 100644 
--- a/docs/queries/terraform-queries/aws/abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md +++ b/docs/queries/terraform-queries/aws/abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md @@ -28,7 +28,7 @@ Checks if the SQS Queue is exposed
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_sqs_queue" "positive1" { name = "examplequeue" @@ -55,7 +55,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" module "user_queue" { source = "terraform-aws-modules/sqs/aws" version = "~> 2.0" diff --git a/docs/queries/terraform-queries/aws/abdb29d4-5ca1-4e91-800b-b3569bbd788c.md b/docs/queries/terraform-queries/aws/abdb29d4-5ca1-4e91-800b-b3569bbd788c.md index ce2e88e7333..9a83afb641f 100644 --- a/docs/queries/terraform-queries/aws/abdb29d4-5ca1-4e91-800b-b3569bbd788c.md +++ b/docs/queries/terraform-queries/aws/abdb29d4-5ca1-4e91-800b-b3569bbd788c.md @@ -28,7 +28,7 @@ Check if AWS config rules do not identify Encrypted Volumes as a source.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_config_config_rule" "positive1" { name = "some_rule" diff --git a/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md b/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md index 5a2021b4244..8ebce28ccbe 100644 --- a/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md +++ b/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md @@ -28,7 +28,7 @@ AWS Config Configuration Aggregator All Regions must be set to True
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16 4" +```tf title="Positive test num. 1 - tf file" hl_lines="16 4" resource "aws_config_configuration_aggregator" "positive1" { name = "example" diff --git a/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md b/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md index dfb8ddb5643..9265901a457 100644 --- a/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md +++ b/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md @@ -28,7 +28,7 @@ AWS Elasticsearch should have logs enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "aws_elasticsearch_domain" "positive1" { log_publishing_options { @@ -39,7 +39,7 @@ resource "aws_elasticsearch_domain" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_elasticsearch_domain" "positive2" { domain_name = "example" elasticsearch_version = "1.5" diff --git a/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md b/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md index b14901d6edc..d67d20ec09a 100644 --- a/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md +++ b/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md b/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md index 9c9920d8701..7a26e633f17 100644 --- a/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md +++ b/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md @@ -28,7 +28,7 @@ Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_glue_security_configuration" "positive1" { name = "example" 
@@ -50,7 +50,7 @@ resource "aws_glue_security_configuration" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" resource "aws_glue_security_configuration" "positive2" { name = "example" @@ -73,7 +73,7 @@ resource "aws_glue_security_configuration" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="10" +```tf title="Positive test num. 3 - tf file" hl_lines="10" resource "aws_glue_security_configuration" "positive2" { name = "example" diff --git a/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md b/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md index 5211d69ca83..0c7e3fbbfb0 100644 --- a/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md +++ b/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md @@ -28,7 +28,7 @@ The attribute 'action' should not have wildcard
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="35" +```tf title="Positive test num. 1 - tf file" hl_lines="35" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/af173fde-95ea-4584-b904-bb3923ac4bda.md b/docs/queries/terraform-queries/aws/af173fde-95ea-4584-b904-bb3923ac4bda.md index 0f3e28d8dc8..2ab918e4601 100644 --- a/docs/queries/terraform-queries/aws/af173fde-95ea-4584-b904-bb3923ac4bda.md +++ b/docs/queries/terraform-queries/aws/af173fde-95ea-4584-b904-bb3923ac4bda.md @@ -28,7 +28,7 @@ AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_access ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 17" +```tf title="Positive test num. 1 - tf file" hl_lines="1 17" resource "aws_redshift_cluster" "positive1" { cluster_identifier = "tf-redshift-cluster" database_name = "mydb" diff --git a/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md b/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md index db0eca56856..df7abfc5dba 100644 --- a/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md +++ b/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md @@ -28,7 +28,7 @@ Application Load Balancer should have deletion protection enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "aws_alb" "positive1" { name = "test-lb-tf" internal = false @@ -43,7 +43,7 @@ resource "aws_alb" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_alb" "positive2" { name = "test-lb-tf" internal = false @@ -57,7 +57,7 @@ resource "aws_alb" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="7" +```tf title="Positive test num. 3 - tf file" hl_lines="7" resource "aws_lb" "positive3" { name = "test-lb-tf" internal = false @@ -72,7 +72,7 @@ resource "aws_lb" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_lb" "positive4" { @@ -88,7 +88,7 @@ resource "aws_lb" "positive4" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="9" module "alb" { @@ -152,7 +152,7 @@ module "alb" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="1" module "alb" { diff --git a/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md b/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md index 033f7ec907a..47723e010a0 100644 --- a/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md +++ b/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md @@ -28,14 +28,14 @@ Secrets Manager secret should be encrypted with customer-managed KMS keys instea ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "aws_secretsmanager_secret" "test2" { name = "test-cloudrail-1" kms_key_id = "alias/aws/secretsmanager" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md b/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md index d2e2cc19b04..131139ef440 100644 --- a/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md +++ b/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md @@ -28,7 +28,7 @@ REST API policy should avoid wildcard in 'Action' and 'Principal'
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/b1a72f66-2236-4f3b-87ba-0da1b366956f.md b/docs/queries/terraform-queries/aws/b1a72f66-2236-4f3b-87ba-0da1b366956f.md index e5bb9ddb4b2..64dba5d5beb 100644 --- a/docs/queries/terraform-queries/aws/b1a72f66-2236-4f3b-87ba-0da1b366956f.md +++ b/docs/queries/terraform-queries/aws/b1a72f66-2236-4f3b-87ba-0da1b366956f.md @@ -28,14 +28,14 @@ SNS (Simple Notification Service) Topic should be encrypted with customer-manage ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" resource "aws_sns_topic" "user_updates" { name = "user-updates-topic" kms_master_key_id = "alias/aws/sns" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="11" +```tf title="Positive test num. 2 - tf file" hl_lines="11" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md b/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md index 0383b81c66b..532697583f8 100644 --- a/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md +++ b/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md @@ -28,7 +28,7 @@ IAM role policy that allow full administrative privileges (for all resources)
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_s3_bucket" "hoge" { bucket = "hoge" } diff --git a/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md b/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md index c5d804d85d1..fa843fc981d 100644 --- a/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md +++ b/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md @@ -28,7 +28,7 @@ SNS Topic Policy should not allow any principal to access
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2" +```tf title="Positive test num. 1 - tf file" hl_lines="2" resource "aws_sns_topic" "positive1" { policy = < ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="118" +```tf title="Positive test num. 1 - tf file" hl_lines="118" terraform { required_providers { aws = { @@ -177,7 +177,7 @@ resource "aws_route_table_association" "private_route_table_association" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="132" +```tf title="Positive test num. 2 - tf file" hl_lines="132" terraform { required_providers { aws = { @@ -322,7 +322,7 @@ resource "aws_route_table_association" "private_route_table_association" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="118" +```tf title="Positive test num. 3 - tf file" hl_lines="118" terraform { required_providers { aws = { diff --git a/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md b/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md index 2d6d3a9ca35..49443598564 100644 --- a/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md +++ b/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md @@ -28,7 +28,7 @@ API Gateway Deployment should have API Gateway UsagePlan defined and associated. ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 9" +```tf title="Positive test num. 1 - tf file" hl_lines="1 9" resource "aws_api_gateway_deployment" "positive1" { rest_api_id = "some rest api id" stage_name = "some name" 
@@ -54,7 +54,7 @@ resource "aws_api_gateway_usage_plan" "positive3" { } ``` -```json title="Postitive test num. 2 - json file" hl_lines="14 31" +```json title="Positive test num. 2 - json file" hl_lines="14 31" { "format_version": "0.2", "terraform_version": "1.0.5", diff --git a/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md b/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md index 7fa86ef588e..1fb68a58317 100644 --- a/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md +++ b/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md @@ -28,7 +28,7 @@ IAM policies should be attached only to groups or roles
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="18" +```tf title="Positive test num. 1 - tf file" hl_lines="18" resource "aws_iam_user" "positive1_1" { name = "${local.resource_prefix.value}-user" force_destroy = true @@ -77,7 +77,7 @@ output "secret" { ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="18" +```tf title="Positive test num. 2 - tf file" hl_lines="18" resource "aws_iam_user" "positive2_1" { name = "${local.resource_prefix.value}-user" force_destroy = true @@ -126,7 +126,7 @@ output "secret" { ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="27" +```tf title="Positive test num. 3 - tf file" hl_lines="27" resource "aws_iam_user" "user" { name = "test-user" } diff --git a/docs/queries/terraform-queries/aws/b5681959-6c09-4f55-b42b-c40fa12d03ec.md b/docs/queries/terraform-queries/aws/b5681959-6c09-4f55-b42b-c40fa12d03ec.md index b02e03d19ce..1346c46a6e7 100644 --- a/docs/queries/terraform-queries/aws/b5681959-6c09-4f55-b42b-c40fa12d03ec.md +++ b/docs/queries/terraform-queries/aws/b5681959-6c09-4f55-b42b-c40fa12d03ec.md @@ -28,7 +28,7 @@ Check if the root user is authenticated with MFA
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="18" +```tf title="Positive test num. 1 - tf file" hl_lines="18" resource "aws_iam_user" "positive1" { name = "root" path = "/system/" diff --git a/docs/queries/terraform-queries/aws/b592ffd4-0577-44b6-bd35-8c5ee81b5918.md b/docs/queries/terraform-queries/aws/b592ffd4-0577-44b6-bd35-8c5ee81b5918.md index 8f4285edbec..cf3e8a5483b 100644 --- a/docs/queries/terraform-queries/aws/b592ffd4-0577-44b6-bd35-8c5ee81b5918.md +++ b/docs/queries/terraform-queries/aws/b592ffd4-0577-44b6-bd35-8c5ee81b5918.md @@ -28,7 +28,7 @@ IAM password policies should be set through the password minimum length and rese ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5 16 23 30 31" +```tf title="Positive test num. 1 - tf file" hl_lines="5 16 23 30 31" resource "aws_iam_user_login_profile" "positive2" { user = aws_iam_user.example.name pgp_key = "keybase:some_person_that_exists" diff --git a/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md b/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md index 9490cbed686..d48e6f6ef02 100644 --- a/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md +++ b/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resour ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md b/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md index 90d804266c9..fd873bd4e49 100644 
--- a/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md +++ b/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md @@ -28,7 +28,7 @@ AWS CloudFormation should have stack notifications enabled to be notified when a ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_cloudformation_stack" "positive1" { name = "networking-stack" diff --git a/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md b/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md index 29b3ff6a274..4d87c0e13ba 100644 --- a/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md +++ b/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md @@ -28,7 +28,7 @@ API Gateway Method Settings Cache should be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="40 48" +```tf title="Positive test num. 1 - tf file" hl_lines="40 48" resource "aws_api_gateway_rest_api" "example" { body = jsonencode({ openapi = "3.0.1" diff --git a/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md b/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md index 7360dfd37e2..1479fe67266 100644 --- a/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md +++ b/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md b/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md index 6b1ce57da98..41a1e49a382 100644 --- a/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md +++ b/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md @@ -28,7 +28,7 @@ AWS Workspaces Workspace data stored in volumes should be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "aws_workspaces_workspace" "example" { directory_id = aws_workspaces_directory.example.id bundle_id = data.aws_workspaces_bundle.value_windows_10.id @@ -51,7 +51,7 @@ resource "aws_workspaces_workspace" "example" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="12" +```tf title="Positive test num. 2 - tf file" hl_lines="12" resource "aws_workspaces_workspace" "example_2" { directory_id = aws_workspaces_directory.example.id bundle_id = data.aws_workspaces_bundle.value_windows_10.id @@ -74,7 +74,7 @@ resource "aws_workspaces_workspace" "example_2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="10 11" +```tf title="Positive test num. 3 - tf file" hl_lines="10 11" resource "aws_workspaces_workspace" "example_3" { directory_id = aws_workspaces_directory.example.id bundle_id = data.aws_workspaces_bundle.value_windows_10.id @@ -96,7 +96,7 @@ resource "aws_workspaces_workspace" "example_3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="6 7" resource "aws_workspaces_workspace" "example_4" { diff --git a/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md b/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md index 51bed6a940d..362b7c89789 100644 --- a/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md +++ b/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md @@ -28,7 +28,7 @@ EKS node group remote access is disabled when 'SourceSecurityGroups' is missing< ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="13" +```tf title="Positive test num. 1 - tf file" hl_lines="13" resource "aws_eks_node_group" "positive" { cluster_name = aws_eks_cluster.example.name node_group_name = "example" diff --git a/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md b/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md index 59a43215b12..b6927a97bf3 100644 --- a/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md +++ b/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md @@ -28,7 +28,7 @@ Autoscaling groups should supply tags to configurate
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_autoscaling_group" "positive1" { name = "foobar3-terraform-test" max_size = 5 @@ -38,7 +38,7 @@ resource "aws_autoscaling_group" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" module "asg" { source = "terraform-aws-modules/autoscaling/aws" version = "~> 4.0" diff --git a/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md b/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md index dd6c9aeaf8f..dea01f8d61b 100644 --- a/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md +++ b/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md @@ -28,7 +28,7 @@ Limits access to AWS AMIs by checking if more than one account is using the same ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11 3" +```tf title="Positive test num. 1 - tf file" hl_lines="11 3" resource "aws_ami_launch_permission" "positive1" { image_id = "ami-1235678" diff --git a/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md b/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md index 2e6ca6cb155..6fd01b6a878 100644 --- a/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md +++ b/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md 
@@ -28,7 +28,7 @@ A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_sqs_queue" "positive1" { name = "terraform-example-queue" delay_seconds = 90 @@ -67,7 +67,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_sqs_queue" "positive2" { name = "terraform-example-queue" delay_seconds = 90 @@ -111,7 +111,7 @@ POLICY } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_sqs_queue" "positive3" { name = "terraform-example-queue" delay_seconds = 90 @@ -145,7 +145,7 @@ POLICY } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_sqs_queue" "positive4" { @@ -187,7 +187,7 @@ POLICY ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="1" resource "aws_sqs_queue" "positive5" { diff --git a/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md b/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md index cb3533388d4..c57d8eda3d2 100644 --- a/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md +++ b/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md @@ -28,7 +28,7 @@ IAM Password should have at least one lowercase letter
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 2" +```tf title="Positive test num. 1 - tf file" hl_lines="9 2" resource "aws_iam_account_password_policy" "positive1" { require_lowercase_characters = false require_numbers = true diff --git a/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md b/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md index c2477bdbd88..724d2596f24 100644 --- a/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md +++ b/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md @@ -28,7 +28,7 @@ All policies, except IAM identity-based policies, should have the 'Principal' el ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" provider "aws" { region = "us-east-1" } diff --git a/docs/queries/terraform-queries/aws/bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md b/docs/queries/terraform-queries/aws/bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md index 2dbd06cac97..cd6755f6a41 100644 --- a/docs/queries/terraform-queries/aws/bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md +++ b/docs/queries/terraform-queries/aws/bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md @@ -28,7 +28,7 @@ AWS DOCDB Cluster storage should be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 19" +```tf title="Positive test num. 1 - tf file" hl_lines="1 19" resource "aws_docdb_cluster" "docdb" { cluster_identifier = "my-docdb-cluster" engine = "docdb" diff --git a/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md b/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md index 8d05a17e0ad..2bf19b8061c 100644 --- a/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md +++ b/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md @@ -28,7 +28,7 @@ RDS should not use the default port (an attacker can easily guess the port). For ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "aws_db_instance" "positive1" { allocated_storage = 10 engine = "mysql" @@ -43,7 +43,7 @@ resource "aws_db_instance" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "aws_db_instance" "positive2" { allocated_storage = 10 engine = "postgres" @@ -57,7 +57,7 @@ resource "aws_db_instance" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="10" +```tf title="Positive test num. 3 - tf file" hl_lines="10" resource "aws_db_instance" "positive3" { allocated_storage = 10 engine = "oracle-ee" @@ -71,7 +71,7 @@ resource "aws_db_instance" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="10" resource "aws_db_instance" "positive4" { diff --git a/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md b/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md index 7d8cb2ffeff..7fc793400b6 100644 --- a/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md +++ b/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md @@ -28,7 +28,7 @@ IAM Policy should not grant 'AssumeRole' permission across all services.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="70 7" +```tf title="Positive test num. 1 - tf file" hl_lines="70 7" // Create a role which OpenShift instances will assume. // This role has a policy saying it can be assumed by ec2 // instances. diff --git a/docs/queries/terraform-queries/aws/bd0088a5-c133-4b20-b129-ec9968b16ef3.md b/docs/queries/terraform-queries/aws/bd0088a5-c133-4b20-b129-ec9968b16ef3.md index 31c5576d877..c26fad49859 100644 --- a/docs/queries/terraform-queries/aws/bd0088a5-c133-4b20-b129-ec9968b16ef3.md +++ b/docs/queries/terraform-queries/aws/bd0088a5-c133-4b20-b129-ec9968b16ef3.md @@ -28,7 +28,7 @@ CloudTrail Log Files S3 Bucket should not be publicly accessible
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="25" +```tf title="Positive test num. 1 - tf file" hl_lines="25" provider "aws" { region = "us-east-1" } @@ -62,7 +62,7 @@ resource "aws_s3_bucket" "b" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="23" +```tf title="Positive test num. 2 - tf file" hl_lines="23" variable "aws_access_key" {} variable "aws_secret_key" {} variable "private_key_path" {} @@ -89,7 +89,7 @@ module "s3_bucket" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="24" +```tf title="Positive test num. 3 - tf file" hl_lines="24" terraform { required_providers { aws = { diff --git a/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md b/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md index 855c865224a..2cfe064a2dc 100644 --- a/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md +++ b/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam: ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md b/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md index 8ffc1868315..28aa3e077a1 100644 --- a/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md +++ b/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md 
@@ -28,7 +28,7 @@ S3 bucket public access is overridden by S3 bucket Public Access Block when the ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16" +```tf title="Positive test num. 1 - tf file" hl_lines="16" provider "aws" { region = "us-east-1" } @@ -56,7 +56,7 @@ resource "aws_s3_bucket_public_access_block" "block_public_bucket_3" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="7" +```tf title="Positive test num. 2 - tf file" hl_lines="7" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" @@ -77,7 +77,7 @@ module "s3_bucket" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="20" +```tf title="Positive test num. 3 - tf file" hl_lines="20" terraform { required_providers { aws = { diff --git a/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md b/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md index 4df1bd70c09..7c727862142 100644 --- a/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md +++ b/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md b/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md index 5258aa5a480..d5bbf665686 100644 --- a/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md +++ b/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md 
@@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md b/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md index 6ecfa9e3ca6..18de7517f14 100644 --- a/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md +++ b/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md @@ -28,7 +28,7 @@ Expired SSL/TLS certificates should be removed
### Code samples #### Code samples with security vulnerabilities -```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +```yaml title="Positive test num. 1 - yaml file" hl_lines="2" - name: upload a self-signed certificate community.aws.aws_acm: certificate: "{{ lookup('file', 'expiredCertificate.pem' ) }}" @@ -37,7 +37,7 @@ Expired SSL/TLS certificates should be removed
region: ap-southeast-2 ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="2" +```tf title="Positive test num. 2 - tf file" hl_lines="2" resource "aws_api_gateway_domain_name" "example2" { certificate_body = file("expiredCertificate.pem") domain_name = "api.example.com" diff --git a/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md b/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md index 24aeb806885..fa04c8db1fa 100644 --- a/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md +++ b/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md @@ -28,7 +28,7 @@ Public and private EC2 istances should not share the same role.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="103" +```tf title="Positive test num. 1 - tf file" hl_lines="103" provider "aws" { region = "us-east-1" } @@ -143,7 +143,7 @@ resource "aws_instance" "priv_ins" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="38" +```tf title="Positive test num. 2 - tf file" hl_lines="38" module "vpc" { source = "terraform-aws-modules/vpc/aws" diff --git a/docs/queries/terraform-queries/aws/c583f0f9-7dfd-476b-a056-f47c62b47b46.md b/docs/queries/terraform-queries/aws/c583f0f9-7dfd-476b-a056-f47c62b47b46.md index d1b23b0387a..11caf570bac 100644 --- a/docs/queries/terraform-queries/aws/c583f0f9-7dfd-476b-a056-f47c62b47b46.md +++ b/docs/queries/terraform-queries/aws/c583f0f9-7dfd-476b-a056-f47c62b47b46.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resour ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md b/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md index c6e170a492d..1e04f1ed535 100644 --- a/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md +++ b/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md @@ -28,7 +28,7 @@ S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terra ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" provider "aws" { region = "us-east-1" } 
@@ -53,7 +53,7 @@ resource "aws_s3_bucket" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="23" +```tf title="Positive test num. 2 - tf file" hl_lines="23" provider "aws" { region = "us-east-1" } @@ -82,7 +82,7 @@ resource "aws_s3_bucket" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="25" +```tf title="Positive test num. 3 - tf file" hl_lines="25" provider "aws" { region = "us-east-1" } @@ -112,7 +112,7 @@ resource "aws_s3_bucket" "positive3" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="24 23" provider "aws" { @@ -144,7 +144,7 @@ resource "aws_s3_bucket" "positive3" { ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="1" module "s3_bucket" { @@ -157,7 +157,7 @@ module "s3_bucket" { ```
-
Postitive test num. 6 - tf file +
Positive test num. 6 - tf file ```tf hl_lines="8" module "s3_bucket" { @@ -174,7 +174,7 @@ module "s3_bucket" { ```
-
Postitive test num. 7 - tf file +
Positive test num. 7 - tf file ```tf hl_lines="10" module "s3_bucket" { @@ -192,7 +192,7 @@ module "s3_bucket" { ```
-
Postitive test num. 8 - tf file +
Positive test num. 8 - tf file ```tf hl_lines="8 9" module "s3_bucket" { @@ -209,7 +209,7 @@ module "s3_bucket" { ```
-
Postitive test num. 9 - tf file +
Positive test num. 9 - tf file ```tf hl_lines="28" terraform { @@ -245,7 +245,7 @@ resource "aws_s3_bucket_versioning" "example2" { ```
-
Postitive test num. 10 - tf file +
Positive test num. 10 - tf file ```tf hl_lines="27" terraform { diff --git a/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md b/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md index c47b25af570..845688eb653 100644 --- a/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md +++ b/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md @@ -28,7 +28,7 @@ IAM password should have at least one uppercase letter
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 4" +```tf title="Positive test num. 1 - tf file" hl_lines="9 4" resource "aws_iam_account_password_policy" "positive1" { require_lowercase_characters = true require_numbers = true diff --git a/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md b/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md index 21a17f4f787..94b5611ec16 100644 --- a/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md +++ b/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md @@ -28,7 +28,7 @@ Neptune Cluster should have IAM Database Authentication enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 17" +```tf title="Positive test num. 1 - tf file" hl_lines="1 17" resource "aws_neptune_cluster" "positive1" { cluster_identifier = "neptune-cluster-demo" engine = "neptune" diff --git a/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md b/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md index 4fe003e0da3..cd5cb077c74 100644 --- a/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md +++ b/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md @@ -28,7 +28,7 @@ API Gateway Stage should have API Gateway UsagePlan defined and associated.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 10" +```tf title="Positive test num. 1 - tf file" hl_lines="1 10" resource "aws_api_gateway_stage" "positive1" { rest_api_id = "some deployment id" deployment_id = "some rest api id" diff --git a/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md b/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md index 5ca566443c3..de75a72c25b 100644 --- a/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md +++ b/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md @@ -28,7 +28,7 @@ It's considered a best practice for AWS Security Group to have a description
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_security_group" "allow_tls" { name = "allow_tls" vpc_id = aws_vpc.main.id diff --git a/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md b/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md index 787097d1947..af0d6005be8 100644 --- a/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md +++ b/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md @@ -28,7 +28,7 @@ EBS volumes should be encrypted
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_ebs_volume" "positive1" { availability_zone = "us-west-2a" size = 40 @@ -40,7 +40,7 @@ resource "aws_ebs_volume" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_ebs_volume" "positive2" { availability_zone = "us-west-2a" size = 40 diff --git a/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md b/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md index aea81d8ab82..88862505912 100644 --- a/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md +++ b/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md @@ -28,7 +28,7 @@ AWS DynamoDB Tables should have server-side encryption
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 30" +```tf title="Positive test num. 1 - tf file" hl_lines="1 30" resource "aws_dynamodb_table" "example" { name = "example" hash_key = "TestTableHashKey" diff --git a/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md b/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md index a8e8fa50f62..86a424a764a 100644 --- a/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md +++ b/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md @@ -28,7 +28,7 @@ SSM Session should be encrypted in transit
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_ssm_document" "positive1" { name = "test_document" document_type = "Session" @@ -42,7 +42,7 @@ DOC } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "aws_ssm_document" "positive2" { name = "test_document" document_type = "Session" diff --git a/docs/queries/terraform-queries/aws/ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md b/docs/queries/terraform-queries/aws/ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md index ff9be428ff3..6da809bff78 100644 --- a/docs/queries/terraform-queries/aws/ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md +++ b/docs/queries/terraform-queries/aws/ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md @@ -28,7 +28,7 @@ No password expiration policy
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 12" +```tf title="Positive test num. 1 - tf file" hl_lines="8 12" resource "aws_iam_account_password_policy" "positive1" { minimum_password_length = 8 require_lowercase_characters = true diff --git a/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md b/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md index 3f9d3ec8cbe..192b01fb74e 100644 --- a/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md +++ b/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md @@ -28,7 +28,7 @@ SSO permissions should be configured to limit user sessions to no longer than 1 ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6 14" +```tf title="Positive test num. 1 - tf file" hl_lines="6 14" resource "aws_ssoadmin_permission_set" "example3" { name = "Example" description = "An example" diff --git a/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md b/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md index 7f7d884619e..77d429053a2 100644 --- a/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md +++ b/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md @@ -28,7 +28,7 @@ AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 17" +```tf title="Positive test num. 1 - tf file" hl_lines="1 17" resource "aws_redshift_cluster" "positive1" { cluster_identifier = "tf-redshift-cluster" database_name = "mydb" 
diff --git a/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md b/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md index b67582a64e0..ac6974c6854 100644 --- a/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md +++ b/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md @@ -28,7 +28,7 @@ S3 bucket allows public ACL
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 18" +```tf title="Positive test num. 1 - tf file" hl_lines="8 18" resource "aws_s3_bucket" "positive1" { bucket = "example" } @@ -53,7 +53,7 @@ resource "aws_s3_bucket_public_access_block" "positive3" { ignore_public_acls = false } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="8" +```tf title="Positive test num. 2 - tf file" hl_lines="8" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" @@ -87,7 +87,7 @@ POLICY } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/d1846b12-20c5-4d45-8798-fc35b79268eb.md b/docs/queries/terraform-queries/aws/d1846b12-20c5-4d45-8798-fc35b79268eb.md index 8809451ce44..d73f0dd09c9 100644 --- a/docs/queries/terraform-queries/aws/d1846b12-20c5-4d45-8798-fc35b79268eb.md +++ b/docs/queries/terraform-queries/aws/d1846b12-20c5-4d45-8798-fc35b79268eb.md @@ -28,7 +28,7 @@ ECR should have an image tag be immutable. This prevents image tags from being o ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10 3" +```tf title="Positive test num. 1 - tf file" hl_lines="10 3" resource "aws_ecr_repository" "foo2" { name = "bar" image_tag_mutability = "MUTABLE" diff --git a/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md b/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md index c98497ef999..2f0e0535fc5 100644 --- a/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md +++ b/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md 
@@ -28,7 +28,7 @@ S3 Buckets must not allow Put Action From All Principals, as to prevent leaking ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_s3_bucket_policy" "positive1" { bucket = aws_s3_bucket.b.id @@ -53,7 +53,7 @@ POLICY } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "aws_s3_bucket_policy" "positive2" { bucket = aws_s3_bucket.b.id @@ -81,7 +81,7 @@ POLICY } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="12" +```tf title="Positive test num. 3 - tf file" hl_lines="12" module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/d25edb51-07fb-4a73-97d4-41cecdc53a22.md b/docs/queries/terraform-queries/aws/d25edb51-07fb-4a73-97d4-41cecdc53a22.md index 18a3762f1c8..dd3ae8c1944 100644 --- a/docs/queries/terraform-queries/aws/d25edb51-07fb-4a73-97d4-41cecdc53a22.md +++ b/docs/queries/terraform-queries/aws/d25edb51-07fb-4a73-97d4-41cecdc53a22.md @@ -28,7 +28,7 @@ Glue policy should avoid wildcard in 'principals' and 'actions'
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="15" +```tf title="Positive test num. 1 - tf file" hl_lines="15" data "aws_iam_policy_document" "glue-example-policy" { statement { actions = [ diff --git a/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md b/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md index 0b81b586c65..d67a231c78f 100644 --- a/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md +++ b/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md @@ -28,7 +28,7 @@ Athena Workgroup query results should be encrypted, for all queries that run in ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8 1 21" +```tf title="Positive test num. 1 - tf file" hl_lines="8 1 21" resource "aws_athena_workgroup" "example" { name = "example" } diff --git a/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md b/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md index 6d47f22d17a..9770505fe82 100644 --- a/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md +++ b/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md 
@@ -28,7 +28,7 @@ It's not recommended to use plaintext environment variables for sensitive inform ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="30" +```tf title="Positive test num. 1 - tf file" hl_lines="30" resource "aws_ecs_task_definition" "positive1" { family = "service" container_definitions = < ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="13" +```tf title="Positive test num. 1 - tf file" hl_lines="13" module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 3.0" @@ -50,7 +50,7 @@ module "ec2_instance" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="5" +```tf title="Positive test num. 2 - tf file" hl_lines="5" resource "aws_instance" "positive1" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" diff --git a/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md b/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md index bfa8f509173..d145cbc843a 100644 --- a/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md +++ b/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md @@ -28,7 +28,7 @@ CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'ac ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="22" +```tf title="Positive test num. 1 - tf file" hl_lines="22" data "aws_iam_policy_document" "test_destination_policy" { statement { effect = "Allow" diff --git a/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md b/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md index f6d4ebaf020..2a095a27373 100644 --- a/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md 
+++ b/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource s ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md b/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md index c78c1c2b787..2e4c647dd33 100644 --- a/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md +++ b/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md @@ -28,7 +28,7 @@ AWS Application Load Balancer (alb) should not listen on HTTP
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9" +```tf title="Positive test num. 1 - tf file" hl_lines="9" resource "aws_lb_listener" "listener5" { load_balancer_arn = aws_lb.test3.arn port = 80 @@ -51,7 +51,7 @@ resource "aws_lb" "test3" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="70" +```tf title="Positive test num. 2 - tf file" hl_lines="70" provider "aws" { profile = "default" region = "us-west-2" diff --git a/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md b/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md index 52e0a4e85e6..80d2382f061 100644 --- a/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md +++ b/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md @@ -28,7 +28,7 @@ Lambda Permission Principal should not contain a wildcard.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_lambda_permission" "positive1" { statement_id = "AllowExecutionFromCloudWatch" action = "lambda:InvokeFunction" diff --git a/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md b/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md index bd2e725c2f3..7ea7dd6952b 100644 --- a/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md +++ b/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md @@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_user" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md b/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md index 8f27ec1ea6e..dce0b3b7e26 100644 --- a/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md +++ b/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md @@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for a small public networ ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="96 66 36 6 111 81 51 21" +```tf title="Positive test num. 1 - tf file" hl_lines="96 66 36 6 111 81 51 21" resource "aws_security_group" "positive1" { name = "allow_tls1" description = "Allow TLS inbound traffic" 
diff --git a/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md b/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md index 37995ecbb6c..aa04f4bb188 100644 --- a/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md +++ b/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md @@ -28,7 +28,7 @@ AWS services resource tags are an essential part of managing components. As a be ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 14" +```tf title="Positive test num. 1 - tf file" hl_lines="1 14" resource "aws_acm_certificate" "cert" { domain_name = "example.com" validation_method = "DNS" diff --git a/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md b/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md index e77bc3b19d9..accf5e4df1d 100644 --- a/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md +++ b/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md @@ -28,7 +28,7 @@ Using the iam:passrole action with wildcards (*) in the resource can be overly p ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "aws_iam_role_policy" "test_policy" { name = "test_policy" role = aws_iam_role.test_role.id diff --git a/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md b/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md index 84311e61ee0..788da723a6b 100644 --- a/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md +++ b/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md @@ -28,7 +28,7 @@ RDS Cluster backup retention period should be specifically defined
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_rds_cluster" "postgresql" { cluster_identifier = "aurora-cluster-demo" engine = "aurora-postgresql" diff --git a/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md b/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md index b94aee7cba8..96f05447ded 100644 --- a/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md +++ b/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md @@ -28,7 +28,7 @@ IAM Access Analyzer should be enabled and configured to continuously monitor res ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_organizations_organization" "example2" { aws_service_access_principals = ["access-analyzer.amazonaws.com"] } diff --git a/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md b/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md index 842459fadf3..770d92b742b 100644 --- a/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md +++ b/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md @@ -28,7 +28,7 @@ The value on AWS EBS Volume Snapshot Encryptation must be true
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_ebs_volume" "positive1" { availability_zone = "us-west-2a" size = 40 @@ -47,7 +47,7 @@ resource "aws_ebs_snapshot" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "aws_ebs_volume" "positive2" { availability_zone = "us-west-2a" size = 40 diff --git a/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md b/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md index addb16aac0d..71514be82b5 100644 --- a/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md +++ b/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md @@ -28,7 +28,7 @@ AWS Elasticsearch should ensure IAM Authentication
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_elasticsearch_domain" "example" { domain_name = "tf-test" elasticsearch_version = "2.3" @@ -56,7 +56,7 @@ POLICIES } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_elasticsearch_domain" "example2" { domain_name = "tf-test" elasticsearch_version = "2.3" diff --git a/docs/queries/terraform-queries/aws/e77c89f6-9c85-49ea-b95b-5f960fe5be92.md b/docs/queries/terraform-queries/aws/e77c89f6-9c85-49ea-b95b-5f960fe5be92.md index d08a738ce7a..334423a573e 100644 --- a/docs/queries/terraform-queries/aws/e77c89f6-9c85-49ea-b95b-5f960fe5be92.md +++ b/docs/queries/terraform-queries/aws/e77c89f6-9c85-49ea-b95b-5f960fe5be92.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md b/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md index 48c2784471a..da5bd005476 100644 --- a/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md +++ b/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md @@ -28,7 +28,7 @@ Amazon ECR image repositories shouldn't have public access
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "aws_ecr_repository" "positive1" { name = "bar" } diff --git a/docs/queries/terraform-queries/aws/e979fcbc-df6c-422d-9458-c33d65e71c45.md b/docs/queries/terraform-queries/aws/e979fcbc-df6c-422d-9458-c33d65e71c45.md index 0db98d4ef10..240c93744c9 100644 --- a/docs/queries/terraform-queries/aws/e979fcbc-df6c-422d-9458-c33d65e71c45.md +++ b/docs/queries/terraform-queries/aws/e979fcbc-df6c-422d-9458-c33d65e71c45.md @@ -28,7 +28,7 @@ Ensure that AWS Elasticsearch enables support for slow logs
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "aws_elasticsearch_domain" "positive1" { log_publishing_options { cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn diff --git a/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md b/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md index 1f0f7a66205..ea9033d165c 100644 --- a/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md +++ b/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md @@ -28,7 +28,7 @@ SQS VPC Endpoint should have DNS resolution enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="95" +```tf title="Positive test num. 1 - tf file" hl_lines="95" locals { region = "us-east-1" cidr_block = "172.16.0.0/16" @@ -140,7 +140,7 @@ resource "aws_internet_gateway" "igw" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="13" +```tf title="Positive test num. 2 - tf file" hl_lines="13" module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" diff --git a/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md b/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md index 9b63372feb1..ec4052b64fc 100644 --- a/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md +++ b/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md @@ -28,7 +28,7 @@ Ensure a log metric filter and alarm exist for IAM policy changes
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } @@ -67,7 +67,7 @@ resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" provider "aws" { region = "us-east-2" } diff --git a/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md b/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md index dd2abd4245f..6413bb369b9 100644 --- a/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md +++ b/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set t ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md b/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md index 407d27be0e8..ee803195766 100644 --- a/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md +++ b/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md @@ -28,7 +28,7 @@ AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to us ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="16 1 32" +```tf title="Positive test num. 1 - tf file" hl_lines="16 1 32" resource "aws_cognito_user_pool" "positive1" { # ... other configuration ... 
diff --git a/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md b/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md index 0fb80473875..c8949b8b690 100644 --- a/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md +++ b/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md @@ -28,7 +28,7 @@ Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resourc ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_group" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md b/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md index 04d493eb5cd..1b1f060f2b2 100644 --- a/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md +++ b/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md @@ -28,13 +28,13 @@ A list of SNS resources specified. Amazon Simple Notification Service (Amazon SN ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_sns_topic" "positive1" { name = "user-updates-topic" } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "aws_sns_topic" "positive2" { name = "user-updates-topic" } @@ -63,7 +63,7 @@ EOF } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="1" +```tf title="Positive test num. 3 - tf file" hl_lines="1" resource "aws_sns_topic" "positive3" { name = "user-updates-topic" } @@ -95,7 +95,7 @@ EOF } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" resource "aws_sns_topic" "positive4" { @@ -123,7 +123,7 @@ EOF ```
-
Postitive test num. 5 - tf file +
Positive test num. 5 - tf file ```tf hl_lines="1" resource "aws_sns_topic" "positive5" { diff --git a/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md b/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md index 6abfc06153a..790ffae903e 100644 --- a/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md +++ b/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md @@ -28,7 +28,7 @@ API Gateway should have valid compression, which means attribute 'minimum_compre ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 28 17" +```tf title="Positive test num. 1 - tf file" hl_lines="1 28 17" resource "aws_api_gateway_rest_api" "positive1" { name = "regional-example" diff --git a/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md b/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md index a79e9abc5bc..f51157b8f91 100644 --- a/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md +++ b/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md @@ -28,7 +28,7 @@ Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "aws_iam_role" "cosmic" { name = "cosmic" } diff --git a/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md b/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md index d70c0b29220..491c59a3f8a 100644 --- a/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md +++ b/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md 
@@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_iam_role" "cosmic" { name = "cosmic" }
diff --git a/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md b/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md
index 1db85156e64..4f0e95538de 100644
--- a/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md
+++ b/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md
@@ -28,7 +28,7 @@ CloudTrail Log Files S3 Bucket should have 'logging' enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="23"
+```tf title="Positive test num. 1 - tf file" hl_lines="23"
 provider "aws" { region = "us-east-1" }
@@ -88,7 +88,7 @@ POLICY
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 module "foo" { source = "terraform-aws-modules/s3-bucket/aws" version = "0.0.1"
@@ -143,7 +143,7 @@ resource "aws_cloudtrail" "foobar" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="21"
+```tf title="Positive test num. 3 - tf file" hl_lines="21"
 terraform { required_providers { aws = {
diff --git a/docs/queries/terraform-queries/aws/eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md b/docs/queries/terraform-queries/aws/eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md
index 4aa37254446..fa304f1ef20 100644
--- a/docs/queries/terraform-queries/aws/eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md
+++ b/docs/queries/terraform-queries/aws/eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md
@@ -28,7 +28,7 @@ User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set t
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_iam_user" "cosmic" { name = "cosmic" }
diff --git a/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md b/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md
index c7cc2f41adb..64de324dcb2 100644
--- a/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md
+++ b/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md
@@ -28,7 +28,7 @@ AWS CloudWatch Log groups should have retention days specified
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 18"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 18"
 resource "aws_cloudwatch_log_group" "positive1" { name = "Yada"
diff --git a/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md b/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md
index 82bd4c3be0c..4855d2109b5 100644
--- a/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md
+++ b/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md
@@ -28,7 +28,7 @@ The CIDR IP should not be a public interface
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+```tf title="Positive test num. 1 - tf file" hl_lines="5"
 resource "aws_db_security_group" "positive1" { name = "rds_sg"
@@ -38,7 +38,7 @@ resource "aws_db_security_group" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="9"
+```tf title="Positive test num. 2 - tf file" hl_lines="9"
 resource "aws_db_security_group" "positive1" { name = "rds_sg"
diff --git a/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md b/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md
index dc0a837bc23..a84c08e5b33 100644
--- a/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md
+++ b/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md
@@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_iam_role" "cosmic" { name = "cosmic" }
diff --git a/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md b/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md
index 82032b76ead..873120b0b42 100644
--- a/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md
+++ b/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md
@@ -28,7 +28,7 @@ AWS DAX Cluster should have server-side encryption at rest
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 14 25"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 14 25"
 resource "aws_dax_cluster" "bar_1" { cluster_name = "cluster-example" iam_role_arn = data.aws_iam_role.example.arn
diff --git a/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md b/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md
index bee04a07622..d4086046cec 100644
--- a/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md
+++ b/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md
@@ -28,7 +28,7 @@ EC2 instances should not use default security group(s)
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="9"
+```tf title="Positive test num. 1 - tf file" hl_lines="9"
 resource "aws_instance" "positive1" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro"
@@ -41,7 +41,7 @@ resource "aws_instance" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="6"
+```tf title="Positive test num. 2 - tf file" hl_lines="6"
 resource "aws_instance" "positive2" { ami = "ami-003634241a8fcdec0"
diff --git a/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md b/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md
index 566cdec84cb..eb339c6146c 100644
--- a/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md
+++ b/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md
@@ -28,7 +28,7 @@ AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_sagemaker_notebook_instance" "ni" { name = "my-notebook-instance" role_arn = aws_iam_role.role.arn
diff --git a/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md b/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md
index e578e3a4307..1ee506761f7 100644
--- a/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md
+++ b/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md
@@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource se
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_iam_role" "cosmic" { name = "cosmic" }
diff --git a/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md b/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md
index 46ba110e361..3d7e82a6c60 100644
--- a/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md
+++ b/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md
@@ -28,7 +28,7 @@ A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatic
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_efs_file_system" "positive1" { creation_token = "my-product" encrypted = true
@@ -39,7 +39,7 @@ resource "aws_efs_file_system" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "aws_efs_file_system" "positive2" { creation_token = "my-product" encrypted = true
diff --git a/docs/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047.md b/docs/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047.md
index a9189bd3829..7f863925dc3 100644
--- a/docs/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047.md
+++ b/docs/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047.md
@@ -28,7 +28,7 @@ Every VPC resource should have an associated Flow Log
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+```tf title="Positive test num. 1 - tf file" hl_lines="5"
 resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
@@ -47,7 +47,7 @@ resource "aws_flow_log" "example1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
@@ -67,7 +67,7 @@ resource "aws_flow_log" "example2" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="14"
+```tf title="Positive test num. 3 - tf file" hl_lines="14"
 module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0"
@@ -90,7 +90,7 @@ module "vpc" {
 }
 ```
-
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="1" module "vpc" {
diff --git a/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md b/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md
index c1edfddd27b..4aa56cf7a74 100644
--- a/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md
+++ b/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md
@@ -28,7 +28,7 @@ Server Access Logging should be enabled on S3 Buckets so that all changes are lo
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="14"
+```tf title="Positive test num. 1 - tf file" hl_lines="14"
 provider "aws" { region = "us-east-1" }
@@ -57,7 +57,7 @@ resource "aws_s3_bucket" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0"
@@ -71,7 +71,7 @@ module "s3_bucket" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="14"
+```tf title="Positive test num. 3 - tf file" hl_lines="14"
 terraform { required_providers { aws = {
diff --git a/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md b/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md
index e8d065a61b7..0bca495c6ab 100644
--- a/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md
+++ b/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md
@@ -28,7 +28,7 @@ Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource s
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_iam_role" "cosmic" { name = "cosmic" }
diff --git a/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md b/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md
index 6654cf83ab6..237ffad7d52 100644
--- a/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md
+++ b/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md
@@ -28,7 +28,7 @@ Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="12"
+```tf title="Positive test num. 1 - tf file" hl_lines="12"
 provider "aws" { region = "us-east-1" }
diff --git a/docs/queries/terraform-queries/aws/fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md b/docs/queries/terraform-queries/aws/fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md
index 1f4a665cf33..7d738af4395 100644
--- a/docs/queries/terraform-queries/aws/fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md
+++ b/docs/queries/terraform-queries/aws/fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md
@@ -28,7 +28,7 @@ Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassR
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_iam_role" "cosmic" { name = "cosmic" }
diff --git a/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md b/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md
index e644ddf92c8..6e27f7d9921 100644
--- a/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md
+++ b/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md
@@ -28,7 +28,7 @@ EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principa
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="16"
+```tf title="Positive test num. 1 - tf file" hl_lines="16"
 provider "aws" { region = "us-east-1" }
diff --git a/docs/queries/terraform-queries/aws/fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md b/docs/queries/terraform-queries/aws/fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md
index de407558cba..3353a481215 100644
--- a/docs/queries/terraform-queries/aws/fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md
+++ b/docs/queries/terraform-queries/aws/fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md
@@ -28,7 +28,7 @@ IAM Group should have at least one user associated
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="33 12"
+```tf title="Positive test num. 1 - tf file" hl_lines="33 12"
 resource "aws_iam_group_membership" "team2" { name = "tf-testing-group-membership"
diff --git a/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md b/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md
index bae99804a94..3cc12ccc85d 100644
--- a/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md
+++ b/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md
@@ -28,7 +28,7 @@ A list of MQ resources found. Amazon MQ is a managed message broker service for
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_mq_broker" "positive1" { broker_name = "example"
@@ -49,7 +49,7 @@ resource "aws_mq_broker" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "aws_mq_broker" "positive2" { broker_name = "example"
diff --git a/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md b/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md
index 43095af6cbe..3a98d34494c 100644
--- a/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md
+++ b/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md
@@ -28,7 +28,7 @@ VPC should have a Network Firewall associated
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "aws_vpc" "positive" { cidr_block = "10.0.0.0/16" }
diff --git a/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md b/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md
index c3b9bd9fc00..b95ee8b7e7b 100644
--- a/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md
+++ b/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md
@@ -28,7 +28,7 @@ The HTTP port is open to the internet in a Security Group
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 14"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 14"
 resource "aws_security_group" "positive1" { name = "http_positive_tcp_1" description = "Gets the HTTP port open with the tcp protocol"
diff --git a/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md b/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md
index 7950981f18c..f459c08247f 100644
--- a/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md
+++ b/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md
@@ -28,7 +28,7 @@ S3 Buckets must not allow Delete Action From All Principals, as to prevent leaki
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="4"
+```tf title="Positive test num. 1 - tf file" hl_lines="4"
 resource "aws_s3_bucket_policy" "positive1" { bucket = aws_s3_bucket.b.id
@@ -53,7 +53,7 @@ POLICY
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="4"
+```tf title="Positive test num. 2 - tf file" hl_lines="4"
 resource "aws_s3_bucket_policy" "positive2" { bucket = aws_s3_bucket.b.id
@@ -80,7 +80,7 @@ POLICY
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="12"
+```tf title="Positive test num. 3 - tf file" hl_lines="12"
 module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0"
diff --git a/docs/queries/terraform-queries/azure/0437633b-daa6-4bbc-8526-c0d2443b946e.md b/docs/queries/terraform-queries/azure/0437633b-daa6-4bbc-8526-c0d2443b946e.md
index 05676d491fe..e576157ea6a 100644
--- a/docs/queries/terraform-queries/azure/0437633b-daa6-4bbc-8526-c0d2443b946e.md
+++ b/docs/queries/terraform-queries/azure/0437633b-daa6-4bbc-8526-c0d2443b946e.md
@@ -28,7 +28,7 @@ Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="15"
+```tf title="Positive test num. 1 - tf file" hl_lines="15"
 resource "azurerm_mariadb_server" "positive1" { name = "example-mariadb-server" location = azurerm_resource_group.example.location
@@ -49,7 +49,7 @@ resource "azurerm_mariadb_server" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "azurerm_mariadb_server" "positive2" { name = "example-mariadb-server" location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md b/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md
index 5447a19ae21..6e65177febc 100644
--- a/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md
+++ b/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md
@@ -28,7 +28,7 @@ Web app should only accept HTTPS traffic in Azure Web App Service.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="28 37"
+```tf title="Positive test num. 1 - tf file" hl_lines="28 37"
 resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe"
diff --git a/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md b/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md
index 04f15cb48bd..72c72b59190 100644
--- a/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md
+++ b/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md
@@ -28,7 +28,7 @@ Storage Accounts should enforce the use of HTTPS
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="10 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="10 7"
 resource "azurerm_storage_account" "positive1" { name = "example1" resource_group_name = data.azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md b/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md
index 0d964fa81cb..859ccd49dc4 100644
--- a/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md
+++ b/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md
@@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_duration' is set t
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="20 13 6"
+```tf title="Positive test num. 1 - tf file" hl_lines="20 13 6"
 #this is a problematic code where the query should report a result(s) resource "azurerm_postgresql_configuration" "positive1" { name = "log_duration"
diff --git a/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md b/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md
index 01075ef29e2..e0fbf697bfb 100644
--- a/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md
+++ b/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md
@@ -28,7 +28,7 @@ Storage Account should not be public to grant the principle of least privileges<
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="48 43 11 28"
+```tf title="Positive test num. 1 - tf file" hl_lines="48 43 11 28"
 resource "azurerm_storage_account" "positive1" { name = "storageaccountname" resource_group_name = azurerm_resource_group.example.name
@@ -85,7 +85,7 @@ resource "azurerm_storage_account_network_rules" "positive4" {
 bypass = ["Metrics"]
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="8"
+```tf title="Positive test num. 2 - tf file" hl_lines="8"
 resource "azurerm_storage_account" "positive5" {
 name = "storageaccountname"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md b/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md
index f4292fe0b66..d51726b0c28 100644
--- a/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md
+++ b/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md
@@ -28,7 +28,7 @@ Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+```tf title="Positive test num. 1 - tf file" hl_lines="5"
 resource "azurerm_postgresql_configuration" "positive1" {
 name = "log_retention_days"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md b/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md
index 07999af8afb..6854601b763 100644
--- a/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md
+++ b/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md
@@ -28,7 +28,7 @@ Azure SQL Server's Admin account login must avoid using names like 'Admin', that
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="40 20"
+```tf title="Positive test num. 1 - tf file" hl_lines="40 20"
 #this is a problematic code where the query should report a result(s)
 resource "azurerm_resource_group" "positive1" {
 name = "database-rg"
diff --git a/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md b/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md
index b2980deb9b1..0121b8bd8b3 100644
--- a/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md
+++ b/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md
@@ -28,7 +28,7 @@ Ensure that Connection Throttling is set for the PostgreSQL server
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5"
+```tf title="Positive test num. 1 - tf file" hl_lines="19 12 5"
 resource "azurerm_postgresql_configuration" "positive1" {
 name = "connection_throttling"
 resource_group_name = data.azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md b/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md
index 61942088ee3..a888e47b4e3 100644
--- a/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md
+++ b/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md
@@ -28,7 +28,7 @@ Ensure that Activity Log Retention is set 365 days or greater
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="64 41 20"
+```tf title="Positive test num. 1 - tf file" hl_lines="64 41 20"
 resource "azurerm_monitor_log_profile" "positive1" {
 name = "default"
diff --git a/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md b/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md
index f194e5ec249..5f8b56e80ec 100644
--- a/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md
+++ b/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md
@@ -28,7 +28,7 @@ There is a role assignment for guest user
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+```tf title="Positive test num. 1 - tf file" hl_lines="3"
 resource "azurerm_role_assignment" "positive1" {
 scope = data.azurerm_subscription.primary.id
 role_definition_name = "Guest"
diff --git a/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md b/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md
index d22e5ebfed9..b89a166f597 100644
--- a/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md
+++ b/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md
@@ -28,7 +28,7 @@ Check if Web Application Firewall is disabled or not configured for Azure's Appl
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="11 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="11 7"
 resource "azurerm_application_gateway" "positive1" {
 name = "example-appgateway"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md b/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md
index 6ee3e1deca9..4e77945baa1 100644
--- a/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md
+++ b/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md
@@ -28,7 +28,7 @@ Security Contact Email should be defined
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "azurerm_security_center_contact" "positive" {
 phone = "+1-555-555-5555"
diff --git a/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md b/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md
index 46eaa3deb6d..b7dcefa33e9 100644
--- a/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md
+++ b/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md
@@ -28,7 +28,7 @@ Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is s
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5"
+```tf title="Positive test num. 1 - tf file" hl_lines="19 12 5"
 resource "azurerm_postgresql_configuration" "positive1" {
 name = "log_checkpoints"
 resource_group_name = data.azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md b/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md
index 0c952202567..7b3db09be8d 100644
--- a/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md
+++ b/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md
@@ -28,7 +28,7 @@ Ensure that logging for Azure KeyVault is 'Enabled'
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="16"
+```tf title="Positive test num. 1 - tf file" hl_lines="16"
 provider "azurerm" {
 features {
 key_vault {
diff --git a/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md b/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md
index 136b59185d7..e8a3cbec839 100644
--- a/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md
+++ b/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md
@@ -28,7 +28,7 @@ Azure Storage Table should not allow all ACL (Access Control List) permissions -
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+```tf title="Positive test num. 1 - tf file" hl_lines="8"
 resource "azurerm_storage_table" "table_resource" {
 name = "my_table_name"
 storage_account_name = "mystoragexxx"
diff --git a/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md b/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md
index 4aa37bae241..79f584d163f 100644
--- a/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md
+++ b/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md
@@ -28,7 +28,7 @@ Port 22 (SSH) is exposed to the internet
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92"
+```tf title="Positive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92"
 resource "azurerm_network_security_rule" "positive1" {
 name = "example"
 priority = 100
diff --git a/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md b/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md
index 6b570844ac1..90544c8e8b9 100644
--- a/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md
+++ b/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md
@@ -28,7 +28,7 @@ Role Definition should not allow custom role creation (Microsoft.Authorization/r
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+```tf title="Positive test num. 1 - tf file" hl_lines="7"
 resource "azurerm_role_definition" "example2" {
 role_definition_id = "00000000-0000-0000-0000-000000000000"
 name = "my-custom-role-definition"
@@ -41,7 +41,7 @@ resource "azurerm_role_definition" "example2" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="7"
+```tf title="Positive test num. 2 - tf file" hl_lines="7"
 resource "azurerm_role_definition" "example" {
 name = "my-custom-role"
 scope = data.azurerm_subscription.primary.id
diff --git a/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md b/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md
index 3c649e1d8b3..50db2100174 100644
--- a/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md
+++ b/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md
@@ -28,7 +28,7 @@ Network Interfaces IP Forwarding should be disabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="12"
+```tf title="Positive test num. 1 - tf file" hl_lines="12"
 resource "azurerm_network_interface" "positive" {
 name = "example-nic"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md b/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md
index 18bf7a85920..0f5976f2cc3 100644
--- a/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md
+++ b/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md
@@ -28,7 +28,7 @@ Azure Container Service (AKS) should use Azure Policies Add-On
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="11"
+```tf title="Positive test num. 1 - tf file" hl_lines="11"
 resource "azurerm_kubernetes_cluster" "positive1" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
@@ -47,7 +47,7 @@ resource "azurerm_kubernetes_cluster" "positive1" {
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="7"
+```tf title="Positive test num. 2 - tf file" hl_lines="7"
 resource "azurerm_kubernetes_cluster" "positive2" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
@@ -58,7 +58,7 @@ resource "azurerm_kubernetes_cluster" "positive2" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="7"
+```tf title="Positive test num. 3 - tf file" hl_lines="7"
 resource "azurerm_kubernetes_cluster" "positive3" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
@@ -69,7 +69,7 @@ resource "azurerm_kubernetes_cluster" "positive3" {
 }
 ```
-
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file
 ```tf hl_lines="1"
 resource "azurerm_kubernetes_cluster" "positive4" {
diff --git a/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md b/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md
index 457a4c19173..968c23b507d 100644
--- a/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md
+++ b/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md
@@ -28,7 +28,7 @@ Ensure Function App is using the latest version of TLS encryption
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="12"
+```tf title="Positive test num. 1 - tf file" hl_lines="12"
 resource "azurerm_function_app" "positive1" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
@@ -45,7 +45,7 @@ resource "azurerm_function_app" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="12"
+```tf title="Positive test num. 2 - tf file" hl_lines="12"
 resource "azurerm_function_app" "positive2" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md b/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md
index 8814f749665..6f0f7c2234b 100644
--- a/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md
+++ b/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md
@@ -28,7 +28,7 @@ Azure Storage Share File should not allow all ACL (Access Control List) permissi
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="10"
+```tf title="Positive test num. 1 - tf file" hl_lines="10"
 resource "azurerm_storage_share" "example" {
 name = "sharename"
 storage_account_name = azurerm_storage_account.example.name
diff --git a/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md b/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md
index ab0f7748c1f..cbb2277c02d 100644
--- a/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md
+++ b/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md
@@ -28,7 +28,7 @@ Public Network Access should be disabled for Azure Cognitive Search
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+```tf title="Positive test num. 1 - tf file" hl_lines="6"
 resource "azurerm_search_service" "positive1" {
 name = "example-search-service"
 resource_group_name = azurerm_resource_group.example.name
@@ -38,7 +38,7 @@ resource "azurerm_search_service" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "azurerm_search_service" "positive2" {
 name = "example-search-service"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md b/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md
index dbbebde6bd7..d3891280f17 100644
--- a/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md
+++ b/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md
@@ -28,7 +28,7 @@ Make sure that for all keys the expiration date is set
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "azurerm_key_vault_key" "positive1" {
 name = "generated-certificate"
 key_vault_id = azurerm_key_vault.example.id
diff --git a/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md b/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md
index 01f46e1795f..b99af660d0a 100644
--- a/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md
+++ b/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md
@@ -28,7 +28,7 @@ Firewall rule allowing unrestricted access to Redis from other Azure sources
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="22"
+```tf title="Positive test num. 1 - tf file" hl_lines="22"
 resource "azurerm_redis_cache" "positive1" {
 name = "redis${random_id.server.hex}"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md b/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md
index 796188afdbd..57ee35949b0 100644
--- a/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md
+++ b/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md
@@ -28,7 +28,7 @@ App Service should have 'http2_enabled' enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "azurerm_app_service" "positive1" {
 name = "example-app-service"
 location = azurerm_resource_group.example.location
@@ -47,7 +47,7 @@ resource "azurerm_app_service" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="17"
+```tf title="Positive test num. 2 - tf file" hl_lines="17"
 resource "azurerm_app_service" "positive2" {
 name = "example-app-service"
 location = azurerm_resource_group.example.location
@@ -72,7 +72,7 @@ resource "azurerm_app_service" "positive2" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="21"
+```tf title="Positive test num. 3 - tf file" hl_lines="21"
 resource "azurerm_app_service" "positive3" {
 name = "example-app-service"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md b/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md
index bfe4f00068d..8ffa226f234 100644
--- a/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md
+++ b/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md
@@ -28,7 +28,7 @@ Trusted Microsoft Services should be enabled for Storage Account access
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 21"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 21"
 resource "azurerm_storage_account_network_rules" "positive1" {
 resource_group_name = azurerm_resource_group.test.name
 storage_account_name = azurerm_storage_account.test.name
diff --git a/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md b/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md
index 9d5b9a5c1ff..b4489b5ce1d 100644
--- a/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md
+++ b/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md
@@ -28,7 +28,7 @@ SQL Server alert email should be enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "azurerm_mssql_server_security_alert_policy" "positive1" {
 resource_group_name = azurerm_resource_group.example.name
 server_name = azurerm_sql_server.example.name
@@ -43,7 +43,7 @@ resource "azurerm_mssql_server_security_alert_policy" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="12"
+```tf title="Positive test num. 2 - tf file" hl_lines="12"
 resource "azurerm_mssql_server_security_alert_policy" "positive2" {
 resource_group_name = azurerm_resource_group.example.name
 server_name = azurerm_sql_server.example.name
diff --git a/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md b/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md
index dd2ffdbb181..78d97b82781 100644
--- a/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md
+++ b/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md
@@ -28,7 +28,7 @@ Cosmos DB Account must have a mapping of tags.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "azurerm_cosmosdb_account" "positive1" {
 name = "tfex-cosmos-db-${random_integer.ri.result}"
 location = azurerm_resource_group.rg.location
diff --git a/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md b/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md
index 2888929d7a7..c6321742af8 100644
--- a/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md
+++ b/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md
@@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for the whole network in
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92"
+```tf title="Positive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92"
 resource "azurerm_network_security_rule" "positive1" {
 name = "example"
 priority = 100
diff --git a/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md b/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md
index 807b8ff08ee..384aa1a5507 100644
--- a/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md
+++ b/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md
@@ -28,7 +28,7 @@ Azure Kubernetes Service (AKS) API should not be exposed to the internet
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+```tf title="Positive test num. 1 - tf file" hl_lines="7"
 resource "azurerm_kubernetes_cluster" "positive1" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
@@ -39,7 +39,7 @@ resource "azurerm_kubernetes_cluster" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "azurerm_kubernetes_cluster" "positive2" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md b/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md
index 6c7570edb49..7a2f6cbf127 100644
--- a/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md
+++ b/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md
@@ -28,7 +28,7 @@ Make sure for SQL Servers that Auditing Retention is greater than 90 days
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="66 28 46 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="66 28 46 7"
 resource "azurerm_sql_database" "positive1" {
 name = "myexamplesqldatabase"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md b/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md
index 882ab900779..b2f302b1228 100644
--- a/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md
+++ b/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md
@@ -28,7 +28,7 @@ Azure Virtual Network subnet must be configured with a Network Security Group, w
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="21 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="21 7"
 #this is a problematic code where the query should report a result(s)
 resource "azure_virtual_network" "positive1" {
 name = "test-network"
diff --git a/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md b/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md
index 3b9fef30422..86d6487711b 100644
--- a/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md
+++ b/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md
@@ -28,7 +28,7 @@ Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "azurerm_mssql_server" "positive1" {
 name = "mssqlserver"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md b/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md
index 64330599732..30f6d336989 100644
--- a/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md
+++ b/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md
@@ -28,7 +28,7 @@ Check if the Kubernetes Dashboard is enabled.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="23"
+```tf title="Positive test num. 1 - tf file" hl_lines="23"
 resource "azurerm_kubernetes_cluster" "positive1" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md b/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md
index b0cb5030357..b7d15fc2bcb 100644
--- a/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md
+++ b/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md
@@ -28,7 +28,7 @@ PostgreSQL Server Infrastructure Encryption should be enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="21"
+```tf title="Positive test num. 1 - tf file" hl_lines="21"
 resource "azurerm_postgresql_server" "positive1" {
 name = "example-psqlserver"
 location = azurerm_resource_group.example.location
@@ -53,7 +53,7 @@ resource "azurerm_postgresql_server" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
 resource "azurerm_postgresql_server" "positive2" {
 name = "example-psqlserver"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md b/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md
index 21c307ceb43..bc7d9785e64 100644
--- a/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md
+++ b/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md
@@ -28,7 +28,7 @@ Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="16 1"
+```tf title="Positive test num. 1 - tf file" hl_lines="16 1"
 resource "azurerm_mariadb_server" "positive" {
 name = "example-mariadb-server"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md b/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md
index eec86190513..48e0ee4985a 100644
--- a/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md
+++ b/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md
@@ -28,7 +28,7 @@ Make sure that the 'Standard' pricing tiers were selected.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="2"
+```tf title="Positive test num. 1 - tf file" hl_lines="2"
 resource "azurerm_security_center_subscription_pricing" "positive1" {
 tier = "Free"
 }
diff --git a/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md b/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md
index af2416d8492..f87f048d71b 100644
--- a/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md
+++ b/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md
@@ -28,7 +28,7 @@ Ensure Storage Account is using the latest version of TLS encryption
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+```tf title="Positive test num. 1 - tf file" hl_lines="7"
 resource "azurerm_storage_account" "positive2" {
 name = "storageaccountname"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md b/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md
index ca9260a5a94..e48b1c4dced 100644
--- a/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md
+++ b/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md
@@ -28,7 +28,7 @@ Azure Front Door WAF should be enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="38"
+```tf title="Positive test num. 1 - tf file" hl_lines="38"
 resource "azurerm_frontdoor" "positive" {
 name = "example-FrontDoor"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md b/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md
index 5ffc1749421..312be979a22 100644
--- a/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md
+++ b/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md
@@ -28,7 +28,7 @@ Ensure that 'Threat Detection' is enabled for Azure SQL Database
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="50 34"
+```tf title="Positive test num. 1 - tf file" hl_lines="50 34"
 resource "azurerm_resource_group" "positive1" {
 name = "acceptanceTestResourceGroup1"
 location = "West US"
diff --git a/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md b/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md
index 19a94ecbfb1..87a2bbdb4fb 100644
--- a/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md
+++ b/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md
@@ -28,7 +28,7 @@ Azure App Service should only enforce FTPS when 'ftps_state' is enabled
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="10"
+```tf title="Positive test num. 1 - tf file" hl_lines="10"
 resource "azurerm_app_service" "positive1" {
 name = "example-app-service"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md b/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md
index 28b0541b527..cc254788991 100644
--- a/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md
+++ b/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md
@@ -28,7 +28,7 @@ Azure Container Service (AKS) instance should have role-based access control (RB
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="35 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="35 7"
 resource "azurerm_kubernetes_cluster" "positive1" {
 name = "example-aks1"
 location = azurerm_resource_group.example.location
diff --git a/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md b/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md
index b7358cc49c6..110a307bc55 100644
--- a/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md
+++ b/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md
@@ -28,7 +28,7 @@ Make sure that on PostgreSQL Geo Redundant Backups is enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2 31" +```tf title="Positive test num. 1 - tf file" hl_lines="2 31" resource "azurerm_postgresql_server" "positive1" { name = "dbserver" diff --git a/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md b/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md index 728674af655..1aaca55534d 100644 --- a/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md +++ b/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md @@ -28,7 +28,7 @@ Role Assignment should limit guest user permissions
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="20" +```tf title="Positive test num. 1 - tf file" hl_lines="20" resource "azurerm_role_definition" "example" { name = "my-custom-role" scope = data.azurerm_subscription.primary.id diff --git a/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md b/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md index 7d4940976b8..9e2de9d8fe0 100644 --- a/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md +++ b/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md @@ -28,7 +28,7 @@ Periodically newer versions are released for PHP software either due to security ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "azurerm_app_service" "example4" { name = "example4-app-service" location = azurerm_resource_group.example.location @@ -54,7 +54,7 @@ resource "azurerm_app_service" "example4" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="25" +```tf title="Positive test num. 2 - tf file" hl_lines="25" provider "azurerm" { features {} } @@ -85,7 +85,7 @@ resource "azurerm_windows_web_app" "example5" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="26" +```tf title="Positive test num. 3 - tf file" hl_lines="26" provider "azurerm" { features {} } diff --git a/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md b/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md index 28eaed2d713..4533ae83502 100644 --- a/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md +++ b/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md @@ -28,7 +28,7 @@ Azure Function App should have 'client_cert_mode' set to required
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_function_app" "positive1" { name = "test-azure-functions" location = azurerm_resource_group.example.location @@ -39,7 +39,7 @@ resource "azurerm_function_app" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "azurerm_function_app" "positive2" { name = "test-azure-functions" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md b/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md index 527bc0ec9a8..2be0cb49f93 100644 --- a/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md +++ b/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md @@ -28,7 +28,7 @@ Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days< ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="67 11 29 47" +```tf title="Positive test num. 1 - tf file" hl_lines="67 11 29 47" resource "azurerm_mssql_database" "positive1" { name = "myexamplesqldatabase" resource_group_name = azurerm_resource_group.example.name diff --git a/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md b/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md index b2da9250f46..9ee9ff9079d 100644 --- a/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md +++ b/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md @@ -28,7 +28,7 @@ Azure Function App should only enforce FTPS when 'ftps_state' is enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "azurerm_function_app" "positive1" { name = "test-azure-functions" location = azurerm_resource_group.example.location @@ -44,7 +44,7 @@ resource "azurerm_function_app" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "azurerm_function_app" "positive2" { name = "test-azure-functions" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md b/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md index c68eca6a8c4..c098f5c48e7 100644 --- a/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md +++ b/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md @@ -28,7 +28,7 @@ Make sure that alerts notifications are set to 'On' in the Azure Security Center ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "azurerm_security_center_contact" "positive1" { email = "contact@example.com" phone = "+1-555-555-5555" diff --git a/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md b/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md index de8d9f6e4f7..10414daee80 100644 --- a/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md +++ b/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md 
@@ -28,7 +28,7 @@ Azurerm Container Registry should contain associated locks, which means 'azurerm ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_container_registry" "acr" { name = "containerRegistry1" resource_group_name = azurerm_resource_group.rg.name diff --git a/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md b/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md index ac11fecc04e..b4fa1d4344e 100644 --- a/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md +++ b/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md @@ -28,7 +28,7 @@ Azure Active Directory must be used for authentication for Service Fabric
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="19" +```tf title="Positive test num. 1 - tf file" hl_lines="19" resource "azurerm_service_fabric_cluster" "positive1" { name = "example-servicefabric" resource_group_name = azurerm_resource_group.example.name @@ -54,7 +54,7 @@ resource "azurerm_service_fabric_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "azurerm_service_fabric_cluster" "positive2" { name = "example-servicefabric" resource_group_name = azurerm_resource_group.example.name diff --git a/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md b/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md index 453735fc033..5e07264dc80 100644 --- a/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md +++ b/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md @@ -28,7 +28,7 @@ The Active Directory Administrator is not configured for a SQL server
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="6" +```tf title="Positive test num. 1 - tf file" hl_lines="6" resource "azurerm_resource_group" "positive1" { name = "acceptanceTestResourceGroup1" location = "West US" diff --git a/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md b/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md index e29d152f1e4..07462a12d51 100644 --- a/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md +++ b/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md @@ -28,7 +28,7 @@ Default Azure Storage Account network access should be set to Deny
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="30" +```tf title="Positive test num. 1 - tf file" hl_lines="30" resource "azurerm_resource_group" "example" { name = "positive1-resources" location = "West Europe" @@ -69,7 +69,7 @@ resource "azurerm_storage_account" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="38" +```tf title="Positive test num. 2 - tf file" hl_lines="38" resource "azurerm_resource_group" "example" { name = "positive2-resources" location = "West Europe" @@ -114,7 +114,7 @@ resource "azurerm_storage_account_network_rules" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="12" +```tf title="Positive test num. 3 - tf file" hl_lines="12" resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" @@ -133,7 +133,7 @@ resource "azurerm_storage_account" "positive3" { } } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="6" resource "azurerm_resource_group" "example" { diff --git a/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md b/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md index 98358afa51b..1e7b88582f2 100644 --- a/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md +++ b/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md @@ -28,7 +28,7 @@ Azure App Service client certificate should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_app_service" "positive1" { name = "example-app-service" location = azurerm_resource_group.example.location @@ -52,7 +52,7 @@ resource "azurerm_app_service" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="16" +```tf title="Positive test num. 2 - tf file" hl_lines="16" resource "azurerm_app_service" "positive2" { name = "example-app-service" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md b/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md index 9e624e0150c..17e7f33332f 100644 --- a/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md +++ b/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md @@ -28,7 +28,7 @@ Check if any firewall rule allows too many hosts to access Redis Cache
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "azurerm_redis_firewall_rule" "positive1" { name = "someIPrange" redis_cache_name = azurerm_redis_cache.example.name diff --git a/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md b/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md index 41101d82328..6f2891d018f 100644 --- a/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md +++ b/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md @@ -28,7 +28,7 @@ Ensure that the encryption is active on the disk
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10 18" +```tf title="Positive test num. 1 - tf file" hl_lines="10 18" resource "azurerm_managed_disk" "positive1" { name = "acctestmd" location = "West US 2" diff --git a/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md b/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md index 37b35832ae0..124c37583f2 100644 --- a/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md +++ b/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md @@ -28,7 +28,7 @@ Function App should have 'http2_enabled' enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_function_app" "positive1" { name = "test-azure-functions" location = azurerm_resource_group.example.location @@ -39,7 +39,7 @@ resource "azurerm_function_app" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="9" +```tf title="Positive test num. 2 - tf file" hl_lines="9" resource "azurerm_function_app" "positive2" { name = "test-azure-functions" location = azurerm_resource_group.example.location @@ -56,7 +56,7 @@ resource "azurerm_function_app" "positive2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="13" +```tf title="Positive test num. 3 - tf file" hl_lines="13" resource "azurerm_function_app" "positive3" { name = "test-azure-functions" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md b/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md index 7780643f1c7..1907d81d57a 100644 --- a/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md +++ b/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md @@ -28,7 +28,7 @@ MSSQL Server public network access should be disabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_mssql_server" "positive1" { name = "mssqlserver" resource_group_name = azurerm_resource_group.example.name @@ -46,7 +46,7 @@ resource "azurerm_mssql_server" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="16" +```tf title="Positive test num. 2 - tf file" hl_lines="16" resource "azurerm_mssql_server" "positive2" { name = "mssqlserver" resource_group_name = azurerm_resource_group.example.name diff --git a/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md b/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md index 007d9c484b1..884a2ac61e4 100644 --- a/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md +++ b/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md @@ -28,7 +28,7 @@ Azure Container Service (AKS) should use Disk Encryption Set ID in supported typ ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_kubernetes_cluster" "positive" { name = "example-aks1" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md b/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md index 3793d2a2345..5188763bf6e 100644 --- a/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md +++ b/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md @@ -28,7 +28,7 @@ Virtual Network should have DDoS Protection Plan enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="18" +```tf title="Positive test num. 1 - tf file" hl_lines="18" resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" @@ -75,7 +75,7 @@ resource "azurerm_virtual_network" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="27" +```tf title="Positive test num. 2 - tf file" hl_lines="27" resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" diff --git a/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md b/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md index 3a5632d9ba0..3463fe5a234 100644 --- a/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md +++ b/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md @@ -28,7 +28,7 @@ Azure App Service should have managed identity enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_app_service" "positive1" { name = "example-app-service" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md b/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md index 2c27af93f43..b08b62c6e4b 100644 --- a/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md +++ b/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md @@ -28,7 +28,7 @@ Ensure App Service is using the latest version of TLS encryption
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "azurerm_app_service" "positive1" { name = "example-app-service" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md b/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md index 1ef0e3e9d72..ea204a4cc83 100644 --- a/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md +++ b/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md @@ -28,7 +28,7 @@ Admin user is enabled for Container Registry
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "azurerm_resource_group" "positive1" { name = "resourceGroup1" location = "West US" diff --git a/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md b/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md index 0aeb0c9b1b5..04dc3148730 100644 --- a/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md +++ b/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md @@ -28,7 +28,7 @@ Check if enable field in the resource azurerm_network_watcher_flow_log is false. ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "azurerm_network_watcher_flow_log" "positive1" { network_watcher_name = azurerm_network_watcher.test.name resource_group_name = azurerm_resource_group.test.name diff --git a/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md b/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md index 8fcf68606bc..b47f81c5c6b 100644 --- a/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md +++ b/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md @@ -28,7 +28,7 @@ Redis Cache is not configured to be updated regularly with security and operatio ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_redis_cache" "positive1" { name = "timeout-redis" location = "West Europe" 
diff --git a/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md b/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md index 612a0c9afa1..5be020c35f6 100644 --- a/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md +++ b/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md @@ -28,7 +28,7 @@ No Network Security Group is attached to the Virtual Machine
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "azurerm_virtual_machine" "positive1" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location diff --git a/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md b/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md index eafb4c8b803..b653902e2c0 100644 --- a/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md +++ b/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md @@ -28,7 +28,7 @@ Azure SQL Server must avoid using predictable Active Directory Administrator Acc ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="29 21" +```tf title="Positive test num. 1 - tf file" hl_lines="29 21" #this is a problematic code where the query should report a result(s) data "azurerm_client_config" "current" {} diff --git a/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md b/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md index a57e0a6de42..36a3b37a3aa 100644 --- a/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md +++ b/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md @@ -28,7 +28,7 @@ Network Interfaces should not be exposed with a public IP address. If configured ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10" +```tf title="Positive test num. 1 - tf file" hl_lines="10" resource "azurerm_network_interface" "positive" { name = "example-nic" location = azurerm_resource_group.example.location 
diff --git a/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md b/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md index 3ac17deab12..b04c6f2f641 100644 --- a/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md +++ b/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md @@ -28,7 +28,7 @@ The IP range filter should be defined to secure the data stored
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_cosmosdb_account" "positive1" { name = "example" is_virtual_network_filter_enabled = true diff --git a/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md b/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md index 1965fbdf889..ba47ecb077d 100644 --- a/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md +++ b/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md @@ -28,7 +28,7 @@ PostgreSQL Server Threat Detection Policy should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="22" +```tf title="Positive test num. 1 - tf file" hl_lines="22" resource "azurerm_postgresql_server" "positive1" { name = "example-psqlserver" location = azurerm_resource_group.example.location @@ -55,7 +55,7 @@ resource "azurerm_postgresql_server" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "azurerm_postgresql_server" "positive2" { name = "example-psqlserver" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md b/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md index 32fe2472857..f5ff3aaf0e6 100644 --- a/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md +++ b/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md @@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_connections' is se ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5" +```tf title="Positive test num. 1 - tf file" hl_lines="19 12 5" resource "azurerm_postgresql_configuration" "positive1" { name = "log_connections" resource_group_name = data.azurerm_resource_group.example.name diff --git a/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md b/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md index d1176d1247e..b1f603dea6f 100644 --- a/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md +++ b/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md 
@@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for wide private network ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +```tf title="Positive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" resource "azurerm_network_security_rule" "positive1" { name = "example" priority = 100 diff --git a/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md b/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md index d3864fed86b..18747aba035 100644 --- a/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md +++ b/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md @@ -28,7 +28,7 @@ Azure App Service authentication settings should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_app_service" "positive1" { name = "example-app-service" location = azurerm_resource_group.example.location @@ -52,7 +52,7 @@ resource "azurerm_app_service" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="17" +```tf title="Positive test num. 2 - tf file" hl_lines="17" resource "azurerm_app_service" "positive2" { name = "example-app-service" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md b/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md index f34dcce6e1f..093d3179724 100644 --- a/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md +++ b/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md @@ -28,7 +28,7 @@ Azure Function App should have managed identity enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_function_app" "positive1" { name = "test-azure-functions" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md b/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md index d268aa7ab9c..fa860aca033 100644 --- a/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md +++ b/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md @@ -28,7 +28,7 @@ Periodically, newer versions are released for Python software either due to secu ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "azurerm_app_service" "example4" { name = "example4-app-service" location = azurerm_resource_group.example.location @@ -54,7 +54,7 @@ resource "azurerm_app_service" "example4" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="25" +```tf title="Positive test num. 2 - tf file" hl_lines="25" provider "azurerm" { features {} } @@ -85,7 +85,7 @@ resource "azurerm_windows_web_app" "example5" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="26" +```tf title="Positive test num. 3 - tf file" hl_lines="26" provider "azurerm" { features {} } diff --git a/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md b/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md index 0d19d4af934..e6515ba3f70 100644 --- a/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md +++ b/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md 
@@ -28,7 +28,7 @@ Azure SQL Server Accessibility should be set to a minimal address range to grant ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="27 19" +```tf title="Positive test num. 1 - tf file" hl_lines="27 19" resource "azurerm_resource_group" "positive1" { name = "acceptanceTestResourceGroup1" location = "West US" diff --git a/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md b/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md index fd3ddc56e92..9e5447d81ff 100644 --- a/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md +++ b/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md @@ -28,7 +28,7 @@ Azure Instances should use SSH Key instead of basic authentication
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_virtual_machine" "positive1" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location @@ -42,7 +42,7 @@ resource "azurerm_virtual_machine" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="1" +```tf title="Positive test num. 2 - tf file" hl_lines="1" resource "azurerm_linux_virtual_machine" "positive1" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location diff --git a/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md b/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md index 985c6842afd..504dcbe86c1 100644 --- a/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md +++ b/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md @@ -28,7 +28,7 @@ Anonymous, public read access to a container and its blobs are enabled in Azure ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "azurerm_storage_container" "positive1" { name = "vhds" storage_account_name = azurerm_storage_account.example.name diff --git a/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md b/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md index 6543ead4f9f..7b17f5685f7 100644 --- a/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md +++ b/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md @@ -28,7 +28,7 @@ Make sure that for all secrets the expiration date is set
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_key_vault_secret" "positive1" { name = "secret-sauce" value = "szechuan" diff --git a/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md b/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md index 3ee45ad7ea6..68d680d4760 100644 --- a/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md +++ b/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md @@ -28,7 +28,7 @@ Redis Cache resources should not allow non-SSL connections
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="8" +```tf title="Positive test num. 1 - tf file" hl_lines="8" resource "azurerm_redis_cache" "positive1" { name = "example-cache" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md b/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md index 345049fafcd..733f2bbe2d3 100644 --- a/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md +++ b/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md @@ -28,7 +28,7 @@ Azure Function App authentication settings should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_function_app" "positive1" { name = "test-azure-functions" location = azurerm_resource_group.example.location @@ -39,7 +39,7 @@ resource "azurerm_function_app" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "azurerm_function_app" "positive2" { name = "test-azure-functions" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md b/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md index 29bdbfb7d67..61c24b2c454 100644 --- a/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md +++ b/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md @@ -28,7 +28,7 @@ A sensitive port, such as port 23 or port 110, is open for small public network ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +```tf title="Positive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" resource "azurerm_network_security_rule" "positive1" { name = "example" priority = 100 diff --git a/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md b/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md index c24e1a36c9c..24c38790332 100644 --- a/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md +++ b/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md @@ -28,7 +28,7 @@ Port 3389 (Remote Desktop) is exposed to the internet
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +```tf title="Positive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" resource "azurerm_network_security_rule" "positive1" { name = "example" priority = 100 diff --git a/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md b/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md index a736f1109c8..afcab6963ee 100644 --- a/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md +++ b/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md @@ -28,7 +28,7 @@ MySQL Server public access should be disabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_mysql_server" "positive1" { name = "example-mysqlserver" location = azurerm_resource_group.example.location @@ -50,7 +50,7 @@ resource "azurerm_mysql_server" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="17" +```tf title="Positive test num. 2 - tf file" hl_lines="17" resource "azurerm_mysql_server" "positive2" { name = "example-mysqlserver" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md b/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md index ab2c557584c..8256c274502 100644 --- a/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md +++ b/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md @@ -28,7 +28,7 @@ Azure Kubernetes Service should have the proper network policy configuration to ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="26 69 21" +```tf title="Positive test num. 1 - tf file" hl_lines="26 69 21" resource "azurerm_kubernetes_cluster" "positive1" { name = "example-aks1" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md b/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md index 2d94d733fe7..56fa4ee5012 100644 --- a/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md +++ b/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md @@ -28,7 +28,7 @@ Make sure that for SQL Servers, 'Auditing' is set to 'On'
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_sql_server" "positive1" { name = "mssqlserver" resource_group_name = azurerm_resource_group.example.name diff --git a/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md b/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md index 493090f10e6..cb0fafc8fba 100644 --- a/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md +++ b/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md @@ -28,7 +28,7 @@ Key Vault Secrets should have set Content Type
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "azurerm_key_vault_secret" "positive" { name = "secret-sauce" value = "szechuan" diff --git a/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md b/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md index d4b6e2a7f60..b4e70d47c5d 100644 --- a/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md +++ b/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md @@ -28,7 +28,7 @@ Firewall rule allowing unrestricted access to Redis from the Internet
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="22" +```tf title="Positive test num. 1 - tf file" hl_lines="22" resource "azurerm_redis_cache" "positive1" { name = "redis${random_id.server.hex}" location = azurerm_resource_group.example.location diff --git a/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md b/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md index af5dc379e2f..a87768c62f2 100644 --- a/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md +++ b/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md @@ -28,7 +28,7 @@ Make sure that for PostgreSQL Database, server parameter 'log_retention' is set ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5" +```tf title="Positive test num. 1 - tf file" hl_lines="19 12 5" resource "azurerm_postgresql_configuration" "positive1" { name = "log_retention" resource_group_name = data.azurerm_resource_group.example.name diff --git a/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md b/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md index 220886d30f5..863ad368fb7 100644 --- a/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md +++ b/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md @@ -28,7 +28,7 @@ Check if any network policy is not targeting any pod.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" resource "kubernetes_network_policy" "example" { metadata { name = "terraform-example-network-policy" diff --git a/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md b/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md index 8ec60e95fe4..99a4036d557 100644 --- a/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md +++ b/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md @@ -28,7 +28,7 @@ Check if any label in the metadata is invalid.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="5" +```tf title="Positive test num. 1 - tf file" hl_lines="5" resource "kubernetes_pod" "test" { metadata { name = "terraform-example" diff --git a/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md b/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md index 15addf25b10..57658c76a9c 100644 --- a/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md +++ b/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md @@ -28,7 +28,7 @@ Containers should be configured with AppArmor for any application to reduce its ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="58 4" +```tf title="Positive test num. 1 - tf file" hl_lines="58 4" resource "kubernetes_pod" "example1" { metadata { name = "terraform-example1" diff --git a/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md b/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md index afe96784e6b..b4a1fc8e3b3 100644 --- a/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md +++ b/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md @@ -28,7 +28,7 @@ Containers should not run with allowPrivilegeEscalation in order to prevent them ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="108 14 47" +```tf title="Positive test num. 1 - tf file" hl_lines="108 14 47" resource "kubernetes_pod" "positive1" { metadata { diff --git a/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md b/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md index 1eaefa776dc..bceae749b00 100644 --- a/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md 
+++ b/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md @@ -28,7 +28,7 @@ Check if Tiller is deployed.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3 103 8 200 175" +```tf title="Positive test num. 1 - tf file" hl_lines="3 103 8 200 175" resource "kubernetes_pod" "positive1" { metadata { diff --git a/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md b/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md index 98fd454469d..695b188e4ea 100644 --- a/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md +++ b/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md @@ -28,7 +28,7 @@ Check if insecure SSL is being used in the GitHub organization webhooks
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" resource "github_organization_webhook" "positive1" { name = "web" diff --git a/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md b/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md index dac321186cb..e761f432c98 100644 --- a/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md +++ b/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md @@ -28,7 +28,7 @@ All names should follow snake case pattern.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="7" +```tf title="Positive test num. 1 - tf file" hl_lines="7" variable "cluster_name" { default = "example" description = "cluster name" @@ -55,7 +55,7 @@ module "acm" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="14" +```tf title="Positive test num. 2 - tf file" hl_lines="14" variable "cluster_name" { default = "example" description = "cluster name" diff --git a/docs/queries/terraform-queries/common/23c3067a-8cc9-480c-b645-7c1e0ad4bf60.md b/docs/queries/terraform-queries/common/23c3067a-8cc9-480c-b645-7c1e0ad4bf60.md new file mode 100644 index 00000000000..24abc6e935f --- /dev/null +++ b/docs/queries/terraform-queries/common/23c3067a-8cc9-480c-b645-7c1e0ad4bf60.md @@ -0,0 +1,107 @@ +--- +title: Databricks Group Without User Or Instance Profile +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 23c3067a-8cc9-480c-b645-7c1e0ad4bf60 +- **Query name:** Databricks Group Without User Or Instance Profile +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/group_without_user_or_instance_profile) + +### Description +Databricks Group should have at least one user or one instance profile associated
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="16" +resource "databricks_group" "positive_group" { + display_name = "Some Group" + allow_cluster_create = true + allow_instance_pool_create = true +} + +resource "databricks_user" "positive_user" { + user_name = "someone@example.com" +} + +resource "databricks_group_member" "positive_member" { + group_id = databricks_group.positive_group.id + member_id = databricks_user.positive_user.id +} + +resource "databricks_group" "positive_group_2" { + display_name = "Some Group" + allow_cluster_create = true + allow_instance_pool_create = true +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="14" +resource "databricks_instance_profile" "positive_instance_profile" { + instance_profile_arn = "my_instance_profile_arn" +} + +resource "databricks_group" "positive_group" { + display_name = "my_group_name" +} + +resource "databricks_group_instance_profile" "my_group_instance_profile" { + group_id = databricks_group.positive_group.id + instance_profile_id = databricks_instance_profile.positive_instance_profile.id +} + +resource "databricks_group" "positive_group2" { + display_name = "my_group_name" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "databricks_group" "negative1_group" { + display_name = "Some Group" + allow_cluster_create = true + allow_instance_pool_create = true +} + +resource "databricks_user" "negative1_user" { + user_name = "someone@example.com" +} + +resource "databricks_group_member" "negative1_member" { + group_id = databricks_group.negative1_group.id + member_id = databricks_user.negative1_user.id +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "databricks_instance_profile" "negative2_instance_profile" { + instance_profile_arn = "my_instance_profile_arn" +} + +resource "databricks_group" "negative2_group" { + display_name = "my_group_name" +} + +resource "databricks_group_instance_profile" "negative2_group_instance_profile" { + group_id = databricks_group.negative2_group.id + instance_profile_id = databricks_instance_profile.negative2_instance_profile.id +} + +``` diff --git a/docs/queries/terraform-queries/common/23e1f5f0-12b7-4d7e-9087-f60f42ccd514.md b/docs/queries/terraform-queries/common/23e1f5f0-12b7-4d7e-9087-f60f42ccd514.md new file mode 100644 index 00000000000..c0456bf2d08 --- /dev/null +++ b/docs/queries/terraform-queries/common/23e1f5f0-12b7-4d7e-9087-f60f42ccd514.md @@ -0,0 +1,50 @@ +--- +title: Indefinitely Databricks OBO Token Lifetime +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 23e1f5f0-12b7-4d7e-9087-f60f42ccd514 +- **Query name:** Indefinitely Databricks OBO Token Lifetime +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/indefinitely_obo_token) + +### Description +OBO Token has an indefinitely lifetime
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="1" +resource "databricks_obo_token" "positive" { + depends_on = [databricks_group_member.this] + application_id = databricks_service_principal.this.application_id + comment = "PAT on behalf of ${databricks_service_principal.this.display_name}" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "databricks_obo_token" "negative" { + depends_on = [databricks_group_member.this] + application_id = databricks_service_principal.this.application_id + comment = "PAT on behalf of ${databricks_service_principal.this.display_name}" + lifetime_seconds = 3600 +} + +``` diff --git a/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md b/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md index 0b3af81d783..76aeec70c1f 100644 --- a/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md +++ b/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md @@ -28,7 +28,7 @@ All variables should contain a valid description.
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" variable "cluster_name" { default = "example" type = string @@ -40,7 +40,7 @@ resource "aws_eks_cluster" "positive1" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="4" +```tf title="Positive test num. 2 - tf file" hl_lines="4" variable "cluster_name" { default = "example" type = string @@ -53,7 +53,7 @@ resource "aws_eks_cluster" "positive1" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="4" +```tf title="Positive test num. 3 - tf file" hl_lines="4" variable "cluster_name" { default = "example" type = string diff --git a/docs/queries/terraform-queries/common/2c4fe4a9-f44b-4c70-b09b-5b75cd251805.md b/docs/queries/terraform-queries/common/2c4fe4a9-f44b-4c70-b09b-5b75cd251805.md new file mode 100644 index 00000000000..b111901b385 --- /dev/null +++ b/docs/queries/terraform-queries/common/2c4fe4a9-f44b-4c70-b09b-5b75cd251805.md @@ -0,0 +1,87 @@ +--- +title: Unrestricted Databricks ACL +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2c4fe4a9-f44b-4c70-b09b-5b75cd251805 +- **Query name:** Unrestricted Databricks ACL +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/unrestricted_acl) + +### Description +ACL allow ingress from 0.0.0.0/0 and/or ::/0
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="10" +resource "databricks_workspace_conf" "positive1" { + custom_config = { + "enableIpAccessLists" : true + } +} + +resource "databricks_ip_access_list" "positive1" { + label = "allow_in" + list_type = "ALLOW" + ip_addresses = [ + "0.0.0.0/0", + "1.2.5.0/24" + ] + depends_on = [databricks_workspace_conf.positive1] +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="10" +resource "databricks_workspace_conf" "positive2" { + custom_config = { + "enableIpAccessLists" : true + } +} + +resource "databricks_ip_access_list" "positive2" { + label = "allow_in" + list_type = "ALLOW" + ip_addresses = [ + "::/0", + "1.2.5.0/24" + ] + depends_on = [databricks_workspace_conf.positive2] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "databricks_workspace_conf" "negative" { + custom_config = { + "enableIpAccessLists" : true + } +} + +resource "databricks_ip_access_list" "negative" { + label = "allow_in" + list_type = "ALLOW" + ip_addresses = [ + "1.2.3.0/24", + "1.2.5.0/24" + ] + depends_on = [databricks_workspace_conf.negative] +} + +``` diff --git a/docs/queries/terraform-queries/common/375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7.md b/docs/queries/terraform-queries/common/375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7.md new file mode 100644 index 00000000000..42ca8032908 --- /dev/null +++ b/docs/queries/terraform-queries/common/375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7.md 
@@ -0,0 +1,209 @@ +--- +title: Job's Task is Legacy (spark_submit_task) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7 +- **Query name:** Job's Task is Legacy (spark_submit_task) +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/use_spark_submit_task) + +### Description +Job's Task Is spark_submit_task
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/job#spark_submit_task-configuration-block) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="36" +resource "databricks_job" "positive" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + new_cluster { + num_workers = 1 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + + task { + task_key = "b" + //this task will only run after task a + depends_on { + task_key = "a" + } + + existing_cluster_id = databricks_cluster.shared.id + + spark_submit_task { + main_class_name = "com.acme.data.Main" + } + } + + task { + task_key = "c" + + job_cluster_key = "j" + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + //this task starts a Delta Live Tables pipline update + task { + task_key = "d" + + pipeline_task { + pipeline_id = databricks_pipeline.this.id + } + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="18" +resource "databricks_job" "positive" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + existing_cluster_id = databricks_cluster.shared.id + + spark_submit_task { + main_class_name = "com.acme.data.Main" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "databricks_job" "negative1" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + new_cluster { + num_workers = 1 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + + task { + task_key = "b" + //this task will only run after task a + depends_on { + task_key = "a" + } + + existing_cluster_id = databricks_cluster.shared.id + + spark_jar_task { + main_class_name = "com.acme.data.Main" + } + } + + task { + task_key = "c" + + job_cluster_key = "j" + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } + //this task starts a Delta Live Tables pipline update + task { + task_key = "d" + + pipeline_task { + pipeline_id = databricks_pipeline.this.id + } + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "databricks_job" "negative1" { + name = "Job with multiple tasks" + + job_cluster { + job_cluster_key = "j" + new_cluster { + num_workers = 2 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + } + + task { + task_key = "a" + + new_cluster { + num_workers = 1 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = databricks_notebook.this.path + } + } +} + +``` diff --git a/docs/queries/terraform-queries/common/38028698-e663-4ef7-aa92-773fef0ca86f.md b/docs/queries/terraform-queries/common/38028698-e663-4ef7-aa92-773fef0ca86f.md new file mode 100644 index 00000000000..53fe132f92c --- /dev/null +++ b/docs/queries/terraform-queries/common/38028698-e663-4ef7-aa92-773fef0ca86f.md 
@@ -0,0 +1,105 @@ +--- +title: Check Databricks Cluster Azure Attribute Best Practices +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 38028698-e663-4ef7-aa92-773fef0ca86f +- **Query name:** Check Databricks Cluster Azure Attribute Best Practices +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/cluster_azure_attributes) + +### Description +One or some Databricks Cluster Azure Attribute Best Practices are not respected
+[Documentation](https://docs.databricks.com/clusters/cluster-config-best-practices.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="11" +resource "databricks_cluster" "positive1" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_AZURE" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="12" +resource "databricks_cluster" "positive2" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_WITH_FALLBACK_AZURE" + first_on_demand = 0 + spot_bid_price_percent = 100 + } +} + +``` +```tf title="Positive test num. 3 - tf file" hl_lines="10" +resource "databricks_cluster" "positive3" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_WITH_FALLBACK_AZURE" + zone_id = "auto" + spot_bid_price_percent = 100 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "databricks_cluster" "negative" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + azure_attributes { + availability = "SPOT_WITH_FALLBACK_AZURE" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} + +``` diff --git a/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md b/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md index f43bf40f82d..c9d98352c58 100644 --- a/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md +++ b/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md @@ -28,7 +28,7 @@ All generic git repositories should reference a revision.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+```tf title="Positive test num. 1 - tf file" hl_lines="8"
 variable "cluster_name" {
 default = "example"
 description = "cluster name"
diff --git a/docs/queries/terraform-queries/common/539e4557-d2b5-4d57-a001-cb01140a4e2d.md b/docs/queries/terraform-queries/common/539e4557-d2b5-4d57-a001-cb01140a4e2d.md
new file mode 100644
index 00000000000..2f7e9b75732
--- /dev/null
+++ b/docs/queries/terraform-queries/common/539e4557-d2b5-4d57-a001-cb01140a4e2d.md
@@ -0,0 +1,69 @@
+---
+title: Check Databricks Cluster GCP Attribute Best Practices
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 539e4557-d2b5-4d57-a001-cb01140a4e2d
+- **Query name:** Check Databricks Cluster GCP Attribute Best Practices
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/cluster_gcp_attributes)
+
+### Description
+One or some Databricks Cluster GCP Attribute Best Practices are not respected
+[Documentation](https://docs.databricks.com/clusters/cluster-config-best-practices.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Positive test num. 1 - tf file" hl_lines="11"
+resource "databricks_cluster" "positive" {
+ cluster_name = "data"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ gcp_attributes {
+ availability = "PREEMPTIBLE_GCP"
+ zone_id = "AUTO"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "databricks_cluster" "negative" {
+ cluster_name = "Shared Autoscaling"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ gcp_attributes {
+ availability = "PREEMPTIBLE_WITH_FALLBACK_GCP"
+ zone_id = "auto"
+ first_on_demand = 1
+ spot_bid_price_percent = 100
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md b/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md
index 7c1ee9eca35..24dd0104771 100644
--- a/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md
+++ b/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md
@@ -28,7 +28,7 @@ All outputs should contain a valid description.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 output "cluster_name" {
 value = "example"
 }
@@ -38,7 +38,7 @@ resource "aws_eks_cluster" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="3"
+```tf title="Positive test num. 2 - tf file" hl_lines="3"
 output "cluster_name" {
 value = "example"
 description = " "
@@ -49,7 +49,7 @@ resource "aws_eks_cluster" "positive1" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="3"
+```tf title="Positive test num. 3 - tf file" hl_lines="3"
 output "cluster_name" {
 value = "example"
 description = ""
diff --git a/docs/queries/terraform-queries/common/5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6.md b/docs/queries/terraform-queries/common/5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6.md
new file mode 100644
index 00000000000..967bfb4ee34
--- /dev/null
+++ b/docs/queries/terraform-queries/common/5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6.md
@@ -0,0 +1,150 @@
+---
+title: Check use no LTS Spark Version
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6
+- **Query name:** Check use no LTS Spark Version
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/use_lts_spark_version)
+
+### Description
+Spark Version is not a Long-term Support
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/spark_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="8" +data "databricks_node_type" "postive1_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +data "databricks_spark_version" "postive1_gpu_ml" { + gpu = true + ml = true +} + +resource "databricks_cluster" "positive1_research" { + cluster_name = "Research Cluster" + spark_version = data.databricks_spark_version.postive1_gpu_ml.id + node_type_id = data.databricks_node_type.postive1_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="11" +data "databricks_node_type" "positive2_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +data "databricks_spark_version" "positive2_gpu_ml" { + gpu = true + ml = true + long_term_support = false +} + +resource "databricks_cluster" "positive2_research" { + cluster_name = "Research Cluster" + spark_version = data.databricks_spark_version.positive2_gpu_ml.id + node_type_id = data.databricks_node_type.positive2_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} + +``` +```tf title="Positive test num. 3 - tf file" hl_lines="10" +data "databricks_node_type" "positive3_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +resource "databricks_cluster" "positive3_research" { + cluster_name = "Research Cluster" + spark_version = "3.3.1" + node_type_id = data.databricks_node_type.positive2_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +data "databricks_node_type" "negative1_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +data "databricks_spark_version" "negative1_gpu_ml" { + gpu = true + ml = true + long_term_support = true +} + +resource "databricks_cluster" "negative1_research" { + cluster_name = "Research Cluster" + spark_version = data.databricks_spark_version.negative1_gpu_ml.id + node_type_id = data.databricks_node_type.negative1_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} + +``` +```tf title="Negative test num. 2 - tf file" +data "databricks_node_type" "negative2_with_gpu" { + local_disk = true + min_cores = 16 + gb_per_core = 1 + min_gpus = 1 +} + +resource "databricks_cluster" "negative2_research" { + cluster_name = "Research Cluster" + spark_version = "3.2.1" + node_type_id = data.databricks_node_type.negative2_with_gpu.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } +} + +``` diff --git a/docs/queries/terraform-queries/common/7d05ca25-91b4-42ee-b6f6-b06611a87ce8.md b/docs/queries/terraform-queries/common/7d05ca25-91b4-42ee-b6f6-b06611a87ce8.md new file mode 100644 index 00000000000..281e3dbba4c --- /dev/null +++ b/docs/queries/terraform-queries/common/7d05ca25-91b4-42ee-b6f6-b06611a87ce8.md @@ -0,0 +1,49 @@ +--- +title: Indefinitely Databricks Token Lifetime +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7d05ca25-91b4-42ee-b6f6-b06611a87ce8 +- **Query name:** Indefinitely Databricks Token Lifetime +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/indefinitely_token) + +### Description +Token has an indefinitely lifetime
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
+resource "databricks_token" "positive" {
+ provider = databricks.created_workspace
+ comment = "Terraform Provisioning"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "databricks_token" "negative" {
+ provider = databricks.created_workspace
+ comment = "Terraform Provisioning"
+ // 100 day token
+ lifetime_seconds = 8640000
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/953c0cc6-5f30-44cb-a803-bf4ef2571be8.md b/docs/queries/terraform-queries/common/953c0cc6-5f30-44cb-a803-bf4ef2571be8.md
new file mode 100644
index 00000000000..ba7e7a029f3
--- /dev/null
+++ b/docs/queries/terraform-queries/common/953c0cc6-5f30-44cb-a803-bf4ef2571be8.md
@@ -0,0 +1,88 @@
+---
+title: Databricks Autoscale Badly Setup
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 953c0cc6-5f30-44cb-a803-bf4ef2571be8
+- **Query name:** Databricks Autoscale Badly Setup
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/autoscale_badly_setup)
+
+### Description
+Databricks should have min and max worker setup for autoscale
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Positive test num. 1 - tf file" hl_lines="6"
+resource "databricks_cluster" "positive1" {
+ cluster_name = "Shared Autoscaling"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ }
+ aws_attributes {
+ availability = "SPOT"
+ zone_id = "us-east-1"
+ first_on_demand = 1
+ spot_bid_price_percent = 100
+ }
+}
+
+```
+```tf title="Positive test num. 2 - tf file" hl_lines="6"
+resource "databricks_cluster" "positive2" {
+ cluster_name = "Shared Autoscaling"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ max_workers = 50
+ }
+ aws_attributes {
+ availability = "SPOT"
+ zone_id = "us-east-1"
+ first_on_demand = 1
+ spot_bid_price_percent = 100
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "databricks_cluster" "negative" {
+ cluster_name = "Shared Autoscaling"
+ spark_version = data.databricks_spark_version.latest.id
+ node_type_id = data.databricks_node_type.smallest.id
+ autotermination_minutes = 20
+ autoscale {
+ min_workers = 1
+ max_workers = 50
+ }
+ aws_attributes {
+ availability = "SPOT_WITH_FALLBACK"
+ zone_id = "auto"
+ first_on_demand = 1
+ spot_bid_price_percent = 100
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5.md b/docs/queries/terraform-queries/common/a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5.md
new file mode 100644
index 00000000000..39b31fa9220
--- /dev/null
+++ b/docs/queries/terraform-queries/common/a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5.md
@@ -0,0 +1,301 @@ +--- +title: Databricks Cluster or Job With None Or Insecure Permission(s) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5 +- **Query name:** Databricks Cluster or Job With None Or Insecure Permission(s) +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/databricks_permissions) + +### Description +Databricks Cluster and Job must have restricted permissions
+[Documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="16" +resource "databricks_job" "positive1" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_job" "positive1_error" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "positive1" { + job_id = databricks_job.positive1.id + + access_control { + group_name = "users" + permission_level = "CAN_VIEW" + } + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_MANAGE_RUN" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_MANAGE" + } + + access_control { + service_principal_name = databricks_service_principal.aws_principal.application_id + permission_level = "IS_OWNER" + } +} + +``` +```tf title="Positive test num. 
2 - tf file" hl_lines="12" +resource "databricks_cluster" "positive2" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 60 + autoscale { + min_workers = 1 + max_workers = 10 + } +} + +resource "databricks_cluster" "positive2_error" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 60 + autoscale { + min_workers = 1 + max_workers = 10 + } +} + +resource "databricks_permissions" "positive2" { + cluster_id = databricks_cluster.positive2.id + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_ATTACH_TO" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_RESTART" + } + + access_control { + group_name = databricks_group.ds.display_name + permission_level = "CAN_MANAGE" + } +} + +``` +```tf title="Positive test num. 3 - tf file" hl_lines="16" +resource "databricks_job" "positive3" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "positive3" { + job_id = databricks_job.positive3.id + + access_control { + group_name = "users" + permission_level = "CAN_VIEW" + } + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_MANAGE_RUN" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_MANAGE" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "IS_OWNER" + } +} + +``` +
Positive test num. 4 - tf file + +```tf hl_lines="16" +resource "databricks_job" "positive4" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "positive4" { + job_id = databricks_job.positive4.id + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "IS_OWNER" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "databricks_job" "negative1" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "negative1" { + job_id = databricks_job.negative1.id + + access_control { + group_name = "users" + permission_level = "CAN_VIEW" + } + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_MANAGE_RUN" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_MANAGE" + } + + access_control { + service_principal_name = databricks_service_principal.aws_principal.application_id + permission_level = "IS_OWNER" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "databricks_cluster" "negative2" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 60 + autoscale { + min_workers = 1 + max_workers = 10 + } +} + +resource "databricks_permissions" "negative2" { + cluster_id = databricks_cluster.negative2.id + + access_control { + group_name = databricks_group.auto.display_name + permission_level = "CAN_ATTACH_TO" + } + + access_control { + group_name = databricks_group.eng.display_name + permission_level = "CAN_RESTART" + } + + access_control { + group_name = databricks_group.ds.display_name + permission_level = "CAN_MANAGE" + } +} + +``` +```tf title="Negative test num. 
3 - tf file" +resource "databricks_job" "negative3" { + name = "Featurization" + max_concurrent_runs = 1 + + new_cluster { + num_workers = 300 + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + } + + notebook_task { + notebook_path = "/Production/MakeFeatures" + } +} + +resource "databricks_permissions" "negative3" { + job_id = databricks_job.negative3.id + + access_control { + service_principal_name = databricks_service_principal.aws_principal.application_id + permission_level = "IS_OWNER" + } +} + +``` diff --git a/docs/queries/terraform-queries/common/b0749c53-e3ff-4d09-bbe4-dca94e2e7a38.md b/docs/queries/terraform-queries/common/b0749c53-e3ff-4d09-bbe4-dca94e2e7a38.md new file mode 100644 index 00000000000..1d88aabda93 --- /dev/null +++ b/docs/queries/terraform-queries/common/b0749c53-e3ff-4d09-bbe4-dca94e2e7a38.md @@ -0,0 +1,130 @@ +--- +title: Check Databricks Cluster AWS Attribute Best Practices +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b0749c53-e3ff-4d09-bbe4-dca94e2e7a38 +- **Query name:** Check Databricks Cluster AWS Attribute Best Practices +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/databricks/cluster_aws_attributes) + +### Description +One or some Databricks Cluster AWS Attribute Best Practices are not respected
+[Documentation](https://docs.databricks.com/clusters/cluster-config-best-practices.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="11" +resource "databricks_cluster" "positive1" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT" + zone_id = "auto" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="13" +resource "databricks_cluster" "positive2" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT_WITH_FALLBACK" + zone_id = "auto" + first_on_demand = 0 + spot_bid_price_percent = 100 + } +} + +``` +```tf title="Positive test num. 3 - tf file" hl_lines="10" +resource "databricks_cluster" "positive3" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT_WITH_FALLBACK" + zone_id = "auto" + spot_bid_price_percent = 100 + } +} + +``` +
Positive test num. 4 - tf file + +```tf hl_lines="12" +resource "databricks_cluster" "positive4" { + cluster_name = "data" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT_WITH_FALLBACK" + zone_id = "us-west-2a" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "databricks_cluster" "negative" { + cluster_name = "Shared Autoscaling" + spark_version = data.databricks_spark_version.latest.id + node_type_id = data.databricks_node_type.smallest.id + autotermination_minutes = 20 + autoscale { + min_workers = 1 + max_workers = 50 + } + aws_attributes { + availability = "SPOT_WITH_FALLBACK" + zone_id = "auto" + first_on_demand = 1 + spot_bid_price_percent = 100 + } +} + +``` diff --git a/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md b/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md index 9e2277c660e..fc16d48df67 100644 --- a/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md +++ b/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md @@ -28,7 +28,7 @@ All variables should contain a valid type.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 variable "cluster_name" {
 default = "example"
 description = "test"
@@ -40,7 +40,7 @@ resource "aws_eks_cluster" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="3"
+```tf title="Positive test num. 2 - tf file" hl_lines="3"
 variable "cluster_name" {
 default = "example"
 type = " "
@@ -53,7 +53,7 @@ resource "aws_eks_cluster" "positive1" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="3"
+```tf title="Positive test num. 3 - tf file" hl_lines="3"
 variable "cluster_name" {
 default = "example"
 type = ""
diff --git a/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md b/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md
index 923787244a0..862a48549f3 100644
--- a/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md
+++ b/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md
@@ -28,7 +28,7 @@ Check if the root container filesystem is not being mounted as read-only.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="44 14 103"
+```tf title="Positive test num. 1 - tf file" hl_lines="44 14 103"
 resource "kubernetes_pod" "positive1" {
 metadata {
diff --git a/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md b/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md
index 417f9c661ef..be9952567df 100644
--- a/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md
+++ b/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md
@@ -28,7 +28,7 @@ Ingress Controllers should not expose workload in order to avoid vulnerabilities
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="28"
+```tf title="Positive test num. 1 - tf file" hl_lines="28"
 resource "kubernetes_service" "example" {
 metadata {
 name = "ingress-service"
@@ -67,7 +67,7 @@ resource "kubernetes_ingress" "example" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="32"
+```tf title="Positive test num. 2 - tf file" hl_lines="32"
 resource "kubernetes_service" "MyApp2" {
 metadata {
 name = "ingress-service-2"
@@ -125,7 +125,7 @@ resource "kubernetes_ingress" "example-ingress-2" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="28"
+```tf title="Positive test num. 3 - tf file" hl_lines="28"
 resource "kubernetes_service" "example-4" {
 metadata {
 name = "ingress-service-4"
diff --git a/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md b/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md
index 2e0a2748ce2..58c476ffcd6 100644
--- a/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md
+++ b/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md
@@ -28,7 +28,7 @@ Containers should drop 'ALL' or at least 'NET_RAW' capabilities
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 140"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 140"
 resource "kubernetes_pod" "positive1" {
 metadata {
diff --git a/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md b/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md
index efeda588cd3..935bb9ae2bb 100644
--- a/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md
+++ b/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md
@@ -28,7 +28,7 @@ Image must be defined and not be empty or equal to latest.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 113 60"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 113 60"
 resource "kubernetes_pod" "positive1" {
 metadata {
 name = "terraform-example"
diff --git a/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md b/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md
index 37bff44415c..190f0bf279b 100644
--- a/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md
+++ b/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md
@@ -28,7 +28,7 @@ Container should not share the host IPC namespace
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+```tf title="Positive test num. 1 - tf file" hl_lines="8"
 resource "kubernetes_pod" "positive1" {
 metadata {
 name = "terraform-example"
diff --git a/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md b/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md
index 920959ca97a..b8b9e4f86f7 100644
--- a/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md
+++ b/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md
@@ -28,7 +28,7 @@ A Service Account token is shared between workloads
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="46"
+```tf title="Positive test num. 1 - tf file" hl_lines="46"
 resource "kubernetes_pod" "with_pod_affinity" {
 metadata {
 name = "with-pod-affinity"
diff --git a/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md b/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md
index 5c11f5158b9..065cbbc5518 100644
--- a/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md
+++ b/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md
@@ -28,7 +28,7 @@ A StatefulSet requests volume storage.
### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="177"
+```tf title="Positive test num. 1 - tf file" hl_lines="177"
 resource "kubernetes_stateful_set" "prometheus" {
 metadata {
 annotations = {
diff --git a/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md b/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md
index 31fc9cb4719..d21481834fb 100644
--- a/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md
+++ b/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md
@@ -28,7 +28,7 @@ Memory limits should be defined for each container. This prevents potential reso
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 106"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 106"
 resource "kubernetes_pod" "positive1" {
 metadata {
diff --git a/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md b/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md
index f3542bb1174..2c6dc9ba425 100644
--- a/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md
+++ b/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md
@@ -28,7 +28,7 @@ Containers should not have extra capabilities allowed
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 113"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 113"
 resource "kubernetes_pod" "positive1" {
 metadata {
diff --git a/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md b/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md
index b2de804860d..cdd78fe83df 100644
--- a/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md
+++ b/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md
@@ -28,7 +28,7 @@ Cloud SQL Database Instance should have SLL enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="24 9 44"
+```tf title="Positive test num. 1 - tf file" hl_lines="24 9 44"
 resource "google_sql_database_instance" "positive1" {
 provider = google-beta
diff --git a/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md b/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md
index 40b224b9717..a5eb926f1cf 100644
--- a/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md
+++ b/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Network Policy enabled, meaning that the at
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="2 16 48 86 30 63"
+```tf title="Positive test num. 1 - tf file" hl_lines="2 16 48 86 30 63"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md b/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md
index 8a5438b6288..7eab230655a 100644
--- a/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md
+++ b/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md
@@ -28,7 +28,7 @@ Running outdated versions of Google Kubernetes Engine (GKE) can expose it to kno
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="25 2"
+```tf title="Positive test num. 1 - tf file" hl_lines="25 2"
 #this code is a correct code for which the query should not find any result
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md b/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md
index f96e56d5227..dd0b445d8dd 100644
--- a/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md
+++ b/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md
@@ -28,7 +28,7 @@ This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, t
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 3"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 3"
 resource "google_compute_ssl_policy" "positive1" {
 name = "custom-ssl-policy"
 min_tls_version = "TLS_1_1"
diff --git a/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md b/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md
index bbbcd5f0aaf..94a81df5e52 100644
--- a/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md
+++ b/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md
@@ -28,7 +28,7 @@ KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="24"
+```tf title="Positive test num. 1 - tf file" hl_lines="24"
 resource "google_kms_key_ring" "positive1" {
 name = "keyring-example"
 location = "global"
@@ -56,7 +56,7 @@ resource "google_kms_crypto_key_iam_policy" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="24"
+```tf title="Positive test num. 2 - tf file" hl_lines="24"
 resource "google_kms_key_ring" "positive2" {
 name = "keyring-example"
 location = "global"
diff --git a/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md b/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md
index c682bf18d98..d29ec1b2faa 100644
--- a/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md
+++ b/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md
@@ -28,7 +28,7 @@ Compute instances must be launched with Shielded VM enabled, which means the att
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="2 38 10 60 49 19 28"
+```tf title="Positive test num. 1 - tf file" hl_lines="2 38 10 60 49 19 28"
 #this is a problematic code where the query should report a result(s)
 data "google_compute_instance" "appserver1" {
 name = "primary-application-server"
diff --git a/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md b/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md
index e9f28639e74..dfe00704d1e 100644
--- a/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md
+++ b/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters should not be configured to use the default service a
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+```tf title="Positive test num. 1 - tf file" hl_lines="7"
 resource "google_container_cluster" "positive1" {
 name = "my-gke-cluster"
 location = "us-central1"
@@ -51,7 +51,7 @@ resource "google_container_cluster" "positive1" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="8"
+```tf title="Positive test num. 2 - tf file" hl_lines="8"
 resource "google_container_cluster" "positive2" {
 name = "my-gke-cluster"
 location = "us-central1"
diff --git a/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md b/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md
index e8e99ea3ad1..36397312c7c 100644
--- a/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md
+++ b/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md
@@ -28,7 +28,7 @@ Google Compute Network should not use a firewall rule that allows all ports
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="17"
+```tf title="Positive test num. 1 - tf file" hl_lines="17"
 resource "google_compute_firewall" "positive1" {
 name = "test-firewall"
 network = google_compute_network.positive1.name
diff --git a/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md b/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md
index ae09aea6693..1a66a059e13 100644
--- a/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md
+++ b/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md
@@ -28,7 +28,7 @@ A list of Storage Bucket resources found. Buckets are the basic containers that
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="35 21 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="35 21 7"
 resource "google_storage_bucket_access_control" "public_rule" {
 bucket = google_storage_bucket.bucket.name
 role = "READER"
diff --git a/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md b/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md
index e67d712917d..ed8f6cff87e 100644
--- a/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md
+++ b/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="18 6"
+```tf title="Positive test num. 1 - tf file" hl_lines="18 6"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md b/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md
index 3bf200b2054..1584ccc52c4 100644
--- a/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md
+++ b/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md
@@ -28,7 +28,7 @@ Verifies that the OSLogin is enabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 3"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 3"
 resource "google_compute_project_metadata" "positive1" {
 metadata = {
 enable-oslogin = false
diff --git a/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md b/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md
index 27cd4e72b88..11aed185a5d 100644
--- a/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md
+++ b/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md
@@ -28,7 +28,7 @@ Instances should not be configured to use the Default Service Account, that has
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="2 100 73 46 127"
+```tf title="Positive test num. 1 - tf file" hl_lines="2 100 73 46 127"
 #this is a problematic code where the query should report a result(s)
 resource "google_compute_instance" "positive1" {
 name = "test"
diff --git a/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md b/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md
index 77623583700..0a229da2002 100644
--- a/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md
+++ b/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md
@@ -28,7 +28,7 @@ VM Instance should block project-wide SSH keys
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="29 39"
+```tf title="Positive test num. 1 - tf file" hl_lines="29 39"
 resource "google_compute_instance" "positive1" {
 name = "test"
 machine_type = "e2-medium"
diff --git a/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md b/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md
index 4f3dd47b34e..ae026382e7c 100644
--- a/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md
+++ b/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md
@@ -28,7 +28,7 @@ This query checks if logs are enabled for a Google Compute Subnetwork resource.<
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+```tf title="Positive test num. 1 - tf file" hl_lines="1"
 resource "google_compute_subnetwork" "positive1" {
 name = "log-test-subnetwork"
 ip_cidr_range = "10.2.0.0/16"
diff --git a/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md b/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md
index e7a5bacdf8b..951b891c239 100644
--- a/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md
+++ b/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md
@@ -28,7 +28,7 @@ Google Compute Network should not use default firewall rule
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+```tf title="Positive test num. 1 - tf file" hl_lines="6"
 resource "google_compute_firewall" "positive1" {
 name = "default"
 network = google_compute_network.positive1.name
diff --git a/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md b/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md
index 9dfa55a478c..abe2a975802 100644
--- a/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md
+++ b/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md
@@ -28,7 +28,7 @@ A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide re
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="34 44 54 39"
+```tf title="Positive test num. 1 - tf file" hl_lines="34 44 54 39"
 resource "google_pubsub_topic_iam_binding" "binding" {
 project = google_pubsub_topic.example.project
 topic = google_pubsub_topic.example1.name
diff --git a/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md b/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md
index b9634643009..15a67c6e7af 100644
--- a/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md
+++ b/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means th
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="18 6"
+```tf title="Positive test num. 1 - tf file" hl_lines="18 6"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/579a0727-9c29-4d58-8195-fc5802a8bdb4.md b/docs/queries/terraform-queries/gcp/579a0727-9c29-4d58-8195-fc5802a8bdb4.md
index 7d10619c989..651a6374e9a 100644
--- a/docs/queries/terraform-queries/gcp/579a0727-9c29-4d58-8195-fc5802a8bdb4.md
+++ b/docs/queries/terraform-queries/gcp/579a0727-9c29-4d58-8195-fc5802a8bdb4.md
@@ -28,7 +28,7 @@ GKE cluster nodes must be launched with Shielded VM enabled, which means the att
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="4"
+```tf title="Positive test num. 1 - tf file" hl_lines="4"
 resource "google_container_cluster" "false" {
 name = "my-gke-cluster"
 location = "us-central1"
diff --git a/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md b/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md
index 2abcdde73f2..9a519644d4e 100644
--- a/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md
+++ b/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md
@@ -28,7 +28,7 @@ Verifies if the Google Project Auto Create Network is Disabled
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="8 5"
+```tf title="Positive test num. 1 - tf file" hl_lines="8 5"
 resource "google_project" "positive1" {
 name = "My Project"
 project_id = "your-project-id"
diff --git a/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md b/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md
index 177993b257c..46666f3b171 100644
--- a/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md
+++ b/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md
@@ -28,7 +28,7 @@ Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+```tf title="Positive test num. 1 - tf file" hl_lines="6"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md b/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md
index ce9235fc347..f5d7e9a17b3 100644
--- a/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md
+++ b/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md
@@ -28,7 +28,7 @@ DNSSEC must be enabled for Cloud DNS
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="10"
+```tf title="Positive test num. 1 - tf file" hl_lines="10"
 // comment
 // comment
 // comment
diff --git a/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md b/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md
index b04ac4fe0e5..9b7b65d26eb 100644
--- a/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md
+++ b/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md
@@ -28,7 +28,7 @@ Verifies if Google Project IAM Binding Service Account doesn't have an Account U
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="19 29 3 13"
+```tf title="Positive test num. 1 - tf file" hl_lines="19 29 3 13"
 resource "google_project_iam_binding" "positive1" {
 project = "your-project-id"
 role = "roles/iam.serviceAccountTokenCreator"
diff --git a/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md b/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md
index bb5b3c02691..08db1d283ca 100644
--- a/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md
+++ b/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must be configured with labels, which means the attribute 'r
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="2"
+```tf title="Positive test num. 1 - tf file" hl_lines="2"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md b/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md
index 88e94345144..a51076f4aa9 100644
--- a/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md
+++ b/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md
@@ -28,7 +28,7 @@ Check if the Google compute firewall allows unrestricted RDP access. Allowed por
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="25 12 36"
+```tf title="Positive test num. 1 - tf file" hl_lines="25 12 36"
 resource "google_compute_firewall" "positive1" {
 name = "test-firewall"
 network = google_compute_network.default.name
diff --git a/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md b/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md
index 600725777a1..304cfc672ad 100644
--- a/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md
+++ b/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Private Clusters enabled, meaning the '
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 73 44 16 88 58 30"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 73 44 16 88 58 30"
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
 location = "us-central1-a"
diff --git a/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md b/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md
index 304df6f8941..c931f9ceff3 100644
--- a/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md
+++ b/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md
@@ -28,7 +28,7 @@ As a best practice, it is better to assign an IAM Role to a group than to a user
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+```tf title="Positive test num. 1 - tf file" hl_lines="3"
 data "google_iam_policy" "positive" {
 binding {
 role = "roles/apigee.runtimeAgent"
@@ -40,7 +40,7 @@ data "google_iam_policy" "positive" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="18 3"
+```tf title="Positive test num. 2 - tf file" hl_lines="18 3"
 resource "google_project_iam_binding" "positive2" {
 project = "your-project-id"
 role = "roles/container.admin"
diff --git a/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md b/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md
index 393fc5fa97d..6a455af9b76 100644
--- a/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md
+++ b/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must use the default OAuth authentication, which means 'mast
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="24 7"
+```tf title="Positive test num. 1 - tf file" hl_lines="24 7"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md b/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md
index a202f636a66..12081e2a080 100644
--- a/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md
+++ b/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md
@@ -28,7 +28,7 @@ Verifies that Google Project IAM Member Service Account doesn't have an Admin Ro
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="9 3"
+```tf title="Positive test num. 1 - tf file" hl_lines="9 3"
 resource "google_project_iam_member" "positive1" {
 project = "your-project-id"
 role = "roles/iam.serviceAccountAdmin"
diff --git a/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md b/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md
index 3b004a8625d..0d2563e9da6 100644
--- a/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md
+++ b/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md
@@ -28,7 +28,7 @@ A list of Dataflow resources found. Unified stream and batch data processing tha
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 17"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 17"
 resource "google_dataflow_job" "pubsub_stream" {
 name = "tf-test-dataflow-job1"
 template_gcs_path = "gs://my-bucket/templates/template_file"
diff --git a/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md b/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md
index 028c8b7437a..4bb6f229fb2 100644
--- a/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md
+++ b/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md
@@ -28,7 +28,7 @@ Audit Logging Configuration is defective
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="19 9 3 23"
+```tf title="Positive test num. 1 - tf file" hl_lines="19 9 3 23"
 resource "google_project_iam_audit_config" "positive1" {
 project = "your-project-id"
 service = "some_specific_service"
diff --git a/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md b/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md
index 9e0ecc4447c..eed10821fcd 100644
--- a/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md
+++ b/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md
@@ -28,7 +28,7 @@ The node image should be Container-Optimized OS(COS)
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="16"
+```tf title="Positive test num. 1 - tf file" hl_lines="16"
 resource "google_container_cluster" "positive1" {
 name = "my-gke-cluster"
 location = "us-central1"
diff --git a/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md b/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md
index c9e3bc5a6b0..9df6b0779f7 100644
--- a/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md
+++ b/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md
@@ -28,7 +28,7 @@ Kubernetes Clusters must have Pod Security Policy controller enabled, which mean
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="2 18"
+```tf title="Positive test num. 1 - tf file" hl_lines="2 18"
 #this is a problematic code where the query should report a result(s)
 resource "google_container_cluster" "positive1" {
 name = "marcellus-wallace"
diff --git a/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md b/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md
index 9f7f547ffad..bf9280d2568 100644
--- a/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md
+++ b/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md
@@ -28,7 +28,7 @@ Google Project IAM Policy should not assign a KMS admin role and CryptoKey role
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+```tf title="Positive test num. 1 - tf file" hl_lines="3"
 resource "google_project_iam_policy" "positive1" {
 project = "your-project-id"
 policy_data = data.google_iam_policy.positive1.policy_data
diff --git a/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md b/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md
index 68d827b4140..2bb0ec8326d 100644
--- a/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md
+++ b/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md
@@ -28,7 +28,7 @@ Gmail accounts are being used instead of corporate credentials
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+```tf title="Positive test num. 1 - tf file" hl_lines="6"
 resource "google_project_iam_binding" "positive1" {
 project = "your-project-id"
 role = "roles/editor"
diff --git a/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md b/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md
index 1250763da56..ff65f449f25 100644
--- a/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md
+++ b/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md
@@ -28,7 +28,7 @@ Google Compute Engine VM instances should not enable serial ports. When enabled,
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="26 44 38"
+```tf title="Positive test num. 1 - tf file" hl_lines="26 44 38"
 resource "google_compute_instance" "positive1" {
 name = "test"
 machine_type = "e2-medium"
diff --git a/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md b/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md
index a5e0713efa4..c7312c0ffbe 100644
--- a/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md
+++ b/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md
@@ -28,7 +28,7 @@ Cloud Storage Buckets must not be anonymously or publicly accessible, which mean
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="17 11 5"
+```tf title="Positive test num. 1 - tf file" hl_lines="17 11 5"
 #this is a problematic code where the query should report a result(s)
 resource "google_storage_bucket_iam_binding" "positive1" {
 bucket = google_storage_bucket.default.name
diff --git a/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md b/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md
index af68d47bc84..656bcafb295 100644
--- a/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md
+++ b/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md
@@ -28,7 +28,7 @@ Google Container Node Pool Auto Repair should be enabled. This service periodica
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="19 15"
+```tf title="Positive test num. 1 - tf file" hl_lines="19 15"
 resource "google_container_cluster" "positive1" {
 name = "my-gke-cluster"
 location = "us-central1"
diff --git a/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md b/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md
index e3e147a0ffe..639c7794f68 100644
--- a/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md
+++ b/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md
@@ -28,7 +28,7 @@ Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upg
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 19 36"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 19 36"
 resource "google_container_node_pool" "positive1" {
 name = "my-node-pool"
 location = "us-central1-a"
diff --git a/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md b/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md
index 2d6d2308006..a6de48c7662 100644
--- a/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md
+++ b/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md
@@ -28,7 +28,7 @@ Cloud SQL instances should not be publicly accessible.
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="24 41 56 6"
+```tf title="Positive test num. 1 - tf file" hl_lines="24 41 56 6"
 resource "google_sql_database_instance" "positive1" {
 name = "master-instance"
 database_version = "POSTGRES_11"
diff --git a/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md b/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md
index 3d0f80391ce..fea7c815b1b 100644
--- a/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md
+++ b/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md
@@ -28,7 +28,7 @@ VM disks for critical VMs must be encrypted with Customer Supplied Encryption Ke
 ### Code samples
 #### Code samples with security vulnerabilities
-```tf title="Postitive test num. 1 - tf file" hl_lines="1 22"
+```tf title="Positive test num. 1 - tf file" hl_lines="1 22"
 resource "google_compute_disk" "positive1" {
 name = "test-disk"
 type = "pd-ssd"
@@ -56,7 +56,7 @@ resource "google_compute_disk" "positive2" {
 }
 ```
-```tf title="Postitive test num. 2 - tf file" hl_lines="12"
+```tf title="Positive test num. 2 - tf file" hl_lines="12"
 resource "google_compute_disk" "positive3" {
 name = "test-disk"
 type = "pd-ssd"
@@ -74,7 +74,7 @@ resource "google_compute_disk" "positive3" {
 }
 ```
-```tf title="Postitive test num. 3 - tf file" hl_lines="12"
+```tf title="Positive test num. 3 - tf file" hl_lines="12"
 resource "google_compute_disk" "positive4" {
 name = "test-disk"
 type = "pd-ssd"
diff --git a/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md b/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md
index b4996c0ab95..4a21f7f3e4f 100644
--- a/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md
+++ b/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md
@@ -28,7 +28,7 @@ Google Storage Bucket Level Access should be enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="20 6" +```tf title="Positive test num. 1 - tf file" hl_lines="20 6" resource "google_storage_bucket" "positive1" { name = "image-store.com" location = "EU" diff --git a/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md b/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md index ccae8a1450a..cc213b98e12 100644 --- a/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md +++ b/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md @@ -28,7 +28,7 @@ A VM instance is configured to use the default service account with full access ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="20" +```tf title="Positive test num. 1 - tf file" hl_lines="20" resource "google_compute_instance" "positive1" { name = "test" machine_type = "e2-medium" diff --git a/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md b/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md index 1533bca91be..40d9e461c2a 100644 --- a/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md +++ b/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md @@ -28,7 +28,7 @@ A list of Redis Instance resources found. Memorystore for Redis is a fully manag ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 20" +```tf title="Positive test num. 1 - tf file" hl_lines="1 20" resource "google_redis_instance" "cache" { name = "memory-cache" memory_size_gb = 1 diff --git a/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md b/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md index 56bda431c2b..ce7022d64bc 100644 
--- a/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md +++ b/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md @@ -28,7 +28,7 @@ Cloud Storage Bucket is anonymously or publicly accessible
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17 4" +```tf title="Positive test num. 1 - tf file" hl_lines="17 4" resource "google_storage_bucket_iam_member" "positive1" { bucket = google_storage_bucket.default.name role = "roles/storage.admin" diff --git a/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md b/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md index ee53144d82c..a07d5365379 100644 --- a/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md +++ b/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md @@ -28,7 +28,7 @@ Google Firewall should not allow SSH access (port 22) from the Internet (public ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="43 13 31" +```tf title="Positive test num. 1 - tf file" hl_lines="43 13 31" resource "google_compute_firewall" "positive1" { name = "test-firewall" network = google_compute_network.default.name diff --git a/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md b/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md index f161bc3e85c..53225497659 100644 --- a/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md +++ b/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md @@ -28,7 +28,7 @@ Kubernetes Clusters must be created with Alias IP ranges enabled, which means th ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="2 26 13" +```tf title="Positive test num. 1 - tf file" hl_lines="2 26 13" #this is a problematic code where the query should report a result(s) resource "google_container_cluster" "positive1" { name = "marcellus-wallace" 
diff --git a/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md b/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md index 587307d903b..3097b5f9da7 100644 --- a/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md +++ b/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md @@ -28,7 +28,7 @@ Verifies if Google Poject IAM Member Service Account doesn't have a Account User ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="9 3" +```tf title="Positive test num. 1 - tf file" hl_lines="9 3" resource "google_project_iam_member" "positive1" { project = "your-project-id" role = "roles/iam.serviceAccountTokenCreator" diff --git a/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md b/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md index ef3d070ec99..4783a822219 100644 --- a/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md +++ b/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md @@ -28,7 +28,7 @@ A list of Filestore Instance resources found. Filestore instances are fully mana ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="32 1 59" +```tf title="Positive test num. 1 - tf file" hl_lines="32 1 59" resource "google_filestore_instance" "instance" { name = "test-instance" location = "us-central1-b" diff --git a/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md b/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md index cb642e369f3..3a2e1141fc2 100644 --- a/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md +++ b/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md 
@@ -28,7 +28,7 @@ DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_ ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="11" +```tf title="Positive test num. 1 - tf file" hl_lines="11" resource "google_dns_managed_zone" "positive1" { name = "example-zone" dns_name = "example-${random_id.rnd.hex}.com." diff --git a/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md b/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md index 97a343fd6f9..16ced747dcf 100644 --- a/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md +++ b/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md @@ -28,7 +28,7 @@ Service account should not have improper privileges like admin, editor, owner, o ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="3" +```tf title="Positive test num. 1 - tf file" hl_lines="3" data "google_iam_policy" "admin" { binding { role = "roles/editor" @@ -40,7 +40,7 @@ data "google_iam_policy" "admin" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="18 3" +```tf title="Positive test num. 2 - tf file" hl_lines="18 3" resource "google_project_iam_binding" "project1" { project = "your-project-id" role = "roles/container.admin" @@ -63,7 +63,7 @@ resource "google_project_iam_member" "project2" { } ``` -```tf title="Postitive test num. 3 - tf file" hl_lines="10" +```tf title="Positive test num. 3 - tf file" hl_lines="10" data "google_iam_policy" "admin" { binding { role = "roles/compute.imageUser" @@ -81,7 +81,7 @@ data "google_iam_policy" "admin" { } ``` -
Postitive test num. 4 - tf file +
Positive test num. 4 - tf file ```tf hl_lines="9 3" data "google_iam_policy" "admin" { diff --git a/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md b/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md index 3e107a4e138..41e39f702f4 100644 --- a/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md +++ b/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md @@ -28,7 +28,7 @@ Checks if backup configuration is enabled for all Cloud SQL Database instances ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="30" +```tf title="Positive test num. 1 - tf file" hl_lines="30" resource "google_compute_instance" "positive1" { name = "test" machine_type = "e2-medium" diff --git a/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md b/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md index e3d72db2410..7db18b8b03e 100644 --- a/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md +++ b/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md @@ -28,7 +28,7 @@ Cloud storage bucket should have logging enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "google_storage_bucket" "positive1" { name = "auto-expiring-bucket" location = "US" diff --git a/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md b/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md index 93430da9b18..fbe88e4256c 100644 --- a/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md +++ b/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md @@ -28,7 +28,7 @@ KMS encryption keys should be rotated every 90 days or less. A short lifetime of ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10 4" +```tf title="Positive test num. 1 - tf file" hl_lines="10 4" resource "google_kms_crypto_key" "positive1" { name = "crypto-key-example" key_ring = google_kms_key_ring.keyring.id diff --git a/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md b/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md index cac61f5269c..871899933a0 100644 --- a/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md +++ b/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md @@ -28,7 +28,7 @@ A list of Persistent Disk resources found. Persistent Disk is Google's local dur ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1 12 44 60 76 28" +```tf title="Positive test num. 1 - tf file" hl_lines="1 12 44 60 76 28" resource "google_compute_disk" "positive1" { name = "test-disk" type = "pd-ssd" 
diff --git a/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md b/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md index 224de73902b..058af813957 100644 --- a/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md +++ b/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md @@ -28,7 +28,7 @@ BigQuery dataset is anonymously or publicly accessible
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="14" +```tf title="Positive test num. 1 - tf file" hl_lines="14" resource "google_bigquery_dataset" "positive1" { dataset_id = "example_dataset" friendly_name = "test" diff --git a/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md b/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md index 88b62e73ca8..c3bc2b334f2 100644 --- a/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md +++ b/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md @@ -28,7 +28,7 @@ Google Compute Network should not use a firewall rule that allows port range
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="17" +```tf title="Positive test num. 1 - tf file" hl_lines="17" resource "google_compute_firewall" "positive1" { name = "test-firewall" network = google_compute_network.positive1.name diff --git a/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md b/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md index 2ab42f3ff7c..e4ef550c1cc 100644 --- a/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md +++ b/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md @@ -28,7 +28,7 @@ Cloud Storage Bucket should have versioning enabled
### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="10 6" +```tf title="Positive test num. 1 - tf file" hl_lines="10 6" resource "google_storage_bucket" "positive1" { name = "foo" location = "EU" diff --git a/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md b/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md index eef2a40795b..e7459a5df30 100644 --- a/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md +++ b/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md @@ -28,7 +28,7 @@ Google Compute Subnetwork should have Private Google Access enabled, which means ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "google_compute_subnetwork" "positive1" { name = "test-subnetwork" ip_cidr_range = "10.2.0.0/16" @@ -46,7 +46,7 @@ resource "google_compute_network" "custom-test" { } ``` -```tf title="Postitive test num. 2 - tf file" hl_lines="10" +```tf title="Positive test num. 2 - tf file" hl_lines="10" resource "google_compute_subnetwork" "positive2" { name = "test-subnetwork" ip_cidr_range = "10.2.0.0/16" diff --git a/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md b/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md index 66f4a3dd2d3..7716bce8dbc 100644 --- a/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md +++ b/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md 
@@ -28,7 +28,7 @@ Instances must not have IP forwarding enabled, which means the attribute 'can_ip ### Code samples #### Code samples with security vulnerabilities -```tf title="Postitive test num. 1 - tf file" hl_lines="4" +```tf title="Positive test num. 1 - tf file" hl_lines="4" resource "google_compute_instance" "appserver" { name = "primary-application-server" machine_type = "e2-medium" diff --git a/docs/queries/terraform-queries/nifcloud/df58dd45-8009-43c2-90f7-c90eb9d53ed9.md b/docs/queries/terraform-queries/nifcloud/df58dd45-8009-43c2-90f7-c90eb9d53ed9.md new file mode 100644 index 00000000000..1400f0a67f6 --- /dev/null +++ b/docs/queries/terraform-queries/nifcloud/df58dd45-8009-43c2-90f7-c90eb9d53ed9.md @@ -0,0 +1,66 @@ +--- +title: Nifcloud Computing Has Common Private Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** df58dd45-8009-43c2-90f7-c90eb9d53ed9 +- **Query name:** Nifcloud Computing Has Common Private Network +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/nifcloud/computing_instance_has_common_private) + +### Description +The instance has common private network
+[Documentation](https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="1" +resource "nifcloud_instance" "positive" { + image_id = data.nifcloud_image.ubuntu.id + security_group = nifcloud_security_group.example.group_name + network_interface { + network_id = "net-COMMON_PRIVATE" + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="1" +resource "nifcloud_instance" "positive" { + image_id = data.nifcloud_image.ubuntu.id + security_group = nifcloud_security_group.example.group_name + network_interface { + network_id = "net-COMMON_GLOBAL" + } + network_interface { + network_id = "net-COMMON_PRIVATE" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "nifcloud_instance" "negative" { + image_id = data.nifcloud_image.ubuntu.id + security_group = nifcloud_security_group.example.group_name + network_interface { + network_id = nifcloud_private_lan.main.id + } +} + +``` From 1a4323f173744c0ec9d3ae2c892917b5fb97434c Mon Sep 17 00:00:00 2001 From: liorj-orca <96177663+liorj-orca@users.noreply.github.com> Date: Wed, 22 Nov 2023 16:07:20 +0200 Subject: [PATCH 287/379] fix(converter): Improve checkDynamicKnownTypes function --- pkg/parser/terraform/converter/default.go | 19 ++++- .../terraform/converter/default_test.go | 81 +++++++++++++++++++ 2 files changed, 99 insertions(+), 1 deletion(-) diff --git a/pkg/parser/terraform/converter/default.go b/pkg/parser/terraform/converter/default.go index baf9cb17c19..3be15cdd0d1 100644 --- a/pkg/parser/terraform/converter/default.go +++ b/pkg/parser/terraform/converter/default.go 
@@ -267,11 +267,28 @@ func (c *converter) convertExpression(expr hclsyntax.Expression) (interface{}, e } } +func checkValue(val cty.Value) bool { + if val.Type().HasDynamicTypes() || !val.IsKnown() { + return true + } + if !val.Type().IsPrimitiveType() && checkDynamicKnownTypes(val) { + return true + } + return false +} + func checkDynamicKnownTypes(valueConverted cty.Value) bool { if !valueConverted.Type().HasDynamicTypes() && valueConverted.IsKnown() { if valueConverted.Type().FriendlyName() == "tuple" { for _, val := range valueConverted.AsValueSlice() { - if val.Type().HasDynamicTypes() || !val.IsKnown() { + if checkValue(val) { + return true + } + } + } + if valueConverted.Type().FriendlyName() == "object" { + for _, val := range valueConverted.AsValueMap() { + if checkValue(val) { return true } } diff --git a/pkg/parser/terraform/converter/default_test.go b/pkg/parser/terraform/converter/default_test.go index c65c7627968..242ce3f00e6 100644 --- a/pkg/parser/terraform/converter/default_test.go +++ b/pkg/parser/terraform/converter/default_test.go 
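Review bot: `checkValue` recurses into `checkDynamicKnownTypes` for every non-primitive value after checking only `IsKnown()`, and the tuple/object branches then call `AsValueSlice()`/`AsValueMap()` on it; as far as I recall cty's element iteration panics on a null value, so if a known null with a concrete tuple or object type ever reaches this path the converter would panic, and the guard should read `if !val.Type().IsPrimitiveType() && !val.IsNull() && checkDynamicKnownTypes(val) {`. Whether the converter can produce a typed null here is not visible in this hunk, so treat that as something to confirm rather than a proven crash. The new helper also has no doc comment; I would add `// checkValue reports whether val is unknown or dynamically typed, or is a tuple/object that holds such a value.` above it. `checkDynamicKnownTypes` continues past the end of the hunk.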
@@ -452,6 +452,87 @@ block "label_one" { } } } +`, + wantErr: false, + }, + { + name: "should evaluate without problems (3)", + input: `variable "namespaces" { + type = list(string) + default = ["string1", "string2", "string3"] +} +locals { + namespace_secrets = { for n in var.namespaces : "${n}_default" => { + "roles/secretmanager.secretAccessor" = [ + "serviceAccount:${module.test[local.name].email}", + ] + } + } +} +`, + want: ` + { + "variable": { + "namespaces": { + "type": "${list(string)}", + "default": [ + "string1", + "string2", + "string3" + ], + "_kics_lines": { + "_kics__default": { + "_kics_line": 1 + }, + "_kics_default": { + "_kics_line": 3, + "_kics_arr": [ + { + "_kics__default": { + "_kics_line": 3 + } + }, + { + "_kics__default": { + "_kics_line": 3 + } + }, + { + "_kics__default": { + "_kics_line": 3 + } + } + ] + }, + "_kics_type": { + "_kics_line": 2 + } + } + } + }, + "locals": { + "namespace_secrets": "${{ for n in var.namespaces : \"${n}_default\" => {\n \"roles/secretmanager.secretAccessor\" = [\n \"serviceAccount:${module.test[local.name].email}\",\n ]\n }\n }}", + "_kics_lines": { + "_kics__default": { + "_kics_line": 5 + }, + "_kics_namespace_secrets": { + "_kics_line": 6 + } + } + }, + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_locals": { + "_kics_line": 5 + }, + "_kics_variable": { + "_kics_line": 1 + } + } +} `, wantErr: false, }, From 793c4f16fe703c0b51e5cb8689cf9c3a3c876970 Mon Sep 17 00:00:00 2001 From: Lior Jacobian Date: Thu, 23 Nov 2023 15:54:50 +0200 Subject: [PATCH 288/379] fix(converter): Improve checkDynamicKnownTypes function - fix relevant UT --- .../terraform/converter/default_test.go | 55 ++----------------- 1 file changed, 5 insertions(+), 50 deletions(-) diff --git a/pkg/parser/terraform/converter/default_test.go b/pkg/parser/terraform/converter/default_test.go index 242ce3f00e6..3a85be49968 100644 --- a/pkg/parser/terraform/converter/default_test.go 
+++ b/pkg/parser/terraform/converter/default_test.go @@ -457,12 +457,8 @@ block "label_one" { }, { name: "should evaluate without problems (3)", - input: `variable "namespaces" { - type = list(string) - default = ["string1", "string2", "string3"] -} -locals { - namespace_secrets = { for n in var.namespaces : "${n}_default" => { + input: `locals { + namespace_secrets = { for n in ["string1", "string2", "string3"] : "${n}_default" => { "roles/secretmanager.secretAccessor" = [ "serviceAccount:${module.test[local.name].email}", ] @@ -472,52 +468,14 @@ locals { `, want: ` { - "variable": { - "namespaces": { - "type": "${list(string)}", - "default": [ - "string1", - "string2", - "string3" - ], - "_kics_lines": { - "_kics__default": { - "_kics_line": 1 - }, - "_kics_default": { - "_kics_line": 3, - "_kics_arr": [ - { - "_kics__default": { - "_kics_line": 3 - } - }, - { - "_kics__default": { - "_kics_line": 3 - } - }, - { - "_kics__default": { - "_kics_line": 3 - } - } - ] - }, - "_kics_type": { - "_kics_line": 2 - } - } - } - }, "locals": { - "namespace_secrets": "${{ for n in var.namespaces : \"${n}_default\" => {\n \"roles/secretmanager.secretAccessor\" = [\n \"serviceAccount:${module.test[local.name].email}\",\n ]\n }\n }}", + "namespace_secrets": "${{ for n in [\"string1\", \"string2\", \"string3\"] : \"${n}_default\" => {\n \"roles/secretmanager.secretAccessor\" = [\n \"serviceAccount:${module.test[local.name].email}\",\n ]\n }\n }}", "_kics_lines": { "_kics__default": { - "_kics_line": 5 + "_kics_line": 1 }, "_kics_namespace_secrets": { - "_kics_line": 6 + "_kics_line": 2 } } }, @@ -526,9 +484,6 @@ locals { "_kics_line": 0 }, "_kics_locals": { - "_kics_line": 5 - }, - "_kics_variable": { "_kics_line": 1 } } From cfe6426150151c51e9952926379829a85748a79c Mon Sep 17 00:00:00 2001 
From: JoaoCxMartins Date: Thu, 23 Nov 2023 15:58:22 +0000 Subject: [PATCH 289/379] improve detection of ansible host files --- e2e/fixtures/E2E_CLI_075_RESULT.json | 69 +++++++++++++++++++ .../e2e-cli-075_ansible_host_detected.go | 27 ++++++++ pkg/analyzer/analyzer.go | 22 +++++- pkg/analyzer/analyzer_test.go | 45 ++++++++++-- .../ansiblehost.yaml | 33 +++++++++ .../ansiblehost2.yaml | 22 ++++++ .../e2e/positive1.ini | 14 ++++ .../e2e/positive2.yaml | 33 +++++++++ 8 files changed, 257 insertions(+), 8 deletions(-) create mode 100644 e2e/fixtures/E2E_CLI_075_RESULT.json create mode 100644 e2e/testcases/e2e-cli-075_ansible_host_detected.go create mode 100644 test/fixtures/analyzer_test_ansible_host/ansiblehost.yaml create mode 100644 test/fixtures/analyzer_test_ansible_host/ansiblehost2.yaml create mode 100644 test/fixtures/analyzer_test_ansible_host/e2e/positive1.ini create mode 100644 test/fixtures/analyzer_test_ansible_host/e2e/positive2.yaml diff --git a/e2e/fixtures/E2E_CLI_075_RESULT.json b/e2e/fixtures/E2E_CLI_075_RESULT.json new file mode 100644 index 00000000000..b466515b650 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_075_RESULT.json 
@@ -0,0 +1,69 @@ +{ + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 48, + "files_parsed": 2, + "lines_parsed": 48, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 2, + "TRACE": 0 + }, + "total_counter": 2, + "total_bom_resources": 0, + "start": "2023-11-23T15:54:44.1211396Z", + "end": "2023-11-23T15:54:45.914525Z", + "paths": [ + "/path/test/fixtures/analyzer_test_ansible_host/e2e" + ], + "queries": [ + { + "query_name": "Ansible Tower Exposed To Internet", + "query_id": "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc", + "query_url": "https://docs.ansible.com/ansible-tower/latest/html/administration/security_best_practices.html#understand-the-architecture-of-ansible-and-tower", + "severity": "MEDIUM", + "platform": "Ansible", + "cloud_provider": "COMMON", + "category": "Best Practices", + "experimental": false, + "description": "Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment", + "description_id": "657a8b1d", + "files": [ + { + "file_name": "path\\test\\fixtures\\analyzer_test_ansible_host\\e2e\\positive2.yaml", + "similarity_id": "7b9574422b2f0a1a2eb467c930f7d52fb727d0b8839703d668531c1362d09c4b", + "line": 24, + "resource_type": "n/a", + "resource_name": "children", + "issue_type": "IncorrectValue", + "search_key": "all.children.tower.hosts", + "search_line": -1, + "search_value": "", + "expected_value": "Ansible Tower IP should be private", + "actual_value": "Ansible Tower IP is public" + }, + { + "file_name": "path\\test\\fixtures\\analyzer_test_ansible_host\\e2e\\positive1.ini", + "similarity_id": "9cb04742c227f8da30d5e3f0ed823fd05334179f79dbe2435ba146af79317c45", + "line": 1, + "resource_type": "n/a", + "resource_name": "children", + "issue_type": "IncorrectValue", + 
"search_key": "[tower]", + "search_line": -1, + "search_value": "", + "expected_value": "Ansible Tower IP should be private", + "actual_value": "Ansible Tower IP is public" + } + ] + } + ] +} diff --git a/e2e/testcases/e2e-cli-075_ansible_host_detected.go b/e2e/testcases/e2e-cli-075_ansible_host_detected.go new file mode 100644 index 00000000000..62b73c2086f --- /dev/null +++ b/e2e/testcases/e2e-cli-075_ansible_host_detected.go @@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-075 - KICS scan +// should perform the scan successfully detect ansible and return result 20 +func init() { //nolint + testSample := TestCase{ + Name: "should perform a valid scan and and detect ansible [E2E-CLI-075]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_074_RESULT", + "-p", "\"/path/test/fixtures/analyzer_test_ansible_host/e2e\"", + "-i", "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_075_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{20}, + } + + Tests = append(Tests, testSample) +} diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 5326c782681..e983e63435b 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -104,7 +104,9 @@ var ( listKeywordsAnsible = []string{"name", "gather_facts", "hosts", "tasks", "become", "with_items", "with_dict", "when", "become_pass", "become_exe", "become_flags"} - playBooks = "playbooks" + playBooks = "playbooks" + ansibleHost = "all" + listKeywordsAnsibleHots = []string{"hosts", "children"} ) const ( @@ -552,6 +554,10 @@ func checkYamlPlatform(content []byte, path string) string { if checkForAnsible(yamlContent) { return ansible } + // check if the file contains some keywords related with Ansible Host + if checkForAnsibleHost(yamlContent) { + return ansible + } return "" } 
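Review bot: The scan is told to write `--output-name E2E_CLI_074_RESULT` while `ResultsFile` validates `E2E_CLI_075_RESULT`, so if the harness resolves the produced report from `ResultsFile` this comparison never reads the scan's own output; the argument should be `"--output-name", "E2E_CLI_075_RESULT",`. The `Name` string also reads `and and detect ansible`. The later fix-up commit in this series changes only the status comment and `WantStatus`, so the output-name mismatch survives it.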
@@ -574,6 +580,20 @@ func checkForAnsible(yamlContent model.Document) bool { return isAnsible } +func checkForAnsibleHost(yamlContent model.Document) bool { + isAnsible := false + if hosts := yamlContent[ansibleHost]; hosts != nil { + if listHosts, ok := hosts.(map[string]interface{}); ok { + for _, value := range listKeywordsAnsibleHots { + if host := listHosts[value]; host != nil { + isAnsible = true + } + } + } + } + return isAnsible +} + // computeValues computes expected Lines of Code to be scanned from locCount channel // and creates the types and unwanted slices from the channels removing any duplicates func computeValues(types, unwanted chan string, locCount chan int, done chan bool) (typesS, unwantedS []string, locTotal int) { diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go index 62ad13a89bf..1bc2d1a7011 100644 --- a/pkg/analyzer/analyzer_test.go +++ b/pkg/analyzer/analyzer_test.go @@ -53,7 +53,8 @@ func TestAnalyzer_Analyze(t *testing.T) { name: "analyze_test_multiple_path", paths: []string{ filepath.FromSlash("../../test/fixtures/analyzer_test/Dockerfile"), - filepath.FromSlash("../../test/fixtures/analyzer_test/terraform.tf")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/terraform.tf"), + }, wantTypes: []string{"dockerfile", "terraform"}, wantExclude: []string{}, typesFromFlag: []string{""}, @@ -66,7 +67,8 @@ func TestAnalyzer_Analyze(t *testing.T) { { name: "analyze_test_multi_checks_path", paths: []string{ - filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test"), + }, wantTypes: []string{"openapi"}, wantExclude: []string{}, typesFromFlag: []string{""}, 
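Review bot: `checkForAnsibleHost` keeps iterating after setting `isAnsible = true` and has no doc comment; I would return on the first hit and document the heuristic, with `// checkForAnsibleHost reports whether the YAML document looks like an Ansible inventory, i.e. has a top-level "all" map containing a "hosts" or "children" key.` above the function and `if listHosts[value] != nil { return true }` inside the loop. The keyword slice it ranges over is named `listKeywordsAnsibleHots` (declared in the earlier hunk of this file); `listKeywordsAnsibleHosts` is presumably what was intended. Note that the heuristic accepts any YAML whose top-level `all` map has a `hosts` or `children` key, so unrelated files with that shape would be parsed as Ansible; that is a judgment call rather than a defect, but worth a comment.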
@@ -79,7 +81,8 @@ func TestAnalyzer_Analyze(t *testing.T) { { name: "analyze_test_not_openapi", paths: []string{ - filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), + }, wantTypes: []string{}, wantExclude: []string{filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json")}, typesFromFlag: []string{""}, @@ -139,7 +142,8 @@ func TestAnalyzer_Analyze(t *testing.T) { wantTypes: []string{"kubernetes"}, wantExclude: []string{filepath.FromSlash("../../test/fixtures/gitignore/positive.dockerfile"), filepath.FromSlash("../../test/fixtures/gitignore/secrets.tf"), - filepath.FromSlash("../../test/fixtures/gitignore/gitignore")}, + filepath.FromSlash("../../test/fixtures/gitignore/gitignore"), + }, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, wantLOC: 13, @@ -225,7 +229,8 @@ func TestAnalyzer_Analyze(t *testing.T) { filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"), - filepath.FromSlash("../../test/fixtures/analyzer_test/github.yaml")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/github.yaml"), + }, typesFromFlag: []string{"ansible", "pulumi"}, excludeTypesFromFlag: []string{""}, wantLOC: 374, @@ -242,7 +247,8 @@ func TestAnalyzer_Analyze(t *testing.T) { filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), - filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"), + }, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{"ansible", "pulumi"}, wantLOC: 576, 
@@ -258,7 +264,8 @@ func TestAnalyzer_Analyze(t *testing.T) { filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"), filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"), filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"), - filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")}, + filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"), + }, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, wantLOC: 834, @@ -331,6 +338,30 @@ func TestAnalyzer_Analyze(t *testing.T) { gitIgnoreFileName: "", excludeGitIgnore: false, }, + { + name: "ansible_host", + paths: []string{filepath.FromSlash("../../test/fixtures/analyzer_test_ansible_host/ansiblehost.yaml")}, + wantTypes: []string{"ansible"}, + wantExclude: []string{}, + typesFromFlag: []string{""}, + excludeTypesFromFlag: []string{""}, + wantLOC: 33, + wantErr: false, + gitIgnoreFileName: "", + excludeGitIgnore: false, + }, + { + name: "ansible_host_other", + paths: []string{filepath.FromSlash("../../test/fixtures/analyzer_test_ansible_host/ansiblehost2.yaml")}, + wantTypes: []string{"ansible"}, + wantExclude: []string{}, + typesFromFlag: []string{""}, + excludeTypesFromFlag: []string{""}, + wantLOC: 22, + wantErr: false, + gitIgnoreFileName: "", + excludeGitIgnore: false, + }, } for _, tt := range tests { diff --git a/test/fixtures/analyzer_test_ansible_host/ansiblehost.yaml b/test/fixtures/analyzer_test_ansible_host/ansiblehost.yaml new file mode 100644 index 00000000000..27ed6335a8b --- /dev/null +++ b/test/fixtures/analyzer_test_ansible_host/ansiblehost.yaml 
@@ -0,0 +1,33 @@ +all: + children: + automationhub: + hosts: + automationhub.acme.org: + admin_password: + pg_database: awx + pg_host: database-01.acme.org + pg_password: + pg_port: '5432' + pg_sslmode: prefer + pg_username: awx + database: + hosts: + database-01.acme.org: + admin_password: + pg_database: awx + pg_host: database-01.acme.org + pg_password: + pg_port: '5432' + pg_sslmode: prefer + pg_username: awx + tower: + hosts: + 172.27.0.5: + admin_password: + pg_database: awx + pg_host: database-01.acme.org + pg_password: + pg_port: '5432' + pg_sslmode: prefer + pg_username: awx + ungrouped: {} diff --git a/test/fixtures/analyzer_test_ansible_host/ansiblehost2.yaml b/test/fixtures/analyzer_test_ansible_host/ansiblehost2.yaml new file mode 100644 index 00000000000..6fd920e5a22 --- /dev/null +++ b/test/fixtures/analyzer_test_ansible_host/ansiblehost2.yaml @@ -0,0 +1,22 @@ +--- +all: + children: + webservers: + hosts: + webserver1: null + webserver2: null + databases: + hosts: + dbserver1: + ansible_host: 192.168.1.103 + ansible_user: postgres + dbserver2: + ansible_host: 192.168.1.104 + ansible_user: mysql + hosts: + webserver1: + ansible_host: 192.168.1.101 + ansible_user: ubuntu + webserver2: + ansible_host: 192.168.1.102 + ansible_user: centos diff --git a/test/fixtures/analyzer_test_ansible_host/e2e/positive1.ini b/test/fixtures/analyzer_test_ansible_host/e2e/positive1.ini new file mode 100644 index 00000000000..e113b9e51b8 --- /dev/null +++ b/test/fixtures/analyzer_test_ansible_host/e2e/positive1.ini @@ -0,0 +1,14 @@ +[tower] +150.50.1.1 +[automationhub] +automationhub.acme.org +[database] +database-01.acme.org +[all:vars] +admin_password='' +pg_host='database-01.acme.org' +pg_port='5432' +pg_database='awx' +pg_username='awx' +pg_password='' +pg_sslmode='prefer' \ No newline at end of file 
diff --git a/test/fixtures/analyzer_test_ansible_host/e2e/positive2.yaml b/test/fixtures/analyzer_test_ansible_host/e2e/positive2.yaml new file mode 100644 index 00000000000..051721f224c --- /dev/null +++ b/test/fixtures/analyzer_test_ansible_host/e2e/positive2.yaml @@ -0,0 +1,33 @@ +all: + children: + automationhub: + hosts: + automationhub.acme.org: + admin_password: + pg_database: awx + pg_host: database-01.acme.org + pg_password: + pg_port: '5432' + pg_sslmode: prefer + pg_username: awx + database: + hosts: + database-01.acme.org: + admin_password: + pg_database: awx + pg_host: database-01.acme.org + pg_password: + pg_port: '5432' + pg_sslmode: prefer + pg_username: awx + tower: + hosts: + 139.50.1.1: + admin_password: + pg_database: awx + pg_host: database-01.acme.org + pg_password: + pg_port: '5432' + pg_sslmode: prefer + pg_username: awx + ungrouped: {} From 4ff1ece864fbe0c8e481cee8cd5a01276d65848a Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 23 Nov 2023 16:18:04 +0000 Subject: [PATCH 290/379] correct e2e --- e2e/testcases/e2e-cli-075_ansible_host_detected.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e/testcases/e2e-cli-075_ansible_host_detected.go b/e2e/testcases/e2e-cli-075_ansible_host_detected.go index 62b73c2086f..ad4ce24018e 100644 --- a/e2e/testcases/e2e-cli-075_ansible_host_detected.go +++ b/e2e/testcases/e2e-cli-075_ansible_host_detected.go @@ -1,7 +1,7 @@ package testcases // E2E-CLI-075 - KICS scan -// should perform the scan successfully detect ansible and return result 20 +// should perform the scan successfully detect ansible and return result 40 func init() { //nolint testSample := TestCase{ Name: "should perform a valid scan and and detect ansible [E2E-CLI-075]", @@ -20,7 +20,7 @@ func init() { //nolint }, }, }, - WantStatus: []int{20}, + WantStatus: []int{40}, } Tests = append(Tests, testSample) From 1bfbd50b93cc09016b080593a8da6e303a5903c0 Mon Sep 17 00:00:00 2001 
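Review bot: The rewritten comment `// should perform the scan successfully detect ansible and return result 40` does not say what 40 denotes, and since the expected status is the only thing this commit changes, a reader cannot tell whether the old value was a typo or the fixtures now produce a different severity. If 40 is the CLI exit status for medium-severity findings (please confirm against the exit-code table KICS documents), I would make that explicit: `// should perform the scan successfully, detect ansible and exit with status 40 (medium-severity results found)`, and add the same short reason next to `WantStatus: []int{40},`. The `testSample` literal starts outside the hunk.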
From: JoaoCxMartins
Date: Fri, 24 Nov 2023 08:30:22 +0000
Subject: [PATCH 291/379] fix test
---
 e2e/testcases/e2e-cli-075_ansible_host_detected.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/e2e/testcases/e2e-cli-075_ansible_host_detected.go b/e2e/testcases/e2e-cli-075_ansible_host_detected.go
index ad4ce24018e..241bf3a7d21 100644
--- a/e2e/testcases/e2e-cli-075_ansible_host_detected.go
+++ b/e2e/testcases/e2e-cli-075_ansible_host_detected.go
@@ -8,7 +8,7 @@ func init() { //nolint
 Args: args{
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
- "--output-name", "E2E_CLI_074_RESULT",
+ "--output-name", "E2E_CLI_075_RESULT",
 "-p", "\"/path/test/fixtures/analyzer_test_ansible_host/e2e\"",
 "-i", "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc",
 },
From 590dae5f608bb29eada6230e31e458b78f1c0562 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Fri, 24 Nov 2023 16:34:26 +0000
Subject: [PATCH 292/379] add test to check ansible by host
---
 pkg/analyzer/analyzer_test.go | 14 +++++++++++++-
 .../analyzer_test_ansible_host/ansiblehost3.yaml | 9 +++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 test/fixtures/analyzer_test_ansible_host/ansiblehost3.yaml
diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go
index 1bc2d1a7011..e352b5b57c7 100644
--- a/pkg/analyzer/analyzer_test.go
+++ b/pkg/analyzer/analyzer_test.go
@@ -351,7 +351,7 @@ func TestAnalyzer_Analyze(t *testing.T) {
 excludeGitIgnore: false,
 },
 {
- name: "ansible_host_other",
+ name: "ansible_by_children",
 paths: []string{filepath.FromSlash("../../test/fixtures/analyzer_test_ansible_host/ansiblehost2.yaml")},
 wantTypes: []string{"ansible"},
 wantExclude: []string{},
@@ -362,6 +362,18 @@ func TestAnalyzer_Analyze(t *testing.T) { gitIgnoreFileName: "", excludeGitIgnore: false, }, + { + name: "ansible_by_host", + paths: []string{filepath.FromSlash("../../test/fixtures/analyzer_test_ansible_host/ansiblehost3.yaml")}, + wantTypes: []string{"ansible"}, + wantExclude: []string{}, + typesFromFlag: []string{""}, + excludeTypesFromFlag: []string{""}, + wantLOC: 9, + wantErr: false, + gitIgnoreFileName: "", + excludeGitIgnore: false, + }, } for _, tt := range tests { diff --git a/test/fixtures/analyzer_test_ansible_host/ansiblehost3.yaml b/test/fixtures/analyzer_test_ansible_host/ansiblehost3.yaml new file mode 100644 index 00000000000..373d1d62c4a --- /dev/null +++ b/test/fixtures/analyzer_test_ansible_host/ansiblehost3.yaml @@ -0,0 +1,9 @@ +--- +all: + hosts: + webserver1: + ansible_host: 192.168.1.101 + ansible_user: ubuntu + webserver2: + ansible_host: 192.168.1.102 + ansible_user: centos From c1ab235f32d15e9c95f98f7a6512143e2bfa5d05 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Sun, 26 Nov 2023 10:44:31 +0200 Subject: [PATCH 293/379] Docs: Remove discord badge --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 0ca93f65188..fc036d2b2cc 100644 --- a/README.md +++ b/README.md 
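Review bot: The new `ansible_by_host` entry, like `ansible_host` and `ansible_by_children` before it, only asserts that inventory-shaped YAML is reported as `ansible`; the table still has no case checking that an unrelated YAML file which happens to use a `hosts:` or `children:` key is *not* classified as ansible, so a detector that over-matches would pass every entry here. I would add one entry in the style of `analyze_test_not_openapi` earlier in this table, with a non-inventory fixture and `wantTypes: []string{}`, so the false-positive direction is covered too. `wantLOC: 9` is tied to the 9-line fixture, so a comment on the entry such as `// wantLOC is the line count of ansiblehost3.yaml` would say where the number comes from. `TestAnalyzer_Analyze` continues outside the hunk.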
@@ -4,7 +4,6 @@ [![Docker Pulls](https://img.shields.io/docker/pulls/checkmarx/kics)](https://hub.docker.com/r/checkmarx/kics) [![Documentation](https://img.shields.io/badge/docs-viewdocs-blue.svg?style=flat-square "Viewdocs")](https://docs.kics.io/) [![GitHub Discussions](https://img.shields.io/badge/chat-discussions-blue.svg?logo=github&style=flat-square)](https://github.com/Checkmarx/kics/discussions) -[![Discord Server](https://img.shields.io/discord/1116626376674521169?logo=discord&style=flat-square)](https://discord.gg/nzryxFup6Z) [![checkmarx](https://img.shields.io/endpoint?url=https://pgp36n22ol.execute-api.eu-west-1.amazonaws.com/dev/cxflowcache-results?style=plastic&logoWidth=20&logo=)](https://sast.checkmarx.net/cxwebclient/portal#/projectState/702/Summary) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/ceddb5b1b37d4edfa56440842c6248a4)](https://www.codacy.com/gh/Checkmarx/kics/dashboard?utm_source=github.com&utm_medium=referral&utm_content=Checkmarx/kics&utm_campaign=Badge_Grade) From e2e00a5ab1bf1ae41df0fd01647d5ade5ecc3af4 Mon Sep 17 00:00:00 2001 From: Dima Steklar Date: Thu, 16 Nov 2023 14:24:15 +0200 Subject: [PATCH 294/379] feat(CLI): added platfrom field for sarif format --- pkg/report/model/sarif.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkg/report/model/sarif.go b/pkg/report/model/sarif.go index b0cc8a9b61f..2182cbe62c9 100644 --- a/pkg/report/model/sarif.go +++ b/pkg/report/model/sarif.go @@ -42,6 +42,7 @@ type ruleCISMetadata struct { type sarifMessage struct { Text string `json:"text"` + MessageProperties sarifProperties `json:"properties,omitempty"` } type sarifComponentReference struct { 
@@ -294,7 +295,10 @@ func (sr *sarifReport) BuildSarifIssue(issue *model.QueryResult) {
 ResultRuleID: issue.QueryID,
 ResultRuleIndex: ruleIndex,
 ResultKind: kind,
- ResultMessage: sarifMessage{Text: issue.Files[idx].KeyActualValue},
+ ResultMessage: sarifMessage{
+ Text: issue.Files[idx].KeyActualValue,
+ MessageProperties: sarifProperties{"platform": issue.Platform},
+ },
 ResultLocations: []sarifLocation{
 {
 PhysicalLocation: sarifPhysicalLocation{
From 177a2152f39dba5a13d122e4d0c21a7217cfced1 Mon Sep 17 00:00:00 2001
From: Dima Steklar
Date: Thu, 16 Nov 2023 15:16:48 +0200
Subject: [PATCH 295/379] fixed tests
---
 pkg/report/model/sarif_test.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/pkg/report/model/sarif_test.go b/pkg/report/model/sarif_test.go
index 094bf6cbddb..e17297f8f3e 100644
--- a/pkg/report/model/sarif_test.go
+++ b/pkg/report/model/sarif_test.go
@@ -89,7 +89,7 @@ var sarifTests = []sarifTest{
 ResultRuleID: "1",
 ResultRuleIndex: 0,
 ResultKind: "fail",
- ResultMessage: sarifMessage{Text: "test"},
+ ResultMessage: sarifMessage{Text: "test", MessageProperties: sarifProperties{"platform": ""}},
 ResultLocations: []sarifLocation{
 {
 PhysicalLocation: sarifPhysicalLocation{
@@ -193,7 +193,10 @@ var sarifTests = []sarifTest{
 ResultRuleID: "1",
 ResultRuleIndex: 0,
 ResultKind: "fail",
- ResultMessage: sarifMessage{Text: "test"},
+ ResultMessage: sarifMessage{
+ Text: "test",
+ MessageProperties: sarifProperties{"platform": ""},
+ },
 ResultLocations: []sarifLocation{
 {
 PhysicalLocation: sarifPhysicalLocation{
@@ -207,7 +210,10 @@ var sarifTests = []sarifTest{
 ResultRuleID: "1",
 ResultRuleIndex: 0,
 ResultKind: "fail",
- ResultMessage: sarifMessage{Text: "test"},
+ ResultMessage: sarifMessage{
+ Text: "test",
+ MessageProperties: sarifProperties{"platform": ""},
+ },
 ResultLocations: []sarifLocation{
 {
 PhysicalLocation: sarifPhysicalLocation{
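Review bot: `MessageProperties: sarifProperties{"platform": issue.Platform}` always builds a one-entry map, so the `omitempty` tag put on the field in the previous hunk never takes effect (for a map it only omits nil or zero-length values, and `sarifProperties` looks like a map type given the `{"platform": ""}` literals in the tests), and an empty `issue.Platform` is serialised as `"properties": {"platform": ""}` — exactly what the updated expectations in sarif_test.go show. If the intent is to leave the property bag out when no platform is known, build `props := sarifProperties{}` and only set `props["platform"] = issue.Platform` when it is non-empty; otherwise drop `omitempty` so the tag stops promising behaviour the code cannot deliver. A one-line comment on the new field, `// properties bag; currently carries the platform the finding was produced for`, would also help consumers of the report know what to expect there. `BuildSarifIssue` starts and ends outside the hunk.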
@@ -221,7 +227,10 @@ var sarifTests = []sarifTest{ ResultRuleID: "2", ResultRuleIndex: 1, ResultKind: "informational", - ResultMessage: sarifMessage{Text: "test"}, + ResultMessage: sarifMessage{ + Text: "test", + MessageProperties: sarifProperties{"platform": ""}, + }, ResultLocations: []sarifLocation{ { PhysicalLocation: sarifPhysicalLocation{ From cecfa1b66e582a27f62188dbd476a5b1413994f1 Mon Sep 17 00:00:00 2001 From: Dima Steklar Date: Thu, 16 Nov 2023 15:22:34 +0200 Subject: [PATCH 296/379] added spaces --- pkg/report/model/sarif.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/report/model/sarif.go b/pkg/report/model/sarif.go index 2182cbe62c9..67ddadcce89 100644 --- a/pkg/report/model/sarif.go +++ b/pkg/report/model/sarif.go @@ -41,7 +41,7 @@ type ruleCISMetadata struct { } type sarifMessage struct { - Text string `json:"text"` + Text string `json:"text"` MessageProperties sarifProperties `json:"properties,omitempty"` } @@ -295,8 +295,8 @@ func (sr *sarifReport) BuildSarifIssue(issue *model.QueryResult) { ResultRuleID: issue.QueryID, ResultRuleIndex: ruleIndex, ResultKind: kind, - ResultMessage: sarifMessage{ - Text: issue.Files[idx].KeyActualValue, + ResultMessage: sarifMessage{ + Text: issue.Files[idx].KeyActualValue, MessageProperties: sarifProperties{"platform": issue.Platform}, }, ResultLocations: []sarifLocation{ From d8b66c56a0a7229b6a44650fd82d0c52de3864cf Mon Sep 17 00:00:00 2001 From: Dima Steklar Date: Tue, 28 Nov 2023 11:20:11 +0200 Subject: [PATCH 297/379] fixed e2e tests --- e2e/fixtures/schemas/result-sarif-required.json | 10 +++++++++- e2e/fixtures/schemas/result-sarif.json | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/e2e/fixtures/schemas/result-sarif-required.json b/e2e/fixtures/schemas/result-sarif-required.json index 4d25cfce2d5..6e343b63fed 100644 --- a/e2e/fixtures/schemas/result-sarif-required.json +++ b/e2e/fixtures/schemas/result-sarif-required.json 
@@ -206,7 +206,15 @@ ] }, "message": { - "$ref": "#/definitions/text_object" + "type": "object", + "additionalProperties": true, + "required": ["text"], + "properties": { + "text": { + "type": "string", + "minLength": 1 + } + } }, "locations": { "type": "array", diff --git a/e2e/fixtures/schemas/result-sarif.json b/e2e/fixtures/schemas/result-sarif.json index 697d44a82eb..27da23cfe53 100644 --- a/e2e/fixtures/schemas/result-sarif.json +++ b/e2e/fixtures/schemas/result-sarif.json @@ -217,7 +217,15 @@ ] }, "message": { - "$ref": "#/definitions/text_object" + "type": "object", + "additionalProperties": true, + "required": ["text"], + "properties": { + "text": { + "type": "string", + "minLength": 1 + } + } }, "locations": { "type": "array", From fda2fb39b30c811ad57823e1ec3e5e7102b57d69 Mon Sep 17 00:00:00 2001 From: Brie Carranza Date: Wed, 29 Nov 2023 18:25:34 -0500 Subject: [PATCH 298/379] Use 'SSL' not 'SLL' --- .../gcp/sql_db_instance_with_ssl_disabled/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json index 92390e4fc81..b0289ef723b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json @@ -3,7 +3,7 @@ "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "category": "Encryption", - "descriptionText": "Cloud SQL Database Instance should have SLL enabled", + "descriptionText": "Cloud SQL Database Instance should have SSL enabled", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl", "platform": "Terraform", "descriptionID": "8983549e", From 84c590a84dead716599f62a1ae258eaf62f22d74 Mon Sep 17 00:00:00 2001 
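Review bot: Replacing `"$ref": "#/definitions/text_object"` with an inline object that sets `"additionalProperties": true` makes the e2e schema accept any extra key on `message`, but it still does not describe the `properties.platform` field the SARIF change introduced, so the end-to-end check no longer pins the new output shape and a regression that drops or renames the field would pass. I would list it next to `text` in both files, `"properties": { "type": "object", "properties": { "platform": { "type": "string" } } }`, and consider tightening `additionalProperties` again once the bag is declared. The same object is now duplicated in result-sarif-required.json and result-sarif.json; keeping it as a shared entry under `definitions` beside `text_object` would stop the two copies drifting. The enclosing schema objects continue outside the hunk.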
From: Brie Carranza Date: Wed, 29 Nov 2023 18:27:37 -0500 Subject: [PATCH 299/379] Use 'SSL' not 'SLL' --- .../ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json index 8ea100dac34..e43217ee4ca 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json +++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json @@ -3,7 +3,7 @@ "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "category": "Encryption", - "descriptionText": "Cloud SQL Database Instance should have SLL enabled", + "descriptionText": "Cloud SQL Database Instance should have SSL enabled", "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/ip_configuration/require_ssl", "platform": "Ansible", "descriptionID": "50bb06d6", From 120422ddd5eec7d61a69484f9fc984f7972f85db Mon Sep 17 00:00:00 2001 From: Brie Carranza Date: Wed, 29 Nov 2023 18:29:00 -0500 Subject: [PATCH 300/379] Use 'SSL' not 'SLL' --- .../gcp/sql_db_instance_with_ssl_disabled/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json index ac36440e288..e9ba27827b8 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json 
@@ -3,7 +3,7 @@
 "queryName": "SQL DB Instance With SSL Disabled",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Cloud SQL Database Instance should have SLL enabled",
+ "descriptionText": "Cloud SQL Database Instance should have SSL enabled",
 "descriptionUrl": "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "b42ee5a9",
From f271be415fc4ea946373a996920c8596716afaba Mon Sep 17 00:00:00 2001
From: "i.merzlyakov"
Date: Thu, 16 Nov 2023 14:31:25 +0700
Subject: [PATCH 301/379] fix(parser): reduce complexity of initializeJSONLine
---
 pkg/parser/json/json_line.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/pkg/parser/json/json_line.go b/pkg/parser/json/json_line.go
index 4d468e3d48a..e39b7728f7a 100644
--- a/pkg/parser/json/json_line.go
+++ b/pkg/parser/json/json_line.go
@@ -46,6 +46,9 @@ func initializeJSONLine(doc []byte) *jsonLine {
 parent: "",
 }
 
+ line := 1
+ prevInputOffset := 0
+
 // for each token inside JSON
 for {
 tok, err := dec.Token()
@@ -80,15 +83,14 @@ func initializeJSONLine(doc []byte) *jsonLine {
 continue
 }
 
- line := 1
 // get the correct line based on byte offset
- for i, val := range doc {
- if i == int(dec.InputOffset()) {
- break
- } else if val == byte('\n') {
+ currentInputOffset := int(dec.InputOffset())
+ for i := prevInputOffset; i < currentInputOffset; i++ {
+ if doc[i] == byte('\n') {
 line++
 }
 }
+ prevInputOffset = currentInputOffset
 
 // insert into line information map
 if _, ok := newMap[tokStringRepresentation]; !ok {
From a8bf26d7fd015942ee20b703ed2d06b5da442d06 Mon Sep 17 00:00:00 2001
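Review bot: The incremental count in the second hunk is only equivalent to the removed full rescan if `dec.InputOffset()` never decreases between iterations and `prevInputOffset` is advanced every time the counting loop runs; both hold as written (the `continue` branches above the hunk skip the update, and the next pass then counts from the older offset, which matches what the per-token rescan produced), but nothing in the code records that invariant, and the old `line := 1` reset that made the rescan self-contained is gone. I would add at the new declarations `// line and prevInputOffset carry across tokens: InputOffset() only grows, so newlines are counted incrementally instead of rescanning doc for every token`, and on the loop `// count newlines between the previous token's end offset and this one`. `initializeJSONLine` starts and ends outside the hunk.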
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 23:20:22 +0000 Subject: [PATCH 302/379] ci(deps): bump golang from 1.21.0-alpine to 1.21.5-alpine Bumps golang from 1.21.0-alpine to 1.21.5-alpine. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index b79e429be81..38975235202 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21.0-alpine as build_env +FROM golang:1.21.5-alpine as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app From d7ed6e5f0cd540377dec5bace6cea0b59917902e Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Thu, 30 Nov 2023 14:14:07 +0000 Subject: [PATCH 303/379] docs(queries): update queries catalog --- docs/queries/all-queries.md | 3066 +++++++++-------- docs/queries/ansible-queries.md | 330 +- .../d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md | 2 +- docs/queries/azureresourcemanager-queries.md | 34 +- docs/queries/cicd-queries.md | 2 +- docs/queries/cloudformation-queries.md | 322 +- docs/queries/crossplane-queries.md | 30 +- docs/queries/dockercompose-queries.md | 18 +- docs/queries/dockerfile-queries.md | 50 +- .../googledeploymentmanager-queries.md | 42 +- .../660360d3-9ca7-46d1-b147-3acc4002953f.md | 2 +- docs/queries/kubernetes-queries.md | 138 +- docs/queries/openapi-queries.md | 334 +- docs/queries/pulumi-queries.md | 24 +- docs/queries/serverlessfw-queries.md | 4 +- docs/queries/terraform-queries.md | 892 ++--- .../02474449-71aa-40a1-87ae-e14497747b00.md | 2 +- 17 files changed, 2666 insertions(+), 2626 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 7968f06858d..53eda1b970c 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md 
@@ -3,1029 +3,67 @@ This page contains all queries. | Query |Platform|Severity|Category|Description|Help| |-----------------------------|---|---|---|---|---| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root account usage (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 instances should not share the same role. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allows running a Lambda function through a public API Gateway (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms whether a Google Compute SSL Policy has weak cipher suites enabled; to do so, it checks that the minimum TLS version is TLS_1_2, because other versions allow weak ciphers (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PostgreSQL, the 'Enforce SSL connection' setting is set to 'ENABLED' (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for PostgreSQL Database Server, the parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the outset; permissions should instead be granted gradually, as they become necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| -|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| -|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| |Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| |Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| |Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| |Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| |Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| |Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| |Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| |Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| |Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| |Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| |Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| |Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| |Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| |Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| |Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| |Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| |Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| |Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| @@ -1034,728 +72,1702 @@ This page contains all queries. |Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| |API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| |JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| |JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| |Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| |Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| |Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| |Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| |Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| |Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| |Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| |Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| |Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| |Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| |Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| |Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| |Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| |Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| |Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| |JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| |JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| |Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| |Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| |Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| |Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| |Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| |Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| |Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| |Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| |Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| |Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| |OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| |OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| |Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| |Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| |Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| |Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| |OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| |Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| |Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| |Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| |Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| |Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| |Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| |Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| |Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| |Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| |Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| |Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| |Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| |Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| |Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| |Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| |Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| |Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|Terraform|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| +|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|Terraform|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| +|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Terraform|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| +|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Terraform|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| +|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Terraform|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| +|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Terraform|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| +|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Terraform|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| +|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Terraform|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| +|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Terraform|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| +|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Terraform|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| +|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Terraform|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| +|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Terraform|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| |BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| |MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| |IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| |GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| |Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| |SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| |IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| |ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| |IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| |Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| |ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| |Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| |ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| |Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| |S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| |Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| |Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| |EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| |ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| |Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| |EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| |KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| |Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| |Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| |DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| |Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| |CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| |Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| |ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| |Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| |API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| |Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| |API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| |CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| |S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| |RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| |IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| |Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| |ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| |DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| |BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| |BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
|
+|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
|
+|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
|
+|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
|
+|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
|
+|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
|
+|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
|
+|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
|
+|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
|
+|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
|
+|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
|
+|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
|
+|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
|
+|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
|
+|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
|
+|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
|
+|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
|
+|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
|
+|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
|
+|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
|
+|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
|
+|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
|
+|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
|
+|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
|
+|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
|
+|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
|
+|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
|
+|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
|
+|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
|
+|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
|
+|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
|
+|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
|
+|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
|
+|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
|
+|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
|
+|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
|
+|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
|
+|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
|
+|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
|
+|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
|
+|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
|
+|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
|
+|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
|
+|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
|
+|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
|
+|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
|
+|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
|
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index e33bb2405f6..e32477b7285 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -1,71 +1,19 @@
 ## Ansible Queries List
 This page contains all queries from Ansible.
-### GCP
-Bellow are listed queries related with Ansible GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cloud Storage Anonymous or Publicly Accessible<br/>
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
|
-|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
|
-|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
|
-|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
|
-|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
|
-|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
|
-|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
|
-|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
|
-|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
|
-|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
|
-|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
|
-|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
|
-|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
|
-|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
|
-|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
|
-|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
|
-|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
|
-|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
|
-|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
|
-|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
|
-|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
|
-|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
|
-|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
|
-|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
|
-|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
|
-|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
|
-|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
|
-|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
|
-|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
|
-|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
|
-|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
|
-|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
|
-|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
|
-|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
|
-|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
|
-|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
|
-|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
|
-|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
|
-|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
|
-|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
|
-|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
|
-|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
|
-|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
|
-|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
|
-|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
|
-|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
|
-|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
-|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
|
-|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
-
-### HOSTS
-Bellow are listed queries related with Ansible HOSTS:
+### SHARED (V2/V3)
+Bellow are listed queries related with Ansible SHARED (V2/V3):
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Ansible Tower Exposed To Internet<br/>
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
|
+|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
|
+|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
|
+|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
|
+|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
|
+|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
|
+|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
|
 ### AZURE
 Bellow are listed queries related with Ansible AZURE:
@@ -78,42 +26,63 @@ Bellow are listed queries related with Ansible AZURE:
 |Admin User Enabled For Container Registry<br/>
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
|
 |Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
|
 |Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
|
-|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
|
 |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
|
+|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
|
 |Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
|
-|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
|
 |AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
|
-|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
|
 |Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
|
+|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
|
+|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
|
 |CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
|
-|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
|
-|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
+|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
|
 |Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
|
+|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
|
 |SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
|
-|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
|
+|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
+|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
|
 |Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
|
 |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
|
-|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
|
 |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
|
 |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
|
 |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| |Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| |Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| |PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| |PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| |PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| |AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| |Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| + +### CONFIG +Bellow are listed queries related with Ansible CONFIG: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| + +### HOSTS +Bellow are listed queries related with Ansible HOSTS: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| ### AWS Bellow are listed queries related with Ansible AWS: @@ -122,160 +91,191 @@ Bellow are listed queries related with Ansible AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| |SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| |IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| |Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| |Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| |S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| |User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| |ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| |KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| |RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| |Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| |HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| |DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| |ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| |Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| |Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| |Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| |AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| |S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| |CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| |CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -### SHARED (V2/V3) -Bellow are listed queries related with Ansible SHARED (V2/V3): - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| - -### CONFIG -Bellow are listed queries related with Ansible CONFIG: +### GCP +Bellow are listed queries related with Ansible GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
diff --git a/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md b/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md
index 7fa085088cd..548ea162622 100644
--- a/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md
+++ b/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md
@@ -23,7 +23,7 @@ hide:
 - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled)
 ### Description
-Cloud SQL Database Instance should have SLL enabled
+Cloud SQL Database Instance should have SSL enabled
[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/ip_configuration/require_ssl)
 ### Code samples
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
index e6d1c27225f..e279506c87a 100644
--- a/docs/queries/azureresourcemanager-queries.md
+++ b/docs/queries/azureresourcemanager-queries.md
@@ -4,37 +4,37 @@ This page contains all queries from AzureResourceManager.
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| |Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| |Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| |Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| |Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| |Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| |AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| |SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| |AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| |Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| |AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| |PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| |SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| |Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| |Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| |Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| |Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| |Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
|
@@ -42,6 +42,6 @@ This page contains all queries from AzureResourceManager.
 |Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| |App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| |Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
|
diff --git a/docs/queries/cicd-queries.md b/docs/queries/cicd-queries.md
index dfd54946f88..23320065552 100644
--- a/docs/queries/cicd-queries.md
+++ b/docs/queries/cicd-queries.md
@@ -8,7 +8,7 @@ Bellow are listed queries related with CICD GITHUB:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| |Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| |Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| |Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index ac8c47486c5..c4f82b36316 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -10,13 +10,13 @@ Bellow are listed queries related with CloudFormation AWS_SAM:
 |------------------------------|--------|--------|-----------|----|
 |Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
|
 ### AWS
@@ -26,259 +26,259 @@ Bellow are listed queries related with CloudFormation AWS:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
+|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| |SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| |IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| |ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| |IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| |Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| |ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| |Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| |ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| |Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| |S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| |S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| |Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| |Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| |EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| |ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| |Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| |EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| |KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| |Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| |Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| |DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| |Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| |CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| |Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| |ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| |Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| |API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| |Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| |CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| |S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| |RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| |IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| |Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| |ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| |DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| @@ -290,15 +290,15 @@ Bellow are listed queries related with CloudFormation AWS_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| |BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| |BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md index d264598b2e2..10a9be6afd9 100644 --- a/docs/queries/crossplane-queries.md +++ b/docs/queries/crossplane-queries.md @@ -1,16 +1,6 @@ ## Crossplane Queries List This page contains all queries from Crossplane. -### GCP -Bellow are listed queries related with Crossplane GCP: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| - ### AZURE Bellow are listed queries related with Crossplane AZURE: @@ -28,16 +18,26 @@ Bellow are listed queries related with Crossplane AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| |ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| |EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| |EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| |RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| |SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| |CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| |CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| + +### GCP +Bellow are listed queries related with Crossplane GCP: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md index 61ff8c0a568..fbd83ce66cd 100644 --- a/docs/queries/dockercompose-queries.md +++ b/docs/queries/dockercompose-queries.md @@ -3,24 +3,24 @@ This page contains all queries from DockerCompose. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| |Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| |No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| |Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| |Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| |Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| |Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| |Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| |Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| |Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 4de9205fbaa..14a740794a2 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -4,51 +4,51 @@ This page contains all queries from Dockerfile. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| |Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| |COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| |Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| |Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| |Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| |Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| |RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| |Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| |APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| |Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| |Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| |Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| |Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| |Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| |Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| |Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| |Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md index 0e7ad570762..5f768b5476e 100644 --- a/docs/queries/googledeploymentmanager-queries.md +++ b/docs/queries/googledeploymentmanager-queries.md @@ -1,6 +1,17 @@ ## GoogleDeploymentManager Queries List This page contains all queries from GoogleDeploymentManager. +### GCP_BOM +Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| + ### GCP Bellow are listed queries related with GoogleDeploymentManager GCP: @@ -12,42 +23,31 @@ Bellow are listed queries related with GoogleDeploymentManager GCP: |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| |BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| |MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| |IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| |GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| |Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| |Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| |GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| |Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| |Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| |Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| |COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| |SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| |Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| - -### GCP_BOM -Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
|
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md b/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
index 7abae728cb9..41d14ee8bc2 100644
--- a/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
+++ b/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
@@ -23,7 +23,7 @@ hide:
 - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled) ### Description
-Cloud SQL Database Instance should have SLL enabled
+Cloud SQL Database Instance should have SSL enabled
[Documentation](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances) ### Code samples
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index ff270dbc356..875ff2d7f30 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -5,145 +5,145 @@ This page contains all queries from Kubernetes.
 |------------------------------|--------|--------|-----------|----|
 |Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| |Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| |Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| |Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| |Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| |Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| |PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| |Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| |Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| |Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| |Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| |TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| |Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| |Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| |Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| |PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| |Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| |RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| |Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| |Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| |RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| |Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| |Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| |Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| |Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| |Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| |Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| |PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| |Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| |Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| |NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| |Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| |Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| |Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| |Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| |Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| |Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| |Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| |Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| |CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| |Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| |Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| |Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| |Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| |ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| |Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| |Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| |Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| |Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| |Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| |Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| |Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| |Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| |Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| |Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| |Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| |Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| |StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| |CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| |Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
|
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md
index 55add2f0b27..578cae3e2c1 100644
--- a/docs/queries/openapi-queries.md
+++ b/docs/queries/openapi-queries.md
@@ -11,50 +11,50 @@ Bellow are listed queries related with OpenAPI 2.0:
 |Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| |Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| |Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| |Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| |Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| |Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| |Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| |Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| |Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| |Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| |Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| |Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| |Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| |Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| |Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| |Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| ### SHARED (V2/V3) Bellow are listed queries related with OpenAPI SHARED (V2/V3):
@@ -63,20 +63,20 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3):
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| |Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| |Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| |Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| |Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
|
@@ -85,132 +85,132 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3):
 |Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| |API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| |JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| |JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| |Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| |Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| |Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| |Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| |Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| |Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| |Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| |Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| |Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| |Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| |Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| |Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| |Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| |Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| |Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| |Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| |JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| |JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| |Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| |Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| |Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| |Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| |Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| |Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| |Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| |Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| |Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| |Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| |OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| |OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| |Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| |Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| ### 3.0 Bellow are listed queries related with OpenAPI 3.0: @@ -221,77 +221,77 @@ Bellow are listed queries related with OpenAPI 3.0: |------------------------------|--------|--------|-----------|----| |Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| |Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| |OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| |Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| |Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| |Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| |Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| |Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| |Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| |API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| |Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| |Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| |Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| |Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| |Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| |Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| |Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| |Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| |Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| |Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| |Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| |Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| |Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md index 6cdee433906..2a388b9bd9e 100644 --- a/docs/queries/pulumi-queries.md +++ b/docs/queries/pulumi-queries.md @@ -1,16 +1,6 @@ ## Pulumi Queries List This page contains all queries from Pulumi. -### GCP -Bellow are listed queries related with Pulumi GCP: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| - ### KUBERNETES Bellow are listed queries related with Pulumi KUBERNETES: @@ -43,13 +33,23 @@ Bellow are listed queries related with Pulumi AWS: |Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| |ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| |API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| |Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| |DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| + +### GCP +Bellow are listed queries related with Pulumi GCP: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md index ede01692de5..47b140b0098 100644 --- a/docs/queries/serverlessfw-queries.md +++ b/docs/queries/serverlessfw-queries.md @@ -6,10 +6,10 @@ This page contains all queries from ServerlessFW. |Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| |Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index 6f7042845a2..a383e387626 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -1,67 +1,101 @@ ## Terraform Queries List This page contains all queries from Terraform. -### GCP -Bellow are listed queries related with Terraform GCP: +### ALICLOUD +Bellow are listed queries related with Terraform ALICLOUD: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| + +### DATABRICKS +Bellow are listed queries related with Terraform DATABRICKS: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| +|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| +|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| +|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| +|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| +|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| +|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| +|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| +|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| +|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| +|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| + +### SHARED (V2/V3) +Bellow are listed queries related with Terraform SHARED (V2/V3): + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| ### KUBERNETES Bellow are listed queries related with Terraform KUBERNETES: @@ -71,62 +105,62 @@ Bellow are listed queries related with Terraform KUBERNETES: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| |PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| |Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| |Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| |Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| |Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| |RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| |Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| |Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| |Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| |Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| |NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| |Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| |Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| |Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| |Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| |Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| |Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| |Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| |CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| |Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| |Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| |Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| |HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| |No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| |Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| |Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| |StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| |Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| |CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
|
@@ -134,6 +168,20 @@ Bellow are listed queries related with Terraform KUBERNETES:
 |Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
|
+### GCP_BOM
+Bellow are listed queries related with Terraform GCP_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
|
+
 ### AZURE
 Bellow are listed queries related with Terraform AZURE:
@@ -141,87 +189,87 @@ Bellow are listed queries related with Terraform AZURE:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
+|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| |Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| |Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| |Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| |Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| |Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| |SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| |Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| |Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| |AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| |Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| |Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| |Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| |Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| |CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| |SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| |RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| |SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| |Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| |SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| |Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| |AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| |Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| |PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| |PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| |PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| |Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| |Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| |Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| |AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| @@ -229,13 +277,22 @@ Bellow are listed queries related with Terraform AZURE: |App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| |App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| |App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| |Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| +### NIFCLOUD +Bellow are listed queries related with Terraform NIFCLOUD: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| + ### AWS Bellow are listed queries related with Terraform AWS: @@ -243,353 +300,343 @@ Bellow are listed queries related with Terraform AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| |SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| |S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| |IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| |S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| |SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| |CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| |AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| |API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| |Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| |DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| |Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| |Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| |User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| |DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| |KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| |No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| |S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| |IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| |VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| |Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| |RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| |Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| |CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| |CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| |CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| |IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| |Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| |Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| |Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| |IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| |SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| |DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| |Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| |AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| |S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| |SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| |Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| |AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| |MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| |IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| |VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| |VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| |CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| |CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| |ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| |EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| |VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| |CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| |DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| |Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -### GITHUB -Bellow are listed queries related with Terraform GITHUB: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| - ### AWS_BOM Bellow are listed queries related with Terraform AWS_BOM: @@ -597,105 +644,86 @@ Bellow are listed queries related with Terraform AWS_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| |BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| |BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| |BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| - -### ALICLOUD -Bellow are listed queries related with Terraform ALICLOUD: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -### SHARED (V2/V3) -Bellow are listed queries related with Terraform SHARED (V2/V3): +### GITHUB +Bellow are listed queries related with Terraform GITHUB: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -### GCP_BOM -Bellow are listed queries related with Terraform GCP_BOM: +### GCP +Bellow are listed queries related with Terraform GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| diff --git a/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md b/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md index cdd78fe83df..e439dfeb838 100644 --- a/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md +++ b/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md @@ -23,7 +23,7 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled) ### Description -Cloud SQL Database Instance should have SLL enabled
+Cloud SQL Database Instance should have SSL enabled
[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl) ### Code samples From fba51729eb4828fd4185935fe638930e2cdfb402 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 12 Dec 2023 16:33:27 +0000 Subject: [PATCH 304/379] update --- e2e/fixtures/assets/scan_help | 22 ++++----- internal/console/assets/scan-flags.json | 15 ++++-- internal/console/flags/scan_flags.go | 65 +++++++++++++------------ internal/console/pre_scan.go | 2 + internal/console/scan.go | 3 +- pkg/scan/client.go | 3 +- 6 files changed, 59 insertions(+), 51 deletions(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 9ccfa537f0f..343cbc2ded4 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -3,10 +3,11 @@ Usage: Flags: -m, --bom include bill of materials (BoM) in results output - --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) + --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp, nifcloud) --config string path to configuration file --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning + --enable-openapi-refs resolve the file reference, on OpenAPI files --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags can be provided multiple times or as a comma separated string 
@@ -25,13 +26,10 @@ Flags: --exclude-severities strings exclude results by providing the severity of a result can be provided multiple times or as a comma separated string example: 'info,low' - --exclude-type strings case insensitive list of platform types not to scan - (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) - cannot be provided with type inclusion flags - --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder - can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform) - example: 'terraform/databricks' - possible values found in: '/assets/utils/experimental-queries.json' + --exclude-type strings case insensitive list of platform types not to scan + (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + cannot be provided with type inclusion flags + --experimental-queries include experimental queries (queries not yet thoroughly reviewed) --fail-on strings which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) 
@@ -45,7 +43,7 @@ Flags: example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' --input-data string path to query input data files -b, --libraries-path string path to directory with libraries (default "./assets/libraries") - --max-file-size int max file size that allowed to scan in MB (default 5) + --max-file-size int max file size that is allowed to be scanned, in MB (default 5) --minimal-ui simplified version of CLI output --no-progress hides the progress bar --output-name string name used on report creations (default "results") @@ -60,9 +58,9 @@ Flags: -r, --secrets-regexes-path string path to secrets regex rules configuration file --terraform-vars-path string path where terraform variables are present --timeout int number of seconds the query has to execute before being canceled (default 60) - -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) - cannot be provided with type exclusion flags + -t, --type strings case insensitive list of platform types to scan + (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerlessFW, Terraform) + cannot be provided with type exclusion flags Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index ce2780d8884..a25ded32ad2 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json 
@@ -60,11 +60,10 @@
 "usage": "include bill of materials (BoM) in results output"
 },
 "experimental-queries": {
- "flagType": "multiStr",
+ "flagType": "bool",
 "shorthandFlag": "",
- "defaultValue": null,
- "usage": "include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder\ncan be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)\nexample: 'terraform/databricks'\npossible values found in: '/assets/utils/experimental-queries.json'",
- "validation": "validateMultiStr"
+ "defaultValue": "false",
+ "usage": "include experimental queries (queries not yet thoroughly reviewed)"
 },
 "fail-on": {
 "flagType": "multiStr",
@@ -203,10 +202,16 @@
 "defaultValue": "false",
 "usage": "disables the exclusion of paths specified within .gitignore file"
 },
+ "enable-openapi-refs": {
+ "flagType": "bool",
+ "shorthandFlag": "",
+ "defaultValue": "false",
+ "usage": "resolve the file reference, on OpenAPI files"
+ },
 "max-file-size": {
 "flagType": "int",
 "shorthandFlag": "",
 "defaultValue": "5",
- "usage": "max file size that allowed to scan in MB"
+ "usage": "max file size that is allowed to be scanned, in MB"
 }
 }
diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go
index e123eb02d8e..3a9a9c4677b 100644
--- a/internal/console/flags/scan_flags.go
+++ b/internal/console/flags/scan_flags.go
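Review bot: The usage string added for `enable-openapi-refs` in the second hunk, `"resolve the file reference, on OpenAPI files"`, is ungrammatical and does not say which references are resolved or where they may point; since resolving references makes the scanner open additional files named by the scanned input, that scope is the one thing a user needs to know before turning the flag on. Suggest `"usage": "resolve file references ($ref) found in OpenAPI documents during the scan"`, and, if the resolver confines lookups to the scanned path, state that in the same string. The same sentence is copied into `e2e/fixtures/assets/scan_help` in this commit, so both should change together.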
@@ -2,37 +2,38 @@ package flags
 // Flags constants for scan
 const (
- BomFlag = "bom"
- CloudProviderFlag = "cloud-provider"
- ConfigFlag = "config"
- DisableFullDescFlag = "disable-full-descriptions"
- ExcludeCategoriesFlag = "exclude-categories"
- ExcludePathsFlag = "exclude-paths"
- ExcludeQueriesFlag = "exclude-queries"
- ExcludeResultsFlag = "exclude-results"
- ExcludeSeveritiesFlag = "exclude-severities"
+ BomFlag = "bom"
+ CloudProviderFlag = "cloud-provider"
+ ConfigFlag = "config"
+ DisableFullDescFlag = "disable-full-descriptions"
+ ExcludeCategoriesFlag = "exclude-categories"
+ ExcludePathsFlag = "exclude-paths"
+ ExcludeQueriesFlag = "exclude-queries"
+ ExcludeResultsFlag = "exclude-results"
+ ExcludeSeveritiesFlag = "exclude-severities"
 ExperimentalQueriesFlag = "experimental-queries"
- IncludeQueriesFlag = "include-queries"
- InputDataFlag = "input-data"
- FailOnFlag = "fail-on"
- IgnoreOnExitFlag = "ignore-on-exit"
- MinimalUIFlag = "minimal-ui"
- NoProgressFlag = "no-progress"
- OutputNameFlag = "output-name"
- OutputPathFlag = "output-path"
- PathFlag = "path"
- PayloadPathFlag = "payload-path"
- PreviewLinesFlag = "preview-lines"
- QueriesPath = "queries-path"
- LibrariesPath = "libraries-path"
- ReportFormatsFlag = "report-formats"
- TypeFlag = "type"
- ExcludeTypeFlag = "exclude-type"
- TerraformVarsPathFlag = "terraform-vars-path"
- QueryExecTimeoutFlag = "timeout"
- LineInfoPayloadFlag = "payload-lines"
- DisableSecretsFlag = "disable-secrets"
- SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec
- ExcludeGitIgnore = "exclude-gitignore"
- MaxFileSizeFlag = "max-file-size" // orca-specifics
+ IncludeQueriesFlag = "include-queries"
+ InputDataFlag = "input-data"
+ FailOnFlag = "fail-on"
+ IgnoreOnExitFlag = "ignore-on-exit"
+ MinimalUIFlag = "minimal-ui"
+ NoProgressFlag = "no-progress"
+ OutputNameFlag = "output-name"
+ OutputPathFlag = "output-path"
+ PathFlag = "path"
+ PayloadPathFlag = "payload-path"
+ PreviewLinesFlag = "preview-lines"
+ QueriesPath = "queries-path"
+ LibrariesPath = "libraries-path"
+ ReportFormatsFlag = "report-formats"
+ TypeFlag = "type"
+ ExcludeTypeFlag = "exclude-type"
+ TerraformVarsPathFlag = "terraform-vars-path"
+ QueryExecTimeoutFlag = "timeout"
+ LineInfoPayloadFlag = "payload-lines"
+ DisableSecretsFlag = "disable-secrets"
+ SecretsRegexesPathFlag = "secrets-regexes-path" //nolint:gosec
+ ExcludeGitIgnore = "exclude-gitignore"
+ OpenAPIReferencesFlag = "enable-openapi-refs"
+ MaxFileSizeFlag = "max-file-size"
 )
diff --git a/internal/console/pre_scan.go b/internal/console/pre_scan.go
index d86afada3cc..7d9c7d344fb 100644
--- a/internal/console/pre_scan.go
+++ b/internal/console/pre_scan.go
@@ -157,6 +157,8 @@ func (console *console) preScan() {
 cpu := consoleHelpers.GetNumCPU()
 log.Info().Msgf("CPU: %.1f", cpu)
+ log.Info().Msgf("Max file size: %d Mb", flags.GetIntFlag(flags.MaxFileSizeFlag))
+
 noProgress := flags.GetBoolFlag(flags.NoProgressFlag)
 if strings.EqualFold(flags.GetStrFlag(flags.LogLevelFlag), "debug") {
 noProgress = true
diff --git a/internal/console/scan.go b/internal/console/scan.go
index 9048457cd41..ae4fe9191eb 100644
--- a/internal/console/scan.go
+++ b/internal/console/scan.go
@@ -116,7 +116,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
 ExcludeQueries: flags.GetMultiStrFlag(flags.ExcludeQueriesFlag),
 ExcludeResults: flags.GetMultiStrFlag(flags.ExcludeResultsFlag),
 ExcludeSeverities: flags.GetMultiStrFlag(flags.ExcludeSeveritiesFlag),
- ExperimentalQueries: flags.GetMultiStrFlag(flags.ExperimentalQueriesFlag),
+ ExperimentalQueries: flags.GetBoolFlag(flags.ExperimentalQueriesFlag),
 IncludeQueries: flags.GetMultiStrFlag(flags.IncludeQueriesFlag),
 InputData: flags.GetStrFlag(flags.InputDataFlag),
 OutputName: flags.GetStrFlag(flags.OutputNameFlag),
@@ -139,6 +139,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
 ChangedDefaultQueryPath: changedDefaultQueryPath,
 BillOfMaterials: flags.GetBoolFlag(flags.BomFlag),
 ExcludeGitIgnore: flags.GetBoolFlag(flags.ExcludeGitIgnore),
+ OpenAPIResolveReferences: flags.GetBoolFlag(flags.OpenAPIReferencesFlag),
 MaxFileSizeFlag: flags.GetIntFlag(flags.MaxFileSizeFlag),
 }
diff --git a/pkg/scan/client.go b/pkg/scan/client.go
index 54f89c2e65b..4b82d5bf375 100644
--- a/pkg/scan/client.go
+++ b/pkg/scan/client.go
@@ -21,7 +21,7 @@ type Parameters struct {
 ExcludeQueries []string
 ExcludeResults []string
 ExcludeSeverities []string
- ExperimentalQueries []string
+ ExperimentalQueries bool
 IncludeQueries []string
 InputData string
 OutputName string
@@ -44,6 +44,7 @@ type Parameters struct {
 ScanID string
 BillOfMaterials bool
 ExcludeGitIgnore bool
+ OpenAPIResolveReferences bool
 MaxFileSizeFlag int
 }
From 05f13b8d9521ae9c8adce28401f0af6b82bc3067 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Wed, 13 Dec 2023 09:42:56 +0000 Subject: [PATCH 305/379] update commands.md --- docs/commands.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/docs/commands.md b/docs/commands.md
index ad6f93af765..c7bee35cdd6 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -84,6 +84,7 @@ Flags:
 example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'
 --input-data string path to query input data files
 -b, --libraries-path string path to directory with libraries (default "./assets/libraries")
+ --max-file-size int max file size that is allowed to be scanned, in MB (default 5)
 --minimal-ui simplified version of CLI output
 --no-progress hides the progress bar
 --output-name string name used on report creations (default "results")
From 212dd423efd03db15f5bf242979b12482ed3669b Mon Sep 17 00:00:00 2001
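Review bot: The new exported field `OpenAPIResolveReferences bool` in `Parameters` (client.go hunk) carries no doc comment, and nothing in the series states what resolving references does during a scan; a comment such as `// OpenAPIResolveReferences resolves references in OpenAPI documents before queries run (enable-openapi-refs flag).` would make the option self-describing. If resolution can follow references to other files or remote locations, the comment should say so, because that decides what the scanner reads beyond the path it was given. The retyped `ExperimentalQueries bool` in the same struct likewise lacks a comment saying what enabling it does.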
From: JoaoCxMartins Date: Wed, 13 Dec 2023 19:56:09 +0000 Subject: [PATCH 306/379] fix text --- internal/console/pre_scan.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/console/pre_scan.go b/internal/console/pre_scan.go index 7d9c7d344fb..6ee4d2426c6 100644 --- a/internal/console/pre_scan.go +++ b/internal/console/pre_scan.go @@ -157,7 +157,7 @@ func (console *console) preScan() { cpu := consoleHelpers.GetNumCPU() log.Info().Msgf("CPU: %.1f", cpu) - log.Info().Msgf("Max file size: %d Mb", flags.GetIntFlag(flags.MaxFileSizeFlag)) + log.Info().Msgf("Max file size permitted for scanning: %d MB", flags.GetIntFlag(flags.MaxFileSizeFlag)) noProgress := flags.GetBoolFlag(flags.NoProgressFlag) if strings.EqualFold(flags.GetStrFlag(flags.LogLevelFlag), "debug") { From b9e88ba4103eaaf5708a37c52b9dfdb73b0f0c83 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Thu, 14 Dec 2023 09:45:58 +0000 Subject: [PATCH 307/379] Update docs/commands.md --- docs/commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/commands.md b/docs/commands.md index 0797ef2e45c..78f05dec229 100644 --- a/docs/commands.md +++ b/docs/commands.md @@ -83,7 +83,7 @@ Flags: example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' --input-data string path to query input data files -b, --libraries-path string path to directory with libraries (default "./assets/libraries") - --max-file-size int max file size that is allowed to be scanned, in MB (default 5) + --max-file-size int max file size permitted for scanning, in MB (default 5) --minimal-ui simplified version of CLI output --no-progress hides the progress bar --output-name string name used on report creations (default "results") From 7fa23f2cc3358ebe91e5c25ce2fc65c51721e550 Mon Sep 17 00:00:00 2001 
From: Gabriel Date: Thu, 14 Dec 2023 09:46:13 +0000 Subject: [PATCH 308/379] Update e2e/fixtures/assets/scan_help --- e2e/fixtures/assets/scan_help | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 343cbc2ded4..20994503386 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help @@ -43,7 +43,7 @@ Flags: example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db' --input-data string path to query input data files -b, --libraries-path string path to directory with libraries (default "./assets/libraries") - --max-file-size int max file size that is allowed to be scanned, in MB (default 5) + --max-file-size int max file size permitted for scanning, in MB (default 5) --minimal-ui simplified version of CLI output --no-progress hides the progress bar --output-name string name used on report creations (default "results") From a75f041c55726829a121d464abd183904370da73 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Thu, 14 Dec 2023 09:46:32 +0000 Subject: [PATCH 309/379] Update internal/console/assets/scan-flags.json --- internal/console/assets/scan-flags.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index a25ded32ad2..6807a0ab05c 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json @@ -212,6 +212,6 @@ "flagType": "int", "shorthandFlag": "", "defaultValue": "5", - "usage": "max file size that is allowed to be scanned, in MB" + "usage": "max file size permitted for scanning, in MB" } } From 42de4ada5d918175407aa7e96e58555270750a92 Mon Sep 17 00:00:00 2001 
From: Artur Ribeiro Date: Fri, 15 Dec 2023 17:37:34 +0000 Subject: [PATCH 310/379] CWE item added into queries metadata.json --- .../aws/alb_listening_on_http/metadata.json | 5 ++-- .../aws/ami_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/api_gateway_without_waf/metadata.json | 5 ++-- .../api_gateway_xray_disabled/metadata.json | 5 ++-- .../authentication_without_mfa/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/certificate_has_expired/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudfront_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/cloudfront_without_waf/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudtrail_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ansible/aws/cmk_is_unusable/metadata.json | 5 ++-- .../aws/cmk_rotation_disabled/metadata.json | 5 ++-- .../aws/codebuild_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ec2_instance_has_public_ip/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/ec2_not_ebs_optimized/metadata.json | 5 ++-- .../ecr_image_tag_not_immutable/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/efs_not_encrypted/metadata.json | 5 ++-- .../ansible/aws/efs_without_kms/metadata.json | 5 ++-- 
.../aws/efs_without_tags/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/elasticache_without_vpc/metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../metadata.json | 5 ++-- .../aws/elb_using_weak_ciphers/metadata.json | 5 ++-- .../hardcoded_aws_access_key/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../http_port_open_to_internet/metadata.json | 5 ++-- .../iam_access_key_is_exposed/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/iam_group_without_users/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../iam_password_without_number/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/instance_with_no_vpc/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/memcached_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ansible/aws/no_stack_policy/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/public_port_wide/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/rds_using_default_port/metadata.json | 5 ++-- .../rds_with_backup_disabled/metadata.json | 5 ++-- .../aws/redis_not_compliant/metadata.json | 5 ++-- .../aws/redshift_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../redshift_using_default_port/metadata.json | 5 ++-- .../remote_desktop_port_open/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../route53_record_undefined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../s3_bucket_logging_disabled/metadata.json | 5 ++-- 
.../aws/s3_bucket_sse_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/secure_ciphers_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/sqs_queue_exposed/metadata.json | 5 ++-- .../aws/sqs_with_sse_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../stack_retention_disabled/metadata.json | 5 ++-- .../aws/stack_without_template/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../azure/aks_rbac_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 3 ++- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../log_retention_is_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../public_storage_account/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../redis_entirely_accessible/metadata.json | 5 ++-- .../redis_publicly_accessible/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ssl_enforce_is_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../vm_not_attached_to_network/metadata.json | 5 
++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../communication_over_http/metadata.json | 21 +++++++++-------- .../logging_of_sensitive_data/metadata.json | 22 +++++++++--------- .../metadata.json | 22 +++++++++--------- .../bigquery_dataset_is_public/metadata.json | 5 ++-- .../client_certificate_disabled/metadata.json | 5 ++-- .../cloud_dns_without_dnnsec/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/cluster_labels_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/cos_node_image_not_used/metadata.json | 5 ++-- .../disk_encryption_disabled/metadata.json | 5 ++-- .../gcp/dnssec_using_rsasha1/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/ip_aliasing_disabled/metadata.json | 5 ++-- .../gcp/ip_forwarding_enabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/network_policy_disabled/metadata.json | 5 ++-- .../node_auto_upgrade_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../private_cluster_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/shielded_vm_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../vm_with_full_cloud_access/metadata.json | 5 ++-- 
.../communication_over_http/metadata.json | 22 +++++++++--------- .../metadata.json | 21 +++++++++-------- .../logging_of_sensitive_data/metadata.json | 22 +++++++++--------- .../metadata.json | 22 +++++++++--------- .../risky_file_permissions/metadata.json | 21 +++++++++-------- .../unpinned_package_version/metadata.json | 22 +++++++++--------- .../metadata.json | 22 +++++++++--------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aks_cluster_rbac_disabled/metadata.json | 5 ++-- .../aks_dashboard_enabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 3 ++- .../metadata.json | 5 ++-- .../key_vault_not_recoverable/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../standard_price_not_selected/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../website_not_forcing_https/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../buildah/run_using_apt/metadata.json | 5 ++-- .../github/run_block_injection/metadata.json | 5 ++-- .../script_block_injection/metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../github/unsecured_commands/metadata.json | 22 +++++++++--------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/alb_listening_on_http/metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/api_gateway_without_waf/metadata.json | 9 ++++---- .../api_gateway_xray_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudfront_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/cloudfront_without_waf/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudtrail_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudwatch_logging_disabled/metadata.json | 5 ++-- .../cloudwatch_metrics_disabled/metadata.json | 5 ++-- .../aws/cmk_is_unusable/metadata.json | 5 ++-- .../aws/cmk_rotation_disabled/metadata.json | 5 ++-- .../aws/cmk_unencrypted_storage/metadata.json | 5 ++-- .../aws/codebuild_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/default_kms_key_usage/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/docdb_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../dynamodb_with_aws_owned_cmk/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/ec2_not_ebs_optimized/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ecr_image_tag_not_immutable/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/efs_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../aws/efs_without_kms/metadata.json | 5 ++-- .../aws/efs_without_tags/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/elasticache_without_vpc/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../elasticsearch_logs_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/elb_access_log_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/elb_using_weak_ciphers/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../elb_without_secure_protocol/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/emr_wihout_vpc/metadata.json | 5 ++-- .../aws/fully_open_ingress/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../geo_restriction_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../guardduty_detector_disabled/metadata.json | 5 ++-- .../metadata.json | 
5 ++-- .../aws/http_port_open/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/iam_group_without_users/metadata.json | 5 ++-- .../iam_groups_inline_policies/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../iam_password_without_number/metadata.json | 5 ++-- .../iam_password_without_symbol/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../iam_policies_without_groups/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/iam_policy_on_user/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/iam_user_with_no_group/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/instance_with_no_vpc/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../kinesis_sse_not_configured/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/memcached_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../mq_broker_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../rds_storage_not_encrypted/metadata.json | 5 ++-- .../aws/rds_using_default_port/metadata.json | 5 ++-- .../rds_with_backup_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/redshift_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../redshift_using_default_port/metadata.json | 5 ++-- .../refresh_token_is_exposed/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../route53_record_undefined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../s3_bucket_allows_public_acl/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../s3_bucket_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/s3_bucket_sse_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/secure_ciphers_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shield_advanced_not_in_use/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/sqs_with_sse_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../stack_retention_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../aws/unscanned_ecr_image/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/vpc_flowlogs_disabled/metadata.json | 5 ++-- .../vpc_without_attached_subnet/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../webacl_allow_defaultaction/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws_bom/cassandra/metadata.json | 22 +++++++++--------- .../aws_bom/dynamo/metadata.json | 22 +++++++++--------- .../cloudFormation/aws_bom/ebs/metadata.json | 5 ++-- .../cloudFormation/aws_bom/efs/metadata.json | 5 ++-- .../aws_bom/elasticache/metadata.json | 5 ++-- .../aws_bom/kinesis/metadata.json | 7 +++--- .../cloudFormation/aws_bom/mq/metadata.json | 5 ++-- .../cloudFormation/aws_bom/msk/metadata.json | 5 ++-- .../cloudFormation/aws_bom/rds/metadata.json | 21 +++++++++-------- .../aws_bom/s3_bucket/metadata.json | 5 ++-- .../cloudFormation/aws_bom/sns/metadata.json | 5 ++-- .../cloudFormation/aws_bom/sqs/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../passwords_and_secrets/metadata.json | 5 ++-- .../cloudfront_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/cloudfront_without_waf/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/docdb_logging_disabled/metadata.json | 5 ++-- .../aws/efs_not_encrypted/metadata.json | 5 ++-- .../aws/efs_without_kms/metadata.json | 5 ++-- .../aws/elb_using_weak_ciphers/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../aws/sqs_with_sse_disabled/metadata.json | 5 ++-- .../azure/aks_rbac_disabled/metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cgroup_not_default/metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../cpus_not_limited/metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../healthcheck_not_set/metadata.json | 19 +++++++-------- .../host_namespace_is_shared/metadata.json | 19 +++++++-------- .../memory_not_limited/metadata.json | 19 +++++++-------- .../networks_not_set/metadata.json | 5 ++-- .../no_new_privileges_not_set/metadata.json | 19 +++++++-------- .../pids_limit_not_set/metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../metadata.json | 19 +++++++-------- .../metadata.json | 19 +++++++-------- .../security_opt_not_set/metadata.json | 19 +++++++-------- .../shared_host_ipc_namespace/metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../shared_host_user_namespace/metadata.json | 19 +++++++-------- .../metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../add_instead_of_copy/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../chown_flag_exists/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../curl_or_wget_instead_of_add/metadata.json | 5 ++-- .../dockerfile/exposing_port_22/metadata.json | 5 ++-- .../gem_install_without_version/metadata.json | 7 +++--- .../metadata.json | 5 ++-- .../image_version_not_explicit/metadata.json | 5 ++-- .../image_version_using_latest/metadata.json | 5 ++-- .../last_user_is_root/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../missing_dnf_clean_all/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../missing_user_instruction/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../missing_zypper_clean/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../dockerfile/run_using_apt/metadata.json | 5 ++-- .../dockerfile/run_using_sudo/metadata.json | 5 ++-- .../run_using_wget_and_curl/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../unix_ports_out_of_range/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../update_instruction_alone/metadata.json | 7 +++--- .../using_platform_with_from/metadata.json | 5 ++-- .../using_unnamed_build_stages/metadata.json | 5 ++-- .../vulnerable_openssl_version/metadata.json | 5 ++-- .../workdir_path_not_absolute/metadata.json | 5 ++-- .../yum_clean_all_missing/metadata.json | 5 ++-- .../metadata.json | 7 +++--- .../yum_install_without_version/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../bigquery_database_is_public/metadata.json | 5 ++-- .../bucket_without_versioning/metadata.json | 5 ++-- .../client_certificate_disabled/metadata.json | 5 ++-- .../cloud_dns_without_dnnsec/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/cluster_labels_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/cos_node_image_not_used/metadata.json | 5 ++-- .../disk_encryption_disabled/metadata.json | 5 ++-- .../gcp/dnssec_using_rsasha1/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/ip_aliasing_disabled/metadata.json | 5 ++-- .../gcp/ip_forwarding_enabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/network_policy_disabled/metadata.json | 5 ++-- .../node_auto_upgrade_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../private_cluster_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../gcp/shielded_vm_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp_bom/pd/metadata.json | 22 +++++++++--------- .../gcp_bom/pst/metadata.json | 5 ++-- .../gcp_bom/sb/metadata.json | 22 +++++++++--------- .../enum_name_not_camel_case/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 3 ++- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/audit_log_path_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 3 ++- .../k8s/auto_tls_set_to_true/metadata.json | 5 ++-- .../k8s/basic_auth_file_is_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/container_is_privileged/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/container_runs_unmasked/metadata.json | 7 +++--- .../containers_run_with_low_uid/metadata.json | 5 ++-- .../containers_running_as_root/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/cpu_limits_not_set/metadata.json | 5 ++-- .../k8s/cpu_requests_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/dashboard_is_enabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 20 ++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../hpa_targets_invalid_object/metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../k8s/image_without_digest/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../insecure_bind_address_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../queries/k8s/invalid_image/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../metadata.json | 20 ++++++++-------- .../metadata.json | 19 +++++++-------- .../kubelet_https_set_to_false/metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../metadata.json | 20 ++++++++-------- .../metadata.json | 3 ++- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../memory_limits_not_defined/metadata.json | 5 ++-- .../memory_requests_not_defined/metadata.json | 5 ++-- .../metadata_label_is_invalid/metadata.json | 5 ++-- .../missing_app_armor_config/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 20 ++++++++-------- .../metadata.json | 5 ++-- .../peer_auto_tls_set_to_true/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../profiling_not_set_to_false/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../psp_allows_sharing_host_ipc/metadata.json | 5 ++-- .../psp_allows_sharing_host_pid/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/psp_set_to_privileged/metadata.json | 5 ++-- .../psp_with_added_capabilities/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/rbac_wildcard_in_rule/metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../root_ca_file_not_defined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../root_containers_admitted/metadata.json | 5 ++-- .../metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/secure_port_set_to_zero/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../service_does_not_target_pod/metadata.json | 5 ++-- .../service_type_is_nodeport/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shared_host_ipc_namespace/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shared_host_pid_namespace/metadata.json | 5 ++-- .../k8s/shared_service_account/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/tiller_is_deployed/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 20 ++++++++-------- .../k8s/token_auth_file_is_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../k8s/weak_tls_cipher_suites/metadata.json | 19 +++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../basepath_with_wrong_format/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../constraining_enum_property/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../global_schemes_uses_http/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../host_with_invalid_pattern/metadata.json | 5 ++-- .../2.0/implicit_flow_oauth2/metadata.json | 5 ++-- .../invalid_media_type_value/metadata.json | 7 +++--- .../invalid_oauth2_token_url/metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../operation_summary_too_long/metadata.json | 5 ++-- .../operation_using_basic_auth/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../path_scheme_accepts_http/metadata.json | 5 ++-- .../2.0/property_not_unique/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../schema_object_incorrect_ref/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../2.0/schemes_uses_http copy/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../openAPI/2.0/unknown_prefix/metadata.json | 5 ++-- .../2.0/unknown_property/metadata.json | 5 ++-- .../unused_parameter_definition/metadata.json | 5 ++-- .../unused_response_definition/metadata.json | 5 ++-- .../unused_schema_definition/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../openAPI/3.0/empty_array/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../3.0/global_server_uses_http/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../3.0/implicit_flow_oauth2/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../invalid_media_type_value/metadata.json | 7 +++--- 
.../invalid_oauth2_token_url/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../link_object_incorrect_ref/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../oauth2_with_implicit_flow/metadata.json | 5 ++-- .../oauth2_with_password_flow/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../3.0/path_server_uses_http/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../request_body_incorrect_ref/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../schema_object_incorrect_ref/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../security_field_undefined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../security_scheme_undefined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../3.0/server_url_not_absolute/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../3.0/servers_undefined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../openAPI/3.0/unknown_prefix/metadata.json | 5 ++-- .../3.0/unknown_property/metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/docdb_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/ec2_not_ebs_optimized/metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../elasticsearch_logs_disabled/metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../missing_app_armor_config/metadata.json | 5 ++-- .../psp_set_to_privileged/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../alb_listening_on_http/metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../alicloud/cmk_is_unusable/metadata.json | 5 ++-- .../metadata.json | 6 ++--- .../disk_encryption_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../nas_file_system_without_kms/metadata.json | 5 ++-- .../no_ros_stack_policy/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../oss_bucket_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ram_policy_attached_to_user/metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ros_stack_without_template/metadata.json | 6 ++--- .../metadata.json | 5 ++-- .../vpc_flow_logs_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/alb_listening_on_http/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../aws/ami_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/api_gateway_without_waf/metadata.json | 21 +++++++++-------- .../api_gateway_xray_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../authentication_without_mfa/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/certificate_has_expired/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudfront_logging_disabled/metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/cloudfront_without_waf/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudtrail_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudwatch_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cloudwatch_metrics_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/cmk_is_unusable/metadata.json | 5 ++-- .../aws/cmk_rotation_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../dax_cluster_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/default_vpc_exists/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../docdb_cluster_not_encrypted/metadata.json | 5 ++-- .../docdb_cluster_without_kms/metadata.json | 5 ++-- .../aws/docdb_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ec2_instance_has_public_ip/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ec2_instance_using_api_keys/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../aws/ec2_not_ebs_optimized/metadata.json | 5 ++-- .../ecr_image_tag_not_immutable/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 3 ++- .../metadata.json | 7 +++--- .../aws/efs_not_encrypted/metadata.json | 5 ++-- .../efs_with_vulnerable_policy/metadata.json | 5 ++-- .../aws/efs_without_kms/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../eks_cluster_log_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/elasticache_without_vpc/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../elasticsearch_logs_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 22 +++++++++--------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../elb_access_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/elb_using_weak_ciphers/metadata.json | 5 ++-- .../aws/emr_without_vpc/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../glue_with_vulnerable_policy/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../guardduty_detector_disabled/metadata.json | 5 ++-- 
.../hardcoded_aws_access_key/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/http_port_open/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../iam_access_key_is_exposed/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/iam_group_without_users/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../iam_password_without_symbol/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../iam_user_policy_without_mfa/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/instance_with_no_vpc/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../kinesis_sse_not_configured/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 21 +++++++++-------- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../missing_cluster_log_types/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../mq_broker_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../neptune_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../no_password_policy_enabled/metadata.json | 5 ++-- .../aws/no_stack_policy/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../policy_without_principal/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../rds_storage_not_encrypted/metadata.json | 5 ++-- .../aws/rds_using_default_port/metadata.json | 5 ++-- 
.../rds_with_backup_disabled/metadata.json | 5 ++-- .../aws/rds_without_logging/metadata.json | 5 ++-- .../aws/redis_disabled/metadata.json | 5 ++-- .../aws/redis_not_compliant/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/redshift_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../redshift_using_default_port/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/resource_not_using_tags/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../route53_record_undefined/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../s3_bucket_allows_public_acl/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../s3_bucket_logging_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/s3_bucket_sse_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 7 +++--- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/secure_ciphers_disabled/metadata.json | 5 ++-- 
.../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../security_groups_not_used/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shield_advanced_not_in_use/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/sns_topic_not_encrypted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/sqs_queue_exposed/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/sqs_with_sse_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../stack_retention_disabled/metadata.json | 5 ++-- .../aws/stack_without_template/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/unscanned_ecr_image/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../aws/vpc_flowlogs_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../terraform/aws_bom/dynamo/metadata.json | 5 ++-- .../terraform/aws_bom/ebs/metadata.json | 5 ++-- .../terraform/aws_bom/efs/metadata.json | 5 ++-- .../aws_bom/elasticache/metadata.json | 5 ++-- .../terraform/aws_bom/kinesis/metadata.json | 5 ++-- .../terraform/aws_bom/mq/metadata.json | 5 ++-- 
.../terraform/aws_bom/msk/metadata.json | 5 ++-- .../terraform/aws_bom/rds/metadata.json | 5 ++-- .../terraform/aws_bom/s3_bucket/metadata.json | 5 ++-- .../terraform/aws_bom/sns/metadata.json | 5 ++-- .../terraform/aws_bom/sqs/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../azure/aks_rbac_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../app_service_http2_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../azure/dashboard_is_enabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../azure/email_alerts_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../function_app_http2_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../geo_redundancy_is_disabled/metadata.json | 5 ++-- .../key_expiration_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../log_retention_is_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../public_storage_account/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- 
.../redis_entirely_accessible/metadata.json | 5 ++-- .../redis_not_updated_regularly/metadata.json | 5 ++-- .../redis_publicly_accessible/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../secret_expiration_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../security_contact_email/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../sql_database_audit_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../ssl_enforce_is_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../vault_auditing_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../vm_not_attached_to_network/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../autoscale_badly_setup/metadata.json | 7 +++--- .../cluster_aws_attributes/metadata.json | 7 +++--- .../cluster_azure_attributes/metadata.json | 7 +++--- .../cluster_gcp_attributes/metadata.json | 7 +++--- .../databricks_permissions/metadata.json | 5 ++-- .../metadata.json | 7 +++--- .../indefinitely_obo_token/metadata.json | 7 +++--- .../indefinitely_token/metadata.json | 7 +++--- .../databricks/unrestricted_acl/metadata.json | 7 +++--- .../use_lts_spark_version/metadata.json | 7 +++--- .../use_spark_submit_task/metadata.json | 7 +++--- .../bigquery_dataset_is_public/metadata.json | 5 ++-- .../cloud_dns_without_dnssec/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/cluster_labels_disabled/metadata.json | 5 ++-- 
.../gcp/cos_node_image_not_used/metadata.json | 5 ++-- .../disk_encryption_disabled/metadata.json | 5 ++-- .../gcp/dnssec_using_rsasha1/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/ip_aliasing_disabled/metadata.json | 5 ++-- .../gcp/ip_forwarding_enabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/network_policy_disabled/metadata.json | 5 ++-- .../node_auto_upgrade_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/os_login_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/outdated_gke_version/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../private_cluster_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shielded_gke_nodes_disabled/metadata.json | 7 +++--- .../gcp/shielded_vm_disabled/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../gcp/user_with_iam_role/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../vm_with_full_cloud_access/metadata.json | 5 ++-- .../terraform/gcp_bom/dataflow/metadata.json | 22 +++++++++--------- .../terraform/gcp_bom/fi/metadata.json | 22 +++++++++--------- .../terraform/gcp_bom/pd/metadata.json | 22 +++++++++--------- .../terraform/gcp_bom/pst/metadata.json | 22 +++++++++--------- .../terraform/gcp_bom/redis/metadata.json | 22 +++++++++--------- .../terraform/gcp_bom/sb/metadata.json | 22 
+++++++++--------- .../metadata.json | 5 ++-- .../name_is_not_snake_case/metadata.json | 5 ++-- .../output_without_description/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../variable_without_type/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../container_host_pid_is_true/metadata.json | 5 ++-- .../container_is_privileged/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../container_runs_unmasked/metadata.json | 7 +++--- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../cpu_limits_not_set/metadata.json | 5 ++-- .../cpu_requests_not_set/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../hpa_targets_invalid_object/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../image_without_digest/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../kubernetes/invalid_image/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../memory_limits_not_defined/metadata.json | 5 ++-- .../memory_requests_not_defined/metadata.json | 5 ++-- .../metadata_label_is_invalid/metadata.json | 5 ++-- .../missing_app_armor_config/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../psp_allows_sharing_host_ipc/metadata.json | 5 ++-- .../psp_set_to_privileged/metadata.json | 5 ++-- .../psp_with_added_capabilities/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../root_containers_admitted/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 
++-- .../metadata.json | 5 ++-- .../service_type_is_nodeport/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shared_host_ipc_namespace/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../shared_service_account/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../tiller_is_deployed/metadata.json | 5 ++-- .../using_default_namespace/metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 5 ++-- .../metadata.json | 23 ++++++++++--------- 1607 files changed, 5495 insertions(+), 3920 deletions(-)
diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
index 3b48cff42d8..04c04603422 100644
--- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
+++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html",
 "platform": "Ansible",
 "descriptionID": "3a7576e5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ami_not_encrypted/metadata.json b/assets/queries/ansible/aws/ami_not_encrypted/metadata.json
index 7cc85862db4..ce8db33b963 100644
--- a/assets/queries/ansible/aws/ami_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/ami_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html",
 "platform": "Ansible",
 "descriptionID": "a4342f08",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json
index 7c001489046..95ed84d76e3 100644
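Review bot: The added `"CWE": ""` in alb_listening_on_http/metadata.json carries no value, so anything downstream that groups or filters findings by CWE gains nothing from it and, if it validates the field, will reject the empty string; a listener on plain HTTP is a clean cleartext-transmission case, so if the field is meant to hold the numeric id this should read `"CWE": "319"` rather than a placeholder. The replacement `+}` line also drops the file's final newline (the old `-}` had one, the new side carries `\ No newline at end of file`), a regression that will resurface as a spurious one-line diff the next time an editor restores it. If the blank value is deliberate, a sentence in the commit description saying the ids are filled in a follow-up, plus a CI check that fails on empty `CWE` values once that lands, would make the intent explicit. Both points apply to every hunk in this commit; they are not repeated below.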
--- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json
+++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html",
 "platform": "Ansible",
 "descriptionID": "2117f1c7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json
index 31a8c30a6c0..7930abe4108 100644
--- a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html",
 "platform": "Ansible",
 "descriptionID": "42fabc16",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
index 2f81747cc5b..0d77961cdb3 100644
--- a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html#ansible-collections-community-aws-cloudwatchlogs-log-group-module",
 "platform": "Ansible",
 "descriptionID": "313709e8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
index 3d43847d877..191bc05ae7b 100644
--- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html",
 "platform": "Ansible",
 "descriptionID": "e7b28671",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json
index b08ce2588a3..d24dc0c4fa8 100644
--- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html",
 "platform": "Ansible",
 "descriptionID": "82608f36",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json b/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
index f343b610d6b..8159297c200 100644
--- a/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn",
 "platform": "Ansible",
 "descriptionID": "8e789062",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
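Review bot: For api_gateway_without_configured_authorizer the empty `"CWE": ""` leaves out a value the query's own name already determines: an API stage with no authorizer is missing authentication on an exposed function, which is CWE-306, so `"CWE": "306"` is the natural entry if the field holds the numeric id. The adjacent api_gateway_without_ssl_certificate hunk keeps a `descriptionUrl` of `https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html`, the only entry on this page still pointing at the pinned 2.8 module docs while every other one uses `latest/collections/community/aws/...`; since this commit rewrites every metadata file anyway, it is the cheapest moment to move that link to the current collection path before it goes dead. Neither point touches query logic; both are metadata that downstream reports surface verbatim.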
diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json
index b920b5ef0c2..b6349e7d7ec 100644
--- a/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html#parameter-tracing_enabled",
 "platform": "Ansible",
 "descriptionID": "57da10ee",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/authentication_without_mfa/metadata.json b/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
index eeb7e7e9b3e..8b91424eb1b 100644
--- a/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
+++ b/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html",
 "platform": "Ansible",
 "descriptionID": "36040ce0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json
index dca1b81bc89..da9571d4a38 100644
--- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json
+++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers",
 "platform": "Ansible",
 "descriptionID": "57b5fbca",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json
index bcde6d9876c..87173d6d32b 100644
--- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json
+++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade",
 "platform": "Ansible",
 "descriptionID": "7734a8b1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
index 670fceba000..2e9ba08a9e4 100644
--- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
+++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "5a7cf92f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json
index 8ef1e4d0ee7..8f0718c7dce 100644
--- a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json
+++ b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_batch_job_definition_module.html",
 "platform": "Ansible",
 "descriptionID": "9683e81a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json
index fefbaad69f4..a272f6f095e 100644
--- a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json
+++ b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-ca_certificate_identifier",
 "platform": "Ansible",
 "descriptionID": "d92aa922",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json
index b84c15527d5..7808be108af 100644
--- a/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json
+++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "c8ae0f38",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/certificate_has_expired/metadata.json b/assets/queries/ansible/aws/certificate_has_expired/metadata.json
index 17a0b4950f5..8d81ce09ea8 100644
--- a/assets/queries/ansible/aws/certificate_has_expired/metadata.json
+++ b/assets/queries/ansible/aws/certificate_has_expired/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html",
 "platform": "Ansible",
 "descriptionID": "3f6a85e8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
index ec600fea522..32f22021ded 100644
--- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
+++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html",
 "platform": "Ansible",
 "descriptionID": "97dc7eba",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
index 7a74e24b33b..9465f68171b 100644
--- a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "1bfc2dfd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index b8080c2abde..e1ce0c74c97 100644
--- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html#parameter-viewer_certificate/minimum_protocol_version",
 "platform": "Ansible",
 "descriptionID": "b0a58f2f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
index a909c6446ea..0266c2a061d 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "7fd7e5c0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
index 94e8a8ebb46..8a4624261f4 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
 "platform": "Ansible",
 "descriptionID": "04302074",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index 278507aa982..5b98c7d61fd 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
 "platform": "Ansible",
 "descriptionID": "d3b81fde",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json
index f90f873542c..31267eda8be 100644
--- a/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-enable_logging",
 "platform": "Ansible",
 "descriptionID": "c29f6786",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json
index baa62d0b795..2293e270f47 100644
--- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-is_multi_region_trail",
 "platform": "Ansible",
 "descriptionID": "8c4873bf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
index d14e07c3f7b..5d97b3c13bd 100644
--- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
 "platform": "Ansible",
 "descriptionID": "fbc987a2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index a15980000d2..70fa0a0c1fb 100644
--- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
 "platform": "Ansible",
 "descriptionID": "de97fa1a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json
index 5d0e6599117..93db0d3a5b5 100644
--- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json
+++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html",
 "platform": "Ansible",
 "descriptionID": "c48a227e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cmk_is_unusable/metadata.json b/assets/queries/ansible/aws/cmk_is_unusable/metadata.json
index 50ceecfbe1c..1c0a9e3d653 100644
--- a/assets/queries/ansible/aws/cmk_is_unusable/metadata.json
+++ b/assets/queries/ansible/aws/cmk_is_unusable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enabled",
 "platform": "Ansible",
 "descriptionID": "cb70e349",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json b/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json
index 400eb895df7..ee818a007a5 100644
--- a/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enable_key_rotation",
 "platform": "Ansible",
 "descriptionID": "177ee908",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json b/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json
index 6290325dc83..06fdabf30bf 100644
--- a/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_codebuild_module.html",
 "platform": "Ansible",
 "descriptionID": "7d51416a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
index 479fe2ab254..82225ef2680 100644
--- a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
+++ b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_aggregator_module.html#parameter-organization_source",
 "platform": "Ansible",
 "descriptionID": "c6e4ac23",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
index 61c6b91a6c0..c9c621c8d15 100644
--- a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
+++ b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_rule_module.html#parameter-source/identifier",
 "platform": "Ansible",
 "descriptionID": "5b434d3f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
index 44a16e3e530..c39bbdb5aef 100644
--- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
+++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_role_module.html#parameter-assume_role_policy_document",
 "platform": "Ansible",
 "descriptionID": "54f0a7dd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
index eb259b24bed..73f3d7c0e6b 100644
--- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "575cc1f4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json
index 8d11beedfcf..ee75cc5283a 100644
--- a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json
+++ b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module",
 "platform": "Ansible",
 "descriptionID": "c7f9cb9f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
index b20d3cfa30b..966cddc1b3f 100644
--- a/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "47a14ee4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index f6546aa04be..4add33f0861 100644
--- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "6fd8f0e1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
index a77bf3a070b..5565b529c51 100644
--- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
+++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
 "platform": "Ansible",
 "descriptionID": "06f72385",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json
index 424f445b060..a214121b40d 100644
--- a/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json
+++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "506f9dd8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json
index 11ca4f2dd04..aa0e8d03b85 100644
--- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json
+++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-assign_public_ip",
 "platform": "Ansible",
 "descriptionID": "f32c5d88",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json
index 92a2f450b8e..e1d9192484e 100644
--- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json
+++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-group",
 "platform": "Ansible",
 "descriptionID": "cc323109",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json
index 04ef4b4cc8c..3f7a634754a 100644
--- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json
+++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-vpc_subnet_id",
 "platform": "Ansible",
 "descriptionID": "701b1c92",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
index b94c619cc2b..7aa7cb9f423 100644
--- a/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-ebs_optimized",
 "platform": "Ansible",
 "descriptionID": "a99c1fe0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json
index 82a1946b417..054533550fd 100644
--- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html",
 "platform": "Ansible",
 "descriptionID": "a9bdce24",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json
index 4b8714ee1bd..5c41010283c 100644
--- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html#parameter-policy",
 "platform": "Ansible",
 "descriptionID": "060d624f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
index 742fa569d4f..6a2a921f470 100644
--- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html",
 "platform": "Ansible",
 "descriptionID": "32e74c18",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json b/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json
index 0c426551c1e..532a1ff75af 100644
--- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json
+++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html#ansible-collections-community-aws-ecs-service-module",
 "platform": "Ansible",
 "descriptionID": "dce30fcb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index 3043e4b57b6..97cf3add06e 100644
--- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode",
 "platform": "Ansible",
 "descriptionID": "5424397d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
index eceb062a0f3..28b578d5bbf 100644
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_environment",
 "platform": "Ansible",
 "descriptionID": "a6c6fa9c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/efs_not_encrypted/metadata.json b/assets/queries/ansible/aws/efs_not_encrypted/metadata.json
index 680ed23a0e6..281f937a7dc 100644
--- a/assets/queries/ansible/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/efs_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-encrypt",
 "platform": "Ansible",
 "descriptionID": "f4c8801c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/efs_without_kms/metadata.json b/assets/queries/ansible/aws/efs_without_kms/metadata.json
index 2ae721665ea..83e5c88e5d4 100644
--- a/assets/queries/ansible/aws/efs_without_kms/metadata.json
+++ b/assets/queries/ansible/aws/efs_without_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
 "platform": "Ansible",
 "descriptionID": "a01870d5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/efs_without_tags/metadata.json b/assets/queries/ansible/aws/efs_without_tags/metadata.json
index b8a7955250e..c1a3861fd8b 100644
--- a/assets/queries/ansible/aws/efs_without_tags/metadata.json
+++ b/assets/queries/ansible/aws/efs_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html",
 "platform": "Ansible",
 "descriptionID": "1e03284b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json b/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json
index b2417c76ae4..b9b0ca55dbd 100644
--- a/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json
+++ b/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_port",
 "platform": "Ansible",
 "descriptionID": "be73fca3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json b/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json
index 95fd4d84bca..ff81ab00dc2 100644
--- a/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json
+++ b/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_subnet_group",
 "platform": "Ansible",
 "descriptionID": "c9bde487",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json
index 9e9cb755096..62f9476038b 100644
--- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "d6c2d06f-43c1-488a-9ba1-8d75b40fc62d",
- "queryName": "Elasticsearch with HTTPS disabled",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.",
- "descriptionUrl": "https://docs.ansible.com/ansible/devel/collections/community/aws/opensearch_module.html",
- "platform": "Ansible",
- "descriptionID": "4beff10d",
- "cloudProvider": "aws"
- }
- 
\ No newline at end of file
+ "id": "d6c2d06f-43c1-488a-9ba1-8d75b40fc62d",
+ "queryName": "Elasticsearch with HTTPS disabled",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.",
+ "descriptionUrl": "https://docs.ansible.com/ansible/devel/collections/community/aws/opensearch_module.html",
+ "platform": "Ansible",
+ "descriptionID": "4beff10d",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json
index 1ed7cf2ff2e..a45c9be3a87 100644
--- a/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json
+++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html",
 "platform": "Ansible",
 "descriptionID": "8a2e6f3b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json
index 44fd6e94e9f..f7206cc6949 100644
--- a/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html",
 "platform": "Ansible",
 "descriptionID": "ab5b4a0b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
index c987346effd..a3603dbf03a 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "d764256e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 22297c51666..5b1a4b453fb 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
 "platform": "Ansible",
 "descriptionID": "fc78f6de",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json b/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
index 1332cd2ebba..7938556d1b8 100644
--- a/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
+++ b/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module",
 "platform": "Ansible",
 "descriptionID": "8c6031b8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json
index b97d2636159..8d5b468b64b 100644
--- a/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json
+++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html",
 "platform": "Ansible",
 "descriptionID": "d8bc01a5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
index c9062e59bcb..c59a1008205 100644
--- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
+++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "952e08fc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_group_without_users/metadata.json b/assets/queries/ansible/aws/iam_group_without_users/metadata.json
index 184bf733d44..dee97f10907 100644
--- a/assets/queries/ansible/aws/iam_group_without_users/metadata.json
+++ b/assets/queries/ansible/aws/iam_group_without_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_group_module.html",
 "platform": "Ansible",
 "descriptionID": "082a1e01",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json
index 18a42f0de5a..099aca96993 100644
--- a/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "e229f4bd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json
index 7d1b68344fd..9accc5f09b0 100644
--- a/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "b1066765",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_number/metadata.json b/assets/queries/ansible/aws/iam_password_without_number/metadata.json
index 88eda94101c..05fcb056c29 100644
--- a/assets/queries/ansible/aws/iam_password_without_number/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_number/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "c4ca592e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json
index 90813ed27af..1ee291acaa7 100644
--- a/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "ab3484ee",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json b/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json
index 8389e5ed076..3643c0e3084 100644
--- a/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json
+++ b/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "cd4d500d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
index b16d51ac6b5..76d4ed29fe7 100644
--- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "3827a620",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
index e3299f0444a..dcd869ea030 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "860cc010",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
index cdca61d90fd..da42f182a6a 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "97b2a82d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
index a1ab37bc48e..876bce1f327 100644
--- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "58219ae0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json b/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
index 13e0be92697..f42586972d6 100644
--- a/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html",
 "platform": "Ansible",
 "descriptionID": "27754eca",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
index 8c058e25ded..21f5f887bd9 100644
--- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html",
 "platform": "Ansible",
 "descriptionID": "017319a7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json
index f7b5e54cde3..227c07f4474 100644
--- a/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json
+++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html",
 "platform": "Ansible",
 "descriptionID": "a1f47164",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json b/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json
index fd863f496c5..9ddf14a5e4d 100644
--- a/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json
+++ b/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
 "platform": "Ansible",
 "descriptionID": "45d5ac61",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json
index 876cf6a7e16..244c34ebbc3 100644
--- a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json
+++ b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
 "platform": "Ansible",
 "descriptionID": "bff4deb9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json
index 26b4da58fed..3c4036e9905 100644
--- a/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json
+++ b/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "9f8d2402",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json
index 855743530c3..239a199bff6 100644
--- a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json
+++ b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "1740275a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json
index c62fee995e8..6eb1a1018e4 100644
--- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
 "platform": "Ansible",
 "descriptionID": "57b9aee0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/memcached_disabled/metadata.json b/assets/queries/ansible/aws/memcached_disabled/metadata.json
index 5e5616525e7..6cf9906ad3b 100644
--- a/assets/queries/ansible/aws/memcached_disabled/metadata.json
+++ b/assets/queries/ansible/aws/memcached_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine",
 "platform": "Ansible",
 "descriptionID": "1ff6d082",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json
index 06274069f50..e980a0b1ccc 100644
--- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json
+++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "80db60d5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/no_stack_policy/metadata.json b/assets/queries/ansible/aws/no_stack_policy/metadata.json
index 4df75bfd504..37da0686920 100644
--- a/assets/queries/ansible/aws/no_stack_policy/metadata.json
+++ b/assets/queries/ansible/aws/no_stack_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html",
 "platform": "Ansible",
 "descriptionID": "327969ac",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json b/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json
index 34178fcb506..839754e2cae 100644
--- a/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json
+++ b/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html#parameter-pw_reuse_prevent",
 "platform": "Ansible",
 "descriptionID": "ad12d750",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json b/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json
index b28aa2e0119..869ca8e3ddd 100644
--- a/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json
+++ b/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/2.4/lambda_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "50e0d3f5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/public_port_wide/metadata.json b/assets/queries/ansible/aws/public_port_wide/metadata.json
index 77324a04b29..fdda341840c 100644
--- a/assets/queries/ansible/aws/public_port_wide/metadata.json
+++ b/assets/queries/ansible/aws/public_port_wide/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "be17d13e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json b/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json
index 4605f07f500..06540616b59 100644
--- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json
+++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-db_subnet_group_name",
 "platform": "Ansible",
 "descriptionID": "89ed6e35",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json
index 872cf9b4861..578ed0e38d0 100644
--- a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade",
 "platform": "Ansible",
 "descriptionID": "e1b53fb6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_using_default_port/metadata.json b/assets/queries/ansible/aws/rds_using_default_port/metadata.json
index 9d1b2fd5925..de18ae7f57c 100644
--- a/assets/queries/ansible/aws/rds_using_default_port/metadata.json
+++ b/assets/queries/ansible/aws/rds_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-port",
 "platform": "Ansible",
 "descriptionID": "4e928197",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json b/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
index ddcfbdb9f3b..d9d5ad35382 100644
--- a/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period",
 "platform": "Ansible",
 "descriptionID": "51f94eee",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redis_not_compliant/metadata.json b/assets/queries/ansible/aws/redis_not_compliant/metadata.json
index c874a6c7804..1052045bb0c 100644
--- a/assets/queries/ansible/aws/redis_not_compliant/metadata.json
+++ b/assets/queries/ansible/aws/redis_not_compliant/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_engine_version",
 "platform": "Ansible",
 "descriptionID": "99b5ec71",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json b/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json
index bf1abb1fca8..9eb8ac199ac 100644
--- a/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted",
 "platform": "Ansible",
 "descriptionID": "85cddbf3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json b/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json
index 4fec1247ac2..7a64185182d 100644
--- a/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html",
 "platform": "Ansible",
 "descriptionID": "ffdc02cc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redshift_using_default_port/metadata.json b/assets/queries/ansible/aws/redshift_using_default_port/metadata.json
index 84ba23ba731..d75a1940a9f 100644
--- a/assets/queries/ansible/aws/redshift_using_default_port/metadata.json
+++ b/assets/queries/ansible/aws/redshift_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html#parameter-port",
 "platform": "Ansible",
 "descriptionID": "64fe28a7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json b/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json
index 7bcdeefbc05..17c3abd3c52 100644
--- a/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json
+++ b/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module",
 "platform": "Ansible",
 "descriptionID": "d644276b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json
index d9909f0b9ac..3c6e01d9e39 100644
--- a/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html",
 "platform": "Ansible",
 "descriptionID": "6cd5514d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/route53_record_undefined/metadata.json b/assets/queries/ansible/aws/route53_record_undefined/metadata.json
index 46557c8d95b..bb8028908b5 100644
--- a/assets/queries/ansible/aws/route53_record_undefined/metadata.json
+++ b/assets/queries/ansible/aws/route53_record_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/route53_module.html#parameter-value",
 "platform": "Ansible",
 "descriptionID": "2b699de7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json
index b867b141ad0..27470bf9d48 100644
--- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#ansible-collections-amazon-aws-s3-bucket-module",
 "platform": "Ansible",
 "descriptionID": "25111d64",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
index a965c0fa9af..17917eeb9e9 100644
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
 "platform": "Ansible",
 "descriptionID": "446af0d8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
index 47a45752e2d..2beb1d4810a 100644
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
 "platform": "Ansible",
 "descriptionID": "e9e4ca47",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
index adec66726e5..e0d88185d36 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "7c11444e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
index b187d4b868e..0c3df13b994 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "de0687eb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
index f0ae224fa25..deb510beb0e 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "8232deb2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
index 4ab3918092d..e759279f971 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "772b17ca",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
index 59baf204543..97a73f29537 100644
--- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs",
 "platform": "Ansible",
 "descriptionID": "2b508aee",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
index 5c425fbb4ca..cbf30976661 100644
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id",
 "platform": "Ansible",
 "descriptionID": "4008dca4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json
index adb7aae5f6a..6b9db38a1b9 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-policy",
 "platform": "Ansible",
 "descriptionID": "21fc95f2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json b/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json
index cb94bcfb80f..bf7c9f06c8f 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
 "platform": "Ansible",
 "descriptionID": "d7a19b7e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
index afe24028cba..ea54843ea4a 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_s3_cors_module.html#parameter-rules",
 "platform": "Ansible",
 "descriptionID": "c700f52b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json
index cf25282d066..86b40a6915c 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "c0dc5aae",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
index 5cb15f584e9..969279773fe 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning",
 "platform": "Ansible",
 "descriptionID": "622e4c8e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json b/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json
index 73165a1f12f..1c273f691a1 100644
--- a/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json
+++ b/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "bc106b2e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json
index 08fecf883d2..acacdef9202 100644
--- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json
+++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "7e47368a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
index 9092a332dc5..b739c147b97 100644
--- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "ea2f2c57",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json
index e013a20405a..7f457c1724a 100644
--- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json
+++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ses_identity_policy_module.html#parameter-policy",
 "platform": "Ansible",
 "descriptionID": "89d6e6fd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json
index e6c992dd090..df659f5158c 100644
--- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html",
 "platform": "Ansible",
 "descriptionID": "956322cf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
index e31ba266268..8ec93677f60 100644
--- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "69176b78",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json
index c8a6649aafa..634f0ad1095 100644
--- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json
+++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html",
 "platform": "Ansible",
 "descriptionID": "7e78a2e9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
index 414f7d47a5c..8a3fba94616 100644
--- a/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html",
 "platform": "Ansible",
 "descriptionID": "dd40b568",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json b/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json
index 5c479cce6cc..7187f874b69 100644
--- a/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json
+++ b/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#parameter-policy",
 "platform": "Ansible",
 "descriptionID": "a835b707",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
index 2872f5d8bce..b93321fd55e 100644
--- a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",
 "platform": "Ansible",
 "descriptionID": "7825cf30",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json b/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
index 74e8bc6e445..11d59b06f9b 100644
--- a/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns",
 "platform": "Ansible",
 "descriptionID": "59f8905d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/stack_retention_disabled/metadata.json b/assets/queries/ansible/aws/stack_retention_disabled/metadata.json
index 796406e8afd..994aa335168 100644
--- a/assets/queries/ansible/aws/stack_retention_disabled/metadata.json
+++ b/assets/queries/ansible/aws/stack_retention_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudformation_stack_set_module.html#parameter-purge_stacks",
 "platform": "Ansible",
 "descriptionID": "78d78b74",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/stack_without_template/metadata.json b/assets/queries/ansible/aws/stack_without_template/metadata.json
index 3b321f4bbd8..05f4e69c748 100644
--- a/assets/queries/ansible/aws/stack_without_template/metadata.json
+++ b/assets/queries/ansible/aws/stack_without_template/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html",
 "platform": "Ansible",
 "descriptionID": "de8347bd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json
index 9225d0a4af7..3f2db0ba926 100644
--- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json
+++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "f6437a28",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json b/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json
index b3f27340681..0b57439db1d 100644
--- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json
+++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "015995bb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
index e73e9196832..51a19bcae30 100644
--- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
 "platform": "Ansible",
 "descriptionID": "45cb51c3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
index cb87b743a6e..5339fb15a1f 100644
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
 "platform": "Ansible",
 "descriptionID": "062f28ff",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json
index 3cb84e5279b..505ba90d3e8 100644
--- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "5dd1ca8b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json
index 8101de3d455..5ad88736bb4 100644
--- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json
+++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "324e63d7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
index 57fefb6e03d..a69873143df 100644
--- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
+++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user",
 "platform": "Ansible",
 "descriptionID": "afa96f09",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json
index ee7f9affb86..28fc9656d6c 100644
--- a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json
+++ b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_containerregistry_module.html",
 "platform": "Ansible",
 "descriptionID": "d8ca5381",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json
index ff31f05b2af..8961dccb439 100644
--- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json
+++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html",
 "platform": "Ansible",
 "descriptionID": "6d8d362e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
index b49c65f969b..e682f7aec7b 100644
--- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
+++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html#parameter-network_profile/network_policy",
 "platform": "Ansible",
 "descriptionID": "75bbf826",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json b/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json
index 92944aee8af..3f1c21141dc 100644
--- a/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json
+++ b/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html",
 "platform": "Ansible",
 "descriptionID": "16276251",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
index 6793022e3f1..10e481bc824 100644
--- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
+++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html",
 "platform": "Ansible",
 "descriptionID": "7489a85f",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json
index cb8fb726e9b..4b9db106941 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-linux_config/disable_password_authentication",
 "platform": "Ansible",
 "descriptionID": "e2d834b7",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
index 698ebf500fd..38095f3b07c 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html#parameter-ip_range_filter",
 "platform": "Ansible",
 "descriptionID": "7cb8bdbe",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json b/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json
index 948e2cb0726..b80286e9994 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html",
 "platform": "Ansible",
 "descriptionID": "8469d3ac",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
index a8f667b5eeb..b630030f647 100644
--- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
+++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-public_network_access",
 "platform": "Ansible",
 "descriptionID": "ca4df748",
- "cloudProvider": "azure"
+ "cloudProvider": "azure",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
index 8e344ce3c60..013437babd5 100644
--- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
+++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html",
 "platform": "Ansible",
 "descriptionID": "99f14985",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json
index 1803de77748..a262d8e0d6c 100644
--- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json
+++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete",
 "platform": "Ansible",
 "descriptionID": "ca1a9cde",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json b/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json
index 6c5b7b7b6d8..7d4628f218c 100644
--- a/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json
+++ b/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
 "platform": "Ansible",
 "descriptionID": "bf371036",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json
index 914ebaa5184..9f8e11376b7 100644
--- a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json
+++ b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html",
 "platform": "Ansible",
 "descriptionID": "cb93f630",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json
index 9a3cc102333..d6a6c6ae42c 100644
--- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json
+++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_mysqlserver_module.html",
 "platform": "Ansible",
 "descriptionID": "9709164b",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json b/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json
index 5ef33dd3146..7b2ee1b03ea 100644
--- a/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
 "platform": "Ansible",
 "descriptionID": "ddcfea46",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json b/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json
index f8218f840d7..bb8ae3cc16b 100644
--- a/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
 "platform": "Ansible",
 "descriptionID": "774a65e4",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json b/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json
index dbcbb274c20..d30961a7381 100644
--- a/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
 "platform": "Ansible",
 "descriptionID": "a30f009d",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json b/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json
index 510d4da4a1a..227d096e408 100644
--- a/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
 "platform": "Ansible",
 "descriptionID": "47504c54",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
index 9619fab3425..f2af790dd22 100644
--- a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
+++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
 "platform": "Ansible",
 "descriptionID": "8d159e5e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/public_storage_account/metadata.json b/assets/queries/ansible/azure/public_storage_account/metadata.json
index 1b424dc9260..5cd7f51409f 100644
--- a/assets/queries/ansible/azure/public_storage_account/metadata.json
+++ b/assets/queries/ansible/azure/public_storage_account/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls",
 "platform": "Ansible",
 "descriptionID": "78d2c5b3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 4d06f0a94d8..47c23bb874e 100644
--- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
 "platform": "Ansible",
 "descriptionID": "31e56819",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json b/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
index b89a38883b6..8cf4357dba3 100644
--- a/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
+++ b/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address",
 "platform": "Ansible",
 "descriptionID": "30a0bdeb",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json b/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json
index d265017905f..e381d1abca6 100644
--- a/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address",
 "platform": "Ansible",
 "descriptionID": "140392b3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json
index d85824d5437..eff59f179c4 100644
--- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json
+++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_roledefinition_module.html#parameter-permissions/actions",
 "platform": "Ansible",
 "descriptionID": "6296166a",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json b/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json
index 4682f64a4c9..7b3a30b4955 100644
--- a/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json
+++ b/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_subnet_module.html",
 "platform": "Ansible",
 "descriptionID": "381f57a0",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json b/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json
index cfc5cd6b3bf..a294d74c868 100644
--- a/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json
+++ b/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html",
 "platform": "Ansible",
 "descriptionID": "5bad8aed",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json
index 371712aea02..cd492532550 100644
--- a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json
+++ b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html",
 "platform": "Ansible",
 "descriptionID": "ea086cca",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
index 35ed89cef87..ada11caf927 100644
--- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
+++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_adserviceprincipal_module.html",
 "platform": "Ansible",
 "descriptionID": "f9f40edb",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json
index 4c8b97da8cc..02dcd788aa2 100644
--- a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json
+++ b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html",
 "platform": "Ansible",
 "descriptionID": "8526646e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json
index 964ba9afb91..15593f863e9 100644
--- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json
+++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlserver_module.html#parameter-enforce_ssl",
 "platform": "Ansible",
 "descriptionID": "b4bcb2d1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
index 4d57e3a1a0f..49d6d7eac4c 100644
--- a/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
+++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-https_only",
 "platform": "Ansible",
 "descriptionID": "bc830876",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
index a2663a868cc..9be4c3b8029 100644
--- a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-minimum_tls_version",
 "platform": "Ansible",
 "descriptionID": "f050a4f3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
index a89e780058f..bcca750472d 100644
--- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access",
 "platform": "Ansible",
 "descriptionID": "30144827",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
index d5d95e1a0df..98f9b4fd2d8 100644
--- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass",
 "platform": "Ansible",
 "descriptionID": "e86db9c1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
index 2f4174bddbe..2893079c4a4 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html",
 "platform": "Ansible",
 "descriptionID": "03235d5d",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json b/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json
index 378e007988f..1cdb77fc6e0 100644
--- a/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json
+++ b/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-network_interface_names",
 "platform": "Ansible",
 "descriptionID": "33a5e5ec",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
index a9f0afb30af..ad2f36d3263 100644
--- a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
+++ b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_appgateway_module.html",
 "platform": "Ansible",
 "descriptionID": "eda7b816",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json
index 883c1149b01..1e5799ea60f 100644
--- a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json
+++ b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_webapp_module.html#parameter-https_only",
 "platform": "Ansible",
 "descriptionID": "c518b2f2",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
index c3fc4d243dd..e4e9c5ff0da 100644
--- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "86b97bb4-85c9-462d-8635-cbc057c5c8c5",
- "queryName": "Allow Unsafe Lookups Enabled",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'.",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-allow-unsafe-lookups",
- "platform": "Ansible",
- "descriptionID": "0d491461",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "86b97bb4-85c9-462d-8635-cbc057c5c8c5",
+ "queryName": "Allow Unsafe Lookups Enabled",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'.",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-allow-unsafe-lookups",
+ "platform": "Ansible",
+ "descriptionID": "0d491461",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/config/communication_over_http/metadata.json b/assets/queries/ansible/config/communication_over_http/metadata.json
index ee06ad1e7a2..ede9126d7c0 100644
--- a/assets/queries/ansible/config/communication_over_http/metadata.json
+++ b/assets/queries/ansible/config/communication_over_http/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "d7dc9350-74bc-485b-8c85-fed22d276c43",
- "queryName": "Communication over HTTP",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/httpapi.html",
- "platform": "Ansible",
- "descriptionID": "8c03b0c0",
- "cloudProvider": "common"
-}
+ "id": "d7dc9350-74bc-485b-8c85-fed22d276c43",
+ "queryName": "Communication over HTTP",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/httpapi.html",
+ "platform": "Ansible",
+ "descriptionID": "8c03b0c0",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json
index 0510840411b..72ae35c670b 100644
--- a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json
+++ b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "c6473dae-8477-4119-88b7-b909b435ce7b",
- "queryName": "Logging of Sensitive Data",
- "severity": "LOW",
- "category": "Best Practices",
- "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log",
- "platform": "Ansible",
- "descriptionID": "0eca35f3",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "c6473dae-8477-4119-88b7-b909b435ce7b",
+ "queryName": "Logging of Sensitive Data",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log",
+ "platform": "Ansible",
+ "descriptionID": "0eca35f3",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json
index 8cccef5911b..d2fcaadebc8 100644
--- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json
+++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "404908b6-4954-4611-98f0-e8ceacdabcb1",
- "queryName": "Privilege Escalation Using Become Plugin",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/become.html",
- "platform": "Ansible",
- "descriptionID": "00396668",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "404908b6-4954-4611-98f0-e8ceacdabcb1",
+ "queryName": "Privilege Escalation Using Become Plugin",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/become.html",
+ "platform": "Ansible",
+ "descriptionID": "00396668",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json b/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json
index 193bf23956c..66ab095d2d8 100644
--- a/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json
+++ b/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_bigquery_dataset_module.html#parameter-access/special_group",
 "platform": "Ansible",
 "descriptionID": "72ba0b75",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json b/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json
index 165d6743c4c..0b25091fe8b 100644
--- a/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "53a8ab26",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json
index 0131d2a36ed..b0141be5b7b 100644
--- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/state",
 "platform": "Ansible",
 "descriptionID": "1797efc5",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json
index 5608393b93d..0efe0763a8c 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "b1a5b8f0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json
index dbade6b5f41..b83d65ff9c4 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "2a2f1164",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
index 3badc55532d..13d06d92868 100644
--- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "bdebc5b5",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index 413e63a1bc6..2fa0e9fa8b1 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging",
 "platform": "Ansible",
 "descriptionID": "ba5af65f",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index 810fe6a351b..e298b862aef 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-versioning",
 "platform": "Ansible",
 "descriptionID": "2d791672",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json b/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json
index 3bc70d6478c..096c44efea3 100644
--- a/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "dc1b3288",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json
index 8230baade85..148e6026c62 100644
--- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "6452ea1e",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json
index ef255d64f95..da28c93b8f0 100644
--- a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-network_interfaces/access_configs",
 "platform": "Ansible",
 "descriptionID": "ef20d5fb",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json b/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
index ec15a5dcbd5..64c91fc3b9f 100644
--- a/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type",
 "platform": "Ansible",
 "descriptionID": "1bcc90d0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json b/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json
index 131a47c74eb..90356fc6095 100644
--- a/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_disk_module.html",
 "platform": "Ansible",
 "descriptionID": "1272593c",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json b/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json
index cc1e1784aa8..4cfe5ad56fd 100644
--- a/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json
+++ b/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/defaultKeySpecs/algorithm",
 "platform": "Ansible",
 "descriptionID": "e6a4b99b",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json
index 4b6f6fdbec1..24dfccf9f77 100644
--- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "d49df828",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json
index 32e7ba98658..cf7fc53efa5 100644
--- a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "f26d0d51",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json
index e6a8e2350d1..27e530c389a 100644
--- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-master_authorized_networks_config/enabled",
 "platform": "Ansible",
 "descriptionID": "67294baa",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json b/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json
index 7ecb1c662a4..f83201634dc 100644
--- a/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json
+++ b/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-node_config/service_account",
 "platform": "Ansible",
 "descriptionID": "d6e87258",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json
index 037dc3035c5..a7541308b5a 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-name",
 "platform": "Ansible",
 "descriptionID": "1c9178bb",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json
index 324d7ede215..b6833f7b71e 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed",
 "platform": "Ansible",
 "descriptionID": "2b7880b0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
index accfc53659a..b4651c3c303 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed",
 "platform": "Ansible",
 "descriptionID": "da7c0346",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
index 61cb6ac2aee..ac3b2364049 100644
--- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_ssl_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "bb785f44",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
index 1f65b5966bd..b430b13f01c 100644
--- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access",
 "platform": "Ansible",
 "descriptionID": "f5dece39",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index a3ce6845090..c7dab059979 100644
--- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html",
 "platform": "Ansible",
 "descriptionID": "14cf26ed",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
index f66baa6aeae..6ae19590614 100644
--- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
+++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
 "platform": "Ansible",
 "descriptionID": "9072f426",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json
index 22a4694d99e..a1b244cdada 100644
--- a/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "a4ad3884",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json b/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json
index e939790f88b..ac5b606e0c6 100644
--- a/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "bd405766",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json
index 02ad1f343a4..e75086f3072 100644
--- a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json
+++ b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "16bc53a4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/network_policy_disabled/metadata.json b/assets/queries/ansible/gcp/network_policy_disabled/metadata.json
index d6b2a54b632..abe87e843f1 100644
--- a/assets/queries/ansible/gcp/network_policy_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/network_policy_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "6fc9b7a0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json
index 4958659c3fa..2ac8f5ce671 100644
--- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-management/auto_upgrade",
 "platform": "Ansible",
 "descriptionID": "4b200606",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json
index f01185c56e1..30946c780c4 100644
--- a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json
+++ b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "2cc130e4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json
index 202b4484f96..b8034fd5f07 100644
--- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "4cdc64c3",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json
index 123bb1dd198..4a7185ef20e 100644
--- a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "f22853f8",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json
index 6a3a449931b..104c53d6b85 100644
--- a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "764f0b06",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json
index 50ce81140b0..7ed9dfc881d 100644
--- a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "339b0278",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json
index b9d03f7d29a..381e040c9f5 100644
--- a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags",
 "platform": "Ansible",
 "descriptionID": "17fbbbd2",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json b/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json
index 8b4eebee831..e4e87dd18d1 100644
--- a/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "7b4c3b32",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
index 582e883371e..bb3ef5d599e 100644
--- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
+++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "bf6076f0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
index 1ea4af954d8..b03be095cae 100644
--- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
 "platform": "Ansible",
 "descriptionID": "23f68cd6",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
index deac7ec96b4..4173a6fee16 100644
--- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
+++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "7f8ab7a4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json b/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json
index 6e881d56ea7..ab795639dd6 100644
--- a/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "096b3fbe",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json
index 874d62b989c..07562d7b451 100644
--- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/backup_configuration/enabled",
 "platform": "Ansible",
 "descriptionID": "006274d4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json
index a0b875c59e0..053fd323bce 100644
--- a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "c1bb13ce",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index e43217ee4ca..36dc69a449c 100644
--- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/ip_configuration/require_ssl",
 "platform": "Ansible",
 "descriptionID": "50bb06d6",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
index 16f66ee3471..7b1e0a33164 100644
--- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
 "platform": "Ansible",
 "descriptionID": "1b0564ad",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json
index 3ec8e469bdf..3b7f824cc03 100644
--- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "aad4eec4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json
index ed736d10fb9..ae30370e236 100644
--- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html",
 "platform": "Ansible",
 "descriptionID": "212e4955",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/using_default_service_account/metadata.json b/assets/queries/ansible/gcp/using_default_service_account/metadata.json
index 3587520b9da..c25e4d103b7 100644
--- a/assets/queries/ansible/gcp/using_default_service_account/metadata.json
+++ b/assets/queries/ansible/gcp/using_default_service_account/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "a5896260",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json b/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json
index 8c1e8dee09b..1ab3e9acf5e 100644
--- a/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json
+++ b/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-service_accounts/scopes",
 "platform": "Ansible",
 "descriptionID": "5eba6fad",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/communication_over_http/metadata.json b/assets/queries/ansible/general/communication_over_http/metadata.json
index 1b1f54c6b8a..f9bcdedd9db 100644
--- a/assets/queries/ansible/general/communication_over_http/metadata.json
+++ b/assets/queries/ansible/general/communication_over_http/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "2e8d4922-8362-4606-8c14-aa10466a1ce3",
- "queryName": "Communication Over HTTP",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html#parameter-url",
- "platform": "Ansible",
- "descriptionID": "04892b9b",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "2e8d4922-8362-4606-8c14-aa10466a1ce3",
+ "queryName": "Communication Over HTTP",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html#parameter-url",
+ "platform": "Ansible",
+ "descriptionID": "04892b9b",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json
index f517f45b9b0..d21ec625cbd 100644
--- a/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json
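Review bot: The `"CWE": ""` added to communication_over_http/metadata.json leaves the new field empty even though this query has an unambiguous weakness mapping — plain-HTTP transport is CWE-319 (Cleartext Transmission of Sensitive Information). An empty string is indistinguishable from "unmapped" to anything that serializes this metadata into reports or filters findings by CWE, and it will be emitted as a literal empty value rather than being absent. Either populate it now, e.g. `"CWE": "319"`, or leave the key out until the mapping is done, whichever the metadata schema expects. I can't see the schema or the loader from this hunk, so confirm the expected format (bare number vs `CWE-319`) before filling it in.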
+++ b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "8d22ae91-6ac1-459f-95be-d37bd373f244",
- "queryName": "Insecure Relative Path Resolution",
- "severity": "LOW",
- "category": "Best Practices",
- "descriptionText": "Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.",
- "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/",
- "platform": "Ansible",
- "descriptionID": "84ea91c8",
- "cloudProvider": "common"
-}
+ "id": "8d22ae91-6ac1-459f-95be-d37bd373f244",
+ "queryName": "Insecure Relative Path Resolution",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/",
+ "platform": "Ansible",
+ "descriptionID": "84ea91c8",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
index cdba736fa5c..446875e9298 100644
--- a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
+++ b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "59029ddf-e651-412b-ae7b-ff6d403184bc",
- "queryName": "Logging of Sensitive Data",
- "severity": "LOW",
- "category": "Best Practices",
- "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
- "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-log-password/",
- "platform": "Ansible",
- "descriptionID": "a700e724",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "59029ddf-e651-412b-ae7b-ff6d403184bc",
+ "queryName": "Logging of Sensitive Data",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-log-password/",
+ "platform": "Ansible",
+ "descriptionID": "a700e724",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
index a2654f1389a..a2daa37b09b 100644
--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
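Review bot: The new `"CWE": ""` in logging_of_sensitive_data/metadata.json is a placeholder for a query whose mapping is well established — secrets written to task output because `no_log` is not set is CWE-532 (Insertion of Sensitive Information into Log File). Shipping an empty string here means any consumer that keys on CWE (report rendering, policy filters, SARIF export) will treat this finding as unclassified while still seeing a CWE property present. Suggest `"CWE": "532"` in whatever format the rest of the catalog adopts; the loader and schema are not visible in this hunk, so confirm the project's convention (numeric vs `CWE-` prefixed) before committing to a format.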
@@ -1,12 +1,12 @@
 {
- "id": "0e75052f-cc02-41b8-ac39-a78017527e95",
- "queryName": "Privilege Escalation Using Become Plugin",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
- "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code",
- "platform": "Ansible",
- "descriptionID": "11502e38",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "0e75052f-cc02-41b8-ac39-a78017527e95",
+ "queryName": "Privilege Escalation Using Become Plugin",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code",
+ "platform": "Ansible",
+ "descriptionID": "11502e38",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/risky_file_permissions/metadata.json b/assets/queries/ansible/general/risky_file_permissions/metadata.json
index bc5741d4e0f..b6a75036edb 100644
--- a/assets/queries/ansible/general/risky_file_permissions/metadata.json
+++ b/assets/queries/ansible/general/risky_file_permissions/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "88841d5c-d22d-4b7e-a6a0-89ca50e44b9f",
- "queryName": "Risky File Permissions",
- "severity": "INFO",
- "category": "Supply-Chain",
- "descriptionText": "Some modules could end up creating new files on disk with permissions that might be too open or unpredictable",
- "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/risky-file-permissions/",
- "platform": "Ansible",
- "descriptionID": "1f0e1485",
- "cloudProvider": "common"
- }
\ No newline at end of file
+ "id": "88841d5c-d22d-4b7e-a6a0-89ca50e44b9f",
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "category": "Supply-Chain",
+ "descriptionText": "Some modules could end up creating new files on disk with permissions that might be too open or unpredictable",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/risky-file-permissions/",
+ "platform": "Ansible",
+ "descriptionID": "1f0e1485",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/general/unpinned_package_version/metadata.json b/assets/queries/ansible/general/unpinned_package_version/metadata.json
index ff87c4e7fe4..b9d7ccad716 100644
--- a/assets/queries/ansible/general/unpinned_package_version/metadata.json
+++ b/assets/queries/ansible/general/unpinned_package_version/metadata.json
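Review bot: risky_file_permissions/metadata.json gains `"CWE": ""` although its own descriptionText ("permissions that might be too open or unpredictable") maps directly to CWE-732 (Incorrect Permission Assignment for Critical Resource), so the field could be populated in the same change rather than left as a placeholder. An empty value is worse than no key for consumers that distinguish "present but blank" from "absent", because it looks like a deliberate classification. Suggest `"CWE": "732"`, subject to whatever format the project's metadata schema expects, which is not visible in this hunk. Unrelated to this change but worth a follow-up: the pre-existing `"category": "Supply-Chain"` on a file-permission check sits oddly next to the Access Control category used by the become query in the previous hunk.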
@@ -1,12 +1,12 @@
 {
- "id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8",
- "queryName": "Unpinned Package Version",
- "severity": "LOW",
- "category": "Supply-Chain",
- "descriptionText": "Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service",
- "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/package-latest/",
- "platform": "Ansible",
- "descriptionID": "43e877b3",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8",
+ "queryName": "Unpinned Package Version",
+ "severity": "LOW",
+ "category": "Supply-Chain",
+ "descriptionText": "Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service",
+ "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/package-latest/",
+ "platform": "Ansible",
+ "descriptionID": "43e877b3",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json
index 682d942ff44..adec50d6188 100644
--- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json
+++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc",
- "queryName": "Ansible Tower Exposed To Internet",
- "severity": "MEDIUM",
- "category": "Best Practices",
- "descriptionText": "Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment",
- "descriptionUrl": "https://docs.ansible.com/ansible-tower/latest/html/administration/security_best_practices.html#understand-the-architecture-of-ansible-and-tower",
- "platform": "Ansible",
- "cloudProvider": "common",
- "descriptionID": "657a8b1d"
- }
- 
\ No newline at end of file
+ "id": "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc",
+ "queryName": "Ansible Tower Exposed To Internet",
+ "severity": "MEDIUM",
+ "category": "Best Practices",
+ "descriptionText": "Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment",
+ "descriptionUrl": "https://docs.ansible.com/ansible-tower/latest/html/administration/security_best_practices.html#understand-the-architecture-of-ansible-and-tower",
+ "platform": "Ansible",
+ "descriptionID": "657a8b1d",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json
index 8e70f1132ca..e2cc48b494f 100644
--- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json
+++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Account admins should be notified by email in the event of security alerts",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "f7c29c0d",
 "cloudProvider": "azure",
- "descriptionID": "f7c29c0d"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json
index 486ae507669..a9d696be4ab 100644
--- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json
+++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#containerservicenetworkprofile-object",
 "platform": "AzureResourceManager",
 "descriptionID": "25c0df8e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json
index 25d0db9a40d..e002d6b1c25 100644
--- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Microsoft.ContainerService/managedClusters should have enableRBAC set to true",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "b07ac0d6",
 "cloudProvider": "azure",
- "descriptionID": "b07ac0d6"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json
index 8bfe1d9fa64..f011157fe4c 100644
--- a/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile",
 "platform": "AzureResourceManager",
 "descriptionID": "c12d3b42",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json
index 91d8cdfe9ee..254a43784dd 100644
--- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile",
 "platform": "AzureResourceManager",
 "descriptionID": "9b09c3e1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json
index 64dfa5ef8b0..c6e4ffe0a0d 100644
--- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusterapiserveraccessprofile-object",
 "platform": "AzureResourceManager",
 "descriptionID": "258efab1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json
index 0b67e49180b..8484767120d 100644
--- a/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json
+++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Azure App Service should have App Service Authentication set",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-web?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "831efa07",
 "cloudProvider": "azure",
- "descriptionID": "831efa07"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json
index ad8e8d1475c..4718f22df80 100644
--- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json
+++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json#linuxconfiguration-object",
 "platform": "AzureResourceManager",
 "descriptionID": "98ba05ca",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json
index b627b5d9957..099bcd6c6f2 100644
--- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json
+++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/disks?tabs=json#encryptionsettingscollection-object",
 "platform": "AzureResourceManager",
 "descriptionID": "e2fa6cda",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json
index 62566a01e93..0705d63fabf 100644
--- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json
+++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts",
 "platform": "AzureResourceManager",
 "descriptionID": "d855ced8",
- "cloudProvider": "azure"
+ "cloudProvider": "azure",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json
index 9fdc1848c4c..6f7b978e5ce 100644
--- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json
+++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Secure parameters should not have hardcoded default value",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-test-cases#secure-parameters-cant-have-hardcoded-default",
 "platform": "AzureResourceManager",
+ "descriptionID": "a7bb7cb1",
 "cloudProvider": "azure",
- "descriptionID": "a7bb7cb1"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json
index 61c039587b3..e3bf022a367 100644
--- a/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json
+++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2019-09-01/vaults?tabs=json#vaultproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "8e3ca202",
 "cloudProvider": "azure",
- "descriptionID": "8e3ca202"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json
index 994ade17cdb..633578eee64 100644
--- a/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json
+++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#logprofileproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "ead4e0f2",
 "cloudProvider": "azure",
- "descriptionID": "ead4e0f2"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json
index 05b76118dbf..0215b6204a7 100644
--- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "'Microsoft.DBforMySQL/servers' should enforce SSL",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers?tabs=json#serverpropertiesforcreate-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "69fea5b1",
 "cloudProvider": "azure",
- "descriptionID": "69fea5b1"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json
index 9af65c7e96b..81ea8bbfdd6 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Port 3389 (Remote Desktop) is exposed to the Internet",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "e09bde32",
 "cloudProvider": "azure",
- "descriptionID": "e09bde32"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
index 4879b98c6af..994943917ce 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Port 22 (SSH) is exposed to the Internet",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "97b6233c",
 "cloudProvider": "azure",
- "descriptionID": "97b6233c"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json
index 13558d3f432..521a8e296ca 100644
--- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json
+++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Microsoft.Security securityContacts should have a phone number defined",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "8b9ef792",
 "cloudProvider": "azure",
- "descriptionID": "8b9ef792"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json
index dce35b59824..eb1c36c7e5a 100644
--- a/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "2eb0e3a8",
 "cloudProvider": "azure",
- "descriptionID": "2eb0e3a8"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json
index dc3c08a26e1..756d56acb12 100644
--- a/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers/configurations?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "be873a2e",
 "cloudProvider": "azure",
- "descriptionID": "be873a2e"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json
index c812e7bfde9..0a27fcc2d1d 100644
--- a/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json#configurationproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "3769181b",
 "cloudProvider": "azure",
- "descriptionID": "3769181b"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json
index 10e6f0c20dd..28955ff8832 100644
--- a/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "67cfaa3b",
 "cloudProvider": "azure",
- "descriptionID": "67cfaa3b"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json
index 2bf149f425f..e82a5539d35 100644
--- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json
+++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roledefinitions?tabs=json#permission-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "7d8860a5",
 "cloudProvider": "azure",
- "descriptionID": "7d8860a5"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json b/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json
index 64911d3fced..fa88135793c 100644
--- a/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json
+++ b/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "All Secrets must have an expiration date defined",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets?tabs=json#SecretAttributes",
 "platform": "AzureResourceManager",
+ "descriptionID": "bb5f96a2",
 "cloudProvider": "azure",
- "descriptionID": "bb5f96a2"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json
index 923507e6674..c9a6beb0890 100644
--- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json
+++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "SQL Database Server should contain emails to be notified in the event of a Security Alert",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "3b84ba2d",
 "cloudProvider": "azure",
- "descriptionID": "3b84ba2d"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json
index 7f5c21f2335..56525962d5a 100644
--- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json
+++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/firewallrules?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "6664d4d6",
 "cloudProvider": "azure",
- "descriptionID": "6664d4d6"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json
index e70480e4df7..6fe2cfb962e 100644
--- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json",
 "platform": "AzureResourceManager",
+ "descriptionID": "e8a4e321",
 "cloudProvider": "azure",
- "descriptionID": "e8a4e321"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json
index 57db4fa3947..1ebd726a3b2 100644
--- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json
+++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings?tabs=json",
 "platform": "AzureResourceManager",
 "descriptionID": "7867ae74",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json
index d05b05435e6..d182df789c0 100644
--- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json
+++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings",
 "platform": "AzureResourceManager",
 "descriptionID": "16d077a1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json b/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json
index 21e372df3ac..5fcb1fc6ff4 100644
--- a/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json
+++ b/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.security/pricings?tabs=json#pricingproperties-object",
 "platform": "AzureResourceManager",
 "descriptionID": "2081c7dc",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json
index d8d3475d9c1..4d70d21504e 100644
--- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json
+++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "'Microsoft.Storage/storageAccounts' should force the use of HTTPS",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "6ae0507e",
 "cloudProvider": "azure",
- "descriptionID": "6ae0507e"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json
index 122b6c9a785..f2bb666cf21 100644
--- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json
+++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "'Microsoft.Storage/storageAccounts' should force the use of HTTPS",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "f87b26ea",
 "cloudProvider": "azure",
- "descriptionID": "f87b26ea"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json
index 3a6193b0c8b..f7bb20e5529 100644
--- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Storage Blob Service Container should not publicly accessible",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers?tabs=json#containerproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "49e52e15",
 "cloudProvider": "azure",
- "descriptionID": "49e52e15"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json
index 4d75611f38b..95d0a39ccfc 100644
--- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Storage Logging should be enabled for read, write and delete methods",
 "descriptionUrl": "https://docs.microsoft.com/pt-pt/azure/azure-monitor/essentials/resource-manager-diagnostic-settings#diagnostic-setting-for-azure-storage",
 "platform": "AzureResourceManager",
+ "descriptionID": "83fa7bb6",
 "cloudProvider": "azure",
- "descriptionID": "83fa7bb6"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json
index 90b63d6e66d..bd40462266a 100644
--- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Trusted Microsoft Services should be enabled for Storage Account access",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#networkruleset",
 "platform": "AzureResourceManager",
+ "descriptionID": "88ca11b3",
 "cloudProvider": "azure",
- "descriptionID": "88ca11b3"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json
index 5c4372a969d..15ed9859167 100644
--- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json
+++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#retentionpolicy-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "f5d9a1fc",
 "cloudProvider": "azure",
- "descriptionID": "f5d9a1fc"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json
index 2fd21c00c1c..3eb3a587f27 100644
--- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json
+++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs?tabs=json#retentionpolicyparameters-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "71ce9f8c",
 "cloudProvider": "azure",
- "descriptionID": "71ce9f8c"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json
index ee68a582eb4..9a5ce9853e9 100644
--- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json
+++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteconfig-object",
 "platform": "AzureResourceManager",
 "descriptionID": "1a442064",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json
index 13fd90079aa..780479f6d2e 100644
--- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'",
 "descriptionUrl": "https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites?pivots=deployment-language-arm-template",
 "platform": "AzureResourceManager",
+ "descriptionID": "f50ec4cb",
 "cloudProvider": "azure",
- "descriptionID": "f50ec4cb"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json b/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json
index 2e2412eda1d..5685bb6d88e 100644
--- a/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json
+++ b/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "'Microsoft.Web/sites' should force the use of HTTPS",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "3af52329",
 "cloudProvider": "azure",
- "descriptionID": "3af52329"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json
index 18c15f41940..09f2ea154d8 100644
--- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "'Microsoft.Web/sites' should have client certificate authentication enabled",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "1b3c50da",
 "cloudProvider": "azure",
- "descriptionID": "1b3c50da"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json
index 07e7c38b1e7..d293e781885 100644
--- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "'Microsoft.Web/sites' should have 'Http20Enabled' enabled",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object",
 "platform": "AzureResourceManager",
+ "descriptionID": "e0cdbc75",
 "cloudProvider": "azure",
- "descriptionID": "e0cdbc75"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/buildah/run_using_apt/metadata.json b/assets/queries/buildah/run_using_apt/metadata.json
index c9924e464ef..36f91167742 100644
--- a/assets/queries/buildah/run_using_apt/metadata.json
+++ b/assets/queries/buildah/run_using_apt/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache",
 "descriptionUrl": "https://github.com/containers/buildah/blob/main/docs/buildah-run.1.md",
 "platform": "Buildah",
- "descriptionID": "eb58fa0b"
-}
+ "descriptionID": "eb58fa0b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cicd/github/run_block_injection/metadata.json b/assets/queries/cicd/github/run_block_injection/metadata.json
index c2716ad0a84..e8d7d6cab11 100644
--- a/assets/queries/cicd/github/run_block_injection/metadata.json
+++ b/assets/queries/cicd/github/run_block_injection/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://securitylab.github.com/research/github-actions-untrusted-input/",
 "platform": "CICD",
 "descriptionID": "02044a75",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cicd/github/script_block_injection/metadata.json b/assets/queries/cicd/github/script_block_injection/metadata.json
index 43c8838d142..9a9effb1738 100644
--- a/assets/queries/cicd/github/script_block_injection/metadata.json
+++ b/assets/queries/cicd/github/script_block_injection/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "62ff6823-927a-427f-acf9-f1ea2932d616",
- "queryName": "Script Block Injection",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
- "descriptionUrl": "https://securitylab.github.com/research/github-actions-untrusted-input/",
- "platform": "CICD",
- "descriptionID": "63e215f4",
- "cloudProvider": "common"
+ "id": "62ff6823-927a-427f-acf9-f1ea2932d616",
+ "queryName": "Script Block Injection",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+ "descriptionUrl": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+ "platform": "CICD",
+ "descriptionID": "63e215f4",
+ "cloudProvider": "common",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json
index f12836613f2..fdda3bcfa08 100644
--- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json
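Review bot: The script_block_injection hunk removes and re-adds all nine existing keys with identical content, so the only substantive change, `"CWE": ""`, is hidden inside what looks like an indentation or whitespace rewrite; the same pattern appears in the unsecured_commands hunk below and, for the `"severity"` and `"descriptionText"` lines, in the api_gateway_without_waf hunk. Whitespace churn across hundreds of metadata files makes the series hard to audit, since a reviewer cannot tell from the hunk whether any value actually changed. The reformatting would be better committed separately, or the original indentation kept so each hunk shows only the appended key, as the run_block_injection hunk above does. Where a file was deliberately fixed (unsecured_commands drops a whitespace-only trailing line and a mis-indented closing brace), that is worth stating explicitly rather than leaving it implicit in the diff.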
+++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions",
 "platform": "CICD",
 "descriptionID": "9cb8402d",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cicd/github/unsecured_commands/metadata.json b/assets/queries/cicd/github/unsecured_commands/metadata.json
index 4ba71545e45..52c587c7420 100644
--- a/assets/queries/cicd/github/unsecured_commands/metadata.json
+++ b/assets/queries/cicd/github/unsecured_commands/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453",
- "queryName": "Unsecured Commands",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.",
- "descriptionUrl": "https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-the-events-related-to-incoming-prs",
- "platform": "CICD",
- "descriptionID": "44751f79",
- "cloudProvider": "common"
- }
- 
\ No newline at end of file
+ "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453",
+ "queryName": "Unsecured Commands",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.",
+ "descriptionUrl": "https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-the-events-related-to-incoming-prs",
+ "platform": "CICD",
+ "descriptionID": "44751f79",
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json
index 1d1e35352f9..654d2996a8d 100644
--- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json
+++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.amazonaws.cn/en_us/config/latest/developerguide/access-keys-rotated.html",
 "platform": "CloudFormation",
 "descriptionID": "148d40cb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json
index 049ed08e5ac..ac93ec93c9f 100644
--- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json
+++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html",
 "platform": "CloudFormation",
 "descriptionID": "2cad71a7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
index 8287ddeb661..76d87c1fcf7 100644
--- a/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
+++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-listener.html#cfn-ec2-elb-listener-protocol",
 "platform": "CloudFormation",
 "descriptionID": "55f05412",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json
index d84a39b2d3a..a150cafc0d1 100644
--- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration",
 "platform": "CloudFormation",
 "descriptionID": "cd21865c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
index 04812a621cd..cbbc7774fde 100644
--- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "5864fb39-d719-4182-80e2-89dbe627be63",
- "queryName": "Amazon DMS Replication Instance Is Publicly Accessible",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationinstance.html",
- "platform": "CloudFormation",
- "descriptionID": "bc97aed1",
- "cloudProvider": "aws"
- }
\ No newline at end of file
+ "id": "5864fb39-d719-4182-80e2-89dbe627be63",
+ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.",
+ "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationinstance.html",
+ "platform": "CloudFormation",
+ "descriptionID": "bc97aed1",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json
index d60e0b880e1..e6a52659c9c 100644
--- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-encryptionoptions",
 "platform": "CloudFormation",
 "descriptionID": "c5d562da",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json
index d3650812f68..5f58455de46 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-app.html",
 "platform": "CloudFormation",
 "descriptionID": "40717425",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json
index 8f71ec32c87..fab7f44f603 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "20573b94",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json
index 9b60ee3343d..989fce14748 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "c9abb2c8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json
index f32bf20e425..5d4ca0426c5 100644
--- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-branch.html#cfn-amplify-branch-basicauthconfig",
 "platform": "CloudFormation",
 "descriptionID": "f68a0ad6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json
index aac75ae45a7..d5acc74149f 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-cacheclusterenabled",
 "platform": "CloudFormation",
 "descriptionID": "c5c1c902",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json
index 2ededa78fb4..127ee38280a 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-deployment-stagedescription.html",
 "platform": "CloudFormation",
 "descriptionID": "16f89b5d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json
index 5252b639175..582d97d4861 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html",
 "platform": "CloudFormation",
 "descriptionID": "9587628c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
index f4628bd3497..4ef0a95be8f 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html",
 "platform": "CloudFormation",
 "descriptionID": "8161e665",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json
index 3b2b9d869b8..d8d7ee3de8f 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-restapi-endpointconfiguration.html#cfn-apigateway-restapi-endpointconfiguration-types",
 "platform": "CloudFormation",
 "descriptionID": "f370d030",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
index c8d02badad9..24fc2100773 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html",
 "platform": "CloudFormation",
 "descriptionID": "43a06e88",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
index 110667000c8..3ed29e7f8a3 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html#cfn-apigatewayv2-stage-accesslogsettings",
 "platform": "CloudFormation",
 "descriptionID": "2a69fc63",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
index a9a28613164..016fb29c8f2 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html",
 "platform": "CloudFormation",
 "descriptionID": "ad012827",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json
index 6db6be98a6c..c4caf409647 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html",
 "platform": "CloudFormation",
 "descriptionID": "de76ae0f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
index 4495ad48b36..903ee123318 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html",
 "platform": "CloudFormation",
 "descriptionID": "d8d6ab46",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json
index 1f7d5cbb812..0f0770d9846 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html",
 "platform": "CloudFormation",
 "descriptionID": "5734fbc7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json
index f52ec43877f..4b91674295c 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy",
 "platform": "CloudFormation",
 "descriptionID": "92418e29",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json
index 88999d886e6..ce7fb1e9998 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html",
 "platform": "CloudFormation",
 "descriptionID": "95c8b13a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json
index 611ded38ce4..4e1ecb10004 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json
@@ -1,11 +1,12 @@
 {
 "id": "fcbf9019-566c-4832-a65c-af00d8137d2b",
 "queryName": "API Gateway without WAF",
- "severity": "MEDIUM",
+ "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
+ "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn",
 "platform": "CloudFormation",
 "descriptionID": "774d759c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
index 99b70ede84a..c00355cf12b 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-tracingenabled",
 "platform": "CloudFormation",
 "descriptionID": "7db1d7b0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json
index aaf291f4d36..bdd5dfb2da4 100644
--- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json
+++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html",
 "platform": "CloudFormation",
 "descriptionID": "99966f58",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json
index 9ad5fb7d06c..794f4bdea7f 100644
--- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "e2908402",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json
index 9526f99967f..58bea4a4dd1 100644
--- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json
+++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobdefinition.html",
 "platform": "CloudFormation",
 "descriptionID": "c8983ada",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
index 4e37634143e..df9dd9bcf27 100644
--- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
+++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "6a8090b9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json
index d8fb487ce78..85e13227e88 100644
--- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html",
 "platform": "CloudFormation",
 "descriptionID": "694c6fa8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
index bda727c8f9c..57ec89e1328 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html",
 "platform": "CloudFormation",
 "descriptionID": "3254d6d0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
index 58e4c3c75dc..03d11c9dcde 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html",
 "platform": "CloudFormation",
 "descriptionID": "bf860aba",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index 17a31076743..92039945cf3 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html",
 "platform": "CloudFormation",
 "descriptionID": "e86728bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json
index d7ce60c7c42..77dbe922da6 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-webaclid",
 "platform": "CloudFormation",
 "descriptionID": "fae904ce",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
index 0bb7e7e4074..b6e4651b425 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-enablelogfilevalidation",
 "platform": "CloudFormation",
 "descriptionID": "66ab1b20",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index 3eaeae40352..702f9a9af2f 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid",
 "platform": "CloudFormation",
 "descriptionID": "cdc07a23",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json
index 70a536536f5..76345a92337 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-islogging",
 "platform": "CloudFormation",
 "descriptionID": "8cabc568",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json
index 653fe058c9e..f42b65a2236 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-ismultiregiontrail",
 "platform": "CloudFormation",
 "descriptionID": "34ddc2cb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
index d03b8b9509e..969bd83511b 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html",
 "platform": "CloudFormation",
 "descriptionID": "f43ba695",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index ef338b00a9d..678ead1bdee 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-snstopicname",
 "platform": "CloudFormation",
 "descriptionID": "69327f38",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json
index 4a0198be1e5..7f68d11abe6 100644
--- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html#cfn-route53-hostedzone-queryloggingconfig",
 "platform": "CloudFormation",
 "descriptionID": "617aba8a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json
index 1504260df9b..8e589bd5c28 100644
--- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html",
 "platform": "CloudFormation",
 "descriptionID": "72a550b1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json
index d40ef5fe705..d75fde082d3 100644
--- a/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json
+++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html",
 "platform": "CloudFormation",
 "descriptionID": "2e00cfbb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json
index a6ef26fec83..2bc104567b5 100644
--- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html",
 "platform": "CloudFormation",
 "descriptionID": "64ffeb9f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json
index 53ace56bff2..262558b302b 100644
--- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json
+++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "ba38e42e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
index 977cf772a05..5b3257d5422 100644
--- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html",
 "platform": "CloudFormation",
 "descriptionID": "3e1306b1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json
index d0bd1f342dc..32426fe9126 100644
--- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json
+++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html",
 "platform": "CloudFormation",
 "descriptionID": "32d91e4e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
index 1473646fd77..82406245f5a 100644
--- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html",
 "platform": "CloudFormation",
 "descriptionID": "fb6e5346",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json
index 7581d3fee50..3f4fef6f728 100644
--- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#cfn-config-configrule-source",
 "platform": "CloudFormation",
 "descriptionID": "d0026f39",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json
index d5a773f1d59..fe44684d91f 100644
--- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html",
 "platform": "CloudFormation",
 "descriptionID": "5e31354c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
index f45e9aed697..c9e1345c283 100644
--- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
+++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument",
 "platform": "CloudFormation",
 "descriptionID": "8fca679f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json
index aa8f827522b..9f308c96934 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json
+++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "feeb965a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
index a6ceb3c3716..9d7d5e91363 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "3ddca0cc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json
index dc8a808b368..c51cca7fcc1 100644
--- a/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json
+++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "d479130b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index 71d5678856b..d30f7120116 100644
--- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "50b0269e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json
index c33383569fc..deccef94030 100644
--- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json
+++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-microsoftad.html",
 "platform": "CloudFormation",
 "descriptionID": "98a72cac",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json
index a4e56aa0089..5f7255b1f99 100644
--- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-simplead.html",
 "platform": "CloudFormation",
 "descriptionID": "fc2c7fb8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json
index 397d7cde2f0..83f1a92b129 100644
--- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dms-endpoint-mongodbsettings.html",
 "platform": "CloudFormation",
 "descriptionID": "6f895308",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json
index a95f4a15d0a..b2fcf59e9ef 100644
--- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html",
 "platform": "CloudFormation",
 "descriptionID": "a48ba75f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json
index 6628510e429..e697227ca7c 100644
--- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json
+++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html",
 "platform": "CloudFormation",
 "descriptionID": "37fb585f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
index 0b992fb6674..88ecf4d8abe 100644
--- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports",
 "platform": "CloudFormation",
 "descriptionID": "4818ceaf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json
index 7010aff621f..78d94c24ec4 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html",
 "platform": "CloudFormation",
 "descriptionID": "92975bc8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json
index f7e9813d00c..9ae96dca4a9 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html",
 "platform": "CloudFormation",
 "descriptionID": "a71d0c61",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json
index 08afd5b848b..b867ed747ea 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-attributedef",
 "platform": "CloudFormation",
 "descriptionID": "2a9dc4de",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json
index 20eee22dba4..5e5cb2a349c 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html",
 "platform": "CloudFormation",
 "descriptionID": "8a51c141",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json
index acbfbb3d320..1f1cee0c0b7 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html",
 "platform": "CloudFormation",
 "descriptionID": "33e2f7f6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json
index dbe9813edf3..648276902d2 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html",
 "platform": "CloudFormation",
 "descriptionID": "a10e872a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json
index aedf331c0e2..19eda6b8e01 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "bf34b145",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json
index 1c74edda895..0bb037a18af 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-monitoring",
 "platform": "CloudFormation",
 "descriptionID": "81e4f520",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json
index fa4e1e087e6..f40bccffbb0 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch",
 "platform": "CloudFormation",
 "descriptionID": "22e3d598",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json
index 47b6bb2a7ef..066a5a97e07 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-securitygroups",
 "platform": "CloudFormation",
 "descriptionID": "de993e1a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json
index 4390bc4400a..675bb5cf87c 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-subnetid",
 "platform": "CloudFormation",
 "descriptionID": "8dd9abf5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json
index cb1e875823d..00421a78029 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-rulenumber",
 "platform": "CloudFormation",
 "descriptionID": "27e96b39",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json
index fd4e911ac8a..e55d8fbe07b 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html",
 "platform": "CloudFormation",
 "descriptionID": "e8c34905",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json
index b794b1abd8f..807631af030 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html",
 "platform": "CloudFormation",
 "descriptionID": "cb7c8980",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json
index 14a3e9cb942..332a465316c 100644
--- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-ebsoptimized",
 "platform": "CloudFormation",
 "descriptionID": "4d5e32ad",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json
index 4b1f5e67f16..3e07a1e88db 100644
--- a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html",
 "platform": "CloudFormation",
 "descriptionID": "397e89de",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json
index 1bccbcf5dae..1a20d0d3aa5 100644
--- a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html",
 "platform": "CloudFormation",
 "descriptionID": "163e9a52",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
index f43e9d7aa24..8784ed3bf06 100644
--- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html",
 "platform": "CloudFormation",
 "descriptionID": "a4ed2a4f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json
index 9aef674cad9..4d5a44c4aa6 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html",
 "platform": "CloudFormation",
 "descriptionID": "a85a7099",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
index 6640308dfa2..98d96f1f66a 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html",
 "platform": "CloudFormation",
 "descriptionID": "512ea20d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json
index 94bad80a66e..9949da95004 100644
--- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html",
 "platform": "CloudFormation",
 "descriptionID": "2f3ec772",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
index 7a841fd3594..ab437dd234c 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html",
 "platform": "CloudFormation",
 "descriptionID": "756701f8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json
index 7fa19bf2036..9803339553b 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration",
 "platform": "CloudFormation",
 "descriptionID": "cd242bdd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json
index bed6864a8a4..5b77574faf1 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-healthcheck.html",
 "platform": "CloudFormation",
 "descriptionID": "e2e3a50a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json
index cfb0e96a4c1..65ae07689f5 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html",
 "platform": "CloudFormation",
 "descriptionID": "8fa43a9a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index 8928b19cb53..bab5c984b4e 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode",
 "platform": "CloudFormation",
 "descriptionID": "bded2e99",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
index b1f33131fd1..e97a69397e9 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment",
 "platform": "CloudFormation",
 "descriptionID": "a763eedb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
index b527e6f9c6b..a01bb1246bc 100644
--- a/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
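Review bot: In the ecs_task_definition_with_plaintext_password hunk the new `"CWE": ""` leaves empty a mapping that is unambiguous for this query: a password placed in plaintext in a container definition's `Environment` is CWE-256 (Plaintext Storage of a Password), with CWE-798 (Use of Hard-coded Credentials) as the broader class if that is how the repository prefers to classify secrets-in-IaC findings. An empty string here is worse than no key, because it looks like a deliberate "none". Suggest `"CWE": "256"` in whatever identifier format the rest of the repository adopts for this field.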
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html",
 "platform": "CloudFormation",
 "descriptionID": "e168cb44",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json
index 1bbe397e4c2..cc90431b11d 100644
--- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "c1282e03-b285-4637-aee7-eefe3a7bb658",
- "queryName": "EFS Volume With Disabled Transit Encryption",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption'",
- "descriptionUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html",
- "platform": "CloudFormation",
- "descriptionID": "99f92ea6",
- "cloudProvider": "aws"
- }
- 
\ No newline at end of file
+ "id": "c1282e03-b285-4637-aee7-eefe3a7bb658",
+ "queryName": "EFS Volume With Disabled Transit Encryption",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption'",
+ "descriptionUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html",
+ "platform": "CloudFormation",
+ "descriptionID": "99f92ea6",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
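Review bot: The efs_volume_with_disabled_transit_encryption hunk re-emits every line of the file (the whole body is `-`/`+`, apparently for re-indentation) yet carries the old wording `encryption for data at transit` forward unchanged; since the line is being rewritten anyway, correct it to `"descriptionText": "Amazon EFS volume does not have encryption for data in transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption'",`. The query is about transport encryption, so the new `"CWE": ""` also has an obvious candidate, CWE-319 (Cleartext Transmission of Sensitive Information), rather than an empty value. Rewriting a whole file for indentation also hides the one-line semantic change in `git blame`; a whitespace-only reformat would be cleaner as its own commit.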
diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json b/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json
index 13ccc6978d5..e247eee33d3 100644
--- a/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html",
 "platform": "CloudFormation",
 "descriptionID": "f5a9536a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json b/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json
index 6c4ef8d7084..b9baaa68bb2 100644
--- a/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html",
 "platform": "CloudFormation",
 "descriptionID": "a7eb7aff",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json
index b00bed6d716..e0457cc22d3 100644
--- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html",
 "platform": "CloudFormation",
 "descriptionID": "b3ebf24c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
index c280ecfb1f5..52e6aa89b23 100644
--- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "35f94973",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json b/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json
index b076dbb6e26..784d4940caa 100644
--- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-port",
 "platform": "CloudFormation",
 "descriptionID": "5aef27fd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json
index 902ca80acf9..9607918e11e 100644
--- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-atrestencryptionenabled",
 "platform": "CloudFormation",
 "descriptionID": "86353328",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json
index e6d870f16cd..19f76afbe4b 100644
--- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html",
 "platform": "CloudFormation",
 "descriptionID": "b1ce0b9f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json b/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json
index 8f38c561464..69216752ea2 100644
--- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-cachesubnetgroupname",
 "platform": "CloudFormation",
 "descriptionID": "68db93b8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json
index 2e13a11ccbf..58f7e998528 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions",
 "platform": "CloudFormation",
 "descriptionID": "6700680a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json
index 6e93ab457fc..c7d5a4ec3c2 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions",
 "platform": "CloudFormation",
 "descriptionID": "e2451952",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json
index c78256a06df..e2dcf9c4a5c 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions",
 "platform": "CloudFormation",
 "descriptionID": "645512cb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json
index 9ee20a394bc..92764029e3f 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "4cdc88e6-c0c8-4081-a639-bb3a557cbedf",
- "queryName": "Elasticsearch with HTTPS disabled",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticsearch-domain-domainendpointoptions.html",
- "platform": "CloudFormation",
- "descriptionID": "8575a1d7",
- "cloudProvider": "aws"
- }
- 
\ No newline at end of file
+ "id": "4cdc88e6-c0c8-4081-a639-bb3a557cbedf",
+ "queryName": "Elasticsearch with HTTPS disabled",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.",
+ "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticsearch-domain-domainendpointoptions.html",
+ "platform": "CloudFormation",
+ "descriptionID": "8575a1d7",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
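Review bot: The re-emitted descriptionText in the elasticsearch_with_https_disabled hunk says the domain `does not have encryption for its domains enabled`, which a reader will take to mean at-rest encryption — the very thing the sibling elasticsearch_not_encrypted_at_rest query in the preceding hunk covers — while this query, its queryName and the DomainEndpointOptions descriptionUrl are about enforcing HTTPS on the endpoint. Since the whole line is rewritten anyway, make it say what the check does: `"descriptionText": "Amazon Elasticsearch domain does not enforce HTTPS on its endpoint. To prevent such a scenario, set the attribute 'EnforceHTTPS' to true.",`. The transport-security nature of the finding also gives a ready value for the new field, CWE-319 (Cleartext Transmission of Sensitive Information), instead of `"CWE": ""`.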
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json
index b43e6899fe6..3516386c4c4 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-accesspolicies",
 "platform": "CloudFormation",
 "descriptionID": "af727c29",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json
index b9ece32a547..2c0c22cb9a1 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions",
 "platform": "CloudFormation",
 "descriptionID": "72d32380",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json
index 11d7195c309..2bf87bb663b 100644
--- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-accessloggingpolicy.html",
 "platform": "CloudFormation",
 "descriptionID": "8f49cae7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json
index 031411edbe7..16389218a5d 100644
--- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html",
 "platform": "CloudFormation",
 "descriptionID": "cd6bbd85",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json
index a804d2bb439..6722ffa0d7a 100644
--- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html",
 "platform": "CloudFormation",
 "descriptionID": "94a91040",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json
index 9c9d07e816d..ac7b2307aa6 100644
--- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json
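Review bot: The elb_using_weak_ciphers and elb_using_insecure_protocols hunks both ship `"CWE": ""` although these are textbook cryptographic-configuration weaknesses: a listener policy allowing weak cipher suites is CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), and permitting deprecated SSL/TLS protocol versions is conventionally classified the same way (CWE-326 if the repository prefers "Inadequate Encryption Strength"). Filling these in now avoids a second sweep over the same files and lets SARIF consumers map the findings. Suggest `"CWE": "327"` for elb_using_weak_ciphers, in whatever identifier format the repository standardises on.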
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattributes.html#cfn-elasticloadbalancingv2-loadbalancer-loadbalancerattributes-key",
 "platform": "CloudFormation",
 "descriptionID": "1b941e35",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json
index dc90900fd09..2d4b13f60e2 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json
@@ -3,9 +3,10 @@
 "queryName": "ELB With Security Group Without Inbound Rules",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "An AWS Elastic Load Balancer (ELB) shouldn\u00b4t have security groups without outbound rules",
+ "descriptionText": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress",
 "platform": "CloudFormation",
 "descriptionID": "3ccdd7d2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json
index e1a28a8ac64..5678c88d343 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json
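Review bot: The rewritten descriptionText in the elb_with_security_group_without_inbound_rules hunk still ends in `without outbound rules`, contradicting the queryName two context lines above and the `securitygroupingress` descriptionUrl just below it; the text is byte-for-byte the same as the outbound query's in the next file, so this looks like a copy-paste carry-over that the rewrite preserved. The same line also replaces the `\u00b4` escape with a literal U+00B4 acute accent, which is still not an apostrophe and will keep tripping spell-checkers and string comparisons. Suggest `"descriptionText": "An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules",`, and the plain ASCII `shouldn't` for the outbound query as well.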
@@ -3,9 +3,10 @@
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "An AWS Elastic Load Balancer (ELB) shouldn\u00b4t have security groups without outbound rules",
+ "descriptionText": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupegress",
 "platform": "CloudFormation",
 "descriptionID": "7b876844",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json
index 9494ec837c1..1b27906de16 100644
--- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html",
 "platform": "CloudFormation",
 "descriptionID": "0cbd1ac7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json
index 098208e2641..4435e263994 100644
--- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json
+++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html",
 "platform": "CloudFormation",
 "descriptionID": "b47b42b2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json
index 01de85d8a7b..1aa65c19ce1 100644
--- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json
+++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html#cfn-elasticmapreduce-cluster-securityconfiguration",
 "platform": "CloudFormation",
 "descriptionID": "17e140e2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json
index 17b489550d9..5491ae84c31 100644
--- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html",
 "platform": "CloudFormation",
 "descriptionID": "672bc6a7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json
index 531325e40d6..c426ce70c76 100644
--- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticmapreduce-cluster-jobflowinstancesconfig.html#cfn-elasticmapreduce-cluster-jobflowinstancesconfig-ec2subnetid",
 "platform": "CloudFormation",
 "descriptionID": "26800d21",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json b/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json
index 1d6faf052a0..0bcff3ca314 100644
--- a/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json
+++ b/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group",
 "platform": "CloudFormation",
 "descriptionID": "747f49ac",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json
index 0a601e343d0..82db797a23f 100644
--- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json
+++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-gamelift-fleet.html",
 "platform": "CloudFormation",
 "descriptionID": "2f59d790",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json b/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json
index c95cd138474..9fc7e8c7a96 100644
--- a/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html",
 "platform": "CloudFormation",
 "descriptionID": "18f149b3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json
index 7dbd14233df..654b109f203 100644
--- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json
+++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codestar-githubrepository.html",
 "platform": "CloudFormation",
 "descriptionID": "76e2bdab",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
index ac87814e9f1..f2c4d38b855 100644
--- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-detector.html",
 "platform": "CloudFormation",
 "descriptionID": "cae19394",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 9774521d2d9..694acc377f0 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment",
 "platform": "CloudFormation",
 "descriptionID": "ff065e3b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/http_port_open/metadata.json b/assets/queries/cloudFormation/aws/http_port_open/metadata.json
index 6ac286304af..0c31fa66a09 100644
--- a/assets/queries/cloudFormation/aws/http_port_open/metadata.json
+++ b/assets/queries/cloudFormation/aws/http_port_open/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "a39efd21",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json
index 1cb0ccfe695..2e5b26d702a 100644
--- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json
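Review bot: The hardcoded_aws_access_key_in_lambda hunk adds `"CWE": ""` to a query whose weakness is one of the most widely cited CWE entries — an AWS access key embedded in a Lambda `Environment` block is CWE-798 (Use of Hard-coded Credentials). Leaving it blank means a finding this clear-cut will be unclassified in any CWE-based report or policy filter, which undercuts the purpose of adding the field at all. Suggest `"CWE": "798"` in the identifier format the repository adopts for this key.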
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html",
 "platform": "CloudFormation",
 "descriptionID": "24a6978e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json
index 03b6e5bc175..792bf2e4c3d 100644
--- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableiamdatabaseauthentication",
 "platform": "CloudFormation",
 "descriptionID": "e4c2c085",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json b/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json
index aa2ca08e8a2..65dd31455e8 100644
--- a/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html",
 "platform": "CloudFormation",
 "descriptionID": "c23dca47",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json
index cd44e7e4208..9c7cc1e7c27 100644
--- a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html",
 "platform": "CloudFormation",
 "descriptionID": "e89236a1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json
index 5bcdca58b6d..dfe7e1a18b1 100644
--- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups",
 "platform": "CloudFormation",
 "descriptionID": "e7fa1d68",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
index 33fee65c69a..28fd0ff7b02 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "b98bf93c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
index ccd371468e9..19334d99ef6 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "46859482",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json
index 00ad338b9a4..c8f8d1450c1 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "cb1d65ca",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
index 95cc5ca686f..7afb1217ff4 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "7ec4df0d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
index 24512b7e9c3..31fc17bb4af 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "9d55d1e4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json
index 16fad677ac0..6d0713b504a 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html",
 "platform": "CloudFormation",
 "descriptionID": "c1857bae",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
index 6f50831f469..8c8beb18518 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "faa72156",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json
index 647c6d85f32..31bd10ad9c0 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy",
 "platform": "CloudFormation",
 "descriptionID": "d9bcf74d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
index 90ccbc509c8..2d9bb3bfd39 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "eba1aa1b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json
index a9c899c25d9..2fc9efa9319 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "d4158e76",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json
index c64ca505e3d..933e51d471c 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "50f7785d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
index 6a31a54790a..0b0a1d1aaf4 100644
--- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument",
 "platform": "CloudFormation",
 "descriptionID": "13e52bb7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json
index ac8ea84352e..64eedbd0949 100644
--- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html",
 "platform": "CloudFormation",
 "descriptionID": "0dc817e6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json
index 44469830d1b..7e630a9453b 100644
--- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html",
 "platform": "CloudFormation",
 "descriptionID": "90135931",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json
index b059ca22110..91732d03198 100644
--- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy",
 "platform": "CloudFormation",
 "descriptionID": "d7e9b179",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json
index b4163684162..04e2f7018bd 100644
--- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json
+++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html",
 "platform": "CloudFormation",
 "descriptionID": "4706b78f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json b/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json
index 3d954af5bb2..8002b4e7213 100644
--- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html",
 "platform": "CloudFormation",
 "descriptionID": "c2bb3a56",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json
index 7acfdf36bb7..46e3ef4b796 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json
+++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "e4417496",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json
index d5e5b2efdaf..400ffe3f33b 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json
+++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "d5e52bc7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json
index dcff6e85f1e..c50b957eb06 100644
--- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json
+++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-stream.html",
 "platform": "CloudFormation",
 "descriptionID": "a8238dc8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json
index 35c5f2c9473..6d64b6398ac 100644
--- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json
+++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html",
 "platform": "CloudFormation",
 "descriptionID": "0b89626d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json
index 80361368f8f..11c9ed51ecd 100644
--- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html",
 "platform": "CloudFormation",
 "descriptionID": "323313bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json
index c3f9a0f0c98..17ba7052108 100644
--- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json
+++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy",
 "platform": "CloudFormation",
 "descriptionID": "1f88b704",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json
index 1008a183eb0..7341582342f 100644
--- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-deadletterconfig",
 "platform": "CloudFormation",
 "descriptionID": "d5d9d047",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json b/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json
index 78b31ce8034..a8ae753d815 100644
--- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html",
 "platform": "CloudFormation",
 "descriptionID": "664675e7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json
index 311f2316734..f8d6268fdb8 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html",
 "platform": "CloudFormation",
 "descriptionID": "48d30c57",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json
index db369c80dbd..dbfc6b5c482 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html",
 "platform": "CloudFormation",
 "descriptionID": "f919ad7e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json
index 6db056c2b6a..7f9a3f54b32 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-tracingconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "26afaa67",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json
index eb1cddf936a..dadb302d277 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/pt_br/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
 "platform": "CloudFormation",
 "descriptionID": "dec6dd24",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json
index 50d6e770117..8a5f78b5669 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
 "platform": "CloudFormation",
 "descriptionID": "cfa9120c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json
index 8f127498efc..f86a172777c 100644
--- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json
+++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html",
 "platform": "CloudFormation",
 "descriptionID": "55094eb2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json b/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json
index 7c58bc882b4..4ba15a4e48b 100644
--- a/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-engine",
 "platform": "CloudFormation",
 "descriptionID": "470e2a53",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json
index 99d95449e20..c2cdb1201c3 100644
--- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-publiclyaccessible",
 "platform": "CloudFormation",
 "descriptionID": "59b368a9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json
index 8d726a105f5..9f33e1702cf 100644
--- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-logs",
 "platform": "CloudFormation",
 "descriptionID": "3799829c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json
index 06b5ec67f47..21865f7b712 100644
--- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-msk-cluster-publicaccess.html",
 "platform": "CloudFormation",
 "descriptionID": "dcf6ab9f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json
index a3f7db1a0c0..843f2ac1c43 100644
--- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "c8e65b67",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json
index abc99fdfcd9..b3ea335d39c 100644
--- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "1d9a0a75",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
index 639cd9aafcf..d7f458d4aa7 100644
--- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html#cfn-neptune-dbcluster-iamauthenabled",
 "platform": "CloudFormation",
 "descriptionID": "39cddadb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json
index 42bebdbe32a..979ccc8d551 100644
--- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html",
 "platform": "CloudFormation",
 "descriptionID": "b2c5f5dd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json
index ce452b12227..608ea0ae510 100644
--- a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json
+++ b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
 "platform": "CloudFormation",
 "descriptionID": "32ccc415",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json
index 9ac2adbafd3..5c7c9711bf2 100644
--- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsubnetgroupname",
 "platform": "CloudFormation",
 "descriptionID": "be2d1742",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json
index 03dde7743fe..033aecdf2a1 100644
--- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "dae1e8ab",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json
index d7bb056e78d..647525dd87a 100644
--- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-deletionprotection",
 "platform": "CloudFormation",
 "descriptionID": "606a0602",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json
index 046a5167ba3..f7f6c2f6a20 100644
--- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "4bdb6677",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json
index 50c1eef1b1b..c56e01f68f4 100644
--- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-storageencrypted",
 "platform": "CloudFormation",
 "descriptionID": "654ec248",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json
index c5b41d4f5df..3b1443e43da 100644
--- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "f052de92",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json b/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json
index 26e37642079..29208ebf17d 100644
--- a/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-port",
 "platform": "CloudFormation",
 "descriptionID": "b5d8d0b5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json
index bb494645ffd..3c6f5d70952 100644
--- a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "4ebe02ca",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json
index 702e74c9413..2a5be059162 100644
--- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-loggingproperties",
 "platform": "CloudFormation",
 "descriptionID": "b84206ae",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json
index 062576b6e8d..9cd80dd01a6 100644
--- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json
+++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "e460a7a7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json
index 58cd0f18d50..42eb437a3e9 100644
--- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "5605695c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json
index 4e0af1c8731..a2406613815 100644
--- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "407e0863",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json
index 804b43fccf4..64eb55f2dd3 100644
--- a/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json
+++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-port",
 "platform": "CloudFormation",
 "descriptionID": "e2aa0fb8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json
index 08657e2a3b1..7d6aea01c4a 100644
--- a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration",
 "platform": "CloudFormation",
 "descriptionID": "c752c5a6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json
index 327ccb5e5ca..71567cfd739 100644
--- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json
+++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "2e4ef03f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json
index bcb023a5fba..c1c941a0cdb 100644
--- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html",
 "platform": "CloudFormation",
 "descriptionID": "195ebcdb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json b/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json
index 16f0c271d74..7c0ef877cc9 100644
--- a/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json
+++ b/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html",
 "platform": "CloudFormation",
 "descriptionID": "268f1d77",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json
index 6dc7a222f0f..b1ccd9bf90b 100644
--- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json
+++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html",
 "platform": "CloudFormation",
 "descriptionID": "1f341247",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json
index 61fd1ae12bc..c4810e82606 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "9a57423d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
index aa8a974fe77..8fef9bbe6bd 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "68456465",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
index fd1a21f9ac9..f2d04774e1f 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "cfd67020",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
index 14d7c0af022..98402a884d6 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "25d149a4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json
index 2fd15659044..33ca173e438 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "0a34aa34",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json
index 55a28bc5497..8f9201ba5fa 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "5d8cf376",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json
index 694d0f6442c..de9b3e7b08f 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "755801fc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json
index 3febabb2cd6..83b6da1f3a5 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html",
 "platform": "CloudFormation",
 "descriptionID": "f962a2d5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json
index c27040fea18..a066ca6eaff 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "9d094f81",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json
index 5df7d1e5d8e..93e4437750a 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "0a41482e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json
index 376e10888f0..28d5107a12d 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig",
 "platform": "CloudFormation",
 "descriptionID": "00649261",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json
index 3b61aaa2494..e8b9cb146ea 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig",
 "platform": "CloudFormation",
 "descriptionID": "ce3728e6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json
index 2d08d02eb5a..eafce5a5a89 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "2b429546",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
index a99083e5366..a8e1d507d24 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html",
 "platform": "CloudFormation",
 "descriptionID": "42fd2930",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json
index 4d7e6270709..72e01ad11cd 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "65883f5a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json
index e189f253e78..c1a4d1dcdc4 100755
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html",
 "platform": "CloudFormation",
 "descriptionID": "bfe99abf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
index f810d51fa07..d2fddfac8f6 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html",
 "platform": "CloudFormation",
 "descriptionID": "f616509e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json
index be118d6f8b0..d566b737c32 100755
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html",
 "platform": "CloudFormation",
 "descriptionID": "74146c20",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json
index 6dc82413ff3..cf76cadffe7 100755
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html",
 "platform": "CloudFormation",
 "descriptionID": "f9a4d93a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json
index 84ce8346a2a..84c8db4c5cd 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html",
 "platform": "CloudFormation",
 "descriptionID": "314a460b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json
index da07476d7af..1f61b5ea153 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "907676d7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json
index 80adfc9a335..d9b0c3dcc25 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "fe2c56b9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json
index deabf128a5d..790746e84ad 100644
--- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration.html",
 "platform": "CloudFormation",
 "descriptionID": "b50aab99",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json
index da9fd0c4b87..00b125c16b3 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-notebookinstance.html",
 "platform": "CloudFormation",
 "descriptionID": "41b14673",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json
index 5a58e10bbb0..b8e646c7dd3 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown",
 "platform": "CloudFormation",
 "descriptionID": "6e8543a2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json
index 94f5cb1c82a..e953588874c 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-endpointconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "7c9fa4bf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json
index 8fbb35a082d..e96e85333b5 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown",
 "platform": "CloudFormation",
 "descriptionID": "d062ca53",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json
index c143b277348..87e11ed72d2 100644
--- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json
+++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-simpledb.html",
 "platform": "CloudFormation",
 "descriptionID": "e6c6a7cf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json
index 785da4cde45..0c533272a31 100644
--- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json
+++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html",
 "platform": "CloudFormation",
 "descriptionID": "d78bb871",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json
index a46072027c0..04fa755a27e 100644
--- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html",
 "platform": "CloudFormation",
 "descriptionID": "9ce51226",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json
index 0f6805609fd..6ae7d8414d4 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html",
 "platform": "CloudFormation",
 "descriptionID": "ec506916",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json
index bd0aee26403..21b33862759 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html",
 "platform": "CloudFormation",
 "descriptionID": "b3e66493",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json
index bc3bcbdfaf6..293be048bd7 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html",
 "platform": "CloudFormation",
 "descriptionID": "af27e909",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json
index 3fdd70cac2c..77c97f4e98f 100644
--- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html",
 "platform": "CloudFormation",
 "descriptionID": "443ba8e1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json
index dd842bd96e7..f2d82d7d482 100644
--- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html",
 "platform": "CloudFormation",
 "descriptionID": "c067ceb5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json
index fe9ae2abd90..46f779166ec 100644
--- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html",
 "platform": "CloudFormation",
 "descriptionID": "5f2b65f3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json
index 8dd2e884ecd..622e208316b 100644
--- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "f7c62b11",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json
index 2f108843284..1b0db14a4a5 100644
--- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "05891eb1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json
index 346a8f762db..6abda37f2a0 100644
--- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "ee6a21e3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json
index 8b1054716de..00852ec33b2 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "e14121d4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json
index 02529217c13..403c9f01a2a 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "868a9ec5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
index f1a241fb205..3f36a25273f 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "d515d6dc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json
index 24d74bb890f..71cd011b328 100644
--- a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "8664bd98",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json
index 80cd8fde52e..926a3518b50 100644
--- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json
+++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "ae5e799c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json
index c70082b9eda..83419e20a99 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "93100b84",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
index 42092e5376d..bbb593c97a0 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy",
 "platform": "CloudFormation",
 "descriptionID": "a4bd80b0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json
index 3e608e6727d..8379a8df9de 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html",
 "platform": "CloudFormation",
 "descriptionID": "a8a19ba3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json
index fff00bfac2e..42be86a3d34 100644
--- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "a232933e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
index 33286fb004e..a4560ef440a 100644
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html",
 "platform": "CloudFormation",
 "descriptionID": "6caa1d1d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
index bbcca76d8ac..91f724e09c1 100644
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "78666d87",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
index 835557cd5dc..4bf1d336fb4 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid",
 "platform": "CloudFormation",
 "descriptionID": "7c3c1b44",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
index 7a4c21f28b7..14964e381a7 100644
--- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html",
 "platform": "CloudFormation",
 "descriptionID": "1e12925e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json
index 8ceb2fc7e8a..57711533301 100644
--- a/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-autodeployment.html#cfn-cloudformation-stackset-autodeployment-retainstacksonaccountremoval",
 "platform": "CloudFormation",
 "descriptionID": "2f8bf223",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json
index 0281d2fd28a..1fefe6e4772 100644
--- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json
+++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "42d28f69",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json
index 216a5b5a664..2b50856b180 100644
--- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json
+++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-portrange",
 "platform": "CloudFormation",
 "descriptionID": "51ad2aeb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json
index 5bbaef1e0c1..f4e4a828106 100644
--- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json
+++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "0cc0a902",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json
index ceea247899c..f9ac29bddcf 100644
--- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json
+++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html",
 "platform": "CloudFormation",
 "descriptionID": "08256d31",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json
index 0fdd610060b..d03c48cc5b4 100644
--- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json
+++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagescanningconfiguration",
 "platform": "CloudFormation",
 "descriptionID": "f3f139c0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
index 17afeb65119..dc19f5e594d 100644
--- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "b8212287",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json
index 0b7f13f00b1..7624cf677ef 100644
--- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata",
 "platform": "CloudFormation",
 "descriptionID": "f951996f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json
index cbd11bdac8b..2ee8eb76ff2 100644
--- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html",
 "platform": "CloudFormation",
 "descriptionID": "a44edc48",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json
index d5e20338aa9..cb486ce6831 100644
--- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html",
 "platform": "CloudFormation",
 "descriptionID": "1370ae52",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
index 14e3a5da997..c98cae632eb 100644
--- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html",
 "platform": "CloudFormation",
 "descriptionID": "0fb02ca5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json
index 8ceda5cff6f..15d3b5492ad 100644
--- a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html",
 "platform": "CloudFormation",
 "descriptionID": "23dfbed0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json
index bd313c362e6..71e6da72e0c 100644
--- a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html#cfn-networkfirewall-firewall-vpcid",
 "platform": "CloudFormation",
 "descriptionID": "f090ffd2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json
index 89d65299158..53f741eaa63 100644
--- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json
+++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html",
 "platform": "CloudFormation",
 "descriptionID": "ee3b82bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json
index 9e04b6a1df8..edb1f8d644c 100644
--- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json
+++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-webacl.html",
 "platform": "CloudFormation",
 "descriptionID": "e4327168",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json
index e26bf39da41..3d354529d5d 100644
--- a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json
+++ b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html",
 "platform": "CloudFormation",
 "descriptionID": "0affe61c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json
index 3c3f242e27e..0d48ab370eb 100644
--- a/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-workspaces-workspace.html",
 "platform": "CloudFormation",
 "descriptionID": "ed0be490",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json b/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json
index abeeef547a3..99835003d75 100644
--- a/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "124b173b-e06d-48a6-8acd-f889443d97a4",
- "queryName": "BOM - AWS Cassandra",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance",
- "descriptionUrl": "https://kics.io",
- "platform": "CloudFormation",
- "descriptionID": "bd2db07c",
- "cloudProvider": "aws"
- }
- 
\ No newline at end of file
+ "id": "124b173b-e06d-48a6-8acd-f889443d97a4",
+ "queryName": "BOM - AWS Cassandra",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance",
+ "descriptionUrl": "https://kics.io",
+ "platform": "CloudFormation",
+ "descriptionID": "bd2db07c",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json b/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json
index f913cfabeaa..8379d15adb3 100644
--- a/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df",
- "queryName": "BOM - AWS DynamoDB",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.",
- "descriptionUrl": "https://kics.io",
- "platform": "CloudFormation",
- "descriptionID": "b0d40495",
- "cloudProvider": "aws"
- }
- 
\ No newline at end of file
+ "id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df",
+ "queryName": "BOM - AWS DynamoDB",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "CloudFormation",
+ "descriptionID": "b0d40495",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/ebs/metadata.json b/assets/queries/cloudFormation/aws_bom/ebs/metadata.json
index b2997c2e64c..6e994c7c18c 100644
--- a/assets/queries/cloudFormation/aws_bom/ebs/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/ebs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "6869b929",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/efs/metadata.json b/assets/queries/cloudFormation/aws_bom/efs/metadata.json
index ba78c688eec..689c2a28980 100644
--- a/assets/queries/cloudFormation/aws_bom/efs/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/efs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "f6d4e4b8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json b/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json
index 7502707d09c..3692219ff72 100644
--- a/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "deea2b5c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json b/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json
index c93d41a7b27..a9247949b04 100644
--- a/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json
@@ -3,9 +3,10 @@
 "queryName": "BOM - AWS Kinesis",
 "severity": "TRACE",
 "category": "Bill Of Materials",
- "descriptionText": "A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time",
+ "descriptionText": "A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time",
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "4b8f3b90",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/mq/metadata.json b/assets/queries/cloudFormation/aws_bom/mq/metadata.json
index cb1f87f4a6f..caa3823ced3 100644
--- a/assets/queries/cloudFormation/aws_bom/mq/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/mq/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "93a9e162",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/msk/metadata.json b/assets/queries/cloudFormation/aws_bom/msk/metadata.json
index 4360e23cd97..b3204773ffa 100644
--- a/assets/queries/cloudFormation/aws_bom/msk/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/msk/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "7413f967",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/rds/metadata.json b/assets/queries/cloudFormation/aws_bom/rds/metadata.json
index f2d507cdd6d..5b03d2b0121 100644
--- a/assets/queries/cloudFormation/aws_bom/rds/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/rds/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea",
- "queryName": "BOM - AWS RDS",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.",
- "descriptionUrl": "https://kics.io",
- "platform": "CloudFormation",
- "descriptionID": "77215b57",
- "cloudProvider": "aws"
- }
+ "id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea",
+ "queryName": "BOM - AWS RDS",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "CloudFormation",
+ "descriptionID": "77215b57",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json b/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json
index 6f1a0b69322..2da7e7fb739 100644
--- a/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "a46851fb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/sns/metadata.json b/assets/queries/cloudFormation/aws_bom/sns/metadata.json
index 605992ec7b0..a443324b360 100644
--- a/assets/queries/cloudFormation/aws_bom/sns/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/sns/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "3cd7a815",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/sqs/metadata.json b/assets/queries/cloudFormation/aws_bom/sqs/metadata.json
index b8bb56a829c..51d529ec708 100644
--- a/assets/queries/cloudFormation/aws_bom/sqs/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/sqs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "CloudFormation",
 "descriptionID": "c57e306b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json
index 97c75191958..f86d3ec9784 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html",
 "platform": "CloudFormation",
 "descriptionID": "b2bb4961",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json
index e91f463e9e9..f6fcd2fdd68 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-cacheclusterenabled",
 "platform": "CloudFormation",
 "descriptionID": "1ce59cab",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json
index 38ad835940d..f7a93af32e7 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-endpointconfiguration",
 "platform": "CloudFormation",
 "descriptionID": "f86c03cc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json
index 6a7785da8a2..615e201524a 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-minimumcompressionsize",
 "platform": "CloudFormation",
 "descriptionID": "745a11d2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json
index 79dfa300902..e81d88902fd 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled",
 "platform": "CloudFormation",
 "descriptionID": "ba685b50",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json
index c7a41b369f1..d8e6d081d6a 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-kmskeyarn",
 "platform": "CloudFormation",
 "descriptionID": "f218e4bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json
index 6c46195d325..b845a92b3a9 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-deadletterqueue",
 "platform": "CloudFormation",
 "descriptionID": "1142bb9f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json
index 0884a37260e..e257163e7ce 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tags",
 "platform": "CloudFormation",
 "descriptionID": "fa1b224c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json
index 804ab489a89..b03bb972c57 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-role",
 "platform": "CloudFormation",
 "descriptionID": "50e760ce",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json
index bba38cd347d..53acfed5ae8 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing",
 "platform": "CloudFormation",
 "descriptionID": "b0a83f52",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/metadata.json b/assets/queries/common/passwords_and_secrets/metadata.json
index e8768bb0534..5c67ba11bd7 100644
--- a/assets/queries/common/passwords_and_secrets/metadata.json
+++ b/assets/queries/common/passwords_and_secrets/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.kics.io/latest/secrets/",
 "platform": "Common",
 "descriptionID": "d69d8a89",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
index ec896563442..5409fa1cb5f 100644
--- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging",
 "platform": "Crossplane",
 "descriptionID": "48cd0b5a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index d1ac056351f..33c7fb5246d 100644
--- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion",
 "platform": "Crossplane",
 "descriptionID": "11cca65a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json b/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
index 849196bdd87..339c2605a6d 100644
--- a/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-webACLID",
 "platform": "Crossplane",
 "descriptionID": "c5493606",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
index 20c67c3a750..895d60f5662 100644
--- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/v1alpha1@v0.29.0#spec-forProvider-retentionInDays",
 "platform": "Crossplane",
 "descriptionID": "9ce0c6f8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
index 72cf178dd7f..05b56465f05 100644
--- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted",
 "platform": "Crossplane",
 "descriptionID": "e40c8a7e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
index 2fea48396d3..8ad2d2ed495 100644
--- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
+++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp",
 "platform": "Crossplane",
 "descriptionID": "c26de1ff",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json b/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
index 8a7c8c69f8b..88c48349e59 100644
--- a/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/v1alpha1@v0.21.1#status-atProvider-enabledCloudwatchLogsExports",
 "platform": "Crossplane",
 "descriptionID": "60b6794e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json b/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
index c8e6975af7b..7ecfbdfd78c 100644
--- a/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-encrypted",
 "platform": "Crossplane",
 "descriptionID": "de7bf263",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/efs_without_kms/metadata.json b/assets/queries/crossplane/aws/efs_without_kms/metadata.json
index 9cab7aaa885..a98fd7abd2f 100644
--- a/assets/queries/crossplane/aws/efs_without_kms/metadata.json
+++ b/assets/queries/crossplane/aws/efs_without_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID",
 "platform": "Crossplane",
 "descriptionID": "2643a873",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json
index e03460f4aa8..a4cfe8726d8 100644
--- a/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/v1alpha1@v0.29.0#spec-forProvider-sslPolicy",
 "platform": "Crossplane",
 "descriptionID": "53318133",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
index 0af17b56f4c..b165af8ee3a 100644
--- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/v1alpha1@v0.29.0#spec-forProvider-storageEncrypted",
 "platform": "Crossplane",
 "descriptionID": "f7998100",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
index 4d317a55939..2cafe8a5691 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "d9dc6429-5140-498a-8f55-a10daac5f000",
- "queryName": "RDS DB Instance Publicly Accessible",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it",
- "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0",
- "platform": "Crossplane",
- "descriptionID": "d7566b63",
- "cloudProvider": "aws"
- }
\ No newline at end of file
+ "id": "d9dc6429-5140-498a-8f55-a10daac5f000",
+ "queryName": "RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0",
+ "platform": "Crossplane",
+ "descriptionID": "d7566b63",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json
index 31a6d51b2e6..8d4f2071f6d 100644
--- a/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId",
 "platform": "Crossplane",
 "descriptionID": "ed3868e0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
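Review bot: The rewritten descriptionText line keeps a stray quote in `dbSubnetGroupName' subnets` and a "neither … " clause with no "nor", so the user-facing finding text reads as broken; since the whole line is already being re-emitted, this is the moment to fix it. Something like `... must be set to false, and the 'dbSubnetGroupName' subnets must not belong to a VPC that has an Internet gateway attached` states the same two conditions without the dangling construction. The HIGH severity and the public-exposure subject also make this one of the entries where an empty `"CWE": ""` is least defensible.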
diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json b/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json
index ece8c2ca661..c8c217d5ee7 100644
--- a/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json
+++ b/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/v1alpha3@v0.19.0#spec-disableRBAC",
 "platform": "Crossplane",
 "descriptionID": "b9f4440e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
index a0fa3173e8f..065150f04a8 100644
--- a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/v1beta1@v0.19.0#spec-forProvider-enableNonSslPort",
 "platform": "Crossplane",
 "descriptionID": "d7cbff51",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index 3113aecef89..448d9606f15 100644
--- a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging",
 "platform": "Crossplane",
 "descriptionID": "49295adb",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index befe46586e3..334aaa15fda 100644
--- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair",
 "platform": "Crossplane",
 "descriptionID": "bc1c198b",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/cgroup_not_default/metadata.json b/assets/queries/dockerCompose/cgroup_not_default/metadata.json
index 0b98fb1b427..1f2acf12817 100644
--- a/assets/queries/dockerCompose/cgroup_not_default/metadata.json
+++ b/assets/queries/dockerCompose/cgroup_not_default/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent",
 "platform": "DockerCompose",
- "descriptionID": "b3657456"
-}
+ "descriptionID": "b3657456",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json
index e02eb6fddf9..9d6cfeff1d6 100644
--- a/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json
+++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "ce76b7d0-9e77-464d-b86f-c5c48e03e22d",
- "queryName": "Container Capabilities Unrestricted",
- "severity": "LOW",
- "category": "Resource Management",
- "descriptionText": "Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
- "platform": "DockerCompose",
- "descriptionID": "1ddab108"
- }
+ "id": "ce76b7d0-9e77-464d-b86f-c5c48e03e22d",
+ "queryName": "Container Capabilities Unrestricted",
+ "severity": "LOW",
+ "category": "Resource Management",
+ "descriptionText": "Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
+ "platform": "DockerCompose",
+ "descriptionID": "1ddab108",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
index bb49059986e..cb944ac4d17 100644
--- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
+++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Incoming container traffic should be bound to a specific host interface",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#ports",
 "platform": "DockerCompose",
- "descriptionID": "909d1bcd"
-}
+ "descriptionID": "909d1bcd",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/cpus_not_limited/metadata.json b/assets/queries/dockerCompose/cpus_not_limited/metadata.json
index 85d702c70db..9fc417f87e8 100644
--- a/assets/queries/dockerCompose/cpus_not_limited/metadata.json
+++ b/assets/queries/dockerCompose/cpus_not_limited/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "6b610c50-99fb-4ef0-a5f3-e312fd945bc3",
- "queryName": "Cpus Not Limited",
- "severity": "LOW",
- "category": "Resource Management",
- "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
- "platform": "DockerCompose",
- "descriptionID": "d58d94a1"
-}
+ "id": "6b610c50-99fb-4ef0-a5f3-e312fd945bc3",
+ "queryName": "Cpus Not Limited",
+ "severity": "LOW",
+ "category": "Resource Management",
+ "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
+ "platform": "DockerCompose",
+ "descriptionID": "d58d94a1",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
index a4f7ae10edc..abc13516acf 100644
--- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
+++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
 "platform": "DockerCompose",
- "descriptionID": "3702d7fb"
-}
+ "descriptionID": "3702d7fb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json b/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json
index 5e0d6641473..16770ac7cbd 100644
--- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json
+++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b",
- "queryName": "Docker Socket Mounted In Container",
- "severity": "HIGH",
- "category": "Build Process",
- "descriptionText": "Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/#volumes",
- "platform": "DockerCompose",
- "descriptionID": "8acc9d24"
-}
+ "id": "d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b",
+ "queryName": "Docker Socket Mounted In Container",
+ "severity": "HIGH",
+ "category": "Build Process",
+ "descriptionText": "Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/#volumes",
+ "platform": "DockerCompose",
+ "descriptionID": "8acc9d24",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/healthcheck_not_set/metadata.json b/assets/queries/dockerCompose/healthcheck_not_set/metadata.json
index 3b4e2487bcf..ca0980c93f9 100644
--- a/assets/queries/dockerCompose/healthcheck_not_set/metadata.json
+++ b/assets/queries/dockerCompose/healthcheck_not_set/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "698ed579-b239-4f8f-a388-baa4bcb13ef8",
- "queryName": "Healthcheck Not Set",
- "severity": "MEDIUM",
- "category": "Availability",
- "descriptionText": "Check containers periodically to see if they are running properly.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck",
- "platform": "DockerCompose",
- "descriptionID": "449b7c5c"
-}
+ "id": "698ed579-b239-4f8f-a388-baa4bcb13ef8",
+ "queryName": "Healthcheck Not Set",
+ "severity": "MEDIUM",
+ "category": "Availability",
+ "descriptionText": "Check containers periodically to see if they are running properly.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck",
+ "platform": "DockerCompose",
+ "descriptionID": "449b7c5c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json b/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json
index ed7e2ebeacd..a83b567edb9 100644
--- a/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json
+++ b/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "4f31dd9f-2cc3-4751-9b53-67e4af83dac0",
- "queryName": "Host Namespace is Shared",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "The hosts process namespace should not be shared by containers",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#pid",
- "platform": "DockerCompose",
- "descriptionID": "39a43177"
-}
+ "id": "4f31dd9f-2cc3-4751-9b53-67e4af83dac0",
+ "queryName": "Host Namespace is Shared",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "The hosts process namespace should not be shared by containers",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#pid",
+ "platform": "DockerCompose",
+ "descriptionID": "39a43177",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/memory_not_limited/metadata.json b/assets/queries/dockerCompose/memory_not_limited/metadata.json
index a54da35adfd..aa797c1bfbe 100644
--- a/assets/queries/dockerCompose/memory_not_limited/metadata.json
+++ b/assets/queries/dockerCompose/memory_not_limited/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "bb9ac4f7-e13b-423d-a010-c74a1bfbe492",
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
- "platform": "DockerCompose",
- "descriptionID": "8fcb9f7d"
-}
+ "id": "bb9ac4f7-e13b-423d-a010-c74a1bfbe492",
+ "queryName": "Memory Not Limited",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
+ "platform": "DockerCompose",
+ "descriptionID": "8fcb9f7d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/networks_not_set/metadata.json b/assets/queries/dockerCompose/networks_not_set/metadata.json
index 3f0f79b3ae8..eb4fd068519 100644
--- a/assets/queries/dockerCompose/networks_not_set/metadata.json
+++ b/assets/queries/dockerCompose/networks_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#networks",
 "platform": "DockerCompose",
- "descriptionID": "3743a217"
-}
+ "descriptionID": "3743a217",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json b/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json
index 3dc7c569e4d..6890825be11 100644
--- a/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json
+++ b/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "27fcc7d6-c49b-46e0-98f1-6c082a6a2750",
- "queryName": "No New Privileges Not Set",
- "severity": "HIGH",
- "category": "Resource Management",
- "descriptionText": "Ensuring the process does not gain any new privileges lessens the risk associated with many operations.",
- "descriptionUrl": "https://docs.docker.com/engine/reference/run/#security-configuration",
- "platform": "DockerCompose",
- "descriptionID": "be48e182"
-}
+ "id": "27fcc7d6-c49b-46e0-98f1-6c082a6a2750",
+ "queryName": "No New Privileges Not Set",
+ "severity": "HIGH",
+ "category": "Resource Management",
+ "descriptionText": "Ensuring the process does not gain any new privileges lessens the risk associated with many operations.",
+ "descriptionUrl": "https://docs.docker.com/engine/reference/run/#security-configuration",
+ "platform": "DockerCompose",
+ "descriptionID": "be48e182",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/pids_limit_not_set/metadata.json b/assets/queries/dockerCompose/pids_limit_not_set/metadata.json
index 70b2c3940bc..7773f8e938d 100644
--- a/assets/queries/dockerCompose/pids_limit_not_set/metadata.json
+++ b/assets/queries/dockerCompose/pids_limit_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "'pids_limit' should be set and different than -1",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
 "platform": "DockerCompose",
- "descriptionID": "2d241407"
-}
+ "descriptionID": "2d241407",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json b/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json
index 7492b2900cb..fcfb9c0f74a 100644
--- a/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json
+++ b/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "ae5b6871-7f45-42e0-bb4c-ab300c4d2026",
- "queryName": "Privileged Containers Enabled",
- "severity": "HIGH",
- "category": "Resource Management",
- "descriptionText": "Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/#privileged",
- "platform": "DockerCompose",
- "descriptionID": "029f6145"
- }
+ "id": "ae5b6871-7f45-42e0-bb4c-ab300c4d2026",
+ "queryName": "Privileged Containers Enabled",
+ "severity": "HIGH",
+ "category": "Resource Management",
+ "descriptionText": "Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/#privileged",
+ "platform": "DockerCompose",
+ "descriptionID": "029f6145",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json
index 35aa77526c3..581f054c69f 100644
--- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json
+++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "bc2908f3-f73c-40a9-8793-c1b7d5544f79",
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "category": "Networking and Firewall",
- "descriptionText": "Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
- "platform": "DockerCompose",
- "descriptionID": "686dd55f"
- }
+ "id": "bc2908f3-f73c-40a9-8793-c1b7d5544f79",
+ "queryName": "Privileged Ports Mapped In Container",
+ "severity": "MEDIUM",
+ "category": "Networking and Firewall",
+ "descriptionText": "Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
+ "platform": "DockerCompose",
+ "descriptionID": "686dd55f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json
index 1598649024f..cd1a569f4ec 100644
--- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json
+++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "2fc99041-ddad-49d5-853f-e35e70a48391",
- "queryName": "Restart Policy On Failure Not Set To 5",
- "severity": "MEDIUM",
- "category": "Build Process",
- "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.",
- "descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
- "platform": "DockerCompose",
- "descriptionID": "d21fff2e"
- }
+ "id": "2fc99041-ddad-49d5-853f-e35e70a48391",
+ "queryName": "Restart Policy On Failure Not Set To 5",
+ "severity": "MEDIUM",
+ "category": "Build Process",
+ "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.",
+ "descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
+ "platform": "DockerCompose",
+ "descriptionID": "d21fff2e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/security_opt_not_set/metadata.json b/assets/queries/dockerCompose/security_opt_not_set/metadata.json
index cea63c2c10d..bc0c70fbeed 100644
--- a/assets/queries/dockerCompose/security_opt_not_set/metadata.json
+++ b/assets/queries/dockerCompose/security_opt_not_set/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "610e266e-6c12-4bca-9925-1ed0cd29742b",
- "queryName": "Security Opt Not Set",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Attribute 'security_opt' should be defined.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
- "platform": "DockerCompose",
- "descriptionID": "83fb7a65"
- }
+ "id": "610e266e-6c12-4bca-9925-1ed0cd29742b",
+ "queryName": "Security Opt Not Set",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Attribute 'security_opt' should be defined.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
+ "platform": "DockerCompose",
+ "descriptionID": "83fb7a65",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
index 0b2e053f79b..e01edae2b8c 100644
--- a/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not share the host IPC namespace",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
 "platform": "DockerCompose",
- "descriptionID": "987dc2d7"
-}
+ "descriptionID": "987dc2d7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json
index ba01b9c9ed6..01f26ea99c1 100644
--- a/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "071a71ff-f868-47a4-ac0b-3c59e4ab5443",
- "queryName": "Shared Host Network Namespace",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Container should not share the host network namespace",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
- "platform": "DockerCompose",
- "descriptionID": "25acba10"
-}
+ "id": "071a71ff-f868-47a4-ac0b-3c59e4ab5443",
+ "queryName": "Shared Host Network Namespace",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Container should not share the host network namespace",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
+ "platform": "DockerCompose",
+ "descriptionID": "25acba10",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json
index 119621ad2d3..9d824625eba 100644
--- a/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "8af7162d-6c98-482f-868e-0d33fb675ca8",
- "queryName": "Shared Host User Namespace",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "The host's user namespace should not be shared.",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode",
- "platform": "DockerCompose",
- "descriptionID": "b7859ec8"
-}
+ "id": "8af7162d-6c98-482f-868e-0d33fb675ca8",
+ "queryName": "Shared Host User Namespace",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "The host's user namespace should not be shared.",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode",
+ "platform": "DockerCompose",
+ "descriptionID": "b7859ec8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json
index b8dd6193ade..47cee5063d7 100644
--- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json
+++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "1c1325ff-831d-43a1-973e-839ae57dfcc0",
- "queryName": "Volume Has Sensitive Host Directory",
- "severity": "HIGH",
- "category": "Build Process",
- "descriptionText": "Container has sensitive host directory mounted as a volume",
- "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference",
- "platform": "DockerCompose",
- "descriptionID": "8361cc0a"
-}
+ "id": "1c1325ff-831d-43a1-973e-839ae57dfcc0",
+ "queryName": "Volume Has Sensitive Host Directory",
+ "severity": "HIGH",
+ "category": "Build Process",
+ "descriptionText": "Container has sensitive host directory mounted as a volume",
+ "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference",
+ "platform": "DockerCompose",
+ "descriptionID": "8361cc0a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json
index 967b56a5adf..4f3b167abbe 100644
--- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json
+++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes",
 "platform": "DockerCompose",
- "descriptionID": "1c7ca167"
-}
+ "descriptionID": "1c7ca167",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/metadata.json b/assets/queries/dockerfile/add_instead_of_copy/metadata.json
index b6ba730e2f6..c4e47aa4474 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/metadata.json
+++ b/assets/queries/dockerfile/add_instead_of_copy/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#add",
 "platform": "Dockerfile",
- "descriptionID": "0aedd324"
-}
+ "descriptionID": "0aedd324",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json
index b55d42bd18c..903ef925e26 100644
--- a/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
- "descriptionID": "d44503b8"
-}
+ "descriptionID": "d44503b8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json
index 32d55ab2c81..93334597e0b 100644
--- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json
+++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "After using apt-get install, it is needed to delete apt-get lists",
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
- "descriptionID": "4236a50c"
-}
+ "descriptionID": "4236a50c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json
index cc654770341..b1223ca2273 100644
--- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json
+++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When installing a package, its pin version should be defined",
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
- "descriptionID": "e0e1edad"
-}
+ "descriptionID": "e0e1edad",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json
index 559b3f4be55..6585017cf67 100644
--- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json
+++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if apt-get calls use the flag -y to avoid user manual input.",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
- "descriptionID": "2064113b"
-}
+ "descriptionID": "2064113b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json
index ab84dae4624..bb0942fb133 100644
--- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json
+++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
- "descriptionID": "2e92d18c"
-}
+ "descriptionID": "2e92d18c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json
index 0714beb7ec5..f4714067bd6 100644
--- a/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json
+++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#shell",
 "platform": "Dockerfile",
- "descriptionID": "d859b2eb"
-}
+ "descriptionID": "d859b2eb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/chown_flag_exists/metadata.json b/assets/queries/dockerfile/chown_flag_exists/metadata.json
index d39b30bf68d..af1874ed881 100644
--- a/assets/queries/dockerfile/chown_flag_exists/metadata.json
+++ b/assets/queries/dockerfile/chown_flag_exists/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership",
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
- "descriptionID": "ba0a34dc"
-}
+ "descriptionID": "ba0a34dc",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json
index d57bc9e117f..e61c09dd84c 100644
--- a/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json
+++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself",
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
 "platform": "Dockerfile",
- "descriptionID": "a248d89e"
-}
+ "descriptionID": "a248d89e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json
index 2473f73bb45..90c220808ba 100644
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When a COPY command has more than two arguments, the last one should end with a slash",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#copy",
 "platform": "Dockerfile",
- "descriptionID": "bab38efd"
-}
+ "descriptionID": "bab38efd",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json
index 98a08aa80ce..de19483c861 100644
--- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged",
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
- "descriptionID": "29e8216b"
-}
+ "descriptionID": "29e8216b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/exposing_port_22/metadata.json b/assets/queries/dockerfile/exposing_port_22/metadata.json
index ea4b35c7f6e..cf4ca11708b 100644
--- a/assets/queries/dockerfile/exposing_port_22/metadata.json
+++ b/assets/queries/dockerfile/exposing_port_22/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Expose only the ports that your application needs and avoid exposing ports like SSH (22)",
 "descriptionUrl": "https://sysdig.com/blog/dockerfile-best-practices/",
 "platform": "Dockerfile",
- "descriptionID": "79731185"
-}
+ "descriptionID": "79731185",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/gem_install_without_version/metadata.json b/assets/queries/dockerfile/gem_install_without_version/metadata.json
index 5446d9dea0b..b656622fe58 100644
--- a/assets/queries/dockerfile/gem_install_without_version/metadata.json
+++ b/assets/queries/dockerfile/gem_install_without_version/metadata.json
@@ -3,8 +3,9 @@
 "queryName": "Gem Install Without Version",
 "severity": "MEDIUM",
 "category": "Supply-Chain",
- "descriptionText": "Instead of 'gem install ' we should use 'gem install :'",
+ "descriptionText": "Instead of 'gem install \u003cgem\u003e' we should use 'gem install \u003cgem\u003e:\u003cversion\u003e'",
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
- "descriptionID": "0586ed55"
-}
+ "descriptionID": "0586ed55",
+ "CWE": ""
+}
\ No newline at end of file
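Review bot: The restored placeholders in the gem_install_without_version descriptionText are stored as `\u003cgem\u003e` and `\u003cversion\u003e` instead of literal angle brackets, which is valid JSON but leaves the repository copy hard to read and suggests the files were regenerated through an HTML-escaping serializer (Go's encoding/json escapes `<` and `>` this way unless SetEscapeHTML(false) is set on the encoder). The old text, `'gem install '` with the placeholders missing entirely, looks like the result of an earlier tool stripping them as if they were tags, so the same pipeline may erase them again. Write the line as `"descriptionText": "Instead of 'gem install <gem>' we should use 'gem install <gem>:<version>'",` and, if a generator is in use, turn off HTML escaping so the other description texts are not rewritten the same way on the next run.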
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json b/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json
index 44925751242..1ca99a99b3e 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#healthcheck",
 "platform": "Dockerfile",
- "descriptionID": "426121ee"
-}
+ "descriptionID": "426121ee",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_not_explicit/metadata.json b/assets/queries/dockerfile/image_version_not_explicit/metadata.json
index 64019ba4267..1b7b4e29693 100644
--- a/assets/queries/dockerfile/image_version_not_explicit/metadata.json
+++ b/assets/queries/dockerfile/image_version_not_explicit/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Always tag the version of an image explicitly",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
 "platform": "Dockerfile",
- "descriptionID": "4f469f06"
-}
+ "descriptionID": "4f469f06",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_using_latest/metadata.json b/assets/queries/dockerfile/image_version_using_latest/metadata.json
index 9518b45978c..d25b47df15d 100644
--- a/assets/queries/dockerfile/image_version_using_latest/metadata.json
+++ b/assets/queries/dockerfile/image_version_using_latest/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag",
 "descriptionUrl": "https://docs.docker.com/develop/dev-best-practices/",
 "platform": "Dockerfile",
- "descriptionID": "22f535ec"
-}
+ "descriptionID": "22f535ec",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/last_user_is_root/metadata.json b/assets/queries/dockerfile/last_user_is_root/metadata.json
index 3b8cfb99a3b..76116dda6cd 100644
--- a/assets/queries/dockerfile/last_user_is_root/metadata.json
+++ b/assets/queries/dockerfile/last_user_is_root/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges",
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#user",
 "platform": "Dockerfile",
- "descriptionID": "f445bd25"
-}
+ "descriptionID": "f445bd25",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json b/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json
index 5f81ebe2382..e7ad0503c06 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#maintainer-deprecated",
  "platform": "Dockerfile",
- "descriptionID": "9d9cbf83"
-}
+ "descriptionID": "9d9cbf83",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json b/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json
index 6cd7efce8c9..168aa053df4 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Cached package data should be cleaned after installation to reduce image size",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
  "platform": "Dockerfile",
- "descriptionID": "8f8497d7"
-}
+ "descriptionID": "8f8497d7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json
index 0f608fe8543..18adef23c78 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "efc680ea"
-}
+ "descriptionID": "efc680ea",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_user_instruction/metadata.json b/assets/queries/dockerfile/missing_user_instruction/metadata.json
index 006066c49e5..7509191e332 100644
--- a/assets/queries/dockerfile/missing_user_instruction/metadata.json
+++ b/assets/queries/dockerfile/missing_user_instruction/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "A user should be specified in the dockerfile, otherwise the image will run as root",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#user",
  "platform": "Dockerfile",
- "descriptionID": "eb49caf6"
-}
+ "descriptionID": "eb49caf6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json
index 6aa84bc0bca..b9a5cd284a0 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Specifying a package version allows to reduce failures due to unanticipated changes in required packages.",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
  "platform": "Dockerfile",
- "descriptionID": "0ab4ed7e"
-}
+ "descriptionID": "0ab4ed7e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_zypper_clean/metadata.json b/assets/queries/dockerfile/missing_zypper_clean/metadata.json
index 3b3cf3402db..ee40b33a252 100644
--- a/assets/queries/dockerfile/missing_zypper_clean/metadata.json
+++ b/assets/queries/dockerfile/missing_zypper_clean/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Reduce layer and image size by deleting unneeded caches after running zypper",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "a95b2646"
-}
+ "descriptionID": "a95b2646",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json
index e61e19d9c34..28ad5c552f2 100644
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json
+++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "b3efa689"
-}
+ "descriptionID": "b3efa689",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json
index 45eabc93917..82a747360c6 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#cmd",
  "platform": "Dockerfile",
- "descriptionID": "96f59ca3"
-}
+ "descriptionID": "96f59ca3",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json
index 190e3909d80..88bce687f83 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#entrypoint",
  "platform": "Dockerfile",
- "descriptionID": "03be1867"
-}
+ "descriptionID": "03be1867",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json
index 3c920a10af8..8d9754b7edf 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.",
  "descriptionUrl": "https://sysdig.com/blog/dockerfile-best-practices/",
  "platform": "Dockerfile",
- "descriptionID": "29bd3a34"
-}
+ "descriptionID": "29bd3a34",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json
index 8aeb29555fc..21a17e759dc 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#entrypoint",
  "platform": "Dockerfile",
- "descriptionID": "070b84da"
-}
+ "descriptionID": "070b84da",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json b/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json
index ecaf462212f..23f7f6e5fa7 100644
--- a/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json
+++ b/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Check if packages installed by npm are pinning a specific version.",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
  "platform": "Dockerfile",
- "descriptionID": "8bd60033"
-}
+ "descriptionID": "8bd60033",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json
index f0ad6ddd386..e14a66349d6 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
  "platform": "Dockerfile",
- "descriptionID": "a6eb5f34"
-}
+ "descriptionID": "a6eb5f34",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json
index 20ad068fe88..6b57764288b 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir",
  "platform": "Dockerfile",
- "descriptionID": "edd9f7d3"
-}
+ "descriptionID": "edd9f7d3",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_apt/metadata.json b/assets/queries/dockerfile/run_using_apt/metadata.json
index 4da23ffeaf4..76a168bb17e 100644
--- a/assets/queries/dockerfile/run_using_apt/metadata.json
+++ b/assets/queries/dockerfile/run_using_apt/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "6cb53718"
-}
+ "descriptionID": "6cb53718",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_sudo/metadata.json b/assets/queries/dockerfile/run_using_sudo/metadata.json
index 46a554ca499..cf83ac3d5c6 100644
--- a/assets/queries/dockerfile/run_using_sudo/metadata.json
+++ b/assets/queries/dockerfile/run_using_sudo/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Avoid RUN with sudo command as it leads to unpredictable behavior",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
  "platform": "Dockerfile",
- "descriptionID": "c4f2e24a"
-}
+ "descriptionID": "c4f2e24a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json b/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json
index 3232b11cabd..817af6880b0 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "22261deb"
-}
+ "descriptionID": "22261deb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json
index 31f84dea826..f1caa600186 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Some POSIX commands and interactive utilities shouldn't run inside a Docker Container",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
  "platform": "Dockerfile",
- "descriptionID": "677fa9a6"
-}
+ "descriptionID": "677fa9a6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json b/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json
index f297acde141..5c6680ed0d6 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Different FROMS cant have the same alias defined",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
  "platform": "Dockerfile",
- "descriptionID": "c923ad4b"
-}
+ "descriptionID": "c923ad4b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json
index 3177b662b65..3ef64a92feb 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
  "platform": "Dockerfile",
- "descriptionID": "26810b44"
-}
+ "descriptionID": "26810b44",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json b/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json
index 356c5a12a1e..0185bb57213 100644
--- a/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Exposing UNIX ports out of range from 0 to 65535",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#expose",
  "platform": "Dockerfile",
- "descriptionID": "fed3d812"
-}
+ "descriptionID": "fed3d812",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json
index 3664b179d55..795ae091e4b 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
  "platform": "Dockerfile",
- "descriptionID": "adb9d5d5"
-}
+ "descriptionID": "adb9d5d5",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json
index 7f3f6fe0613..cfdc89fcf1e 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
  "platform": "Dockerfile",
- "descriptionID": "37db3a53"
-}
+ "descriptionID": "37db3a53",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/update_instruction_alone/metadata.json b/assets/queries/dockerfile/update_instruction_alone/metadata.json
index 971cdae6bc5..7ab36690a3a 100644
--- a/assets/queries/dockerfile/update_instruction_alone/metadata.json
+++ b/assets/queries/dockerfile/update_instruction_alone/metadata.json
@@ -3,8 +3,9 @@
  "queryName": "Update Instruction Alone",
  "severity": "MEDIUM",
  "category": "Build Process",
- "descriptionText": "Instruction 'RUN update' should always be followed by ' install' in the same RUN statement",
+ "descriptionText": "Instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "3785203d"
-}
+ "descriptionID": "3785203d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/using_platform_with_from/metadata.json b/assets/queries/dockerfile/using_platform_with_from/metadata.json
index 0a05f26e1b0..7e2d96c84fe 100644
--- a/assets/queries/dockerfile/using_platform_with_from/metadata.json
+++ b/assets/queries/dockerfile/using_platform_with_from/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Don't use '--platform' flag with FROM",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
  "platform": "Dockerfile",
- "descriptionID": "5bd0baab"
-}
+ "descriptionID": "5bd0baab",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json b/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json
index a86ba7ad0e7..ed7dc34c428 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": " This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
  "platform": "Dockerfile",
- "descriptionID": "dea09829"
-}
+ "descriptionID": "dea09829",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json b/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
index ecbeb04582d..3c0675c62c5 100644
--- a/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability",
  "descriptionUrl": "https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html",
  "platform": "Dockerfile",
- "descriptionID": "e0d6ef5e"
-}
+ "descriptionID": "e0d6ef5e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json b/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json
index 5a5011359fb..fc296d85782 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "For clarity and reliability, you should always use absolute paths for your WORKDIR",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir",
  "platform": "Dockerfile",
- "descriptionID": "bfe0be8b"
-}
+ "descriptionID": "bfe0be8b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/metadata.json b/assets/queries/dockerfile/yum_clean_all_missing/metadata.json
index 39de0959afb..c6f9004d762 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/metadata.json
+++ b/assets/queries/dockerfile/yum_clean_all_missing/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "714267a2"
-}
+ "descriptionID": "714267a2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json b/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json
index f78a14d926c..de3c0c9bf93 100644
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json
@@ -3,8 +3,9 @@
  "queryName": "Yum Install Allows Manual Input",
  "severity": "MEDIUM",
  "category": "Supply-Chain",
- "descriptionText": "Need to use -y to avoid manual input 'yum install -y '",
+ "descriptionText": "Need to use -y to avoid manual input 'yum install -y \u003cpackage\u003e'",
  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
  "platform": "Dockerfile",
- "descriptionID": "f17a245a"
-}
+ "descriptionID": "f17a245a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/yum_install_without_version/metadata.json b/assets/queries/dockerfile/yum_install_without_version/metadata.json
index 85124653395..f07bc7d3f7d 100644
--- a/assets/queries/dockerfile/yum_install_without_version/metadata.json
+++ b/assets/queries/dockerfile/yum_install_without_version/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Not specifying the package version can cause failures due to unanticipated changes in required packages",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "19d4cfc7"
-}
+ "descriptionID": "19d4cfc7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/zypper_install_without_version/metadata.json b/assets/queries/dockerfile/zypper_install_without_version/metadata.json
index 463e14bfb2e..520d5ba08d1 100644
--- a/assets/queries/dockerfile/zypper_install_without_version/metadata.json
+++ b/assets/queries/dockerfile/zypper_install_without_version/metadata.json
@@ -6,5 +6,6 @@
  "descriptionText": "Not specifying the package version can cause failures due to unanticipated changes in required packages",
  "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
  "platform": "Dockerfile",
- "descriptionID": "42d36068"
-}
+ "descriptionID": "42d36068",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json
index 7a7f00c5541..f3371102534 100644
--- a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "6737ca8f",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json
index bb48a9c4fa8..ebdaf4f2fd7 100644
--- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "97c49cde",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json
index 7a04b010668..e94e776dc3e 100644
--- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "e74562aa",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json
index 6cced359474..149e9c7a344 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/dns/docs/reference/v1/managedZones",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "d926ffb6",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
index b7b5d4f3795..c184093563b 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "2146c969",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
index 2a9eb7b36d7..fc21d25ae11 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "f767772d",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index ca547dfd732..4988a450a55 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "9b7ba7de",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json
index 0ba353105c6..c2680e026c6 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "8c094804",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json
index 7f04cf21ce7..333ef3fbc54 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "4a9cd0c6",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json
index 4ec77195c59..c8b0202084e 100644
--- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "9f60c421",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json
index 096639bccc1..a54796b0eb8 100644
--- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters.nodePools",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "5915a575",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json
index 71e481c4b05..cd172b20266 100644
--- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
  "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
  "platform": "GoogleDeploymentManager",
  "descriptionID": "107eb8fb",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json
index 2b1d626682a..c7eb295a9bc 100644
--- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/dns/docs/reference/v1/managedZones",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "7f322f20",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json
index 19269a79dd1..01ce2ef4308 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.LegacyAbac",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "3de820a0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json
index b41ff8f5cfe..ebfb6c1fbd9 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "be3364b4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json
index 9edd01cc6d6..ecebd6953e5 100644
--- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "d9594b64",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json
index c816adeeb59..da7daa672fe 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "34473a24",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json
index 87a01fa59cf..d3ad194d807 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "dc6dbaa9",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json
index 1bd2c62dba6..c491d6f4f6e 100644
--- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "66f8ba25",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json
index 5ca8b5510ab..9df79578bf1 100644
--- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "e28f5312",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json
index 491a536aaa2..670494467a8 100644
--- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "40051d4a",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json
index 03e965d6a84..419fc79d31b 100644
--- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "a21b8df4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json
index 5ae912df5eb..dbab6fcccaf 100644
--- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "0908cbc4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json
index b99a0d8d93f..cf0710ccfb9 100644
--- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "c65a868d",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
index 3d81656af6c..27d620ccaf8 100644
--- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "5e36c46d",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json
index dc50c3411ee..02510e423ae 100644
--- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/firewalls",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "cae2eeea",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json
index d40c74c9f22..8e3c630c825 100644
--- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "c67722e8",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json
index bf6824fa14d..c35ac960785 100644
--- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "45790b7e",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index e9ba27827b8..ccd8532c6ab 100644
--- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "b42ee5a9",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json
index f235bf2c023..90717ac259a 100644
--- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/firewalls",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "10629ac9",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json
index bfda2d15d65..0b5c33f3852 100644
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "ba92577c",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json
index ca37189661d..fb3a3577189 100644
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "c1eb34ef",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json b/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json
index 49582ee5e7e..021e687c3e6 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "268c65a8-58ad-43e4-9019-1a9bbc56749f",
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.",
- "descriptionUrl": "https://kics.io",
- "platform": "GoogleDeploymentManager",
- "descriptionID": "3db91dc6",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "268c65a8-58ad-43e4-9019-1a9bbc56749f",
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "GoogleDeploymentManager",
+ "descriptionID": "3db91dc6",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json b/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json
index f4d72f75a64..9169bb082d9 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "e96debd4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json b/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json
index 138cd3960d0..242303e2814 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59",
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.",
- "descriptionUrl": "https://kics.io",
- "platform": "GoogleDeploymentManager",
- "descriptionID": "7f40edaa",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59",
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "GoogleDeploymentManager",
+ "descriptionID": "7f40edaa",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/grpc/enum_name_not_camel_case/metadata.json b/assets/queries/grpc/enum_name_not_camel_case/metadata.json
index 2fe632c6778..b8cf0e8bb75 100644
--- a/assets/queries/grpc/enum_name_not_camel_case/metadata.json
+++ b/assets/queries/grpc/enum_name_not_camel_case/metadata.json
@@ -5,6 +5,7 @@
 "category": "Best Practices",
 "descriptionText": "All Enum Names should follow CamelCase and start with Capital Letter",
 "descriptionUrl": "https://developers.google.com/protocol-buffers/docs/reference/proto3-spec#enum_definition",
+ "platform": "GRPC",
 "descriptionID": "a780a54d",
- "platform": "GRPC"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json b/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json
index 8558f38ae1f..4a5a02f3e11 100644
--- a/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json
+++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "782a8f84"
-}
+ "descriptionID": "782a8f84",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json
index 6d089d7859d..a4e83b456b6 100644
--- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "503bf412"
-}
+ "descriptionID": "503bf412",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json
index 42601b812ac..716251ee596 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
- "descriptionID": "2e5b19cc"
+ "descriptionID": "2e5b19cc",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json
index 4bc435f4663..103e0a53674 100644
--- a/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json
+++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "a5bc6d07"
-}
+ "descriptionID": "a5bc6d07",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json
index 04e99900ae3..15b0014d762 100644
--- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json
+++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "eb8a6c2a"
-}
+ "descriptionID": "eb8a6c2a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
index 53234e59a12..c0eccdacf0e 100644
--- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
+++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "9609fc23"
-}
+ "descriptionID": "9609fc23",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_path_not_set/metadata.json b/assets/queries/k8s/audit_log_path_not_set/metadata.json
index 3857eec6295..1882fbcd477 100644
--- a/assets/queries/k8s/audit_log_path_not_set/metadata.json
+++ b/assets/queries/k8s/audit_log_path_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'audit-log-path' flag should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "21d0f732"
-}
+ "descriptionID": "21d0f732",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_policy_file_not_defined/metadata.json b/assets/queries/k8s/audit_policy_file_not_defined/metadata.json
index 94ab0233ffe..65d684d6876 100644
--- a/assets/queries/k8s/audit_policy_file_not_defined/metadata.json
+++ b/assets/queries/k8s/audit_policy_file_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--audit-policy-file' flag should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "7ae0f3cb"
-}
+ "descriptionID": "7ae0f3cb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json
index d49d18b65e8..e36e0bce2bf 100644
--- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json
+++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",
 "platform": "Kubernetes",
- "descriptionID": "4a720a0c"
-}
+ "descriptionID": "4a720a0c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/metadata.json b/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
index d34f556a738..4b4d6023b92 100644
--- a/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
+++ b/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "1d944481"
-}
+ "descriptionID": "1d944481",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json b/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
index 521ae0abb51..00835242f5d 100644
--- a/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
+++ b/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "5298aafe"
-}
+ "descriptionID": "5298aafe",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json
index d781ad569e2..a59043ef1e3 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
- "descriptionID": "f5c66471"
+ "descriptionID": "f5c66471",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/auto_tls_set_to_true/metadata.json b/assets/queries/k8s/auto_tls_set_to_true/metadata.json
index 8a804507a48..370938222e0 100644
--- a/assets/queries/k8s/auto_tls_set_to_true/metadata.json
+++ b/assets/queries/k8s/auto_tls_set_to_true/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using etcd commands, the '--auto-tls' should be set to false",
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
- "descriptionID": "81883f01"
-}
+ "descriptionID": "81883f01",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/basic_auth_file_is_set/metadata.json b/assets/queries/k8s/basic_auth_file_is_set/metadata.json
index 9b1ec8276f3..45c3a674933 100644
--- a/assets/queries/k8s/basic_auth_file_is_set/metadata.json
+++ b/assets/queries/k8s/basic_auth_file_is_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'basic-auth-file' flag should not be set",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "e021b84c"
-}
+ "descriptionID": "e021b84c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/bind_address_not_properly_set/metadata.json b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
index 541e51831b1..3ab48c3eea9 100644
--- a/assets/queries/k8s/bind_address_not_properly_set/metadata.json
+++ b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "b52844f2"
-}
+ "descriptionID": "b52844f2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
index b34a071900e..57b6deb4911 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "e0e00aba-5f1c-4981-a542-9a9563c0ee20",
- "queryName": "Client Certificate Authentication Not Setup Properly",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "Client Certificate Authentication should be Setup with a .pem or .crt file",
- "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
- "platform": "Kubernetes",
- "descriptionID": "78c11e53"
- }
+ "id": "e0e00aba-5f1c-4981-a542-9a9563c0ee20",
+ "queryName": "Client Certificate Authentication Not Setup Properly",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "Client Certificate Authentication should be Setup with a .pem or .crt file",
+ "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
+ "platform": "Kubernetes",
+ "descriptionID": "78c11e53",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json
index dd03cf2aba0..fd32b52317b 100644
--- a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json
+++ b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Ensure that the cluster-admin role is only used where required (RBAC)",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles",
 "platform": "Kubernetes",
- "descriptionID": "567eee7e"
-}
+ "descriptionID": "567eee7e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json
index d764c8ced83..1047b4ba793 100644
--- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json
+++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/",
 "platform": "Kubernetes",
- "descriptionID": "6eb994bc"
-}
+ "descriptionID": "6eb994bc",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json
index 97cf45f060f..a2d6906143c 100644
--- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json
+++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/",
 "platform": "Kubernetes",
- "descriptionID": "0e8d122c"
-}
+ "descriptionID": "0e8d122c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
index 6d0d5cd1571..6f01433ce6e 100644
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
- "descriptionID": "3e1c6d16"
-}
+ "descriptionID": "3e1c6d16",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/container_is_privileged/metadata.json b/assets/queries/k8s/container_is_privileged/metadata.json
index cf76355b3b7..756b66c7db0 100644
--- a/assets/queries/k8s/container_is_privileged/metadata.json
+++ b/assets/queries/k8s/container_is_privileged/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers",
 "platform": "Kubernetes",
- "descriptionID": "55f59030"
-}
+ "descriptionID": "55f59030",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
index ff825302272..efcc8724070 100644
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
- "descriptionID": "0c15063c"
-}
+ "descriptionID": "0c15063c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json
index 46b48c0aebb..8f2482e2bd1 100644
--- a/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
- "descriptionID": "39aeed84"
-}
+ "descriptionID": "39aeed84",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/container_runs_unmasked/metadata.json b/assets/queries/k8s/container_runs_unmasked/metadata.json
index ede56fb8554..88963d55400 100644
--- a/assets/queries/k8s/container_runs_unmasked/metadata.json
+++ b/assets/queries/k8s/container_runs_unmasked/metadata.json
@@ -3,8 +3,9 @@
 "queryName": "Container Runs Unmasked",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Check if a container has full access (unmasked) to the host\u2019s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
+ "descriptionText": "Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes",
 "platform": "Kubernetes",
- "descriptionID": "50caf90a"
-}
+ "descriptionID": "50caf90a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_run_with_low_uid/metadata.json b/assets/queries/k8s/containers_run_with_low_uid/metadata.json
index da7488b5cdd..849d9b1e03d 100644
--- a/assets/queries/k8s/containers_run_with_low_uid/metadata.json
+++ b/assets/queries/k8s/containers_run_with_low_uid/metadata.json
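Review bot: The container_runs_unmasked hunk replaces the JSON escape `\u2019` in descriptionText with a literal right single quotation mark; both decode to the same string, but the raw non-ASCII byte makes the file depend on correct UTF-8 handling in every tool that reads or regenerates it, and it is the only content change in this chunk that is not the `CWE` addition. Keeping `\u2019`, or using a plain ASCII apostrophe, would keep the hunk to the field it is meant to add.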
@@ -6,5 +6,6 @@
 "descriptionText": "Check if containers are running with low UID, which might cause conflicts with the host's user table.",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "fc2c11f9"
-}
+ "descriptionID": "fc2c11f9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_running_as_root/metadata.json b/assets/queries/k8s/containers_running_as_root/metadata.json
index 7508c3233c0..f9589b81d86 100644
--- a/assets/queries/k8s/containers_running_as_root/metadata.json
+++ b/assets/queries/k8s/containers_running_as_root/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "9d5b1d16"
-}
+ "descriptionID": "9d5b1d16",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_with_added_capabilities/metadata.json b/assets/queries/k8s/containers_with_added_capabilities/metadata.json
index dcaae1ca22f..1f43bf31d17 100644
--- a/assets/queries/k8s/containers_with_added_capabilities/metadata.json
+++ b/assets/queries/k8s/containers_with_added_capabilities/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should not have extra capabilities allowed",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "719acefd"
-}
+ "descriptionID": "719acefd",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json b/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json
index 5f7cfef1b32..765c84c6144 100644
--- a/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json
+++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should not have CAP_SYS_ADMIN Linux capability",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "029aeb1d"
-}
+ "descriptionID": "029aeb1d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/cpu_limits_not_set/metadata.json b/assets/queries/k8s/cpu_limits_not_set/metadata.json
index 896f16a3837..caf62dddeb9 100644
--- a/assets/queries/k8s/cpu_limits_not_set/metadata.json
+++ b/assets/queries/k8s/cpu_limits_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
- "descriptionID": "9a2ef763"
-}
+ "descriptionID": "9a2ef763",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/cpu_requests_not_set/metadata.json b/assets/queries/k8s/cpu_requests_not_set/metadata.json
index 83885df4e3d..ea61c11ad80 100644
--- a/assets/queries/k8s/cpu_requests_not_set/metadata.json
+++ b/assets/queries/k8s/cpu_requests_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#",
 "platform": "Kubernetes",
- "descriptionID": "ac7ad5df"
-}
+ "descriptionID": "ac7ad5df",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json b/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json
index b759800ab52..01d8addaee4 100644
--- a/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json
+++ b/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "platform": "Kubernetes",
- "descriptionID": "285952e5"
-}
+ "descriptionID": "285952e5",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/dashboard_is_enabled/metadata.json b/assets/queries/k8s/dashboard_is_enabled/metadata.json
index 5f0208822b5..ff62a6f5cc0 100644
--- a/assets/queries/k8s/dashboard_is_enabled/metadata.json
+++ b/assets/queries/k8s/dashboard_is_enabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "If not needed, disabling the dashboard can prevent from being used as an attack vector",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/",
 "platform": "Kubernetes",
- "descriptionID": "ad0e6a8d"
-}
+ "descriptionID": "ad0e6a8d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json
index 1ff174ba975..075234d9737 100644
--- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/",
 "platform": "Kubernetes",
- "descriptionID": "22146f41"
-}
+ "descriptionID": "22146f41",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json b/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json
index 029587701c3..8419f30f610 100644
--- a/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Deployments should be assigned with a PodDisruptionBudget to ensure high availability",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/configure-pdb/",
 "platform": "Kubernetes",
- "descriptionID": "df941cb9"
-}
+ "descriptionID": "df941cb9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
index 2db31b03c79..588da242a33 100644
--- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
+++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Sees if Docker Daemon Socket is not exposed to Containers",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
 "platform": "Kubernetes",
- "descriptionID": "0865e6f6"
-}
+ "descriptionID": "0865e6f6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json b/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json
index ff05872117f..681470c175b 100644
--- a/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json
+++ b/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "c018594c"
-}
+ "descriptionID": "c018594c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json b/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json
index f2380a45d37..b01da8b3eb3 100644
--- a/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json
+++ b/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration",
 "platform": "Kubernetes",
- "descriptionID": "c60a5ece"
-}
+ "descriptionID": "c60a5ece",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json
index b26e1100cb4..36e24592d4a 100644
--- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json
+++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json
@@ -1,11 +1,11 @@
 {
- "id": "e84eaf4d-2f45-47b2-abe8-e581b06deb66",
- "queryName": "Ensure Administrative Boundaries Between Resources",
- "severity": "INFO",
- "category": "Access Control",
- "descriptionText": "As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.",
- "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
- "platform": "Kubernetes",
- "descriptionID": "8182d7cf"
- }
- 
\ No newline at end of file
+ "id": "e84eaf4d-2f45-47b2-abe8-e581b06deb66",
+ "queryName": "Ensure Administrative Boundaries Between Resources",
+ "severity": "INFO",
+ "category": "Access Control",
+ "descriptionText": "As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.",
+ "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
+ "platform": "Kubernetes",
+ "descriptionID": "8182d7cf",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json
index c7b7217e2e3..086f587007a 100644
--- a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json
+++ b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using etcd commands, the '--client-cert-auth' flag should be defined",
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
- "descriptionID": "e79812fb"
-}
+ "descriptionID": "e79812fb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json b/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json
index 11036396719..c34a0ca2991 100644
--- a/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json
+++ b/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver commands, the '--etcd-cafile' flag should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "f385527b"
-}
+ "descriptionID": "f385527b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json
index a595f0508e7..461308089bd 100644
--- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json
+++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using etcd commands, the '--peer-client-cert-auth' flag should be set to true",
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
- "descriptionID": "00b0e7f2"
-}
+ "descriptionID": "00b0e7f2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json
index 0aaa49b50c7..6c94279a0a7 100644
--- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json
+++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined",
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
- "descriptionID": "f3bb5a8e"
-}
+ "descriptionID": "f3bb5a8e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json
index 354f1020a51..ea5084700cd 100644
--- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json
+++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using etcd commands, the '--cert-file' and '--key-file' should be defined",
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
- "descriptionID": "3c8aae35"
-}
+ "descriptionID": "3c8aae35",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json
index c919de7d466..3b316c80cbc 100644
--- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json
+++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "073667d8"
-}
+ "descriptionID": "073667d8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json
index 884bb33eec9..82ce291e647 100644
--- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "3cc9eca8"
-}
+ "descriptionID": "3cc9eca8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json
index 3b3ca480c96..fb8a1161abf 100644
--- a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json
+++ b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/",
 "platform": "Kubernetes",
- "descriptionID": "3ccc5d6c"
-}
+ "descriptionID": "3ccc5d6c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/hpa_targets_invalid_object/metadata.json b/assets/queries/k8s/hpa_targets_invalid_object/metadata.json
index c3be2db4552..e017926a63d 100644
--- a/assets/queries/k8s/hpa_targets_invalid_object/metadata.json
+++ b/assets/queries/k8s/hpa_targets_invalid_object/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Horizontal Pod Autoscaler must target a valid object",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/",
 "platform": "Kubernetes",
- "descriptionID": "450f7251"
-}
+ "descriptionID": "450f7251",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json
index 3e2277541ab..60a7db72266 100644
--- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "7e7fe5b6"
-}
+ "descriptionID": "7e7fe5b6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json
index 250fb3d7be0..d0d5bd97bb1 100644
--- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json
+++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Image Pull Policy of the container must be defined and set to Always",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/#updating-images",
 "platform": "Kubernetes",
- "descriptionID": "201e3c8d"
-}
+ "descriptionID": "201e3c8d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/image_without_digest/metadata.json b/assets/queries/k8s/image_without_digest/metadata.json
index 16b31ea4272..868808d12c5 100644
--- a/assets/queries/k8s/image_without_digest/metadata.json
+++ b/assets/queries/k8s/image_without_digest/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Images should be specified together with their digests to ensure integrity",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/#updating-images",
 "platform": "Kubernetes",
- "descriptionID": "3f9f8d78"
-}
+ "descriptionID": "3f9f8d78",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
index a37522ce747..b1cec521a9c 100644
--- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
+++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
- "descriptionID": "f4e48914"
-}
+ "descriptionID": "f4e48914",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json b/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json
index 21d064f79a7..678242b36cf 100644
--- a/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json
+++ b/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/",
 "platform": "Kubernetes",
- "descriptionID": "7db90ca7"
-}
+ "descriptionID": "7db90ca7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/insecure_bind_address_set/metadata.json b/assets/queries/k8s/insecure_bind_address_set/metadata.json
index 1807ef2f2d0..afe5cce2ad9 100644
--- a/assets/queries/k8s/insecure_bind_address_set/metadata.json
+++ b/assets/queries/k8s/insecure_bind_address_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--insecure-bind-address' flag should not be set",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "5b1eb26c"
-}
+ "descriptionID": "5b1eb26c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/insecure_port_not_properly_set/metadata.json b/assets/queries/k8s/insecure_port_not_properly_set/metadata.json
index e4da0a6ed63..824f7e9298c 100644
--- a/assets/queries/k8s/insecure_port_not_properly_set/metadata.json
+++ b/assets/queries/k8s/insecure_port_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "d9e178b1"
-}
+ "descriptionID": "d9e178b1",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/invalid_image/metadata.json b/assets/queries/k8s/invalid_image/metadata.json
index 6de282f2cd9..bc3b83da91c 100644
--- a/assets/queries/k8s/invalid_image/metadata.json
+++ b/assets/queries/k8s/invalid_image/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Image tag must be defined and not be empty or equal to latest.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/#updating-images",
 "platform": "Kubernetes",
- "descriptionID": "30154626"
-}
+ "descriptionID": "30154626",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json b/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json
index 838393aad55..e7aa26d0104 100644
--- a/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json
+++ b/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "ce08eb5d"
-}
+ "descriptionID": "ce08eb5d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json
index f712bfb0d04..7471911f2d9 100644
--- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json
+++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "0f0e2ae7"
-}
+ "descriptionID": "0f0e2ae7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json
index 174bb9b8d43..9ec6ab8ba3c 100644
--- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json
+++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "52d70f2e-3257-474c-b3dc-8ad9ba6a061a",
- "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "Kubelet argument --rotate-certificates should be true",
- "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
- "platform": "Kubernetes",
- "descriptionID": "1a17c91a"
-}
+ "id": "52d70f2e-3257-474c-b3dc-8ad9ba6a061a",
+ "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "Kubelet argument --rotate-certificates should be true",
+ "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
+ "platform": "Kubernetes",
+ "descriptionID": "1a17c91a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json
index 934c96c7a92..b63b6d1e8a9 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json
@@ -1,11 +1,11 @@
 {
- "id": "1a07a446-8e61-4e4d-bc16-b0781fcb8211",
- "queryName": "Kubelet Event QPS Not Properly Set",
- "severity": "LOW",
- "category": "Observability",
- "descriptionText": "When using the kubelet command, the '--event-qps' should be set to 0",
- "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
- "platform": "Kubernetes",
- "descriptionID": "3163b76e"
- }
- 
\ No newline at end of file
+ "id": "1a07a446-8e61-4e4d-bc16-b0781fcb8211",
+ "queryName": "Kubelet Event QPS Not Properly Set",
+ "severity": "LOW",
+ "category": "Observability",
+ "descriptionText": "When using the kubelet command, the '--event-qps' should be set to 0",
+ "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
+ "platform": "Kubernetes",
+ "descriptionID": "3163b76e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json b/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json
index c6a79b86a68..d48b92867eb 100644
--- a/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "bf36b900-b5ef-4828-adb7-70eb543b7cfb",
- "queryName": "Kubelet Hostname Override Is Set",
- "severity": "LOW",
- "category": "Insecure Configurations",
- "descriptionText": "Hostnames should not be overrided",
- "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
- "platform": "Kubernetes",
- "descriptionID": "a3adb557"
- }
+ "id": "bf36b900-b5ef-4828-adb7-70eb543b7cfb",
+ "queryName": "Kubelet Hostname Override Is Set",
+ "severity": "LOW",
+ "category": "Insecure Configurations",
+ "descriptionText": "Hostnames should not be overrided",
+ "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
+ "platform": "Kubernetes",
+ "descriptionID": "a3adb557",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_https_set_to_false/metadata.json b/assets/queries/k8s/kubelet_https_set_to_false/metadata.json
index d8c395b92ee..b5527387325 100644
--- a/assets/queries/k8s/kubelet_https_set_to_false/metadata.json
+++ b/assets/queries/k8s/kubelet_https_set_to_false/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--kubelet-https' flag should not be set to false",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "754a303a"
-}
+ "descriptionID": "754a303a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json
index f58d421cc57..a2af61475cd 100644
--- a/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json
+++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json
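Review bot: The rewritten kubelet_hostname_override_is_set file carries the misspelling "overrided" forward in its user-facing descriptionText even though the hunk already replaces that line; `"descriptionText": "Hostnames should not be overridden",` is the natural fix while the line is being touched. The rest of the hunk is the same indentation normalisation and `CWE` addition as the neighbouring files.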
@@ -1,10 +1,11 @@
 {
- "id": "5f89001f-6dd9-49ff-9b15-d8cd71b617f4",
- "queryName": "Kubelet Not Managing Ip Tables",
- "severity": "MEDIUM",
- "category": "Networking and Firewall",
- "descriptionText": "Kubelet argument --make-iptables-util-chains should be true",
- "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
- "platform": "Kubernetes",
- "descriptionID": "1bd198ea"
- }
+ "id": "5f89001f-6dd9-49ff-9b15-d8cd71b617f4",
+ "queryName": "Kubelet Not Managing Ip Tables",
+ "severity": "MEDIUM",
+ "category": "Networking and Firewall",
+ "descriptionText": "Kubelet argument --make-iptables-util-chains should be true",
+ "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
+ "platform": "Kubernetes",
+ "descriptionID": "1bd198ea",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json
index 08fe95ba947..855bb2c5d23 100644
--- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json
+++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json
@@ -1,11 +1,11 @@
 {
- "id": "6cf42c97-facd-4fda-b8af-ea4529123355",
- "queryName": "Kubelet Protect Kernel Defaults Set To False",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "--protect-kernel-defaults should be set to true",
- "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
- "platform": "Kubernetes",
- "descriptionID": "e3a4b35d"
- }
- 
\ No newline at end of file
+ "id": "6cf42c97-facd-4fda-b8af-ea4529123355",
+ "queryName": "Kubelet Protect Kernel Defaults Set To False",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "--protect-kernel-defaults should be set to true",
+ "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
+ "platform": "Kubernetes",
+ "descriptionID": "e3a4b35d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json
index 40f31d0998c..496daeeb65f 100644
--- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json
+++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
- "descriptionID": "8cedc17d"
+ "descriptionID": "8cedc17d",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json
index 9ecc4ceb6b4..24e7813bddf 100644
--- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json
+++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The flag --streaming-connection-idle-timeout should not be set to 0",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
- "descriptionID": "f0a2431d"
-}
+ "descriptionID": "f0a2431d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json b/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json
index 6128452f7f6..70ce4bf0fed 100644
--- a/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json
+++ b/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe",
 "platform": "Kubernetes",
- "descriptionID": "f724fa60"
-}
+ "descriptionID": "f724fa60",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/memory_limits_not_defined/metadata.json b/assets/queries/k8s/memory_limits_not_defined/metadata.json
index 88f9522cbac..dcc8892de58 100644
--- a/assets/queries/k8s/memory_limits_not_defined/metadata.json
+++ b/assets/queries/k8s/memory_limits_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/",
 "platform": "Kubernetes",
- "descriptionID": "e0ba95cc"
-}
+ "descriptionID": "e0ba95cc",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/memory_requests_not_defined/metadata.json b/assets/queries/k8s/memory_requests_not_defined/metadata.json
index 7350d0c5763..0bc9dfcf3a1 100644
--- a/assets/queries/k8s/memory_requests_not_defined/metadata.json
+++ b/assets/queries/k8s/memory_requests_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/",
 "platform": "Kubernetes",
- "descriptionID": "3dcbd683"
-}
+ "descriptionID": "3dcbd683",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/metadata_label_is_invalid/metadata.json b/assets/queries/k8s/metadata_label_is_invalid/metadata.json
index 8f0c98420c4..6c3b5c7f9f0 100644
--- a/assets/queries/k8s/metadata_label_is_invalid/metadata.json
+++ b/assets/queries/k8s/metadata_label_is_invalid/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any label in the metadata is invalid.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",
 "platform": "Kubernetes",
- "descriptionID": "a6921416"
-}
+ "descriptionID": "a6921416",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/missing_app_armor_config/metadata.json b/assets/queries/k8s/missing_app_armor_config/metadata.json
index 7f7ce922179..424e96f05de 100644
--- a/assets/queries/k8s/missing_app_armor_config/metadata.json
+++ b/assets/queries/k8s/missing_app_armor_config/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources",
 "descriptionUrl": "https://kubernetes.io/docs/tutorials/clusters/apparmor/",
 "platform": "Kubernetes",
- "descriptionID": "59c17c0a"
-}
+ "descriptionID": "59c17c0a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json
index 14c2d55e8f0..a0dd7a8fece 100644
--- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json
+++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "13e94c89"
-}
+ "descriptionID": "13e94c89",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json
index 2deadf104fa..c0ab5687044 100644
--- a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json
+++ b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers need to have NET_RAW or All as drop capabilities",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "e72d5579"
-}
+ "descriptionID": "e72d5579",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json
index 7f0d7a9c8c4..27d836ba6e5 100644
--- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json
+++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "e9790956"
-}
+ "descriptionID": "e9790956",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json
index dacced89f52..8efead59d30 100644
--- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json
+++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any network policy is not targeting any pod.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/network-policies/",
 "platform": "Kubernetes",
- "descriptionID": "be3c67e3"
-}
+ "descriptionID": "be3c67e3",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json b/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json
index 954607da33e..05faf4a4d24 100644
--- a/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json
+++ b/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Sees if Kubernetes Drop Capabilities exists to ensure containers security context",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/init-containers/",
 "platform": "Kubernetes",
- "descriptionID": "9d3ca6db"
-}
+ "descriptionID": "9d3ca6db",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json
index 7ab057bcf90..5658f3ce7d2 100644
--- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "2a03f1ec"
-}
+ "descriptionID": "2a03f1ec",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json
index 5033112769d..5640bbda2c5 100644
--- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json
+++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A non kube-system workload should not have hostPath mounted",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
 "platform": "Kubernetes",
- "descriptionID": "e8553157"
-}
+ "descriptionID": "e8553157",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json b/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json
index 0d0b0fb6d68..dea32b34615 100644
--- a/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json
+++ b/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Limit the capabilities for a Container.",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "2d839019"
-}
+ "descriptionID": "2d839019",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json
index d315ad1396e..7bdb9127aef 100644
--- a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json
+++ b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Limit capabilities for a Pod Security Policy",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "eaf6d4ba"
-}
+ "descriptionID": "eaf6d4ba",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/not_unique_certificate_authority/metadata.json b/assets/queries/k8s/not_unique_certificate_authority/metadata.json
index dc1c7d25d71..df77c2c83dc 100644
--- a/assets/queries/k8s/not_unique_certificate_authority/metadata.json
+++ b/assets/queries/k8s/not_unique_certificate_authority/metadata.json
@@ -1,11 +1,11 @@
 {
- "id": "cb7e695d-6a85-495c-b15f-23aed2519303",
- "queryName": "Not Unique Certificate Authority",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "Certificate Authority should be unique for etcd",
- "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
- "platform": "Kubernetes",
- "descriptionID": "d2c6c9e8"
- }
- 
\ No newline at end of file
+ "id": "cb7e695d-6a85-495c-b15f-23aed2519303",
+ "queryName": "Not Unique Certificate Authority",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "Certificate Authority should be unique for etcd",
+ "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
+ "platform": "Kubernetes",
+ "descriptionID": "d2c6c9e8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json
index 6b040eb9b59..3719b74be2f 100644
--- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json
+++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.",
 "descriptionUrl": "https://kubernetes.io/docs/reference/using-api/deprecation-guide/",
 "platform": "Kubernetes",
- "descriptionID": "d5c30c5b"
-}
+ "descriptionID": "d5c30c5b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json b/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json
index 04ddf89f450..26bbb29e6c4 100644
--- a/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json
+++ b/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using etcd commands, the '--peer-auto-tls' should be set to false",
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
- "descriptionID": "02a0a4d9"
-}
+ "descriptionID": "02a0a4d9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/permissive_access_to_create_pods/metadata.json b/assets/queries/k8s/permissive_access_to_create_pods/metadata.json
index c25f7064383..60ea8dc428e 100644
--- a/assets/queries/k8s/permissive_access_to_create_pods/metadata.json
+++ b/assets/queries/k8s/permissive_access_to_create_pods/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping",
 "platform": "Kubernetes",
- "descriptionID": "c78cb1a7"
-}
+ "descriptionID": "c78cb1a7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json b/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json
index ff752aa812a..245fd6e6ee4 100644
--- a/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json
+++ b/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any pod is not being targeted by a proper network policy.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/network-policies/",
 "platform": "Kubernetes",
- "descriptionID": "20500552"
-}
+ "descriptionID": "20500552",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json b/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json
index fa6e880f365..676f70a56dd 100644
--- a/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json
+++ b/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/limit-range/",
 "platform": "Kubernetes",
- "descriptionID": "142ed21f"
-}
+ "descriptionID": "142ed21f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json b/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
index b21dc26ae6c..84097fb5aa4 100644
--- a/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
+++ b/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/resource-quotas/",
 "platform": "Kubernetes",
- "descriptionID": "86499ed5"
-}
+ "descriptionID": "86499ed5",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_or_container_without_security_context/metadata.json b/assets/queries/k8s/pod_or_container_without_security_context/metadata.json
index 269527b8f21..293725bb389 100644
--- a/assets/queries/k8s/pod_or_container_without_security_context/metadata.json
+++ b/assets/queries/k8s/pod_or_container_without_security_context/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A security context defines privilege and access control settings for a Pod or Container",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "68a1650b"
-}
+ "descriptionID": "68a1650b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json
index 73a877af433..800f40947fc 100644
--- a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "5b3d44e9"
-}
+ "descriptionID": "5b3d44e9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/privilege_escalation_allowed/metadata.json b/assets/queries/k8s/privilege_escalation_allowed/metadata.json
index d5f2402a981..95d09456ac6 100644
--- a/assets/queries/k8s/privilege_escalation_allowed/metadata.json
+++ b/assets/queries/k8s/privilege_escalation_allowed/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "525fccf4"
-}
+ "descriptionID": "525fccf4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/profiling_not_set_to_false/metadata.json b/assets/queries/k8s/profiling_not_set_to_false/metadata.json
index 86688c4a853..48048aecbfd 100644
--- a/assets/queries/k8s/profiling_not_set_to_false/metadata.json
+++ b/assets/queries/k8s/profiling_not_set_to_false/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "622a1db7"
-}
+ "descriptionID": "622a1db7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json b/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json
index 8d527d1d623..ce8b21b0d2a 100644
--- a/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json
+++ b/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "PodSecurityPolicy should not allow privilege escalation",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "d7c5e3ad"
-}
+ "descriptionID": "d7c5e3ad",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json b/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json
index 2d8576a6461..5d043e8a2a9 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Pod Security Policy allows containers to share the host IPC namespace",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "329be51b"
-}
+ "descriptionID": "329be51b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json b/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json
index 0a7d818924a..85afc5539a0 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Pod Security Policy allows containers to share the host process ID namespace",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "980c2b40"
-}
+ "descriptionID": "980c2b40",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json b/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json
index 50abde54d6f..9d8d4192324 100644
--- a/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json
+++ b/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Pod Security Policies allow containers to share the host network namespace.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "4b468f08"
-}
+ "descriptionID": "4b468f08",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_set_to_privileged/metadata.json b/assets/queries/k8s/psp_set_to_privileged/metadata.json
index 7d5d367ee1b..65f1ddfcfef 100644
--- a/assets/queries/k8s/psp_set_to_privileged/metadata.json
+++ b/assets/queries/k8s/psp_set_to_privileged/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Do not allow pod to request execution as privileged.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#privileged",
 "platform": "Kubernetes",
- "descriptionID": "11a8da07"
-}
+ "descriptionID": "11a8da07",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_with_added_capabilities/metadata.json b/assets/queries/k8s/psp_with_added_capabilities/metadata.json
index 7f9c85be4c6..3a31fe6b690 100644
--- a/assets/queries/k8s/psp_with_added_capabilities/metadata.json
+++ b/assets/queries/k8s/psp_with_added_capabilities/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "PodSecurityPolicy should not have added capabilities",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "2889da19"
-}
+ "descriptionID": "2889da19",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json
index 05769776b5e..c092df4ea44 100644
--- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json
+++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "PodSecurityPolicy should set 'readOnly' to true in every host path allowed",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems",
 "platform": "Kubernetes",
- "descriptionID": "fc4b7215"
-}
+ "descriptionID": "fc4b7215",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
index 68c3044d768..781311c0444 100644
--- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update",
 "platform": "Kubernetes",
- "descriptionID": "8320826e"
-}
+ "descriptionID": "8320826e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json b/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json
index c63ae2dc5e4..0ce9731aa7c 100644
--- a/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
- "descriptionID": "d45330fd"
-}
+ "descriptionID": "d45330fd",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json b/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json
index af1eeb66e11..2055159d383 100644
--- a/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
- "descriptionID": "c589f42c"
-}
+ "descriptionID": "c589f42c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json b/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json
index 4000152bfd6..03b70f7b98a 100644
--- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation",
 "platform": "Kubernetes",
- "descriptionID": "9f85c3f6"
-}
+ "descriptionID": "9f85c3f6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json
index afea388f930..34784320ce8 100644
--- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
- "descriptionID": "38fa11ef"
-}
+ "descriptionID": "38fa11ef",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json
index 157c86fc1d9..de4dcf7edf9 100644
--- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
- "descriptionID": "ca97f029"
-}
+ "descriptionID": "ca97f029",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json b/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
index 5d1f3a290e4..e12e907a637 100644
--- a/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
+++ b/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
- "descriptionID": "ccf4e279"
-}
+ "descriptionID": "ccf4e279",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json b/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json
index f83414ceb8d..0582a3ff02e 100644
--- a/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json
+++ b/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Readiness Probe is not configured.",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes",
 "platform": "Kubernetes",
- "descriptionID": "28c0498a"
-}
+ "descriptionID": "28c0498a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/request_timeout_not_properly_set/metadata.json b/assets/queries/k8s/request_timeout_not_properly_set/metadata.json
index dd995c8b8a9..bb7cbaea82e 100644
--- a/assets/queries/k8s/request_timeout_not_properly_set/metadata.json
+++ b/assets/queries/k8s/request_timeout_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--request-timeout' flag value should not be too long",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "592c7cba"
-}
+ "descriptionID": "592c7cba",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/role_binding_to_default_service_account/metadata.json b/assets/queries/k8s/role_binding_to_default_service_account/metadata.json
index 481d4a7c471..5c36a0a7e2a 100644
--- a/assets/queries/k8s/role_binding_to_default_service_account/metadata.json
+++ b/assets/queries/k8s/role_binding_to_default_service_account/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "No role nor cluster role should bind to a default service account",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
 "platform": "Kubernetes",
- "descriptionID": "9879e8c2"
-}
+ "descriptionID": "9879e8c2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/root_ca_file_not_defined/metadata.json b/assets/queries/k8s/root_ca_file_not_defined/metadata.json
index 10574fcd780..8b86d40d3b4 100644
--- a/assets/queries/k8s/root_ca_file_not_defined/metadata.json
+++ b/assets/queries/k8s/root_ca_file_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-controller-manager commands, the '--root-ca-file' should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
- "descriptionID": "7d439960"
-}
+ "descriptionID": "7d439960",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json b/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json
index 928fbd06efc..779f7af4035 100644
--- a/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json
+++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if the root container filesystem is not being mounted read-only.",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
- "descriptionID": "0d2df1e5"
-}
+ "descriptionID": "0d2df1e5",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/root_containers_admitted/metadata.json b/assets/queries/k8s/root_containers_admitted/metadata.json
index ee604391ba8..71b3b48d02b 100644
--- a/assets/queries/k8s/root_containers_admitted/metadata.json
+++ b/assets/queries/k8s/root_containers_admitted/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "2fe54446"
-}
+ "descriptionID": "2fe54446",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json
index 89095752b6e..aef148f126a 100644
--- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json
+++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2",
- "queryName": "Rotate Kubelet Server Certificate Not Active",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "The RotateKubeletServerCertificate argument should be true",
- "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
- "platform": "Kubernetes",
- "descriptionID": "a4f48785"
-}
+ "id": "1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2",
+ "queryName": "Rotate Kubelet Server Certificate Not Active",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "The RotateKubeletServerCertificate argument should be true",
+ "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
+ "platform": "Kubernetes",
+ "descriptionID": "a4f48785",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json b/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json
index 4c3f1cf6cd4..321f4dd63f2 100644
--- a/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json
+++ b/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls",
 "descriptionUrl": "https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile",
 "platform": "Kubernetes",
- "descriptionID": "d943c7e7"
-}
+ "descriptionID": "d943c7e7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/secrets_as_environment_variables/metadata.json b/assets/queries/k8s/secrets_as_environment_variables/metadata.json
index 431cfeada48..eb6f65c8e0c 100644
--- a/assets/queries/k8s/secrets_as_environment_variables/metadata.json
+++ b/assets/queries/k8s/secrets_as_environment_variables/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not use secrets as environment variables",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables",
 "platform": "Kubernetes",
- "descriptionID": "99365a7d"
-}
+ "descriptionID": "99365a7d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/secure_port_set_to_zero/metadata.json b/assets/queries/k8s/secure_port_set_to_zero/metadata.json
index 2a82f271eab..9a29b8e97b9 100644
--- a/assets/queries/k8s/secure_port_set_to_zero/metadata.json
+++ b/assets/queries/k8s/secure_port_set_to_zero/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the --secure-port flag should not be 0",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "adf24d20"
-}
+ "descriptionID": "adf24d20",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json
index b4e8e025a49..18401b2489a 100644
--- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "571f15ee"
-}
+ "descriptionID": "571f15ee",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json b/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json
index 43bb3c81d59..1f9336b7ba5 100644
--- a/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json
+++ b/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "3649a726"
-}
+ "descriptionID": "3649a726",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_allows_access_secrets/metadata.json b/assets/queries/k8s/service_account_allows_access_secrets/metadata.json
index 2a7aeba3517..dc62fff8495 100644
--- a/assets/queries/k8s/service_account_allows_access_secrets/metadata.json
+++ b/assets/queries/k8s/service_account_allows_access_secrets/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles and ClusterRoles when binded, should not use get, list or watch as verbs",
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
- "descriptionID": "79619280"
-}
+ "descriptionID": "79619280",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json b/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json
index 53252e391a3..f5f5885dfd5 100644
--- a/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json
+++ b/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--service-account-key-file' flag should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "2f3224e8"
-}
+ "descriptionID": "2f3224e8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json b/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json
index de4eb55488e..d86a7cd52bc 100644
--- a/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json
+++ b/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the '--service-account-lookup' flag should be set to true",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "c957c855"
-}
+ "descriptionID": "c957c855",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json b/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json
index 3ce7aa1db5c..4e10154a213 100644
--- a/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json
+++ b/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
 "platform": "Kubernetes",
- "descriptionID": "2940f843"
-}
+ "descriptionID": "2940f843",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json b/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json
index fe4f86b2196..67f342f7aff 100644
--- a/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json
+++ b/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
- "descriptionID": "b2fc61b4"
-}
+ "descriptionID": "b2fc61b4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json b/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json
index 0bd8c6817b9..b1f2e7106f8 100644
--- a/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json
+++ b/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service Account Tokens are automatically mounted even if not necessary",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server",
 "platform": "Kubernetes",
- "descriptionID": "51cade0f"
-}
+ "descriptionID": "51cade0f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_does_not_target_pod/metadata.json b/assets/queries/k8s/service_does_not_target_pod/metadata.json
index 517d7f7e3e9..2bbbae812ad 100644
--- a/assets/queries/k8s/service_does_not_target_pod/metadata.json
+++ b/assets/queries/k8s/service_does_not_target_pod/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service should Target a Pod",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service/",
 "platform": "Kubernetes",
- "descriptionID": "e7c26645"
-}
+ "descriptionID": "e7c26645",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_type_is_nodeport/metadata.json b/assets/queries/k8s/service_type_is_nodeport/metadata.json
index 0d397838af8..096ab192564 100644
--- a/assets/queries/k8s/service_type_is_nodeport/metadata.json
+++ b/assets/queries/k8s/service_type_is_nodeport/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service type should not be NodePort",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service/",
 "platform": "Kubernetes",
- "descriptionID": "4744714e"
-}
+ "descriptionID": "4744714e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/service_with_external_load_balancer/metadata.json b/assets/queries/k8s/service_with_external_load_balancer/metadata.json
index 15c0fee3618..6318e62b43d 100644
--- a/assets/queries/k8s/service_with_external_load_balancer/metadata.json
+++ b/assets/queries/k8s/service_with_external_load_balancer/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service has an external load balancer, which may cause accessibility from other networks and the Internet",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/",
 "platform": "Kubernetes",
- "descriptionID": "2e090344"
-}
+ "descriptionID": "2e090344",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_host_ipc_namespace/metadata.json b/assets/queries/k8s/shared_host_ipc_namespace/metadata.json
index 7bd0484d7c2..d6bd1ebff73 100644
--- a/assets/queries/k8s/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/k8s/shared_host_ipc_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not share the host IPC namespace",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "1ef1fe71"
-}
+ "descriptionID": "1ef1fe71",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_host_network_namespace/metadata.json b/assets/queries/k8s/shared_host_network_namespace/metadata.json
index ebb9c7ab72a..3273fb56374 100644
--- a/assets/queries/k8s/shared_host_network_namespace/metadata.json
+++ b/assets/queries/k8s/shared_host_network_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not share the host network namespace",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "50e5de80"
-}
+ "descriptionID": "50e5de80",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_host_pid_namespace/metadata.json b/assets/queries/k8s/shared_host_pid_namespace/metadata.json
index 12c1d8acb99..e951d0aec19 100644
--- a/assets/queries/k8s/shared_host_pid_namespace/metadata.json
+++ b/assets/queries/k8s/shared_host_pid_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not share the host process ID namespace",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "c34092eb"
-}
+ "descriptionID": "c34092eb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_service_account/metadata.json b/assets/queries/k8s/shared_service_account/metadata.json
index fe59dd1dcc1..585a66c1012 100644
--- a/assets/queries/k8s/shared_service_account/metadata.json
+++ b/assets/queries/k8s/shared_service_account/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Service Account token is shared between workloads",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
 "platform": "Kubernetes",
- "descriptionID": "f1c94544"
-}
+ "descriptionID": "f1c94544",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json
index 36526d7088c..720b0b65965 100644
--- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/",
 "platform": "Kubernetes",
- "descriptionID": "f0d30dd9"
-}
+ "descriptionID": "f0d30dd9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_requests_storage/metadata.json b/assets/queries/k8s/statefulset_requests_storage/metadata.json
index 345c3356764..9d2d1023498 100644
--- a/assets/queries/k8s/statefulset_requests_storage/metadata.json
+++ b/assets/queries/k8s/statefulset_requests_storage/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A StatefulSet requests volume storage.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
- "descriptionID": "6210afe6"
-}
+ "descriptionID": "6210afe6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json b/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json
index 0d9c6df5112..bcc31164486 100644
--- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/configure-pdb/",
 "platform": "Kubernetes",
- "descriptionID": "f3c77130"
-}
+ "descriptionID": "f3c77130",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_without_service_name/metadata.json b/assets/queries/k8s/statefulset_without_service_name/metadata.json
index f7874fcffd6..9937edb1b9f 100644
--- a/assets/queries/k8s/statefulset_without_service_name/metadata.json
+++ b/assets/queries/k8s/statefulset_without_service_name/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
- "descriptionID": "2ce554f2"
-}
+ "descriptionID": "2ce554f2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json
index 3f317c697d9..d3c25d6bc46 100644
--- a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json
+++ b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
- "descriptionID": "19ea96ee"
-}
+ "descriptionID": "19ea96ee",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json
index a600ebca2ed..8eb921a6712 100644
--- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json
+++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any Tiller Deployment container allows access from within the cluster.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/",
 "platform": "Kubernetes",
- "descriptionID": "615614b8"
-}
+ "descriptionID": "615614b8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/tiller_is_deployed/metadata.json b/assets/queries/k8s/tiller_is_deployed/metadata.json
index 2eac923ede7..f017d282164 100644
--- a/assets/queries/k8s/tiller_is_deployed/metadata.json
+++ b/assets/queries/k8s/tiller_is_deployed/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Tiller is deployed.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/",
 "platform": "Kubernetes",
- "descriptionID": "b0a009b5"
-}
+ "descriptionID": "b0a009b5",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json b/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json
index 7ec03ba7916..fd403b1a5d1 100644
--- a/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json
+++ b/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if there is any Tiller Service present",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service",
 "platform": "Kubernetes",
- "descriptionID": "4e704117"
-}
+ "descriptionID": "4e704117",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json b/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json
index 4bd3c393316..414fc764216 100644
--- a/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json
+++ b/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json
@@ -1,11 +1,11 @@
 {
- "id": "fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f",
- "queryName": "TSL Connection Certificate Not Setup",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "TSL Connection Certificate files should be Setup",
- "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
- "platform": "Kubernetes",
- "descriptionID": "c8b75f30"
- }
-
\ No newline at end of file
+ "id": "fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f",
+ "queryName": "TSL Connection Certificate Not Setup",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "TSL Connection Certificate files should be Setup",
+ "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
+ "platform": "Kubernetes",
+ "descriptionID": "c8b75f30",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/token_auth_file_is_set/metadata.json b/assets/queries/k8s/token_auth_file_is_set/metadata.json
index 300c916d18b..f074d85a15b 100644
--- a/assets/queries/k8s/token_auth_file_is_set/metadata.json
+++ b/assets/queries/k8s/token_auth_file_is_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-apiserver command, the 'token-auth-file' flag should not be set",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
- "descriptionID": "5aa79e60"
-}
+ "descriptionID": "5aa79e60",
+ "CWE": ""
+}
\ No newline at end of file
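Review bot: The new side of the tls_connection_certificate_not_setup hunk still carries the "TSL" misspelling in both `queryName` and `descriptionText`, even though every line of the file is rewritten here, so this is the natural place to correct it. At minimum change the description to `"descriptionText": "TLS Connection Certificate files should be Setup",`; `queryName` should get the same fix, unless that display string is referenced elsewhere (docs or tests), in which case those references need updating in the same change. The hunk also reindents the whole file as part of adding the `CWE` key, which makes the real change harder to spot in blame; a separate whitespace-only commit would keep the history readable.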
diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json
index 039bbdcc3ed..781035c97c0 100644
--- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json
+++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
- "descriptionID": "f6b4d617"
-}
+ "descriptionID": "f6b4d617",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json b/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json
index 0d60303761c..99a3b036a60 100644
--- a/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json
+++ b/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/secret/",
 "platform": "Kubernetes",
- "descriptionID": "3d7b569c"
-}
+ "descriptionID": "3d7b569c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/using_unrecommended_namespace/metadata.json b/assets/queries/k8s/using_unrecommended_namespace/metadata.json
index b79dc88d67c..4615b0976ec 100644
--- a/assets/queries/k8s/using_unrecommended_namespace/metadata.json
+++ b/assets/queries/k8s/using_unrecommended_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Namespaces like 'default', 'kube-system' or 'kube-public' should not be used",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/",
 "platform": "Kubernetes",
- "descriptionID": "29549ea9"
-}
+ "descriptionID": "29549ea9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json
index 77eea967f83..23b7bdc502a 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
 "platform": "Kubernetes",
- "descriptionID": "e42b7901"
-}
+ "descriptionID": "e42b7901",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/weak_tls_cipher_suites/metadata.json b/assets/queries/k8s/weak_tls_cipher_suites/metadata.json
index ce15fefaea5..ef6a9e4b4f5 100644
--- a/assets/queries/k8s/weak_tls_cipher_suites/metadata.json
+++ b/assets/queries/k8s/weak_tls_cipher_suites/metadata.json
@@ -1,10 +1,11 @@
 {
- "id": "510d5810-9a30-443a-817d-5c1fa527b110",
- "queryName": "Weak TLS Cipher Suites",
- "severity": "MEDIUM",
- "category": "Encryption",
- "descriptionText": "TLS Connection should use strong Cipher Suites",
- "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
- "platform": "Kubernetes",
- "descriptionID": "cbb6cab8"
- }
+ "id": "510d5810-9a30-443a-817d-5c1fa527b110",
+ "queryName": "Weak TLS Cipher Suites",
+ "severity": "MEDIUM",
+ "category": "Encryption",
+ "descriptionText": "TLS Connection should use strong Cipher Suites",
+ "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
+ "platform": "Kubernetes",
+ "descriptionID": "cbb6cab8",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/workload_host_port_not_specified/metadata.json b/assets/queries/k8s/workload_host_port_not_specified/metadata.json
index 5a7ae853a87..86d5e8001fe 100644
--- a/assets/queries/k8s/workload_host_port_not_specified/metadata.json
+++ b/assets/queries/k8s/workload_host_port_not_specified/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Verifies if Kubernetes workload's host port is specified",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#exposing-the-service",
 "platform": "Kubernetes",
- "descriptionID": "dba41ddb"
-}
+ "descriptionID": "dba41ddb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json
index 24765f4b757..d959d89b445 100644
--- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json
+++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Workload is mounting a volume with sensitive OS Directory",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
- "descriptionID": "73339cde"
-}
+ "descriptionID": "73339cde",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json b/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json
index 4f69dc23da3..5f6e5cfc501 100644
--- a/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json
+++ b/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service",
 "descriptionUrl": "https://knative.dev/docs/reference/api/serving-api/#serving.knative.dev/v1.RevisionSpec",
 "platform": "Knative",
- "descriptionID": "0b6ca133"
-}
+ "descriptionID": "0b6ca133",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json b/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json
index 7c398cbd155..683b31995ee 100644
--- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json
+++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The 'basePath' value format must match the pattern '^/'",
 "descriptionUrl": "https://swagger.io/specification/v2/#schema",
 "platform": "OpenAPI",
- "descriptionID": "c97fafa0"
-}
+ "descriptionID": "c97fafa0",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json
index 02f723d3d87..632ac7ecbe9 100644
--- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json
+++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "93b15115"
-}
+ "descriptionID": "93b15115",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json
index 884a657c7a3..a094c35e16e 100644
--- a/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json
+++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Body Parameter Object should have the attribute 'schema' defined",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "3074f818"
-}
+ "descriptionID": "3074f818",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json b/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json
index aaf17fb0b7d..b3d27169f57 100644
--- a/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json
+++ b/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "There is a constraining keyword in a property which is already restricted by enum values",
 "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
 "platform": "OpenAPI",
- "descriptionID": "63cd2785"
-}
+ "descriptionID": "63cd2785",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json
index 9ac5167a047..c099e941be6 100644
--- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json
+++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "f6b7b31a"
-}
+ "descriptionID": "f6b7b31a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json b/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json
index 46c79f9c7a4..1af3f4465e7 100644
--- a/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json
+++ b/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Global Schemes should use 'https' protocol instead of 'http'",
 "descriptionUrl": "https://swagger.io/specification/v2/#swaggerObject",
 "platform": "OpenAPI",
- "descriptionID": "11bb39ad"
-}
+ "descriptionID": "11bb39ad",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json
index 30a9db6528f..4ea791619a0 100644
--- a/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Security should not use 'password' Flow in OAuth2 authentication",
 "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject",
 "platform": "OpenAPI",
- "descriptionID": "14a00e4a"
-}
+ "descriptionID": "14a00e4a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json
index db2a1039dd5..b0686194816 100644
--- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json
+++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Host field should be an IP or a valid host name",
 "descriptionUrl": "https://swagger.io/specification/v2/#swagger-object",
 "platform": "OpenAPI",
- "descriptionID": "d11c994c"
-}
+ "descriptionID": "d11c994c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json b/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json
index 2b65de3577d..bc05f4668d1 100644
--- a/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json
+++ b/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated",
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
- "descriptionID": "a879610a"
-}
+ "descriptionID": "a879610a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json b/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json
index 9ea36cfdc95..0bb2f210d13 100644
--- a/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json
+++ b/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json
@@ -3,8 +3,9 @@
 "queryName": "Invalid Media Type Value (v2)",
 "severity": "INFO",
 "category": "Best Practices",
- "descriptionText": "The Media Type value should match the following format: /[+suffix][;parameters]",
+ "descriptionText": "The Media Type value should match the following format: \u003ctype\u003e/\u003csubtype\u003e[+suffix][;parameters]",
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
- "descriptionID": "bde04b9d"
-}
+ "descriptionID": "bde04b9d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json
index 06248c69f0f..064df0f401c 100644
--- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json
+++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "OAuth2 security definition flow requires a valid URL in the tokenUrl field",
 "descriptionUrl": "https://swagger.io/specification/v2/#security-scheme-object",
 "platform": "OpenAPI",
- "descriptionID": "d6163b1e"
-}
+ "descriptionID": "d6163b1e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json
index 787b4dcec3c..e4f8dd56e53 100644
--- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json
+++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
- "descriptionID": "720629e5"
-}
+ "descriptionID": "720629e5",
+ "CWE": ""
+}
\ No newline at end of file
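Review bot: The repaired descriptionText in the invalid_media_type_value hunk writes the placeholders as `\u003ctype\u003e/\u003csubtype\u003e`, which is the HTML-safe escaping a serializer emits rather than something a person would type into a hand-maintained metadata file. JSON does not require `<` and `>` to be escaped and the surrounding metadata files use literal punctuation, so `"descriptionText": "The Media Type value should match the following format: <type>/<subtype>[+suffix][;parameters]"` is equivalent and far easier to read and grep. If the file was regenerated by a tool, that presumably also explains the dropped trailing newline; worth confirming so the same tool does not re-escape the text on the next pass.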
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json
index a479d73b0b6..a61186c9db8 100644
--- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json
+++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Parameter reference should exist on parameters definition field",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "7260680f"
-}
+ "descriptionID": "7260680f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json
index 83d2d617c00..4067d8e0fc0 100644
--- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json
+++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Responses reference should exist on responses definition field",
 "descriptionUrl": "https://swagger.io/specification/v2/#responsesDefinitionsObject",
 "platform": "OpenAPI",
- "descriptionID": "213a6df0"
-}
+ "descriptionID": "213a6df0",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json
index 619996e5df8..b94d80c10f5 100644
--- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json
+++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Schema reference should exists on definitions field",
 "descriptionUrl": "https://swagger.io/specification/v2/#definitionsObject",
 "platform": "OpenAPI",
- "descriptionID": "6da8f0da"
-}
+ "descriptionID": "6da8f0da",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json
index 48ba56a7d23..c06e1b79391 100644
--- a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json
+++ b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Only one body parameter is allowed on operation's parameters type field",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "817fa38a"
-}
+ "descriptionID": "817fa38a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json
index da49d23572e..e579390c88a 100644
--- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json
+++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "e0b264a9"
-}
+ "descriptionID": "e0b264a9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json
index 57fa222ddd1..386a580d846 100644
--- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json
+++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Body Parameter Object should have the attribute 'schema' defined",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "e135be5b"
-}
+ "descriptionID": "e135be5b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json
index 6a00d3896f0..5d029e1be43 100644
--- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json
+++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "If the security scheme is not of type 'oauth2', the array value must be empty",
 "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject",
 "platform": "OpenAPI",
- "descriptionID": "33e1e674"
-}
+ "descriptionID": "33e1e674",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/object_without_required_property/metadata.json b/assets/queries/openAPI/2.0/object_without_required_property/metadata.json
index 472246507e5..8ef714f9f85 100644
--- a/assets/queries/openAPI/2.0/object_without_required_property/metadata.json
+++ b/assets/queries/openAPI/2.0/object_without_required_property/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "OpenAPI Object should contain all of its required fields",
 "descriptionUrl": "https://swagger.io/specification/v2/",
 "platform": "OpenAPI",
- "descriptionID": "0bc1b81e"
-}
+ "descriptionID": "0bc1b81e",
+ "CWE": ""
+}
\ No newline at end of file
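Review bot: The descriptionText kept as context in the non_body_parameter_with_schema hunk, `The Body Parameter Object should have the attribute 'schema' defined`, is the same sentence body_parameter_without_schema uses and says the opposite of what this query's name implies (a non-body parameter that does carry 'schema'). Since the file is being edited anyway, this is the moment to give it its own description, for example `"descriptionText": "Non-body Parameter Objects should not have the attribute 'schema' defined"`. I am inferring the intended check from the directory name; the Rego is not part of this diff, so confirm against it before changing the wording.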
diff --git a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json
index 44e31534f13..34346974e8a 100644
--- a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'",
 "descriptionUrl": "https://swagger.io/specification/v2/#exampleObject",
 "platform": "OpenAPI",
- "descriptionID": "77f2d405"
-}
+ "descriptionID": "77f2d405",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json
index aa0e6efb76c..10743a952c8 100644
--- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operation object parameters should not have both 'body' and 'formatData' locations",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "007c8e83"
-}
+ "descriptionID": "007c8e83",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json b/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json
index 3d1df7a76e5..73ced949f95 100644
--- a/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "de859594"
-}
+ "descriptionID": "de859594",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json b/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json
index 9a3d2569e27..3d45118da55 100644
--- a/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operation Object should have 'produces' feild defined for 'GET'operation",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "1736226c"
-}
+ "descriptionID": "1736226c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json b/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json
index 786636cacc9..023b7076287 100644
--- a/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operation summary should be short (less than 120 characters)",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "60a0b99e"
-}
+ "descriptionID": "60a0b99e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json b/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json
index 54c67445984..c9217ef6153 100644
--- a/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json
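Review bot: Two context lines in the operation_object_without_consumes and operation_object_without_produces hunks carry typos the commit leaves as they are: `'consumes' feild` and `'produces' feild defined for 'GET'operation`. Both files are being modified anyway, so correcting them to `'consumes' field` and `'produces' field defined for 'GET' operation` costs nothing, and descriptionText is what users read in scan output. The same applies to `Using an scope` in both undefined_security_scope hunks further down this chunk, which should read `Using a scope`. I cannot tell from this diff whether descriptionID is derived from the text, so check whether editing the sentence requires regenerating the id.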
@@ -6,5 +6,6 @@
 "descriptionText": "Operation Object should not use basic authentication",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "bb3bb0b3"
-}
+ "descriptionID": "bb3bb0b3",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json
index beca87f2dab..5cd33ecdc5a 100644
--- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operation Object should not use implicit flow",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "5f7dafc1"
-}
+ "descriptionID": "5f7dafc1",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json b/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json
index a193b8a5349..384fa30167c 100644
--- a/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Operation Object should not use 'password' Flow in OAuth2 authentication",
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "e0279bb3"
-}
+ "descriptionID": "e0279bb3",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json
index f57df05ea1b..1fa652575c2 100644
--- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json
+++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The In field of Parameter Object must be 'formData' when type is 'file'",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
- "descriptionID": "e8a62738"
-}
+ "descriptionID": "e8a62738",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json
index 00a9066a432..dcacaf9e670 100644
--- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Parameter Object reference must always point to '#/parameters'",
 "descriptionUrl": "https://swagger.io/specification/v2/#parameter-object",
 "platform": "OpenAPI",
- "descriptionID": "9b33f092"
-}
+ "descriptionID": "9b33f092",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json b/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json
index 6e18cc79c4f..82d0e24222c 100644
--- a/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json
+++ b/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection",
 "descriptionUrl": "https://swagger.io/specification/v2/#operationObject",
 "platform": "OpenAPI",
- "descriptionID": "4ac6f671"
-}
+ "descriptionID": "4ac6f671",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/property_not_unique/metadata.json b/assets/queries/openAPI/2.0/property_not_unique/metadata.json
index 238df7a5637..8507502114f 100644
--- a/assets/queries/openAPI/2.0/property_not_unique/metadata.json
+++ b/assets/queries/openAPI/2.0/property_not_unique/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Every defined property must be unique throughout the whole API",
 "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
 "platform": "OpenAPI",
- "descriptionID": "eb2e14e6"
-}
+ "descriptionID": "eb2e14e6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json b/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json
index 1ec86a704dc..b7f3de714fc 100644
--- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Response Object reference must always point to '#/responses'",
 "descriptionUrl": "https://swagger.io/specification/v2/#responses-object",
 "platform": "OpenAPI",
- "descriptionID": "7a486064"
-}
+ "descriptionID": "7a486064",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json
index 9fa72237043..c32d0875df9 100644
--- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Schema Object reference must always point to '#/definitions'",
 "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
 "platform": "OpenAPI",
- "descriptionID": "8389f514"
-}
+ "descriptionID": "8389f514",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json
index 6b76584f668..34ea1e39507 100644
--- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json
+++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it",
 "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
 "platform": "OpenAPI",
- "descriptionID": "2509db0d"
-}
+ "descriptionID": "2509db0d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json b/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json
index e8047905a39..654c5f8bcf0 100644
--- a/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json
+++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials",
 "descriptionUrl": "https://swagger.io/specification/v2/#swaggerObject",
 "platform": "OpenAPI",
- "descriptionID": "34948b49"
-}
+ "descriptionID": "34948b49",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json
index 1d22ac03e7e..c154c1ad41d 100644
--- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Security Definition Object should not allow 'password' Flow in OAuth2 authentication",
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
- "descriptionID": "7b681b12"
-}
+ "descriptionID": "7b681b12",
+ "CWE": ""
+}
\ No newline at end of file
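Review bot: The path `assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json` in the second hunk here has a directory name ending in ` copy`, which reads as an accidental duplicate of a schemes_uses_http query rather than a deliberately named query. Adding `"CWE": ""` to it carries the stray folder forward instead of questioning it; if it is a duplicate it should be deleted or renamed, since an extra query directory with its own descriptionID would otherwise report the same check twice. I am inferring this from the name alone — the sibling directory is not visible in this diff — so confirm before acting on it.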
diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json
index ce93b919e4d..b63a93918d8 100644
--- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json
+++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Security Definitions Object should be set and not empty",
 "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
 "platform": "OpenAPI",
- "descriptionID": "170dbeca"
-}
+ "descriptionID": "170dbeca",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json
index 4f51c5f3326..9f4410ec361 100644
--- a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json
+++ b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Security Definition Object should not use basic authentication",
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
- "descriptionID": "80ec8e6a"
-}
+ "descriptionID": "80ec8e6a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json
index efa31d9ac1d..4bf1b8ce2d1 100644
--- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json
+++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker",
 "descriptionUrl": "https://swagger.io/specification/v2/#security-scheme-object",
 "platform": "OpenAPI",
- "descriptionID": "13115433"
-}
+ "descriptionID": "13115433",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json
index df63335c208..677891d476f 100644
--- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json
+++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker",
 "descriptionUrl": "https://swagger.io/specification/v2/#security-scheme-object",
 "platform": "OpenAPI",
- "descriptionID": "c5094b21"
-}
+ "descriptionID": "c5094b21",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unknown_prefix/metadata.json b/assets/queries/openAPI/2.0/unknown_prefix/metadata.json
index 0a36157c6e9..da3d4d36825 100644
--- a/assets/queries/openAPI/2.0/unknown_prefix/metadata.json
+++ b/assets/queries/openAPI/2.0/unknown_prefix/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'",
 "descriptionUrl": "https://swagger.io/specification/v2/#swagger-object",
 "platform": "OpenAPI",
- "descriptionID": "3ac339ab"
-}
+ "descriptionID": "3ac339ab",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unknown_property/metadata.json b/assets/queries/openAPI/2.0/unknown_property/metadata.json
index 5694dcdaa3f..547b5c244c2 100644
--- a/assets/queries/openAPI/2.0/unknown_property/metadata.json
+++ b/assets/queries/openAPI/2.0/unknown_property/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "All properties defined in OpenAPI objects should be known",
 "descriptionUrl": "https://swagger.io/specification/v2/",
 "platform": "OpenAPI",
- "descriptionID": "546047b9"
-}
+ "descriptionID": "546047b9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json b/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json
index 977090d7c2b..cbfe9694b14 100644
--- a/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "All global parameters definitions should be in use",
 "descriptionUrl": "https://swagger.io/specification/v2/#parametersDefinitionsObject",
 "platform": "OpenAPI",
- "descriptionID": "9850673a"
-}
+ "descriptionID": "9850673a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unused_response_definition/metadata.json b/assets/queries/openAPI/2.0/unused_response_definition/metadata.json
index 3eb794e4b6e..29cf35c107f 100644
--- a/assets/queries/openAPI/2.0/unused_response_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/unused_response_definition/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "All global responses definitions should be in use",
 "descriptionUrl": "https://swagger.io/specification/v2/#responsesDefinitionsObject",
 "platform": "OpenAPI",
- "descriptionID": "a2cfcc90"
-}
+ "descriptionID": "a2cfcc90",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json b/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json
index 3f05359cae5..e8425fafe0d 100644
--- a/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "All global schemas definitions should be in use",
 "descriptionUrl": "https://swagger.io/specification/v2/#definitionsObject",
 "platform": "OpenAPI",
- "descriptionID": "70f940b4"
-}
+ "descriptionID": "70f940b4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json
index 74e823f5f55..34e8a2953cb 100644
--- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json
+++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Objects should not accept 'additionalProperties' if it is possible",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
- "descriptionID": "3623f181"
-}
+ "descriptionID": "3623f181",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json
index 0b1ccf1ece1..a8a3490843c 100644
--- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json
+++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
- "descriptionID": "d470a878"
-}
+ "descriptionID": "d470a878",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
index 4cd84f4a746..62b4fa3e297 100644
--- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
+++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "API Keys should not be transported over network",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
- "descriptionID": "bcb4b221"
-}
+ "descriptionID": "bcb4b221",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json
index 84d6515e3ea..8c3a3b070ba 100644
--- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Callback Object reference must always point to '#/components/callbacks'",
 "descriptionUrl": "https://swagger.io/specification/#callback-object",
 "platform": "OpenAPI",
- "descriptionID": "ac521411"
-}
+ "descriptionID": "ac521411",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json
index e397de458f4..45ffebc0cca 100644
--- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json
+++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Cleartext credentials over unencrypted channel should not be accepted for the operation",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
- "descriptionID": "dc667769"
-}
+ "descriptionID": "dc667769",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json
index 3579bb98351..61b47260bc9 100644
--- a/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components callbacks definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "f8826fb7"
-}
+ "descriptionID": "f8826fb7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json
index 06706cb4868..ae76875082b 100644
--- a/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components examples definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "127b7b89"
-}
+ "descriptionID": "127b7b89",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json
index d5551b67db3..71566296646 100644
--- a/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components headers definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "cc73d7db"
-}
+ "descriptionID": "cc73d7db",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json
index cb4afb8c22e..d9fddc3407a 100644
--- a/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components links definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "3e317e78"
-}
+ "descriptionID": "3e317e78",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json
index 01548f4104f..17e4d8105a1 100644
--- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json
+++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\\.\\-_]+$`",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "a6f85ed4"
-}
+ "descriptionID": "a6f85ed4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json
index acf5ea5ffd0..e780433405b 100644
--- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components parameters definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "09b78a83"
-}
+ "descriptionID": "09b78a83",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json
index 18553095143..55627383e64 100644
--- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components request bodies definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "f3414d1a"
-}
+ "descriptionID": "f3414d1a",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json
index 75ee971c014..aad7d143a99 100644
--- a/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components responses definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "549f320c"
-}
+ "descriptionID": "549f320c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json
index 332091d43af..a051b32f801 100644
--- a/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Components schemas definitions should be referenced or removed from Open API definition",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "5cdc0f3b"
-}
+ "descriptionID": "5cdc0f3b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/empty_array/metadata.json b/assets/queries/openAPI/3.0/empty_array/metadata.json
index 40cc471ae18..e5de342484f 100644
--- a/assets/queries/openAPI/3.0/empty_array/metadata.json
+++ b/assets/queries/openAPI/3.0/empty_array/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "All array fields should not be empty",
 "descriptionUrl": "https://swagger.io/specification/",
 "platform": "OpenAPI",
- "descriptionID": "84f9722b"
-}
+ "descriptionID": "84f9722b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json
index 9abccd82234..b7a5896c9a9 100644
--- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json
+++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.",
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
- "descriptionID": "61185041"
-}
+ "descriptionID": "61185041",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json
index daabddf3021..ffd4ec97c40 100644
--- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json
+++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Encoding Map Key should be set in schema defined properties",
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
- "descriptionID": "f929aa5c"
-}
+ "descriptionID": "f929aa5c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json
index 9d147558cc3..8638b3400fa 100644
--- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json
+++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Reference to examples should point to #/components/examples",
 "descriptionUrl": "https://swagger.io/specification/#reference-object",
 "platform": "OpenAPI",
- "descriptionID": "8984393e"
-}
+ "descriptionID": "8984393e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json
index 71f9c27f28e..f69bfad982b 100644
--- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json
+++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A security scheme is allowing basic authentication credentials to be transported over network",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
- "descriptionID": "f29b5719"
-}
+ "descriptionID": "f29b5719",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json b/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json
index 871cda04e2c..33494bbbddf 100644
--- a/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json
+++ b/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Global server object URL should use 'https' protocol instead of 'http'",
 "descriptionUrl": "https://swagger.io/specification/#server-object",
 "platform": "OpenAPI",
- "descriptionID": "6b568693"
-}
+ "descriptionID": "6b568693",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json
index 325b5d97fd7..b8191d06976 100644
--- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Header Object reference must always point to '#/components/headers'",
 "descriptionUrl": "https://swagger.io/specification/#responses-object",
 "platform": "OpenAPI",
- "descriptionID": "c3f2fe74"
-}
+ "descriptionID": "c3f2fe74",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json b/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json
index 742b92fe11f..52edffc9cf9 100644
--- a/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The header object should have schema defined",
 "descriptionUrl": "https://swagger.io/specification/#header-object",
 "platform": "OpenAPI",
- "descriptionID": "c1c481e4"
-}
+ "descriptionID": "c1c481e4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
index f4d63efa20d..38e6f111175 100644
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
+++ b/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated",
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
- "descriptionID": "94ccaa01"
-}
+ "descriptionID": "94ccaa01",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json
index 18d6413a4ab..9fe9a7aaadb 100644
--- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)",
 "descriptionUrl": "https://swagger.io/docs/specification/describing-request-body/file-upload/",
 "platform": "OpenAPI",
- "descriptionID": "d74b6525"
-}
+ "descriptionID": "d74b6525",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json b/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json
index 13cba33242a..10ae0f5ff70 100644
--- a/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json
@@ -3,8 +3,9 @@
 "queryName": "Invalid Media Type Value (v3)",
 "severity": "INFO",
 "category": "Best Practices",
- "descriptionText": "The Media Type value should match the following format: /[+suffix][;parameters]",
+ "descriptionText": "The Media Type value should match the following format: \u003ctype\u003e/\u003csubtype\u003e[+suffix][;parameters]",
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
- "descriptionID": "6d641994"
-}
+ "descriptionID": "6d641994",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json
index 2fab48b20c0..c597562400a 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "OAuth2 security scheme flow requires a valid URL in the tokenUrl field",
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
- "descriptionID": "78304c48"
-}
+ "descriptionID": "78304c48",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json
index 8917f3ea741..092e677ac7f 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
- "descriptionID": "92051404"
-}
+ "descriptionID": "92051404",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json
index a7a3bff2841..c1fe96b5b33 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Callback reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "9fb67487"
-}
+ "descriptionID": "9fb67487",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json
index ffd9f7f0248..20bfc4fadec 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Example reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "026db32d"
-}
+ "descriptionID": "026db32d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json
index 9fa0f170738..7628a71b884 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Header reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "c90bc259"
-}
+ "descriptionID": "c90bc259",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json
index 213486c910e..c0b8466dd62 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Link reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "5d9af338"
-}
+ "descriptionID": "5d9af338",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json
index 0444a3aee8c..5da2ae1d3ab 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Parameter reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "a4f776da"
-}
+ "descriptionID": "a4f776da",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json
index e5e80b662e2..344cc5eb4b6 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Request Body reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "b33e0ccc"
-}
+ "descriptionID": "b33e0ccc",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json
index 830b8f76425..ce0baaf43a9 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Response reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "e443a03e"
-}
+ "descriptionID": "e443a03e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json
index 6051c9b804a..3817dfe90bb 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Schema reference should exists on components field",
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
- "descriptionID": "5d8202a1"
-}
+ "descriptionID": "5d8202a1",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json
index c25e94be8c4..664730a2461 100644
--- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Link object reference must always point to '#/components/links'",
 "descriptionUrl": "https://swagger.io/specification/#link-object",
 "platform": "OpenAPI",
- "descriptionID": "d32809e9"
-}
+ "descriptionID": "d32809e9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json
index 9b9e39d9247..a28ac2c382e 100644
--- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json
+++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Link object 'OperationId' should target an existing operation object in the OpenAPI definition",
 "descriptionUrl": "https://swagger.io/specification/#link-object",
 "platform": "OpenAPI",
- "descriptionID": "0a18f076"
-}
+ "descriptionID": "0a18f076",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json
index 4bb956de69d..29333bb84eb 100644
--- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.",
 "descriptionUrl": "https://swagger.io/specification/#link-object",
 "platform": "OpenAPI",
- "descriptionID": "bddcb8cd"
-}
+ "descriptionID": "bddcb8cd",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json
index 81042f86c99..e84e0795069 100644
--- a/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Media Type Object should have the attribute 'schema' defined",
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
- "descriptionID": "a7ffc444"
-}
+ "descriptionID": "a7ffc444",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json
index 2ff14c2147f..a5d323145d0 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json
+++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json
@@ -6,5 +6,6 @@ "descriptionText": "OAuth2 implicit flow is vulnerable to access token leakage and access token replay", "descriptionUrl": "https://swagger.io/specification/#oauth-flows-object", "platform": "OpenAPI", - "descriptionID": "9bce0305" -} + "descriptionID": "9bce0305", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json b/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json index e5339e501db..b1de9915013 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json +++ b/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "OAuth2 password flow insecurely exposes the credentials of the resource owner to the client", "descriptionUrl": "https://swagger.io/specification/#oauth-flows-object", "platform": "OpenAPI", - "descriptionID": "dd7818af" -} + "descriptionID": "dd7818af", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/object_without_required_property/metadata.json b/assets/queries/openAPI/3.0/object_without_required_property/metadata.json index 3c01924c64e..00952d29a9c 100644 --- a/assets/queries/openAPI/3.0/object_without_required_property/metadata.json +++ b/assets/queries/openAPI/3.0/object_without_required_property/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "OpenAPI Object should contain all of its required fields", "descriptionUrl": "https://swagger.io/specification/", "platform": "OpenAPI", - "descriptionID": "a6b935a6" -} + "descriptionID": "a6b935a6", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json index 60539391bc4..06da2377885 100644 --- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json 
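Review bot: The oauth2_with_implicit_flow hunk adds `"CWE": ""` to a query whose own descriptionText names a concrete weakness (access token leakage and replay via the implicit grant), so this is a case where the mapping is already known and an empty placeholder adds nothing. Fill the value for this query and for oauth2_with_password_flow (resource-owner credentials exposed to the client) in the same commit, or leave the key out until the mapping is decided, so a consumer cannot mistake `""` for a deliberate "no CWE" classification. As in the other hunks, the new `+}` drops the trailing newline the file previously had.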
+++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "The map content property of the parameter object should only contain one entry", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "be33f7a9" -} + "descriptionID": "be33f7a9", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json index 6ed4c7baa13..aa93f60ce22 100644 --- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json +++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Parameter Object reference must always point to '#/components/parameters'", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "52e1f1a5" -} + "descriptionID": "52e1f1a5", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json index 8a4250bbf95..d833a0ba289 100644 --- a/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json +++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "379a120d" -} + "descriptionID": "379a120d", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json index 3871a2b8468..f4d1bba9ce1 100644 --- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json +++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "A Parameter Object must contain either a 'schema' property, or a 'content' property", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "4bbd104f" -} + "descriptionID": "4bbd104f", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json index dbbd19b5367..56901760271 100644 --- a/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json +++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "The Parameter Object should have the attribute 'schema' defined", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "de40b141" -} + "descriptionID": "de40b141", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json b/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json index 8a9de755698..8414d23f6d6 100644 --- a/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json +++ b/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json 
@@ -6,5 +6,6 @@ "descriptionText": "The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection", "descriptionUrl": "https://swagger.io/specification/#server-object", "platform": "OpenAPI", - "descriptionID": "da49b13c" -} + "descriptionID": "da49b13c", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json index e4a37e4625a..ade4ba1ac43 100644 --- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json +++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Property 'allowEmptyValue' is ignored in the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, and {\"sytle\": \"deepObject\", \"explode\": true}", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "91d0af2c" -} + "descriptionID": "91d0af2c", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json index 3aad8899bae..a92277ab434 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json 
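Review bot: The path_server_uses_http hunk leaves `CWE` empty although the query describes a server URL allowing cleartext HTTP where HTTPS is required, which is the textbook case of CWE-319 (Cleartext Transmission of Sensitive Information); `"CWE": "319"` (in whatever format the loader expects, which this hunk does not show) would make the field useful from day one. An empty value on a transport-security query is easy to forget once the bulk commit lands. The trailing newline after `}` is also dropped here.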
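Review bot: The descriptionText context line in the property_allow_empty_value_ignored hunk spells `style` as `sytle` five times (`{\"sytle\": \"simple\", \"explode\": false}` and so on), and this text is what users see in scan results. Since the commit is already rewriting the tail of every metadata file, correcting the key name to `\"style\"` in the same pass would be cheap. If descriptionID is derived from the text it would presumably need regenerating, which I cannot confirm from this hunk.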
@@ -6,5 +6,6 @@ "descriptionText": "Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#encoding-object", "platform": "OpenAPI", - "descriptionID": "951a3c73" -} + "descriptionID": "951a3c73", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json index d4ee43b9c64..dc25c5126ed 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Property 'allowReserved' should be only defined for query parameters", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", - "descriptionID": "a23029a8" -} + "descriptionID": "a23029a8", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json index 07960ccc2f3..20e89dc7f80 100644 --- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json +++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#encoding-object", "platform": "OpenAPI", - "descriptionID": "927e421b" -} + "descriptionID": "927e421b", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json index 0b7a7877ab0..577be0a842f 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#encoding-object", "platform": "OpenAPI", - "descriptionID": "66497e8a" -} + "descriptionID": "66497e8a", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json index 6784cf850c9..557648cb207 100644 --- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json +++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Request Body reference must always point to '#/components/RequestBodies'", "descriptionUrl": "https://swagger.io/specification/#request-body-object", "platform": "OpenAPI", - "descriptionID": "1b450a4b" -} + "descriptionID": "1b450a4b", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json index 4d33e484007..02e8aa4b85a 100644 --- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json +++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json 
@@ -6,5 +6,6 @@ "descriptionText": "The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.", "descriptionUrl": "https://swagger.io/specification/#media-type-object", "platform": "OpenAPI", - "descriptionID": "0963c67c" -} + "descriptionID": "0963c67c", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json index dcf88b4815d..f4c72b38f4b 100644 --- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json +++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Response Object reference must always point to '#/components/responses'", "descriptionUrl": "https://swagger.io/specification/#responses-object", "platform": "OpenAPI", - "descriptionID": "2959ac6f" -} + "descriptionID": "2959ac6f", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json index 3bb6ba9c323..1cdc9fa8f31 100644 --- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json +++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Schema Object reference must always point to '#/components/schemas'", "descriptionUrl": "https://swagger.io/specification/#schema-object", "platform": "OpenAPI", - "descriptionID": "9f6a14ba" -} + "descriptionID": "9f6a14ba", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json index aeccfa72d79..bcf35c8a7e2 100644 
--- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json +++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Schema should not have both 'writeOnly' and 'readOnly' set to true", "descriptionUrl": "https://swagger.io/specification/#schema-object", "platform": "OpenAPI", - "descriptionID": "adb56e0b" -} + "descriptionID": "adb56e0b", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_field_undefined/metadata.json b/assets/queries/openAPI/3.0/security_field_undefined/metadata.json index a116760bf69..db7438f5ead 100644 --- a/assets/queries/openAPI/3.0/security_field_undefined/metadata.json +++ b/assets/queries/openAPI/3.0/security_field_undefined/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Security field should be defined in '#/components/securitySchemes'", "descriptionUrl": "https://swagger.io/specification/#security-requirement-object", "platform": "OpenAPI", - "descriptionID": "2d06cd16" -} + "descriptionID": "2d06cd16", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json b/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json index e5222573979..8daedacb1ad 100644 --- a/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json +++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Security operation field should be defined in '#/components/securitySchemes'", "descriptionUrl": "https://swagger.io/specification/#operation-object", "platform": "OpenAPI", - "descriptionID": "5ece1b91" -} + "descriptionID": "5ece1b91", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json index 402275058c7..b9d7f0c14f8 100644 --- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json +++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'", "descriptionUrl": "https://swagger.io/specification/#security-requirement-object", "platform": "OpenAPI", - "descriptionID": "34997c77" -} + "descriptionID": "34997c77", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json b/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json index 7c2cbb48953..3d6126ffc79 100644 --- a/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json +++ b/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Components' securityScheme field must have a valid scheme", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", - "descriptionID": "61dba06b" -} + "descriptionID": "61dba06b", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json index d6582e79efe..410f8d2fcc4 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json 
@@ -6,5 +6,6 @@ "descriptionText": "Security Scheme HTTP should not be using basic authentication", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", - "descriptionID": "2aa53f7c" -} + "descriptionID": "2aa53f7c", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json index 63049cac3ea..218badc0fcb 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Security Scheme HTTP should not be using digest authentication", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", - "descriptionID": "2e962b5c" -} + "descriptionID": "2e962b5c", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json index 4dee1eba7e1..cc6c3ceb236 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Security Scheme HTTP should not be using negotiate authentication", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", - "descriptionID": "2fe8fccb" -} + "descriptionID": "2fe8fccb", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json index b6528ce4bf5..f29b19c00c2 100644 --- a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json 
+++ b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", - "descriptionID": "e8060d48" -} + "descriptionID": "e8060d48", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json index 7c6ce6518ae..55b52af0347 100644 --- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json +++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Oauth 1.0 is deprecated, OAuth2 should be used instead", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", - "descriptionID": "8cff8206" -} + "descriptionID": "8cff8206", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json index 242f38980e4..7df560157e1 100644 --- a/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json +++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Every defined Server Variable Object should be used in a Service URL.", "descriptionUrl": "https://swagger.io/specification/#server-variable-object", "platform": "OpenAPI", - "descriptionID": "d1b765db" -} + "descriptionID": "d1b765db", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json b/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json index dba7129d32f..40f1c9897e4 100644 --- a/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json 
+++ b/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "The Server URL should be an absolute URL", "descriptionUrl": "https://swagger.io/specification/#server-object", "platform": "OpenAPI", - "descriptionID": "2dd5856c" -} + "descriptionID": "2dd5856c", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json index 902fe808c9f..2bc2bdfc5f7 100644 --- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json +++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Any variable used in the Service URL should be defined in the Service Object through 'variables'.", "descriptionUrl": "https://swagger.io/specification/#server-object", "platform": "OpenAPI", - "descriptionID": "c8a70e31" -} + "descriptionID": "c8a70e31", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/servers_undefined/metadata.json b/assets/queries/openAPI/3.0/servers_undefined/metadata.json index 403df550b16..ed7815411fe 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/metadata.json +++ b/assets/queries/openAPI/3.0/servers_undefined/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.", "descriptionUrl": "https://swagger.io/specification/#server-object", "platform": "OpenAPI", - "descriptionID": "890ee1bd" -} + "descriptionID": "890ee1bd", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json index 30b81274f44..01830fa2ea8 100644 
--- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json +++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Trace should define the '200' successful code", "descriptionUrl": "https://swagger.io/specification/#operation-object", "platform": "OpenAPI", - "descriptionID": "d3325ec2" -} + "descriptionID": "d3325ec2", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json index 1959a8f65d0..96ebfe4bd8f 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker", "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object", "platform": "OpenAPI", - "descriptionID": "ef926b66" -} + "descriptionID": "ef926b66", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json index dd10e1cd410..6286025f0ad 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker", "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object", "platform": "OpenAPI", - "descriptionID": "31fb94e2" -} + "descriptionID": "31fb94e2", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/openAPI/3.0/unknown_prefix/metadata.json b/assets/queries/openAPI/3.0/unknown_prefix/metadata.json index e97ce7ca9f2..3589a5edc20 100644 --- a/assets/queries/openAPI/3.0/unknown_prefix/metadata.json +++ b/assets/queries/openAPI/3.0/unknown_prefix/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'", "descriptionUrl": "https://swagger.io/specification/#media-type-object", "platform": "OpenAPI", - "descriptionID": "18c553ae" -} + "descriptionID": "18c553ae", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/3.0/unknown_property/metadata.json b/assets/queries/openAPI/3.0/unknown_property/metadata.json index 38dcf5d457d..249e95f0fff 100644 --- a/assets/queries/openAPI/3.0/unknown_property/metadata.json +++ b/assets/queries/openAPI/3.0/unknown_property/metadata.json @@ -6,5 +6,6 @@ "descriptionText": "All properties defined in OpenAPI objects should be known", "descriptionUrl": "https://swagger.io/specification/", "platform": "OpenAPI", - "descriptionID": "44e287cd" -} + "descriptionID": "44e287cd", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json index 4927160fbab..074ec13787a 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json +++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json 
@@ -1,11 +1,12 @@ { - "id": "bccb296f-362c-4b05-9221-86d1437a1016", - "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", - "severity": "HIGH", - "category": "Access Control", - "descriptionText": "Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.", - "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/dms/replicationinstance/", - "platform": "Pulumi", - "descriptionID": "fdd6a212", - "cloudProvider": "aws" - } \ No newline at end of file + "id": "bccb296f-362c-4b05-9221-86d1437a1016", + "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", + "severity": "HIGH", + "category": "Access Control", + "descriptionText": "Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.", + "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/dms/replicationinstance/", + "platform": "Pulumi", + "descriptionID": "fdd6a212", + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json index 3b8e21ccc3e..fd7b1ed59d1 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#accesslogsettings_yaml", "platform": "Pulumi", "descriptionID": "5feb747f", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
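Review bot: The amazon_dms_replication_instance_is_publicly_accessible hunk rewrites all eleven lines of the file to add one key, because the existing lines were re-indented at the same time; the only semantic change, `"CWE": ""`, is buried among whitespace-only `-`/`+` pairs. Separating the re-indent from the CWE addition, or reviewing with an ignore-whitespace view, would make the bulk change auditable. The rewrite still ends with `\ No newline at end of file`, so the chance to add the missing trailing newline while rewriting the file was not taken.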
diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json index 7b4de3a1979..39caa0a3a7a 100644 --- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json +++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#clientcertificateid_yaml", "platform": "Pulumi", "descriptionID": "f7ced1f3", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json b/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json index 986818c3a93..dd4d37c9c3c 100644 --- a/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json +++ b/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/docdb/cluster/#enabledcloudwatchlogsexports_yaml", "platform": "Pulumi", "descriptionID": "c5bd58cd", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json index 2a331dd6f16..80f344a1544 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json +++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#serversideencryption_yaml", "platform": "Pulumi", "descriptionID": "fb6a0c51", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json index f0ffa9bb8e6..871c9b00b06 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json +++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml", "platform": "Pulumi", "descriptionID": "6ff56c6e", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json index fb883cce032..884f8846668 100644 --- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json +++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#monitoring_yaml", "platform": "Pulumi", "descriptionID": "7f96d3ac", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json index 81bd0013ab6..3b693193aa6 100644 --- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json +++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#ebsoptimized_yaml", "platform": "Pulumi", "descriptionID": "81a001dd", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json index c380c74db5d..61d242e1449 100644 --- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json +++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#azmode_yaml", "platform": "Pulumi", "descriptionID": "149de780", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json index 1ca50f29a24..594aa1450ca 100644 --- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json +++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#snapshotretentionlimit_yaml", "platform": "Pulumi", "descriptionID": "ff8bf6c0", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json index 179130abb0b..99b8de69d88 100644 --- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json +++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#logpublishingoptions_yaml", "platform": "Pulumi", "descriptionID": "55b7425d", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json index 089dc14f160..19cc71573e3 100644 --- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json +++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json @@ -1,12 +1,12 @@ { - "id": "00603add-7f72-448f-a6c0-9e456a7a3f94", - "queryName": "Elasticsearch with HTTPS disabled", - "severity": "HIGH", - "category": "Networking and Firewall", - "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.", - "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#enforcehttps_yaml", - "platform": "Pulumi", - "descriptionID": "831d28f3", - "cloudProvider": "aws" - } - \ No newline at end of file + "id": "00603add-7f72-448f-a6c0-9e456a7a3f94", + "queryName": "Elasticsearch with HTTPS disabled", + "severity": "HIGH", + "category": "Networking and Firewall", + "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.", + "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#enforcehttps_yaml", + "platform": "Pulumi", + "descriptionID": "831d28f3", + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json index e7238b1f336..3e42db7cabb 100644 --- a/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json +++ b/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json 
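Review bot: The re-emitted descriptionText line in the elasticsearch_with_https_disabled hunk says the domain "does not have encryption for its domains enabled", but the attribute the query points at, `EnforceHTTPS`, governs whether plaintext HTTP clients are refused, not encryption of the domain's data; a user reading the finding may go looking for the wrong setting. Since the whole line is being rewritten anyway, wording such as `"descriptionText": "Amazon Elasticsearch domain does not enforce HTTPS, so clients can connect over plaintext HTTP. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true."` would match what the rule checks. If descriptionID is derived from the text it would need regenerating, which this hunk does not show.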
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#requirelowercasecharacters_yaml",
 "platform": "Pulumi",
 "descriptionID": "602b7e6a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json
index 8c86f7ed92a..758ac74f3c3 100644
--- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#minimumpasswordlength_yaml",
 "platform": "Pulumi",
 "descriptionID": "5e46720a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
index eab7bccdd2d..f34cd10949c 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml",
 "platform": "Pulumi",
 "descriptionID": "be6d13f0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 929b536d5bf..6c0c8fd3a19 100644
--- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/azure-native/api-docs/cache/redis/#enablenonsslport_yaml",
 "platform": "Pulumi",
 "descriptionID": "64acf7a6",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
index 1cb021cff90..c20d0b5eaa2 100644
--- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
+++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/storageaccount/#enablehttpstrafficonly_yaml",
 "platform": "Pulumi",
 "descriptionID": "406540e1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index 0b9800ac9f5..f64bf39f851 100644
--- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/gcp/api-docs/storage/bucket/#logging_yaml",
 "platform": "Pulumi",
 "descriptionID": "cc15c4d8",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
index af96835c2eb..aa138cbd644 100644
--- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
+++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslpolicy/#mintlsversion_yaml",
 "platform": "Pulumi",
 "descriptionID": "58a27cbf",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json
index 03b37447eb4..634bbcf596b 100644
--- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json
+++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
 "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta",
 "platform": "Pulumi",
- "descriptionID": "15676623"
-}
+ "descriptionID": "15676623",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
index 5206561f6b1..65508d83589 100644
--- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Do not allow pod to request execution as privileged.",
 "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml",
 "platform": "Pulumi",
- "descriptionID": "7a6c8b70"
-}
+ "descriptionID": "7a6c8b70",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json
index da18288ecdb..085d266064c 100644
--- a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless FW API should have HTTP Access Logging enabled",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#logs",
 "platform": "ServerlessFW",
- "descriptionID": "15262598"
-}
+ "descriptionID": "15262598",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json
index 0938124522b..9ea02bc949d 100644
--- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/events/apigateway#configuring-endpoint-types",
 "platform": "ServerlessFW",
- "descriptionID": "7837a4b9"
-}
+ "descriptionID": "7837a4b9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json
index 83eec2a91f9..48c00decf21 100644
--- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/events/apigateway#compression",
 "platform": "ServerlessFW",
- "descriptionID": "2a9e728c"
-}
+ "descriptionID": "2a9e728c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json
index dc5f7b77bc0..30bd175e759 100644
--- a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless API Gateway should have X-Ray Tracing enabled",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/events/apigateway#aws-x-ray-tracing",
 "platform": "ServerlessFW",
- "descriptionID": "4af7c06f"
-}
+ "descriptionID": "4af7c06f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json
index ba5281e7273..d069c1edcc5 100644
--- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless Function should encrypt environment variables",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#kms-keys",
 "platform": "ServerlessFW",
- "descriptionID": "d900c253"
-}
+ "descriptionID": "d900c253",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json
index 019faff6ffb..6f2f36ed8d4 100644
--- a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#dead-letter-queue-dlq",
 "platform": "ServerlessFW",
- "descriptionID": "0bd85f63"
-}
+ "descriptionID": "0bd85f63",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json b/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json
index 9922c70637f..0a3f977789f 100644
--- a/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless Function should be have associated tags",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#tags",
 "platform": "ServerlessFW",
- "descriptionID": "39d4d6d2"
-}
+ "descriptionID": "39d4d6d2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json
index 37998502d03..60491fb35ce 100644
--- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#functions",
 "platform": "ServerlessFW",
- "descriptionID": "071f8656"
-}
+ "descriptionID": "071f8656",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json
index 64eb2a7eb6e..e019ca19102 100644
--- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#aws-x-ray-tracing",
 "platform": "ServerlessFW",
- "descriptionID": "f3f93ff6"
-}
+ "descriptionID": "f3f93ff6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json b/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json
index 5bef9ffa270..282d682ec1a 100644
--- a/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json
+++ b/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles defined in Serverless files should not have policies granting full administrative privileges.",
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/iam",
 "platform": "ServerlessFW",
- "descriptionID": "0907f0e7"
-}
+ "descriptionID": "0907f0e7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json
index 37f5744b2bf..f7df1ad2117 100644
--- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail#trail_region",
 "platform": "Terraform",
 "descriptionID": "72180b32",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json
index 226dd63f929..a2cd7f23849 100644
--- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail",
 "platform": "Terraform",
 "descriptionID": "0b91a8b5",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json b/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json
index 7dd1ca3d3b3..8944c3f569b 100644
--- a/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json
+++ b/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/alb_listener",
 "platform": "Terraform",
 "descriptionID": "75d71dc8",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json
index 1b06431f2a4..a31eee6f6ba 100644
--- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json
+++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "1bcdf9f0-b1aa-40a4-b8c6-cd7785836843",
- "queryName": "API Gateway API Protocol Not HTTPS",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "API Gateway API protocol should be set to HTTPS",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/api_gateway_api#protocol",
- "platform": "Terraform",
- "descriptionID": "31f4c870",
- "cloudProvider": "alicloud"
- }
- 
\ No newline at end of file
+ "id": "1bcdf9f0-b1aa-40a4-b8c6-cd7785836843",
+ "queryName": "API Gateway API Protocol Not HTTPS",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "API Gateway API protocol should be set to HTTPS",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/api_gateway_api#protocol",
+ "platform": "Terraform",
+ "descriptionID": "31f4c870",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json b/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json
index f4ccd8df544..a4175d37a50 100644
--- a/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json
+++ b/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key#is_enabled",
 "platform": "Terraform",
 "descriptionID": "52a5ea7c",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json
index 262768fe42e..49106007fcb 100644
--- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json
@@ -7,6 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes_node_pool#auto_repair",
 "platform": "Terraform",
 "descriptionID": "3096639c",
- "cloudProvider": "alicloud"
-}
- 
\ No newline at end of file
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json b/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json
index c75b99cc3b9..193ecb7c1c0 100644
--- a/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#encrypted",
 "platform": "Terraform",
 "descriptionID": "68bbdfee",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json
index 4f14e8a00ea..b546b1f72cf 100644
--- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json
+++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "04c57e20",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json
index 094ee096bb2..5a4588a5ba9 100644
--- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json
+++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "cb319d87-b90f-485e-a7e7-f2408380f309",
- "queryName": "High KMS Key Rotation Period",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key",
- "platform": "Terraform",
- "descriptionID": "7961c2d3",
- "cloudProvider": "alicloud"
- }
+ "id": "cb319d87-b90f-485e-a7e7-f2408380f309",
+ "queryName": "High KMS Key Rotation Period",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key",
+ "platform": "Terraform",
+ "descriptionID": "7961c2d3",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json
index dd979496b02..ce7a8c001a2 100644
--- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json
+++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes#cluster_network_type",
 "platform": "Terraform",
 "descriptionID": "7c27643e",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json
index 0cb8e65bae7..ba757ccb6dc 100644
--- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json
+++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/launch_template#encrypted",
 "platform": "Terraform",
 "descriptionID": "e9336717",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json
index effd2a26865..a0a981e9978 100644
--- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json
+++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_store#retention_period",
 "platform": "Terraform",
 "descriptionID": "11d4fc85",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json
index ef3499d756b..8ade6d50335 100644
--- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json
+++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#encrypt_type",
 "platform": "Terraform",
 "descriptionID": "fb3675d5",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json
index 8445d65c175..a9e70357f76 100644
--- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json
+++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "5fb1326b",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json
index ebda3252dd3..ee70ec30ccb 100644
--- a/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json
+++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack",
 "platform": "Terraform",
 "descriptionID": "199b3f61",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json
index b9d2361e4de..c087f2764c4 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
 "platform": "Terraform",
 "descriptionID": "5507d429",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json
index e51fa937a6d..c38f183a539 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "8c0695d8-2378-4cd6-8243-7fd5894fa574",
- "queryName": "OSS Bucket Allows Delete Action From All Principals",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
- "platform": "Terraform",
- "descriptionID": "ee07e6f5",
- "cloudProvider": "alicloud"
- }
+ "id": "8c0695d8-2378-4cd6-8243-7fd5894fa574",
+ "queryName": "OSS Bucket Allows Delete Action From All Principals",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
+ "platform": "Terraform",
+ "descriptionID": "ee07e6f5",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json
index 221a3e5e433..80f1e4df20f 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "88541597-6f88-42c8-bac6-7e0b855e8ff6",
- "queryName": "OSS Bucket Allows List Action From All Principals",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
- "platform": "Terraform",
- "descriptionID": "b22a7d83",
- "cloudProvider": "alicloud"
- }
+ "id": "88541597-6f88-42c8-bac6-7e0b855e8ff6",
+ "queryName": "OSS Bucket Allows List Action From All Principals",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
+ "platform": "Terraform",
+ "descriptionID": "b22a7d83",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json
index 12c1e41ac7e..aee8a561b81 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "fe286195-e75c-4359-bd58-00847c4f855a",
- "queryName": "OSS Bucket Allows Put Action From All Principals",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
- "platform": "Terraform",
- "descriptionID": "14d65676",
- "cloudProvider": "alicloud"
-}
+ "id": "fe286195-e75c-4359-bd58-00847c4f855a",
+ "queryName": "OSS Bucket Allows Put Action From All Principals",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
+ "platform": "Terraform",
+ "descriptionID": "14d65676",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json
index 2135a5a2305..f1ac789a1a9 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#server_side_encryption_rule",
 "platform": "Terraform",
 "descriptionID": "5907ee8c",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json
index 83bb7914b62..e2466673305 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#website",
 "platform": "Terraform",
 "descriptionID": "4c0903ce",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json
index 0decb738a8d..823b6322fd3 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
 "platform": "Terraform",
 "descriptionID": "93cebe21",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json
index 18739fcba4f..64e05de79aa 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "7db8bd7e-9772-478c-9ec5-4bc202c5686f",
- "queryName": "OSS Bucket Lifecycle Rule Disabled",
- "severity": "LOW",
- "category": "Backup",
- "descriptionText": "OSS Bucket should have lifecycle rule enabled and set to true",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule",
- "platform": "Terraform",
- "descriptionID": "66609561",
- "cloudProvider": "alicloud"
- }
+ "id": "7db8bd7e-9772-478c-9ec5-4bc202c5686f",
+ "queryName": "OSS Bucket Lifecycle Rule Disabled",
+ "severity": "LOW",
+ "category": "Backup",
+ "descriptionText": "OSS Bucket should have lifecycle rule enabled and set to true",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule",
+ "platform": "Terraform",
+ "descriptionID": "66609561",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json
index 030711a056c..f2ed03d803f 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#logging",
 "platform": "Terraform",
 "descriptionID": "c4a5fdbb",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
index af4579708d2..c305ba14ae8 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl",
 "platform": "Terraform",
 "descriptionID": "d8096622",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json
index 4cf7b1cdf2b..8a6a52a38f2 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#transfer_acceleration",
 "platform": "Terraform",
 "descriptionID": "19899aaa",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json
index 9731e9355b8..7fa698e2d57 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba",
- "queryName": "OSS Bucket Versioning Disabled",
- "severity": "MEDIUM",
- "category": "Backup",
- "descriptionText": "OSS Bucket should have versioning enabled",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning",
- "platform": "Terraform",
- "descriptionID": "749f1287",
- "cloudProvider": "alicloud"
- }
+ "id": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba",
+ "queryName": "OSS Bucket Versioning Disabled",
+ "severity": "MEDIUM",
+ "category": "Backup",
+ "descriptionText": "OSS Bucket should have versioning enabled",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning",
+ "platform": "Terraform",
+ "descriptionID": "749f1287",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json
index bece63d9338..8d891033c4d 100644
--- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "c01d10de-c468-4790-b3a0-fc887a56f289",
- "queryName": "OSS Buckets Secure Transport Disabled",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "OSS Buckets should have secure transport enabled",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
- "platform": "Terraform",
- "descriptionID": "2b43b0a7",
- "cloudProvider": "alicloud"
- }
+ "id": "c01d10de-c468-4790-b3a0-fc887a56f289",
+ "queryName": "OSS Buckets Secure Transport Disabled",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "OSS Buckets should have secure transport enabled",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy",
+ "platform": "Terraform",
+ "descriptionID": "2b43b0a7",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json
index e0290b3cdae..f2cee87e26f 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "60587dbd-6b67-432e-90f7-a8cf1892d968",
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "Alicloud Security Group Rule should not allow all ports or all protocols to the public",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#cidr_ip",
- "platform": "Terraform",
- "descriptionID": "6dcb70e8",
- "cloudProvider": "alicloud"
- }
+ "id": "60587dbd-6b67-432e-90f7-a8cf1892d968",
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "Alicloud Security Group Rule should not allow all ports or all protocols to the public",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#cidr_ip",
+ "platform": "Terraform",
+ "descriptionID": "6dcb70e8",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json
index bbd49efcb27..5bff281d3aa 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "dd706080-b7a8-47dc-81fb-3e8184430ec0",
- "queryName": "Public Security Group Rule Unknown Port",
- "severity": "MEDIUM",
- "category": "Networking and Firewall",
- "descriptionText": "A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range",
- "platform": "Terraform",
- "descriptionID": "a2097952",
- "cloudProvider": "alicloud"
- }
+ "id": "dd706080-b7a8-47dc-81fb-3e8184430ec0",
+ "queryName": "Public Security Group Rule Unknown Port",
+ "severity": "MEDIUM",
+ "category": "Networking and Firewall",
+ "descriptionText": "A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range",
+ "platform": "Terraform",
+ "descriptionID": "a2097952",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json
index cfe23bf3f04..d30f32031d8 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "e76fd7ab-7333-40c6-a2d8-ea28af4a319e",
- "queryName": "Ram Account Password Policy Max Login Attempts Unrecommended",
- "severity": "HIGH",
- "category": "Secret Management",
- "descriptionText": "Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_login_attempts",
- "platform": "Terraform",
- "descriptionID": "6a2e9c34",
- "cloudProvider": "alicloud"
- }
+ "id": "e76fd7ab-7333-40c6-a2d8-ea28af4a319e",
+ "queryName": "Ram Account Password Policy Max Login Attempts Unrecommended",
+ "severity": "HIGH",
+ "category": "Secret Management",
+ "descriptionText": "Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_login_attempts",
+ "platform": "Terraform",
+ "descriptionID": "6a2e9c34",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json
index a3d9b5a732e..f132100cfb8 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "2bb13841-7575-439e-8e0a-cccd9ede2fa8",
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_password_age",
- "platform": "Terraform",
- "descriptionID": "6056f5ca",
- "cloudProvider": "alicloud"
- }
+ "id": "2bb13841-7575-439e-8e0a-cccd9ede2fa8",
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_password_age",
+ "platform": "Terraform",
+ "descriptionID": "6056f5ca",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json
index 64893ff499d..ca87a9c8aee 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a9dfec39-a740-4105-bbd6-721ba163c053",
- "queryName": "Ram Account Password Policy Not Required Minimum Length",
- "severity": "HIGH",
- "category": "Secret Management",
- "descriptionText": "Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#minimum_password_length",
- "platform": "Terraform",
- "descriptionID": "a8b47743",
- "cloudProvider": "alicloud"
- }
+ "id": "a9dfec39-a740-4105-bbd6-721ba163c053",
+ "queryName": "Ram Account Password Policy Not Required Minimum Length",
+ "severity": "HIGH",
+ "category": "Secret Management",
+ "descriptionText": "Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#minimum_password_length",
+ "platform": "Terraform",
+ "descriptionID": "a8b47743",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json
index 0a935ee9821..46a9d37afcd 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_numbers",
 "platform": "Terraform",
 "descriptionID": "0ee40b1d",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json
index d8e6669bb99..d4465a82c7e 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_symbols",
 "platform": "Terraform",
 "descriptionID": "f3616c34",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json
index 83a0f831abe..b83952c32c0 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a8128dd2-89b0-464b-98e9-5d629041dfe0",
- "queryName": "RAM Account Password Policy without Reuse Prevention",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#password_reuse_prevention",
- "platform": "Terraform",
- "descriptionID": "2210f1f7",
- "cloudProvider": "alicloud"
- }
+ "id": "a8128dd2-89b0-464b-98e9-5d629041dfe0",
+ "queryName": "RAM Account Password Policy without Reuse Prevention",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#password_reuse_prevention",
+ "platform": "Terraform",
+ "descriptionID": "2210f1f7",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json
index 923043bd7d8..debd65095ef 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_lowercase_characters",
 "platform": "Terraform",
 "descriptionID": "b482b843",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json
index dc9f9af7325..25534fb0a5a 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_uppercase_characters",
 "platform": "Terraform",
 "descriptionID": "5adbc73e",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json
index 2467d68537d..1e9837f67c5 100644
--- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_policy",
 "platform": "Terraform",
 "descriptionID": "d529825f",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json
index 549e97e72a1..06b2c4c6503 100644
--- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "66505003-7aba-45a1-8d83-5162d5706ef5",
- "queryName": "Ram Policy Attached to User",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "Ram policies should not be attached to users",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_user_policy_attachment",
- "platform": "Terraform",
- "descriptionID": "c3be65a4",
- "cloudProvider": "alicloud"
- }
+ "id": "66505003-7aba-45a1-8d83-5162d5706ef5",
+ "queryName": "Ram Policy Attached to User",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Ram policies should not be attached to users",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_user_policy_attachment",
+ "platform": "Terraform",
+ "descriptionID": "c3be65a4",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json
index 5671c25d903..ba2b06d03a4 100644
--- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "dcda2d32-e482-43ee-a926-75eaabeaa4e0",
- "queryName": "RAM Security Preference Not Enforce MFA Login",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "RAM Security preferences should enforce MFA login for RAM users",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_security_preference#enforce_mfa_for_login",
- "platform": "Terraform",
- "descriptionID": "6131e90d",
- "cloudProvider": "alicloud"
- }
+ "id": "dcda2d32-e482-43ee-a926-75eaabeaa4e0",
+ "queryName": "RAM Security Preference Not Enforce MFA Login",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "RAM Security preferences should enforce MFA login for RAM users",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_security_preference#enforce_mfa_for_login",
+ "platform": "Terraform",
+ "descriptionID": "6131e90d",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
index de3e308bc4b..d6591e6aa75 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#address",
 "platform": "Terraform",
 "descriptionID": "d23dc3f9",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json
index 02d5a279312..d9a92000cbb 100644
--- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "b9c524a4-fe76-4021-a6a2-cb978fb4fde1",
- "queryName": "RDS Instance Events Not Logged",
- "severity": "HIGH",
- "category": "Observability",
- "descriptionText": "All RDS Instance events trackers should be 'true'",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_audit",
- "platform": "Terraform",
- "descriptionID": "c731d8ad",
- "cloudProvider": "alicloud"
- }
+ "id": "b9c524a4-fe76-4021-a6a2-cb978fb4fde1",
+ "queryName": "RDS Instance Events Not Logged",
+ "severity": "HIGH",
+ "category": "Observability",
+ "descriptionText": "All RDS Instance events trackers should be 'true'",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_audit",
+ "platform": "Terraform",
+ "descriptionID": "c731d8ad",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json
index 26cf29b5a9a..58f95133c40 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "140869ea-25f2-40d4-a595-0c0da135114e",
- "queryName": "RDS Instance Log Connections Disabled",
- "severity": "LOW",
- "category": "Observability",
- "descriptionText": "'log_connections' parameter should be set to ON for RDS instances",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters",
- "platform": "Terraform",
- "descriptionID": "0a96bec0",
- "cloudProvider": "alicloud"
- }
+ "id": "140869ea-25f2-40d4-a595-0c0da135114e",
+ "queryName": "RDS Instance Log Connections Disabled",
+ "severity": "LOW",
+ "category": "Observability",
+ "descriptionText": "'log_connections' parameter should be set to ON for RDS instances",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters",
+ "platform": "Terraform",
+ "descriptionID": "0a96bec0",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json
index 4795694f48a..be25f2583d8 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "d53f4123-f8d8-4224-8cb3-f920b151cc98",
- "queryName": "RDS Instance Log Disconnections Disabled",
- "severity": "LOW",
- "category": "Observability",
- "descriptionText": "log_disconnections parameter should be set to ON for RDS instances",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters",
- "platform": "Terraform",
- "descriptionID": "67ec659b",
- "cloudProvider": "alicloud"
- }
+ "id": "d53f4123-f8d8-4224-8cb3-f920b151cc98",
+ "queryName": "RDS Instance Log Disconnections Disabled",
+ "severity": "LOW",
+ "category": "Observability",
+ "descriptionText": "log_disconnections parameter should be set to ON for RDS instances",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters",
+ "platform": "Terraform",
+ "descriptionID": "67ec659b",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json
index 5fe1a306e95..090e1bcd34e 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a597e05a-c065-44e7-9cc8-742f572a504a",
- "queryName": "RDS Instance Log Duration Disabled",
- "severity": "LOW",
- "category": "Observability",
- "descriptionText": "log_duration parameter should be set to ON for RDS instances",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters",
- "platform": "Terraform",
- "descriptionID": "c4027901",
- "cloudProvider": "alicloud"
- }
+ "id": "a597e05a-c065-44e7-9cc8-742f572a504a",
+ "queryName": "RDS Instance Log Duration Disabled",
+ "severity": "LOW",
+ "category": "Observability",
+ "descriptionText": "log_duration parameter should be set to ON for RDS instances",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters",
+ "platform": "Terraform",
+ "descriptionID": "c4027901",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json
index 4c659f130f8..53f58779211 100644
--- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "1b4565c0-4877-49ac-ab03-adebbccd42ae",
- "queryName": "RDS DB Instance Publicly Accessible",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips",
- "platform": "Terraform",
- "descriptionID": "aac97545",
- "cloudProvider": "alicloud"
- }
+ "id": "1b4565c0-4877-49ac-ab03-adebbccd42ae",
+ "queryName": "RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips",
+ "platform": "Terraform",
+ "descriptionID": "aac97545",
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json
index 81697866ca5..61bb6e0c066 100644
--- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json
@@ -1,11 +1,12 @@ { - "id": "dc158941-28ce-481d-a7fa-dc80761edf46", - "queryName": "RDS Instance Retention Period Not Recommended", - "severity": "MEDIUM", - "category": "Observability", - "descriptionText": "RDS Instance SQL Retention Period should be greater than 180", - "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value", - "platform": "Terraform", - "descriptionID": "243a4fb4", - "cloudProvider": "alicloud" - } + "id": "dc158941-28ce-481d-a7fa-dc80761edf46", + "queryName": "RDS Instance Retention Period Not Recommended", + "severity": "MEDIUM", + "category": "Observability", + "descriptionText": "RDS Instance SQL Retention Period should be greater than 180", + "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value", + "platform": "Terraform", + "descriptionID": "243a4fb4", + "cloudProvider": "alicloud", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json index d72017c18ff..2ac88b9c125 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json 
@@ -1,11 +1,12 @@ { - "id": "7a1ee8a9-71be-4b11-bb70-efb62d16863b", - "queryName": "RDS Instance SSL Action Disabled", - "severity": "HIGH", - "category": "Networking and Firewall", - "descriptionText": "ssl_action parameter should be set to Open for RDS instances", - "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action", - "platform": "Terraform", - "descriptionID": "4a568dd7", - "cloudProvider": "alicloud" - } + "id": "7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "queryName": "RDS Instance SSL Action Disabled", + "severity": "HIGH", + "category": "Networking and Firewall", + "descriptionText": "ssl_action parameter should be set to Open for RDS instances", + "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action", + "platform": "Terraform", + "descriptionID": "4a568dd7", + "cloudProvider": "alicloud", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json index aa10110baad..dd1c3d5923e 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json 
@@ -1,11 +1,12 @@ { - "id": "44d434ca-a9bf-4203-8828-4c81a8d5a598", - "queryName": "RDS Instance TDE Status Disabled", - "severity": "HIGH", - "category": "Encryption", - "descriptionText": "tde_status parameter should be Enabled for supported RDS instances", - "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#tde_status", - "platform": "Terraform", - "descriptionID": "ae8fb315", - "cloudProvider": "alicloud" - } + "id": "44d434ca-a9bf-4203-8828-4c81a8d5a598", + "queryName": "RDS Instance TDE Status Disabled", + "severity": "HIGH", + "category": "Encryption", + "descriptionText": "tde_status parameter should be Enabled for supported RDS instances", + "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#tde_status", + "platform": "Terraform", + "descriptionID": "ae8fb315", + "cloudProvider": "alicloud", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json index 23568bddfcd..d14d9aaa362 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack#notification_urls", "platform": "Terraform", "descriptionID": "9552bb69", - "cloudProvider": "alicloud" -} + "cloudProvider": "alicloud", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json index 3728cd73260..ec3ab63d49c 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json 
+++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack_instance#retain_stacks",
 "platform": "Terraform",
 "descriptionID": "7d4885db",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json b/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json
index 26ce8835700..38def4fba57 100644
--- a/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json
+++ b/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json
@@ -7,6 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack",
 "platform": "Terraform",
 "descriptionID": "29378f62",
- "cloudProvider": "aws"
-}
- 
\ No newline at end of file
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json
index 20a1a911fdd..82128f5fa2e 100644
--- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json
+++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/slb_tls_cipher_policy",
 "platform": "Terraform",
 "descriptionID": "dcc71406",
- "cloudProvider": "alicloud"
-}
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json
index c8c39504f64..b342976a285 100644
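Review bot: In the ros_stack_without_template hunk the new side keeps `"cloudProvider": "aws"` even though the file lives under assets/queries/terraform/alicloud and its descriptionUrl points at the aliyun/alicloud provider docs; the commit already rewrites this line, so it is the right moment to correct it to `"cloudProvider": "alicloud",`. As it stands, any filtering or reporting keyed on cloudProvider will list this alicloud query under AWS, and the inconsistency will survive the metadata clean-up this commit is doing.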
--- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json +++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/vpc_flow_log", "platform": "Terraform", "descriptionID": "2841dac6", - "cloudProvider": "alicloud" -} + "cloudProvider": "alicloud", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json index 5fdd5ab468b..dc937ad9fef 100644 --- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#enable_deletion_protection", "platform": "Terraform", "descriptionID": "224b3c6f", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json index d1da7b48890..a44f1959883 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association", "platform": "Terraform", "descriptionID": "4e4c668d", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_listening_on_http/metadata.json b/assets/queries/terraform/aws/alb_listening_on_http/metadata.json index 94cd2402ab3..fe8a28f53bd 100644 
--- a/assets/queries/terraform/aws/alb_listening_on_http/metadata.json +++ b/assets/queries/terraform/aws/alb_listening_on_http/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener", "platform": "Terraform", "descriptionID": "47a8608d", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json index 073383792f2..f1aae97390a 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields", "platform": "Terraform", "descriptionID": "7560e4d2", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json index 91dd32331d0..1be85a76f09 100644 --- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json +++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json 
@@ -1,11 +1,12 @@ { - "id": "030d3b18-1821-45b4-9e08-50efbe7becbb", - "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", - "severity": "HIGH", - "category": "Access Control", - "descriptionText": "Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance", - "platform": "Terraform", - "descriptionID": "e9791a4b", - "cloudProvider": "aws" - } \ No newline at end of file + "id": "030d3b18-1821-45b4-9e08-50efbe7becbb", + "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", + "severity": "HIGH", + "category": "Access Control", + "descriptionText": "Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance", + "platform": "Terraform", + "descriptionID": "e9791a4b", + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json index 6ed082b5fa3..ec9dd586139 100644 --- a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json +++ b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker", "platform": "Terraform", "descriptionID": "81fb6220", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/ami_not_encrypted/metadata.json b/assets/queries/terraform/aws/ami_not_encrypted/metadata.json index 187fcab5d2e..0e599e28344 100644 --- a/assets/queries/terraform/aws/ami_not_encrypted/metadata.json +++ b/assets/queries/terraform/aws/ami_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami", "platform": "Terraform", "descriptionID": "248fe368", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json index b8cacc464f2..cba5b701fa3 100644 --- a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json +++ b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission", "platform": "Terraform", "descriptionID": "3dfbf99b", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json index b267f3d4141..47916437831 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#access_log_settings", "platform": "Terraform", "descriptionID": "e03531bf", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json index eaf2be1028e..201a131b0b4 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment", "platform": "Terraform", "descriptionID": "e28c5797", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json index 9bfbfa711e1..90aef312b84 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment", "platform": "Terraform", "descriptionID": "a5480b6e", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json index 896ff35c62f..247c16b8380 100644 --- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json 
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api", "platform": "Terraform", "descriptionID": "baf9a6d6", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json index 8c458d57ebb..32a0f0e54c3 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method", "platform": "Terraform", "descriptionID": "f133fed2", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json index dc122a47db5..9f1c133c8f8 100644 --- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted", "platform": "Terraform", "descriptionID": "ceabd70f", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json index 45cce01cd6e..4d475de51f7 100644 
--- a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage", "platform": "Terraform", "descriptionID": "72d08d94", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json index 7b5bfe1611f..d869b7d90ed 100644 --- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#managing-the-api-logging-cloudwatch-log-group", "platform": "Terraform", "descriptionID": "48b9d186", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json index 5ea617de65b..f8c8b597879 100644 --- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api", "platform": "Terraform", "descriptionID": "fc02b8db", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json b/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json index ca274c90f11..b30ef7263bd 100644 --- a/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method", "platform": "Terraform", "descriptionID": "1a1dc17c", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json index 9ae518886c1..02e8cd4cfc4 100644 --- a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer", "platform": "Terraform", "descriptionID": "c1eed330", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json index 56ea80a7190..44d32d7ab5a 100644 --- a/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json 
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy", "platform": "Terraform", "descriptionID": "b78cd4cb", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json index c50568853fa..0129f502828 100644 --- a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#client_certificate_id", "platform": "Terraform", "descriptionID": "6d4941dc", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json b/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json index a45b66163a8..1f34950c27a 100644 --- a/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json 
@@ -1,11 +1,12 @@ { - "id": "a186e82c-1078-4a7b-85d8-579561fde884", - "queryName": "API Gateway without WAF", - "severity": "MEDIUM", - "category": "Networking and Firewall", - "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn", - "platform": "Terraform", - "descriptionID": "bfefa118", - "cloudProvider": "aws" -} + "id": "a186e82c-1078-4a7b-85d8-579561fde884", + "queryName": "API Gateway without WAF", + "severity": "MEDIUM", + "category": "Networking and Firewall", + "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn", + "platform": "Terraform", + "descriptionID": "bfefa118", + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json index a15fda3a0a3..0cfbf758b68 100644 --- a/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json +++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled", "platform": "Terraform", "descriptionID": "21e236a0", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json b/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json index f4a0d00b0b2..c4b6d6375c1 100644 --- a/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json 
+++ b/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration", "platform": "Terraform", "descriptionID": "c90feea8", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json index 81f8b5102fc..6ec5c47000b 100644 --- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json +++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration", "platform": "Terraform", "descriptionID": "8eb1d650", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json index 6d48fb224d1..8b5bc06858f 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted", "platform": "Terraform", "descriptionID": "3e7eea78", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/authentication_without_mfa/metadata.json b/assets/queries/terraform/aws/authentication_without_mfa/metadata.json index 5f2dd39fd1b..99b226933a6 100644 
--- a/assets/queries/terraform/aws/authentication_without_mfa/metadata.json +++ b/assets/queries/terraform/aws/authentication_without_mfa/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy", "platform": "Terraform", "descriptionID": "0db1a4b2", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json index 56bb4f4a4b7..06005dc1b7f 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#load_balancers", "platform": "Terraform", "descriptionID": "268307dd", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json index 419d39c423c..4b8badfaf5a 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json +++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade", "platform": "Terraform", "descriptionID": "240cddcc", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json index f3f7a8e9f77..8b21ab45208 100644 --- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json +++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#tag-and-tags", "platform": "Terraform", "descriptionID": "83cb6386", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json index a201682560a..19e15a910aa 100644 --- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json +++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy", "platform": "Terraform", "descriptionID": "8163d3cf", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json index 23b646839ee..4788013e275 100644 --- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json +++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json 
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/batch_job_definition", "platform": "Terraform", "descriptionID": "71dab2d1", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json index 329726d62b0..abeaa12a472 100644 --- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json +++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html", "platform": "Terraform", "descriptionID": "09935963", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json index 1ff4c177420..03f05bfa724 100644 --- a/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json +++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution", "platform": "Terraform", "descriptionID": "1b311401", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/certificate_has_expired/metadata.json b/assets/queries/terraform/aws/certificate_has_expired/metadata.json index b9b39035114..d76b692e85f 100644 --- a/assets/queries/terraform/aws/certificate_has_expired/metadata.json +++ b/assets/queries/terraform/aws/certificate_has_expired/metadata.json 
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api",
 "platform": "Terraform",
 "descriptionID": "998f52fe",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
index 51bf4c67bd3..b1521b7fe11 100644
--- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
+++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api",
 "platform": "Terraform",
 "descriptionID": "ec305dde",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
index 8d5c13c19da..c074ccc2afb 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution",
 "platform": "Terraform",
 "descriptionID": "9cf96455",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
index 760cdc91637..49c0b4ecd6a 100644
--- a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution",
 "platform": "Terraform",
 "descriptionID": "3547cd5a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index 1dc8bfe8d20..a8247971a67 100644
--- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution",
 "platform": "Terraform",
 "descriptionID": "0b620722",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
index e24a1dee196..0cb5a94b062 100755
--- a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution",
 "platform": "Terraform",
 "descriptionID": "8fa5ef1b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
index 2c3aa75b918..bbe44db249c 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation",
 "platform": "Terraform",
 "descriptionID": "1d528dfd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index c5d98161478..fd5604b177e 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "ee8a4d47",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json
index ef7e8b39284..d719dbeaad8 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name",
 "platform": "Terraform",
 "descriptionID": "2f7c6ca4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json
index 402a6b45855..80d1a3635e7 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name",
 "platform": "Terraform",
 "descriptionID": "7ccceef5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json
index cc0da3035ac..04968fea44a 100644
--- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_logging",
 "platform": "Terraform",
 "descriptionID": "d0aecc8d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json
index 2e6db3846ab..13292e882fe 100644
--- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail",
 "platform": "Terraform",
 "descriptionID": "feb82a62",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
index fcfaf09c86b..31bab98ae84 100644
--- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail",
 "platform": "Terraform",
 "descriptionID": "11653439",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index ec9af22596c..57eee6243af 100644
--- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail",
 "platform": "Terraform",
 "descriptionID": "a9eb3c6c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
index 23f7e34ca4f..66f37a390ec 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "698457eb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
index a9594a76161..06f61bb5e86 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "38b85c45",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
index 2632e32f08e..0cb8bbf89d6 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "0a8e8dc5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json
index bbeb215cfdd..4abbf7706aa 100644
--- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "feffbd73",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json
index e1d655cc8cc..72c817bb2a5 100644
--- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "56a585f5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json
index 6406d1c2618..36c6c5f7816 100644
--- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "eaaba502",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json
index 03695a366e6..088d74f686a 100644
--- a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
 "platform": "Terraform",
 "descriptionID": "4258abe6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json
index 98e6cac55e9..e45e45a4c3e 100644
--- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log",
 "platform": "Terraform",
 "descriptionID": "b4a8c275",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json
index 26506b21814..9b6141d5494 100644
--- a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy#access_policy",
 "platform": "Terraform",
 "descriptionID": "0f0cc4cf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json
index 31367e40fcd..6ceef067eae 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "9166fdbf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json
index 5581afb78e4..120c88494ed 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "901439fb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json
index af19d5fdeff..5c4a75a40cd 100644
--- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#metrics_enabled",
 "platform": "Terraform",
 "descriptionID": "f7414ebe",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json
index 307182c67ec..5903cc53f05 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "aa3e331d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json
index 570a3b08b01..e1bdf351244 100644
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "4de23f97",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json
index ea16ad7dc6c..871e7a7a748 100644
--- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "de601959",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json
index f4805ed0ebb..2669550bb02 100644
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "cf5226f8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json
index e1d5d520ff3..4ae4a3d364f 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "7ed6edfe",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json
index 7ab9f29ba5a..464d0062125 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "244b5c19",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
index 9dc128ba4df..8810bc4cb5c 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "6159556d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json
index 627048c2e66..122422373f5 100644
--- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
 "platform": "Terraform",
 "descriptionID": "64f08509",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cmk_is_unusable/metadata.json b/assets/queries/terraform/aws/cmk_is_unusable/metadata.json
index 5dc1839aa39..8952aae9f6b 100644
--- a/assets/queries/terraform/aws/cmk_is_unusable/metadata.json
+++ b/assets/queries/terraform/aws/cmk_is_unusable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#is_enabled",
 "platform": "Terraform",
 "descriptionID": "261d4fc3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json b/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json
index 6a9221f3b9e..2ba7baa6de2 100644
--- a/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation",
 "platform": "Terraform",
 "descriptionID": "64cfa70f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json
index 44830800145..ed2c25bf1e9 100644
--- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json
+++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_key",
 "platform": "Terraform",
 "descriptionID": "1034fb5a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json
index 40e4a9d98a0..dd65aa8e42c 100644
--- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json
+++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool",
 "platform": "Terraform",
 "descriptionID": "17f77319",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
index fb2225d02af..9d3215f1ab8 100644
--- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
+++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions",
 "platform": "Terraform",
 "descriptionID": "9e82278d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
index 490722c2ae4..a25c651834c 100644
--- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
+++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule",
 "platform": "Terraform",
 "descriptionID": "fb93ace4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
index 7aff62a5c6b..66d5df987d6 100644
--- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
+++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy",
 "platform": "Terraform",
 "descriptionID": "18c64b43",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json
index 1cbcc3a6a19..c60cb727d64 100644
--- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#enabled",
 "platform": "Terraform",
 "descriptionID": "28ef11a5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json
index dc359792c32..42317cf36ee 100644
--- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted",
 "platform": "Terraform",
 "descriptionID": "88ca11bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json b/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json
index c752d2f7d43..d485abb7b12 100644
--- a/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group",
 "platform": "Terraform",
 "descriptionID": "ddaf8c0b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json
index 4be11bd5ec7..4fceff08e15 100644
--- a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group",
 "platform": "Terraform",
 "descriptionID": "cd091033",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
index ab5ac78123a..1b8c6ee90fc 100644
--- a/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group",
 "platform": "Terraform",
 "descriptionID": "97108586",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index 5e788e97a5b..487b5482fe3 100644
--- a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group",
 "platform": "Terraform",
 "descriptionID": "d218356d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/default_vpc_exists/metadata.json b/assets/queries/terraform/aws/default_vpc_exists/metadata.json
index 40ecb2acabc..45d91335768 100644
--- a/assets/queries/terraform/aws/default_vpc_exists/metadata.json
+++ b/assets/queries/terraform/aws/default_vpc_exists/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc",
 "platform": "Terraform",
 "descriptionID": "d4f171f3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json
index 568cb8d5f86..4ec7e7785e1 100644
--- a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json
+++ b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "984ebbd4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json
index f1587c5ffc9..3ce09ed1133 100644
--- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted",
 "platform": "Terraform",
 "descriptionID": "aaec5c7c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json b/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json
index 6b3c35621f8..8a34b993b83 100644
--- a/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "35efd407",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json b/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json
index a97d987f5b6..52dcb8881f2 100644
--- a/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports",
 "platform": "Terraform",
 "descriptionID": "7a864a61",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json
index 2ea06db9ae4..e2cc2632b6d 100644
--- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption",
 "platform": "Terraform",
 "descriptionID": "a4233398",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
index 201d04ea4a7..0f6f3db10b1 100644
--- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
+++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery",
 "platform": "Terraform",
 "descriptionID": "205ac3d1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json
index bd7852c273b..78a9051d9af 100644
--- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json
+++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint#vpc_id",
 "platform": "Terraform",
 "descriptionID": "e4334087",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json b/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json
index 28f70bc8b48..542c6f06f4d 100644
--- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default",
 "platform": "Terraform",
 "descriptionID": "2990583f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
index cdd2954b942..2968adbe801 100644
--- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted",
 "platform": "Terraform",
 "descriptionID": "977695a1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json
index 22ea727f0b9..551db9dc86d 100644
--- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_snapshot#encrypted",
 "platform": "Terraform",
 "descriptionID": "b36765a7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json
index f972d79eb02..b8402f8b007 100644
--- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address",
 "platform": "Terraform",
 "descriptionID": "c6f1d1f4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json
index 6cd8ae2838b..a80dac259f0 100644
--- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#monitoring",
 "platform": "Terraform",
 "descriptionID": "0d5413e6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json
index 7ba6efe46d2..0afcee6af13 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile",
 "platform": "Terraform",
 "descriptionID": "ffd8ce80",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json
index 35f90e9b83a..9c4ec543d2b 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#security_groups",
 "platform": "Terraform",
 "descriptionID": "d263cf13",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json
index 009be508773..474553259fe 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#subnet_id",
 "platform": "Terraform",
 "descriptionID": "7e2909e5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json
index 10277eb8bdb..3bcbf0226ec 100644
--- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs_optimized",
 "platform": "Terraform",
 "descriptionID": "ddce4bd9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json
index 4b3afb516e3..9b6e003bd38 100644
--- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository",
 "platform": "Terraform",
 "descriptionID": "1cc5d4e2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json
index 4034156ee02..781ecd84db5 100644
--- a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy",
 "platform": "Terraform",
 "descriptionID": "5a3ad5ce",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json
index e0d5089116b..82d7c388098 100644
--- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration",
 "platform": "Terraform",
 "descriptionID": "e96d149c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json b/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json
index 3c1679b79eb..0f70b5b43c2 100644
--- a/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json
+++ b/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy",
 "platform": "Terraform",
 "descriptionID": "cb9636f6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json
index b773e3cf9d2..63f35945356 100644
--- a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster#setting",
 "platform": "Terraform",
 "descriptionID": "b48a7a70",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
index e8f009c9e5d..6f625a5b78e 100644
--- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service",
 "platform": "Terraform",
 "descriptionID": "0503dc3c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json b/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json
index ef8c7907fab..5a02ead1ec3 100644
--- a/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json
+++ b/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service",
 "platform": "Terraform",
 "descriptionID": "8bcc00c2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index 8eacd54d32d..b034d988a82 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#network_mode",
 "platform": "Terraform",
 "descriptionID": "61f295c5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json
index dd941d163b1..6449b392991 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption",
 "platform": "Terraform",
 "descriptionID": "b01e131b",
- "cloudProvider": "aws"
+ "cloudProvider": "aws",
+ "CWE": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
index 7b914d79a86..405130ebf56 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
@@ -1,11 +1,12 @@
 {
 "id": "d40210ea-64b9-4cce-a4fb-e8604f3c062c",
 "queryName": "ECS Task Definition Container With Plaintext Password",
- "category": "Encryption",
 "severity": "HIGH",
+ "category": "Encryption",
 "descriptionText": "It's not recommended to use plaintext environment variables for sensitive information, such as credential data.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition",
 "platform": "Terraform",
 "descriptionID": "b2503e42",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/efs_not_encrypted/metadata.json b/assets/queries/terraform/aws/efs_not_encrypted/metadata.json
index 9ce166c2099..e06c16238a3 100644
--- a/assets/queries/terraform/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/efs_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#encrypted",
 "platform": "Terraform",
 "descriptionID": "e4ced70d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json
index 9389692f177..a0db937866c 100644
--- a/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy#policy",
 "platform": "Terraform",
 "descriptionID": "d2017b69",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/efs_without_kms/metadata.json b/assets/queries/terraform/aws/efs_without_kms/metadata.json
index b05108360c5..b5844dc0f21 100644
--- a/assets/queries/terraform/aws/efs_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/efs_without_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "c5dfddad",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json
index ab96e822cb1..2245e8a9789 100644
--- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config",
 "platform": "Terraform",
 "descriptionID": "0a928b22",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json b/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json
index 3bd2f2258c5..68c768a9b2b 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster",
 "platform": "Terraform",
 "descriptionID": "653e0650",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json
index 3e9e2e7f0d5..02332556b04 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster",
 "platform": "Terraform",
 "descriptionID": "9579b0ff",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json b/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json
index 76115269f80..6a883aefe7f 100644
--- a/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types",
 "platform": "Terraform",
 "descriptionID": "80a41f88",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json
index 65ef3d1cf47..3cbd62033aa 100644
--- a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json
+++ b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group#remote_access",
 "platform": "Terraform",
 "descriptionID": "6d42a06d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
index 034b9e5675e..5be21dd4868 100644
--- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster",
 "platform": "Terraform",
 "descriptionID": "1bbfe45b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json
index ba5b4e4abbe..a4e50c46bde 100644
--- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#snapshot_retention_limit",
 "platform": "Terraform",
 "descriptionID": "0ebd9005",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json
index 7097b99eb18..d8ae3e48a02 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#at_rest_encryption_enabled",
 "platform": "Terraform",
 "descriptionID": "b4d49d59",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json
index 0376a27a697..f6f986d0708 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled",
 "platform": "Terraform",
 "descriptionID": "40f92e86",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json b/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json
index 9f4abf4764c..7826ebdd5a1 100644
--- a/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#port",
 "platform": "Terraform",
 "descriptionID": "86cc0d57",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json b/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json
index 0ecb161651d..9a5c1944e92 100644
--- a/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#subnet_group_name",
 "platform": "Terraform",
 "descriptionID": "cf79a8df",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json
index 52ec0d91555..5c6189d7a71 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#node_to_node_encryption",
 "platform": "Terraform",
 "descriptionID": "e3dc1b2d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json
index 6def6321b0f..42df22646b3 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy#access_policies",
 "platform": "Terraform",
 "descriptionID": "265f06df",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
index f2aabdf844f..d0448bacfbd 100644
--- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
 "platform": "Terraform",
 "descriptionID": "65a94cf1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json
index e05d9130cc4..d75db3a04de 100644
--- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options",
 "platform": "Terraform",
 "descriptionID": "e0526e1b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json
index 3dcf18da909..9d9e0cb41df 100644
--- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
 "platform": "Terraform",
 "descriptionID": "c402717e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json
index 149c46da1a2..2b29cc46055 100644
--- a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e",
- "queryName": "Elasticsearch with HTTPS disabled",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https",
- "platform": "Terraform",
- "descriptionID": "069080cd",
- "cloudProvider": "aws"
- }
- 
\ No newline at end of file
+ "id": "2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e",
+ "queryName": "Elasticsearch with HTTPS disabled",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https",
+ "platform": "Terraform",
+ "descriptionID": "069080cd",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
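Review bot: The rewritten `descriptionText` in the elasticsearch_with_https_disabled hunk still tells the user to set the attribute `'EnforceHTTPS'`, which is the CloudFormation property name, while the `descriptionUrl` on the very next line anchors to the Terraform argument `#enforce_https`; since the whole line is re-emitted anyway, align the remediation text with the platform: `"descriptionText": "Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'enforce_https' to true.",`. The new `"CWE": ""` is an empty placeholder on a query about plaintext transport; if the field is meant to be consumed downstream it should either carry a real mapping (CWE-319, Cleartext Transmission of Sensitive Information, appears to be the natural fit, to be confirmed against the project's mapping convention) or be omitted until one is assigned, since an empty string is indistinguishable from "looked up and found none". The rewrite also leaves the new file without a trailing newline (the `\ No newline at end of file` marker now applies to the `+}` line), which is a regression in a repository where the sibling files in this patch previously ended with one.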
diff --git a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json
index 8aac637843e..a41d06b71cd 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
 "platform": "Terraform",
 "descriptionID": "7677c71c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
index ebd1bc076fd..1ea3ed2a396 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options",
 "platform": "Terraform",
 "descriptionID": "7430bf37",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json b/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json
index f21b11cfa90..038e914fba1 100644
--- a/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb#enabled",
 "platform": "Terraform",
 "descriptionID": "c745bca6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json
index c25b1db640a..6a8f94ee2a5 100644
--- a/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json
+++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy",
 "platform": "Terraform",
 "descriptionID": "88f4d79a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json
index 4c980023957..ccb83da75e4 100644
--- a/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy",
 "platform": "Terraform",
 "descriptionID": "546bf472",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/emr_without_vpc/metadata.json b/assets/queries/terraform/aws/emr_without_vpc/metadata.json
index 068d40c2b00..5f2b4e7288f 100644
--- a/assets/queries/terraform/aws/emr_without_vpc/metadata.json
+++ b/assets/queries/terraform/aws/emr_without_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/emr_cluster#subnet_id",
 "platform": "Terraform",
 "descriptionID": "741aebff",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json
index e5240406c7b..708f3ba6781 100644
--- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json
+++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/globalaccelerator_accelerator#flow_logs_enabled",
 "platform": "Terraform",
 "descriptionID": "3670731d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json
index 6b7e5670667..6fc8eda0130 100644
--- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_data_catalog_encryption_settings#data_catalog_encryption_settings",
 "platform": "Terraform",
 "descriptionID": "c6b6fc2e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json
index b6d8acea730..b94b5e16c23 100644
--- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_security_configuration#encryption_configuration",
 "platform": "Terraform",
 "descriptionID": "839261d5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json
index c27c6f89c7b..a5b392dffe1 100644
--- a/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_resource_policy#policy",
 "platform": "Terraform",
 "descriptionID": "61db62a1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index 2d6cc1ec5b1..0832f4dc878 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "10f17e18",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index 7d9f988341a..f8d4d96a1df 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "576ba016",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index b08ee0642f3..90a742e6e60 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e42aec0c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index a8b182da843..54502372fa6 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "5e39f36b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 08ee41d46b6..598f47e9bb6 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "25a0ad8b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index b20a91fef32..992e1c714d8 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "5182dbde",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index 63a62419fde..24f9c403dfd 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "13604723",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index f2da59ecb59..e05b95ecd80 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "04f8f6ca",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index f77d0c8fedc..531ef2bd1cf 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b02d4e3c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 5984e33c9b8..b397e1d2fae 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e6e9e8eb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index cd3d066d7eb..2a676a6070e 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "59598729",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
index d6fe3ecaaa4..d925e80cf73 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2a7afde0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index d0354ecc9f6..d6e713fd267 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "6ee8a28a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 6f1fcbbe40d..1787e0d6813 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "3a6914a5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index d6e76815c71..ab141055227 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "fdfe7031",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index 1e9d44bfc7f..ef1897b9784 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2be560bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index 309b76a97d3..683b84a19e8 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "7fec1740",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index 23616a2faa7..b69824e54a7 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "06985b1b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index 1c1aa0148cc..29c273d7287 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "1a80fe5c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json b/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json
index 7ff0ac5b55d..859020e9ca2 100644
--- a/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json
+++ b/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector#example-usage",
 "platform": "Terraform",
 "descriptionID": "0a3448be",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
index e959064e9bd..a1a8c9ce5d8 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance",
 "platform": "Terraform",
 "descriptionID": "9e8cbdfb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 465154f3cb5..4babd9db155 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function",
 "platform": "Terraform",
 "descriptionID": "63935af4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/http_port_open/metadata.json b/assets/queries/terraform/aws/http_port_open/metadata.json
index 8894b927a0d..b428b2d0702 100644
--- a/assets/queries/terraform/aws/http_port_open/metadata.json
+++ b/assets/queries/terraform/aws/http_port_open/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
 "platform": "Terraform",
 "descriptionID": "a829609b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
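Review bot: The `"CWE": ""` added to hardcoded_aws_access_key/metadata.json (and the sibling hardcoded_aws_access_key_in_lambda hunk on this line) is an empty placeholder on a query whose weakness class is unambiguous from its name; CWE-798 (Use of Hard-coded Credentials) is the standard mapping for hard-coded secrets and is the value I would expect here, so either populate it in this change or, if the bulk edit is meant to be schema-only, make that explicit in the commit message so the empty strings are not mistaken for "assessed, no CWE applies". An empty string is also a worse sentinel than omitting the key: any consumer that filters or groups findings by CWE will now see a non-null, non-matching value for every query in the repository. Separately, each `+}` line in these hunks now carries `\ No newline at end of file` where the removed `-}` did not, so the edit strips the trailing newline from every metadata.json it touches; the tooling that generated the edit should write the final newline back.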
diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json
index 853a766829c..9e51f8a97b9 100644
--- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json
+++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer",
 "platform": "Terraform",
 "descriptionID": "d03e85ae",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json b/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json
index eda6df5606a..d19aaf12529 100644
--- a/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json
+++ b/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key",
 "platform": "Terraform",
 "descriptionID": "99b02242",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json
index 0f9cda868f7..de0c3acc6f5 100644
--- a/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json
+++ b/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled",
 "platform": "Terraform",
 "descriptionID": "12b1c8aa",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_group_without_users/metadata.json b/assets/queries/terraform/aws/iam_group_without_users/metadata.json
index 568d766033f..b854a140272 100644
--- a/assets/queries/terraform/aws/iam_group_without_users/metadata.json
+++ b/assets/queries/terraform/aws/iam_group_without_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership#users",
 "platform": "Terraform",
 "descriptionID": "c5730db9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json
index 67a90b02e27..02099af8218 100644
--- a/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
 "platform": "Terraform",
 "descriptionID": "726cd448",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json
index 346d6e50fca..7f2fdd0fc6f 100644
--- a/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
 "platform": "Terraform",
 "descriptionID": "594a6a8e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json b/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json
index 54d812ba2d6..a97528cdb35 100644
--- a/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
 "platform": "Terraform",
 "descriptionID": "aaadddd1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json
index 92192fe5dce..98ad3d3580b 100644
--- a/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
 "platform": "Terraform",
 "descriptionID": "4e96ea27",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json
index e971b609456..c36aa44d527 100755
--- a/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json
+++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment",
 "platform": "Terraform",
 "descriptionID": "32ec58ec",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
index 1a2ca738354..a8ab0cc6b07 100644
--- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy",
 "platform": "Terraform",
 "descriptionID": "7f603399",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
index e63b475ffce..7cdcbb52557 100644
--- a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
+++ b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
 "platform": "Terraform",
 "descriptionID": "948aa2ac",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
index d2bc8f92998..fc5d880c616 100644
--- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy",
 "platform": "Terraform",
 "descriptionID": "f20cf2cf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json
index 8b175b880b4..e994527138d 100644
--- a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
 "platform": "Terraform",
 "descriptionID": "a54d0d27",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json
index ea48ce41517..13b3aaa079d 100644
--- a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
 "platform": "Terraform",
 "descriptionID": "380dd3f7",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json b/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json
index 6540f5e90b1..c841e5ca5f7 100644
--- a/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
 "platform": "Terraform",
 "descriptionID": "81321ef4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json b/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json
index 73c6621fc00..d858bdb3b0e 100644
--- a/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json
+++ b/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html",
 "platform": "Terraform",
 "descriptionID": "3e905f71",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json b/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json
index bb781cde39a..0df73e2a3d3 100644
--- a/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json
+++ b/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#user",
 "platform": "Terraform",
 "descriptionID": "387e9522",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json b/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json
index 449d70ece36..f7f29a67ca4 100644
--- a/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json
+++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile",
 "platform": "Terraform",
 "descriptionID": "28422817",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json b/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
index 5d1f961f37e..6c2b407b79a 100644
--- a/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance",
 "platform": "Terraform",
 "descriptionID": "225a9f30",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json
index ed4d5712263..9f6da0193cb 100644
--- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream",
 "platform": "Terraform",
 "descriptionID": "e154bb5e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json
index fe586de9ad4..33880d2516e 100644
--- a/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json
+++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#server_side_encryption",
 "platform": "Terraform",
 "descriptionID": "fce3b812",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json
index 5914c8c147d..dd50a65a602 100644
--- a/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json
+++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key",
 "platform": "Terraform",
 "descriptionID": "32b2985e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json
index 46c68187716..cd6ca97ab0e 100644
--- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json
+++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key",
 "platform": "Terraform",
 "descriptionID": "5652d05c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json
index 565e3d6c7f8..b351dec435b 100644
--- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json
+++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function",
 "platform": "Terraform",
 "descriptionID": "1b3af2f9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json
index 45ad8ba9ff6..1d5ad9006d1 100644
--- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json
+++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#tracing_config",
 "platform": "Terraform",
 "descriptionID": "2f90e1e9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json
index 79a5c8b356c..bac8296b9da 100644
--- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json
+++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "0ca1017d-3b80-423e-bb9c-6cd5898d34bd",
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "category": "Best Practices",
- "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
- "platform": "Terraform",
- "descriptionID": "0ca1017d",
- "cloudProvider": "aws"
-}
+ "id": "0ca1017d-3b80-423e-bb9c-6cd5898d34bd",
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
+ "platform": "Terraform",
+ "descriptionID": "0ca1017d",
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json
index d257b0fb8b9..c63e351f3fb 100644
--- a/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json
+++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
 "platform": "Terraform",
 "descriptionID": "8fb6f06e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json
index 15adde55f2d..3565ef851f5 100644
--- a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json
+++ b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html",
 "platform": "Terraform",
 "descriptionID": "b443babe",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json
index f9e386862a2..774294c9795 100644
--- a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission#action",
 "platform": "Terraform",
 "descriptionID": "5db376a3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json b/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json
index fc8952d8df3..f12574b1981 100644
--- a/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted",
 "platform": "Terraform",
 "descriptionID": "d11b3649",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json
index cb2846c3e5f..0a8460506fb 100644
--- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json
+++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
 "platform": "Terraform",
 "descriptionID": "23788841",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json b/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json
index f92bb0f949e..1a4e55b406d 100755
--- a/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json
+++ b/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/aws/r/eks_cluster.html",
 "platform": "Terraform",
 "descriptionID": "e89d4ffb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json
index 67871fb29fc..6bc32925a49 100644
--- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker",
 "platform": "Terraform",
 "descriptionID": "8ac7fe7e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json
index 7199b626b85..bd996bbd9a3 100644
--- a/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker",
 "platform": "Terraform",
 "descriptionID": "cdf2b416",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json
index 77d8a84e2fd..7a021b4d5d1 100644
--- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#public_access",
 "platform": "Terraform",
 "descriptionID": "6ad9c2af",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json
index 915a31b76b2..1614daca410 100644
--- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info",
 "platform": "Terraform",
 "descriptionID": "343faf8d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json
index 248eedbab47..a9b721b47c3 100644
--- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#broker_logs",
 "platform": "Terraform",
 "descriptionID": "816831cc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json
index 77096860487..ce4ae36b804 100644
--- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_instance#publicly_accessible",
 "platform": "Terraform",
 "descriptionID": "ac4d6034",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
index 59c08aa9b8e..494d810fb94 100644
--- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted",
 "platform": "Terraform",
 "descriptionID": "88b26e61",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
index 9836773c0f5..92525e40d22 100644
--- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted",
 "platform": "Terraform",
 "descriptionID": "06036045",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json b/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json
index 3e6c84b67d0..42b1a032502 100644
--- a/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#enable_cloudwatch_logs_exports",
 "platform": "Terraform",
 "descriptionID": "eb6f1a3b",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json
index 01a75a5a6be..2230d4738bd 100644
--- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl",
 "platform": "Terraform",
 "descriptionID": "ed220e0d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json
index 67364e30c2a..89432c0a9f3 100644
--- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl",
 "platform": "Terraform",
 "descriptionID": "215ffb15",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json b/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json
index 771692f1a4b..738aada0511 100644
--- a/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json
+++ b/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile",
 "platform": "Terraform",
 "descriptionID": "fc3e0d4f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/no_stack_policy/metadata.json b/assets/queries/terraform/aws/no_stack_policy/metadata.json
index c57247d78b4..e5483526347 100644
--- a/assets/queries/terraform/aws/no_stack_policy/metadata.json
+++ b/assets/queries/terraform/aws/no_stack_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack",
 "platform": "Terraform",
 "descriptionID": "7ad97901",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json b/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json
index 7cb112ebd27..fcadf693097 100644
--- a/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json
+++ b/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy#password_reuse_prevention",
 "platform": "Terraform",
 "descriptionID": "37be9529",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/policy_without_principal/metadata.json b/assets/queries/terraform/aws/policy_without_principal/metadata.json
index 2c25352d20b..0d8a51cf6cc 100644
--- a/assets/queries/terraform/aws/policy_without_principal/metadata.json
+++ b/assets/queries/terraform/aws/policy_without_principal/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html",
 "platform": "Terraform",
 "descriptionID": "954ac1bf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json
index 331de454f0f..ec075a209d7 100644
--- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json
+++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile",
 "platform": "Terraform",
 "descriptionID": "4639db5f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json b/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json
index a6dc778cf4d..9260008e313 100644
--- a/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json
+++ b/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
 "platform": "Terraform",
 "descriptionID": "1f20399a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json
index 4ff451c7b8f..3dc328d59d1 100644
--- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json
+++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#db_subnet_group_name",
 "platform": "Terraform",
 "descriptionID": "425d310e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json
index 6735fc31a34..60f95d93603 100644
--- a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json
+++ b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period",
 "platform": "Terraform",
 "descriptionID": "cce2787f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json
index 70aeee37a1c..da813979fc7 100644
--- a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_cluster_snapshot",
 "platform": "Terraform",
 "descriptionID": "c88d0255",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
index 9d0507bb425..c68a3901026 100644
--- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible",
 "platform": "Terraform",
 "descriptionID": "c145a47f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json b/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json
index cb6f6dc8434..ffc6d33ff9e 100644
--- a/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted",
 "platform": "Terraform",
 "descriptionID": "54288d64",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_using_default_port/metadata.json b/assets/queries/terraform/aws/rds_using_default_port/metadata.json
index 4ab7132a937..9a4191f21cb 100644
--- a/assets/queries/terraform/aws/rds_using_default_port/metadata.json
+++ b/assets/queries/terraform/aws/rds_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#port",
 "platform": "Terraform",
 "descriptionID": "6cbad3f4",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json b/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
index 3f51ec5b746..719d3fe7f65 100644
--- a/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance",
 "platform": "Terraform",
 "descriptionID": "73fdfe55",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_without_logging/metadata.json b/assets/queries/terraform/aws/rds_without_logging/metadata.json
index 751cf4090ac..64aad53fdce 100644
--- a/assets/queries/terraform/aws/rds_without_logging/metadata.json
+++ b/assets/queries/terraform/aws/rds_without_logging/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports",
 "platform": "Terraform",
 "descriptionID": "c499a58c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redis_disabled/metadata.json b/assets/queries/terraform/aws/redis_disabled/metadata.json
index 950faf01e92..88d160ab98a 100644
--- a/assets/queries/terraform/aws/redis_disabled/metadata.json
+++ b/assets/queries/terraform/aws/redis_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine",
 "platform": "Terraform",
 "descriptionID": "68984bf2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redis_not_compliant/metadata.json b/assets/queries/terraform/aws/redis_not_compliant/metadata.json
index 60f786cfe3d..4ee592c1b48 100644
--- a/assets/queries/terraform/aws/redis_not_compliant/metadata.json
+++ b/assets/queries/terraform/aws/redis_not_compliant/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine_version",
 "platform": "Terraform",
 "descriptionID": "f9e5dc62",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json
index 5b70ffd1a18..9c5288c8aae 100644
--- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#enable",
 "platform": "Terraform",
 "descriptionID": "458fe7a3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json
index 4c393a1104e..be56c4a18ee 100644
--- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json
+++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#vpc_security_group_ids",
 "platform": "Terraform",
 "descriptionID": "6fd531fa",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json b/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json
index 40ee349b8fa..65224ca10e8 100644
--- a/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted",
 "platform": "Terraform",
 "descriptionID": "2bee4895",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json b/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json
index f73f562bfb0..a6919358aa3 100644
--- a/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster",
 "platform": "Terraform",
 "descriptionID": "9a581503",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_using_default_port/metadata.json b/assets/queries/terraform/aws/redshift_using_default_port/metadata.json
index 96fd8b28416..06aef79a345 100644
--- a/assets/queries/terraform/aws/redshift_using_default_port/metadata.json
+++ b/assets/queries/terraform/aws/redshift_using_default_port/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#port",
 "platform": "Terraform",
 "descriptionID": "e2e48d27",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json
index 285a6630b69..ce72e8f27f9 100644
--- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json
+++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
 "platform": "Terraform",
 "descriptionID": "aea02d46",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/resource_not_using_tags/metadata.json b/assets/queries/terraform/aws/resource_not_using_tags/metadata.json
index 28f61107893..6dcf4c411aa 100644
--- a/assets/queries/terraform/aws/resource_not_using_tags/metadata.json
+++ b/assets/queries/terraform/aws/resource_not_using_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging",
 "platform": "Terraform",
 "descriptionID": "09db2d52",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json
index 6493120d50b..a71ce6f23ec 100644
--- a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy#policy",
 "platform": "Terraform",
 "descriptionID": "fb6080ac",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index c7d38a2fc23..f2df1db6ac5 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "bff18777",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index d7a44efd71b..9306574612a 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "058bc100",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index 9fa743550b3..eaa89dcc9fa 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "54b22492",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index bf7518ffdb8..150608e7c55 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "aaf96d6e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 335bf7a690c..8040ae3f93c 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "4efcf3e9",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 7d6e098c1ae..2921b8f5706 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0d94441c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index e9800a053d0..a4840e0d8f3 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0e9af0ce",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 93f37d8d144..50ab62ff780 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "fe987a1d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 742a4b28370..7a550c06aea 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "779be66e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 3c089a73438..3e8366421f4 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b3d6f7cf",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index c64c4274e40..214e41198af 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0bc279fe",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index 8d4ace67046..86cd5311e60 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "628b0909",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index 241b0f1c0bf..ea657871ac6 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "ce1bbaeb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 68c8554b602..0dc169ce17b 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2d361444",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index 08a8fcc557f..d303c411e9b 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "48764f87",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index d8af02498a2..e67fc22d282 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "a0ddfb38",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index d6635954e02..d1eff98c6b6 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2d747022",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index aa71439baa9..fe7a69db2af 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "8bf480db",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index bee58e3cd80..a036dabeba8 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "d6861f3e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json
index fee3d195f30..f301ab887d7 100644
--- a/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key",
 "platform": "Terraform",
 "descriptionID": "f0795485",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/route53_record_undefined/metadata.json b/assets/queries/terraform/aws/route53_record_undefined/metadata.json
index a70d6fa100e..5784252bf58 100644
--- a/assets/queries/terraform/aws/route53_record_undefined/metadata.json
+++ b/assets/queries/terraform/aws/route53_record_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record",
 "platform": "Terraform",
 "descriptionID": "91562f39",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json
index 7188671569b..a773ca9fee1 100644
--- a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy",
 "platform": "Terraform",
 "descriptionID": "4f884b47",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
index bbed2be1f08..9eb98a58f85 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket",
 "platform": "Terraform",
 "descriptionID": "d535387f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
index 9d0310ab3eb..1ee2f799823 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl",
 "platform": "Terraform",
 "descriptionID": "a63624e5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json
index 17d5d5f924b..e4946045e12 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl",
 "platform": "Terraform",
 "descriptionID": "addee63f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
index 77c5fa1c0f7..5aef0c8bd4f 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy",
 "platform": "Terraform",
 "descriptionID": "8dc6c718",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
index b69947720a1..cde44af64f6 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy",
 "platform": "Terraform",
 "descriptionID": "2ac6911f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
index 2e2c0212280..03bf842e126 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy",
 "platform": "Terraform",
 "descriptionID": "5f5c9e38",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json
index cda647ced2f..5899cbfa59a 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", "platform": "Terraform", "descriptionID": "7b8886c1", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json index 0d67a6d9811..fe2e1fd436a 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy", "platform": "Terraform", "descriptionID": "c38a18db", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json index aeca67427cb..f95090bf4ee 100644 --- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket", "platform": "Terraform", "descriptionID": "fa5c7c72", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json index acadc596be7..8ef0c77bf59 100644 
--- a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector", "platform": "Terraform", "descriptionID": "e80b4f8a", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json index 7b54cd7a5fa..4a89ede66ff 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object#server_side_encryption", "platform": "Terraform", "descriptionID": "e6b92744", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json index bee5fed4baf..1e7c97b0315 100644 --- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy#policy", "platform": "Terraform", "descriptionID": "edbcd7bc", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json index 3c618e92770..0661edda73f 100644 --- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket", "platform": "Terraform", "descriptionID": "aa9967ef", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json index 069d6b3b128..fd9e59a04d8 100644 --- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration", "platform": "Terraform", "descriptionID": "b386c506", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json index e5f5efecb7f..4d12a8a06bf 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json 
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket", "platform": "Terraform", "descriptionID": "aec8fae9", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json index 83fec75706a..9207fc1b6c8 100755 --- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", "platform": "Terraform", "descriptionID": "a8924b3b", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json index 075da117e0e..a0419ae9c64 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#cors_rule", "platform": "Terraform", "descriptionID": "28051a7f", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json index 9f901d1dd7c..a91423a66d7 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json 
@@ -3,9 +3,10 @@
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations",
+ "descriptionText": "S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=\u003cBUCKET_NAME\u003e --mfa=\u003cMFA_SERIAL_NUMBER\u003e'. Please, also notice that MFA delete can not be used with lifecycle configurations",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete",
 "platform": "Terraform",
 "descriptionID": "e1699d08",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json
index 3c6176a3776..934d8c74701 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json
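Review bot: The restored placeholders in the new `descriptionText` still leave the CLI example incomplete: the AWS CLI `--mfa` option takes the device serial and the current one-time code together as a single space-separated value, so `--mfa=<MFA_SERIAL_NUMBER>` on its own is rejected. I'd change the example to `--bucket=<BUCKET_NAME> --mfa='<MFA_SERIAL_NUMBER> <MFA_CODE>'` (the surrounding single quotes in the text need adjusting to match) and add that, per the AWS documentation, only the bucket owner's root-account credentials can enable MFA Delete, since that is the usual reason the call fails for someone following this remediation. The `\u003c`/`\u003e` escapes decode to `<`/`>` and are harmless, but they suggest the file was regenerated by a tool rather than hand-edited, which is worth confirming before relying on the text being exactly as intended.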
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", "platform": "Terraform", "descriptionID": "28aa7150", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json index 7fd761c1c41..aebaa80738e 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", "platform": "Terraform", "descriptionID": "a6e86c32", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json index d7604a4d12e..6321ca4659a 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning", "platform": "Terraform", "descriptionID": "7614ce3b", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json index 7f7885a2058..7c9c37e5a8e 100644 --- a/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json 
+++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#website", "platform": "Terraform", "descriptionID": "4db5c45a", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json index ff50e697e13..54864b00f93 100644 --- a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json +++ b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_endpoint_configuration#kms_key_arn", "platform": "Terraform", "descriptionID": "570f99ac", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json index 857904bd7c5..ff8704953b0 100644 --- a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json +++ b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#kms_key_id", "platform": "Terraform", "descriptionID": "4ad34dae", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json index 6e18f20589c..0914a7da432 100644 --- a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json +++ b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy#policy", "platform": "Terraform", "descriptionID": "d348a5e7", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json index 892205c313e..7590371f4d2 100644 --- a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json +++ b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id", "platform": "Terraform", "descriptionID": "f2d67513", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json index 365428182bf..36a012d9232 100644 --- a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json +++ b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json 
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id", "platform": "Terraform", "descriptionID": "c9c95b59", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json b/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json index 28cb92f9a4c..363ff20ed2d 100644 --- a/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json +++ b/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution", "platform": "Terraform", "descriptionID": "72ee1fe2", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json b/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json index 43df330d7dd..62f37eb26ae 100644 --- a/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json +++ b/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description", "platform": "Terraform", "descriptionID": "cee242dd", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json index 5106acc7c90..faefce4f96d 100644 --- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json 
+++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", "platform": "Terraform", "descriptionID": "51e59188", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_group_without_description/metadata.json b/assets/queries/terraform/aws/security_group_without_description/metadata.json index 3bf33c50f4e..e522afe85f2 100644 --- a/assets/queries/terraform/aws/security_group_without_description/metadata.json +++ b/assets/queries/terraform/aws/security_group_without_description/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description", "platform": "Terraform", "descriptionID": "bc535d27", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/security_groups_not_used/metadata.json b/assets/queries/terraform/aws/security_groups_not_used/metadata.json index 5df60868cbf..3f9c6d59589 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/metadata.json +++ b/assets/queries/terraform/aws/security_groups_not_used/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", "platform": "Terraform", "descriptionID": "eff2383a", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json b/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json index a67a93a1420..b99be84d80f 100644 --- a/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json 
+++ b/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy", "platform": "Terraform", "descriptionID": "0fbcc152", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json index 6fe2f8e0cb8..db13e5416cc 100644 --- a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json +++ b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_identity_policy#policy", "platform": "Terraform", "descriptionID": "3b263662", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json b/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json index 6f5118d9cc9..731540a2e40 100644 --- a/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json +++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection#resource_arn", "platform": "Terraform", "descriptionID": "e09b31c7", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json index 9594805ea7b..4f6f6ae0fc7 100644 --- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json 
+++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id", "platform": "Terraform", "descriptionID": "ecb127ec", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json index c18c59ef855..be8b08516c8 100644 --- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json +++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic", "platform": "Terraform", "descriptionID": "52e85de5", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json index d7fc44be3e4..6b3b6998fd0 100644 --- a/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json +++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id", "platform": "Terraform", "descriptionID": "2f15b2d0", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json index 44801640879..9d5c9c98884 100644 
--- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json +++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy", "platform": "Terraform", "descriptionID": "ddd0f677", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json index 16069612995..f8c71a45c68 100644 --- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json +++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", "platform": "Terraform", "descriptionID": "37ce6c0d", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json index 406b1ca1cf8..f3eda901c01 100644 --- a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json +++ b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy", "platform": "Terraform", "descriptionID": "afcb58e6", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json index dc982571553..d65cea95c6e 100644 --- a/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json +++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy", "platform": "Terraform", "descriptionID": "534fb194", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json b/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json index 75978680374..e7e5a2a9602 100644 --- a/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json +++ b/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#policy", "platform": "Terraform", "descriptionID": "59f958c0", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json index 98210088ffb..058946ec568 100644 --- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json +++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_dns_support", "platform": "Terraform", "descriptionID": "3ab3c05c", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json index 8b86e608c30..0eb81035cdf 100644 --- a/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json +++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue", "platform": "Terraform", "descriptionID": "e478b54b", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json index 04272880bc4..8395b62f959 100644 --- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json +++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document#content", "platform": "Terraform", "descriptionID": "8b30849b", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json index 3fdda6f11ea..ac546702312 100644 --- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json +++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json 
@@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set", "platform": "Terraform", "descriptionID": "755ecfdf", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json index 0310c15e2cc..1cb82db191a 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user", "platform": "Terraform", "descriptionID": "a30fa3d3", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json index 151469abf4b..6cc4e6e0a40 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json @@ -7,5 +7,6 @@ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy", "platform": "Terraform", "descriptionID": "cae7c4fc", - "cloudProvider": "aws" -} + "cloudProvider": "aws", + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json b/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json index 2e069be6af4..4ecb8997c34 100644 --- a/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json +++ b/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json 
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack",
 "platform": "Terraform",
 "descriptionID": "f9826281",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/stack_retention_disabled/metadata.json b/assets/queries/terraform/aws/stack_retention_disabled/metadata.json
index e84590c0b46..a603f7a819c 100644
--- a/assets/queries/terraform/aws/stack_retention_disabled/metadata.json
+++ b/assets/queries/terraform/aws/stack_retention_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance#stack_set_name",
 "platform": "Terraform",
 "descriptionID": "fc66d737",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/stack_without_template/metadata.json b/assets/queries/terraform/aws/stack_without_template/metadata.json
index 5600ec2c895..74b9d1e9e04 100644
--- a/assets/queries/terraform/aws/stack_without_template/metadata.json
+++ b/assets/queries/terraform/aws/stack_without_template/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack",
 "platform": "Terraform",
 "descriptionID": "e925d0ee",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json
index 69da215f91e..c909f3ac171 100644
--- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json
+++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
 "platform": "Terraform",
 "descriptionID": "e55e747f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json
index b933f8e3dcd..a0cf37bec95 100644
--- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json
+++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/aws/r/security_group.html",
 "platform": "Terraform",
 "descriptionID": "ce3ee5e0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json b/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json
index 764aa1062f3..b10b023e4b7 100644
--- a/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json
+++ b/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#scan_on_push",
 "platform": "Terraform",
 "descriptionID": "791b37b8",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
index 28d82ad25fc..652bb90fa07 100644
--- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64",
 "platform": "Terraform",
 "descriptionID": "e3b3b5c1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
index 197151507e6..472cfe10529 100644
--- a/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64",
 "platform": "Terraform",
 "descriptionID": "c1d49ed2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index c8ed06faa0c..3e5bdb05c42 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "1a48ac37",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index d884ca9756e..21294c5a5a2 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b201d168",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index 02e1f959e46..d1ca89dc7af 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "9f22319f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index 3b1b0a923a1..5381e1e3b7d 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "a33a40e2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 345e1809133..2f59977ac1f 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "98aa676c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 9689aab8c99..311e8f241ac 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "29b987f3",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index 81e03d1806e..ce66ee59bcc 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "43ba4982",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 673afac2bb6..0ba4e8f4914 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e894d408",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 1f05798663e..86cd2dfcbdb 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "c878232c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 0c6f533728c..94e898f3197 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "05f5544f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index a7f3c3f8d1c..da3f3e7acd5 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "8d9e01f1",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
index 136683b819e..79f4a393c78 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "da252d8a",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index d5543976726..7bf63760f6c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "024a2d0d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index b7452c7fe20..e2f04e1e2e0 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "367257fe",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index 1bad1d3ac1c..a2d9a10bcbc 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b99501af",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index 7bcb5321fd6..d79568533ca 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "85e8d749",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index b9b48531b80..6e6419b98c0 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "7ab86e7e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index 99a7cd32378..f63898c8b69 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "559f74f0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index e78c79470e0..1c4b82d42ab 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "f5d372a0",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json
index 2f427d881e6..d89465e5139 100644
--- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json
+++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group",
 "platform": "Terraform",
 "descriptionID": "d79243b5",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json
index 002c9ae34ee..bb27af08b06 100644
--- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json
+++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc",
 "platform": "Terraform",
 "descriptionID": "cdbdeb30",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json
index eb6fa9e9df3..c715265fde8 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route",
 "platform": "Terraform",
 "descriptionID": "3a60c60e",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json
index 9f0a94df33b..d99057a83ff 100644
--- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json
+++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch",
 "platform": "Terraform",
 "descriptionID": "2b7ea60d",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json b/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json
index 922ca7e94a9..13425346e41 100644
--- a/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json
+++ b/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall#vpc_id",
 "platform": "Terraform",
 "descriptionID": "2e7d55e6",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json
index 62c04f13ae4..ff8fe052c68 100644
--- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json
+++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution",
 "platform": "Terraform",
 "descriptionID": "38579a53",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/dynamo/metadata.json b/assets/queries/terraform/aws_bom/dynamo/metadata.json
index 161ad05f5a8..8ca678d716b 100644
--- a/assets/queries/terraform/aws_bom/dynamo/metadata.json
+++ b/assets/queries/terraform/aws_bom/dynamo/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "c9007e7c",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/ebs/metadata.json b/assets/queries/terraform/aws_bom/ebs/metadata.json
index 2eb3bc21959..ca232705db0 100644
--- a/assets/queries/terraform/aws_bom/ebs/metadata.json
+++ b/assets/queries/terraform/aws_bom/ebs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "fd141699",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/efs/metadata.json b/assets/queries/terraform/aws_bom/efs/metadata.json
index b11c69f2553..4220c603046 100644
--- a/assets/queries/terraform/aws_bom/efs/metadata.json
+++ b/assets/queries/terraform/aws_bom/efs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "5522243f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/elasticache/metadata.json b/assets/queries/terraform/aws_bom/elasticache/metadata.json
index 969decdafe7..9bd2969a9ca 100644
--- a/assets/queries/terraform/aws_bom/elasticache/metadata.json
+++ b/assets/queries/terraform/aws_bom/elasticache/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "34559ecd",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/kinesis/metadata.json b/assets/queries/terraform/aws_bom/kinesis/metadata.json
index f1ba5e01080..b6aa9b53927 100644
--- a/assets/queries/terraform/aws_bom/kinesis/metadata.json
+++ b/assets/queries/terraform/aws_bom/kinesis/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "45271dee",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/mq/metadata.json b/assets/queries/terraform/aws_bom/mq/metadata.json
index 4b65b767d95..74795986384 100644
--- a/assets/queries/terraform/aws_bom/mq/metadata.json
+++ b/assets/queries/terraform/aws_bom/mq/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "5f5ba9bc",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/msk/metadata.json b/assets/queries/terraform/aws_bom/msk/metadata.json
index 4632652cea4..90e53e2e9ba 100644
--- a/assets/queries/terraform/aws_bom/msk/metadata.json
+++ b/assets/queries/terraform/aws_bom/msk/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "cf7ae008",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/rds/metadata.json b/assets/queries/terraform/aws_bom/rds/metadata.json
index e19ac83a4d0..4279d37c3f9 100644
--- a/assets/queries/terraform/aws_bom/rds/metadata.json
+++ b/assets/queries/terraform/aws_bom/rds/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "b621abbb",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/s3_bucket/metadata.json b/assets/queries/terraform/aws_bom/s3_bucket/metadata.json
index 87c0d541a23..e79ad2c504f 100644
--- a/assets/queries/terraform/aws_bom/s3_bucket/metadata.json
+++ b/assets/queries/terraform/aws_bom/s3_bucket/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "0bdf2341",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/sns/metadata.json b/assets/queries/terraform/aws_bom/sns/metadata.json
index eff3ac223e9..6867d3caf6a 100644
--- a/assets/queries/terraform/aws_bom/sns/metadata.json
+++ b/assets/queries/terraform/aws_bom/sns/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "4c016c6f",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/sqs/metadata.json b/assets/queries/terraform/aws_bom/sqs/metadata.json
index 0982c474f37..98ec0f187fb 100644
--- a/assets/queries/terraform/aws_bom/sqs/metadata.json
+++ b/assets/queries/terraform/aws_bom/sqs/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://kics.io",
 "platform": "Terraform",
 "descriptionID": "63fc27c2",
- "cloudProvider": "aws"
-}
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json
index 6d3d51120a4..4801d2197f4 100644
--- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json
+++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator",
 "platform": "Terraform",
 "descriptionID": "bccbda19",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json
index 7b681958f51..0478efc787e 100644
--- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json
+++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/azurerm/r/container_registry.html",
 "platform": "Terraform",
 "descriptionID": "5250257b",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json
index 00b3d16c15e..acc49976cf2 100644
--- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json
+++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id",
 "platform": "Terraform",
 "descriptionID": "4eddeb5c",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
index 73342e577bd..db116f3bb86 100644
--- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
+++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster",
 "platform": "Terraform",
 "descriptionID": "7708dadb",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json
index e853d163b98..ef179cdad53 100644
--- a/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json
+++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled",
 "platform": "Terraform",
 "descriptionID": "3ec5eed5",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json b/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json
index 5bb94115523..293fb296263 100644
--- a/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json
+++ b/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#role_based_access_control",
 "platform": "Terraform",
 "descriptionID": "d27166a7",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json
index 0cb5d9e0468..61474d746cb 100644
--- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json
+++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy",
 "platform": "Terraform",
 "descriptionID": "df6d2dcb",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json b/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json
index 9c6f86d4662..fe2399259c0 100644
--- a/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#enabled",
 "platform": "Terraform",
 "descriptionID": "ec37a064",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json
index 632a3494a29..f1bcf7874ac 100644
--- a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state",
 "platform": "Terraform",
 "descriptionID": "a1ada318",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json b/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json
index 405e1bd277b..faa67da0616 100644
--- a/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled",
 "platform": "Terraform",
 "descriptionID": "dee0c164",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json b/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json
index 47761651cb2..dd4badd9114 100644
--- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity",
 "platform": "Terraform",
 "descriptionID": "c8096e2d",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json
index 4ca74564c1d..1b930e38a18 100644
--- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version",
 "platform": "Terraform",
 "descriptionID": "63399f46",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json
index e5d02dad5f5..628070dfbf4 100644
--- a/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json
+++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#php_version",
 "platform": "Terraform",
 "descriptionID": "0054cbe3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
index 4f745507ed8..b63d9e72a84 100644
--- a/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
+++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version",
 "platform": "Terraform",
 "descriptionID": "848bf695",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json b/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json
index 03ad23759cf..2311ae05a84 100644
--- a/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json
+++ b/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_fabric_cluster#tenant_id",
 "platform": "Terraform",
 "descriptionID": "2c27e24e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json
index 2cfa34f2e60..88dc7f390ac 100644
--- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json
+++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled",
 "platform": "Terraform",
 "descriptionID": "7beaf18e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json
index 9f0306e2a6e..30bff6313ea 100644
--- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/search_service#public_network_access_enabled",
 "platform": "Terraform",
 "descriptionID": "d4766039",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
index b8fffdd0897..364516b8a13 100644
--- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
+++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry",
 "platform": "Terraform",
 "descriptionID": "adb235b6",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json b/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json
index 08638f39e22..ce4559c84f0 100644
--- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json
+++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor#web_application_firewall_policy_link_id",
 "platform": "Terraform",
 "descriptionID": "a84ac10d",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json
index ed8e235249d..6d58fc9c033 100644
--- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json
+++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#admin_ssh_key",
 "platform": "Terraform",
 "descriptionID": "dafe30ec",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json b/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json
index 17fa5408f6a..24909f22058 100644
--- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json
+++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account",
 "platform": "Terraform",
 "descriptionID": "f0bce814",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
index 3f49a626b9a..32ebdf83ea7 100644
--- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
+++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#ip_range_filter",
 "platform": "Terraform",
 "descriptionID": "fd34a2d6",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json b/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json
index a0ed1876147..bde4d8c12d5 100644
--- a/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json
+++ b/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster",
 "platform": "Terraform",
 "descriptionID": "3f384e51",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
index 82238dbe20c..89cd75e6b03 100644
--- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
+++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action",
 "platform": "Terraform",
 "descriptionID": "a5613650",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/email_alerts_disabled/metadata.json b/assets/queries/terraform/azure/email_alerts_disabled/metadata.json
index a84699b4584..0442534c2eb 100644
--- a/assets/queries/terraform/azure/email_alerts_disabled/metadata.json
+++ b/assets/queries/terraform/azure/email_alerts_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact",
 "platform": "Terraform",
 "descriptionID": "23aadb20",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json
index ebaeafe4683..a90060a657e 100644
--- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json
+++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#encryption_settings",
 "platform": "Terraform",
 "descriptionID": "8f6e1fa8",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
index 0d160a35bfe..fed619db2df 100644
--- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
+++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule",
 "platform": "Terraform",
 "descriptionID": "6ac1bc00",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json b/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json
index 01466db2c0d..195ef8dc966 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#auth_settings",
 "platform": "Terraform",
 "descriptionID": "7526dc36",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json
index 8ebffa7d802..b788596dd5a 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#client_cert_mode",
 "platform": "Terraform",
 "descriptionID": "436752d7",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
index ff7a9b5bbbb..c891568eb21 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ftps_state",
 "platform": "Terraform",
 "descriptionID": "2144ef13",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json b/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json
index 31621f22fd6..e7e187d398c 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled",
 "platform": "Terraform",
 "descriptionID": "7c364a67",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json
index 3184e83a079..819f169f5f1 100644
--- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity",
 "platform": "Terraform",
 "descriptionID": "37e5ef3f",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json
index 6bb0323d30d..1f2ebbd58ce 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#min_tls_version",
 "platform": "Terraform",
 "descriptionID": "69753abf",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json
index fa925fc2e7a..5ecf0d1a356 100644
--- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json
+++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server",
 "platform": "Terraform",
 "descriptionID": "4646e954",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/key_expiration_not_set/metadata.json b/assets/queries/terraform/azure/key_expiration_not_set/metadata.json
index be93c7f3427..0defbb913d8 100644
--- a/assets/queries/terraform/azure/key_expiration_not_set/metadata.json
+++ b/assets/queries/terraform/azure/key_expiration_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key",
 "platform": "Terraform",
 "descriptionID": "bb99ceb7",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json
index 51aaa02341e..59c311ab9c0 100644
--- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json
+++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type",
 "platform": "Terraform",
 "descriptionID": "4aacc07b",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json b/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json
index c289107e774..fb4d4c5d0fe 100644
--- a/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json
+++ b/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "e14a3a02",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json
index 3be29c583e9..e2472ab204b 100644
--- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#public_network_access_enabled",
 "platform": "Terraform",
 "descriptionID": "e1decb5e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json
index a5199d7094c..8772b2319f0 100644
--- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json
+++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#geo_redundant_backup_enabled",
 "platform": "Terraform",
 "descriptionID": "f9f97af4",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json
index edbdd842ed0..7f50cd71c2e 100644
--- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json
+++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy",
 "platform": "Terraform",
 "descriptionID": "f0be3ea8",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json
index fec8ddabc1b..68a7c56051b 100644
--- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server#public_network_access_enabled",
 "platform": "Terraform",
 "descriptionID": "d1ee9c09",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json b/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json
index 6a27828c78a..0669bd2d532 100644
--- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#public_network_access_enabled",
 "platform": "Terraform",
 "descriptionID": "e5c71632",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json
index 1d1f51cbde4..ba20015d74c 100644
--- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json
+++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server",
 "platform": "Terraform",
 "descriptionID": "81500787",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json b/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json
index b3ba0415b0c..fd1c43ad9ba 100644
--- a/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json
+++ b/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#public_ip_address_id",
 "platform": "Terraform",
 "descriptionID": "49907665",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json
index 78ddae749e7..9a7fa272bf5 100644
--- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json
+++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#enable_ip_forwarding",
 "platform": "Terraform",
 "descriptionID": "890cf9a4",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json b/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json
index c9ea77fb8b3..974108dd26d 100644
--- a/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json
+++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log",
 "platform": "Terraform",
 "descriptionID": "fd29818c",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json b/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json
index 8a793b62f2d..7a70657591a 100644
--- a/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "06d14345",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json b/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json
index 80d51030cfa..71182ed4562 100644
--- a/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "743324e3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json b/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json
index 7fd887b9f23..a9f65ddb313 100644
--- a/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "2961eac3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json b/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json
index 7e18de33eb1..95f4d2261a1 100644
--- a/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#infrastructure_encryption_enabled",
 "platform": "Terraform",
 "descriptionID": "b982dca0",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json b/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json
index d385049078c..d4547f2fe00 100644
--- a/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "6f6649db",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json
index 4578afd5b79..38fe2706abe 100644
--- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json
+++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "d183d853",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json
index 74c61170315..81078b6c5ca 100644
--- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json
+++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#threat_detection_policy",
 "platform": "Terraform",
 "descriptionID": "ed803b39",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/public_storage_account/metadata.json b/assets/queries/terraform/azure/public_storage_account/metadata.json
index ebfef6da0f2..21992868be5 100644
--- a/assets/queries/terraform/azure/public_storage_account/metadata.json
+++ b/assets/queries/terraform/azure/public_storage_account/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account",
 "platform": "Terraform",
 "descriptionID": "88948514",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json
index 3a538f1795c..69c44d182c2 100644
--- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json
+++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule",
 "platform": "Terraform",
 "descriptionID": "21b8be3f",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 21a2f58b413..5155693adf4 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache",
 "platform": "Terraform",
 "descriptionID": "b7160c8c",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json b/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json
index fd730508feb..5f618229908 100644
--- a/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json
+++ b/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule",
 "platform": "Terraform",
 "descriptionID": "d18de348",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json b/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json
index 1c649135691..98ac374347c 100644
--- a/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json
+++ b/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache#patch_schedule",
 "platform": "Terraform",
 "descriptionID": "a9726898",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json b/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json
index 899c1e7971c..b12c30931cf 100644
--- a/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule",
 "platform": "Terraform",
 "descriptionID": "0017c1c6",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json
index b90493eaaf8..eb5e9b7ed77 100644
--- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json
+++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment",
 "platform": "Terraform",
 "descriptionID": "a827491d",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json b/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json
index 78965514ce7..6345ddf45c3 100644
--- a/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json
+++ b/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment",
 "platform": "Terraform",
 "descriptionID": "fa055646",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
index 59f6ec0a4bc..6d1bbb970d9 100644
--- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
+++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions",
 "platform": "Terraform",
 "descriptionID": "a96dc1b9",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json b/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json
index 77e7a75e181..db7ddd01567 100644
--- a/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json
+++ b/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret",
 "platform": "Terraform",
 "descriptionID": "172cf4e6",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json
index fdc6c3891ec..ec46a1323ea 100644
--- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json
+++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing",
 "platform": "Terraform",
 "descriptionID": "6a9ab071",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/security_contact_email/metadata.json b/assets/queries/terraform/azure/security_contact_email/metadata.json
index 6f61bef2a92..02aaf6f0063 100644
--- a/assets/queries/terraform/azure/security_contact_email/metadata.json
+++ b/assets/queries/terraform/azure/security_contact_email/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#email",
 "platform": "Terraform",
 "descriptionID": "8632da7c",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json b/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json
index 9932b56556b..eeeb5ef5703 100644
--- a/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json
+++ b/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/azure/r/virtual_network.html",
 "platform": "Terraform",
 "descriptionID": "e64d2982",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json b/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json
index f37e2d07be7..107fa5514aa 100644
--- a/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile",
 "platform": "Terraform",
 "descriptionID": "224ff4f9",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json
index 98c0b002c81..28b06392af7 100644
--- a/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log",
 "platform": "Terraform",
 "descriptionID": "02e10365",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json
index e340ee7bdfb..66c856194da 100644
--- a/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json
+++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server",
 "platform": "Terraform",
 "descriptionID": "96124822",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json
index 2577450c614..0681fd010a1 100644
--- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server",
 "platform": "Terraform",
 "descriptionID": "ecd42771",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json
index fe9cde4eb93..90f390588f5 100644
--- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration",
 "platform": "Terraform",
 "descriptionID": "1ec96250",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json b/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json
index d4700e35489..a1059ded475 100644
--- a/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json
+++ b/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/azurerm/r/sql_database.html",
 "platform": "Terraform",
 "descriptionID": "8f1137db",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json
index f0eb85912f9..a896b08cbde 100644
--- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#email_account_admins",
 "platform": "Terraform",
 "descriptionID": "4eb880dd",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json b/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json
index 1be07c57c80..f21878ef0a1 100644
--- a/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server",
 "platform": "Terraform",
 "descriptionID": "609638cc",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json
index bb57ef2e8ab..0ec5f0fc8c3 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule",
 "platform": "Terraform",
 "descriptionID": "eb6d3eca",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
index 058b83d5975..4b024f5a2b1 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator",
 "platform": "Terraform",
 "descriptionID": "6ed21e26",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json
index 63356f2fcb7..f6acba7d1cb 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server",
 "platform": "Terraform",
 "descriptionID": "d0bed58e",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json
index f1d1d2423e7..dabc39de58b 100644
--- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json
+++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule",
 "platform": "Terraform",
 "descriptionID": "f98cf1dc",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json b/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json
index c11f5de8d99..82785d30add 100644
--- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json
+++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server",
 "platform": "Terraform",
 "descriptionID": "9549423a",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
index 6baefe5dd8f..13b0fd14723 100644
--- a/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
+++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account",
 "platform": "Terraform",
 "descriptionID": "ab6688ca",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
index 6bb89b002cb..0235a64675d 100644
--- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account",
 "platform": "Terraform",
 "descriptionID": "a38872a7",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json
index 79d2cf57050..6a0203c7c01 100644
--- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type",
 "platform": "Terraform",
 "descriptionID": "a9e178f3",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json b/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json
index 76ea07c838c..3a409c0a66b 100644
--- a/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json
+++ b/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file",
 "platform": "Terraform",
 "descriptionID": "33aa1747",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json
index 395cbf878c3..e93918b959e 100644
--- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json
+++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_table#permissions",
 "platform": "Terraform",
 "descriptionID": "01751e5a",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
index e20415ea7e3..8399bfad275 100644
--- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass",
 "platform": "Terraform",
 "descriptionID": "2d2af667",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
index e1c2122d678..d90691e4957 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule",
 "platform": "Terraform",
 "descriptionID": "837de8dd",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json b/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json
index 7977a31ff9f..c5a8575511b 100644
--- a/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json
+++ b/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/azurerm/r/key_vault.html",
 "platform": "Terraform",
 "descriptionID": "047ab315",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json
index 31391b17198..fae764968f9 100644
--- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json
+++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network#ddos_protection_plan",
 "platform": "Terraform",
 "descriptionID": "c08cb91b",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json b/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json
index 4e35945dfc0..0dadc556319 100644
--- a/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json
+++ b/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#network_interface_ids",
 "platform": "Terraform",
 "descriptionID": "9f51f6b1",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
index ff0768534d0..8dd9b48d5c3 100644
--- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
+++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway",
 "platform": "Terraform",
 "descriptionID": "97c222ec",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json
index f94ca28cd56..3bee4055688 100644
--- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json
+++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only",
 "platform": "Terraform",
 "descriptionID": "74140c3d",
- "cloudProvider": "azure"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
index 9a944688909..e0873f5ba6d 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
@@ -5,8 +5,9 @@
 "category": "Resource Management",
 "descriptionText": "Databricks should have min and max worker setup for autoscale",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster",
- "descriptionID": "e6eabd3e",
 "platform": "Terraform",
+ "descriptionID": "e6eabd3e",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
index 940ae115e3c..4fac6fe0bb1 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
@@ -5,8 +5,9 @@
 "category": "Best Practices",
 "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected",
 "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html",
- "descriptionID": "b6345aa6",
 "platform": "Terraform",
+ "descriptionID": "b6345aa6",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
index 55261d56011..099c27c3082 100644
--- a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
@@ -5,8 +5,9 @@
 "category": "Best Practices",
 "descriptionText": "One or some Databricks Cluster Azure Attribute Best Practices are not respected",
 "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html",
- "descriptionID": "bb2e4c81",
 "platform": "Terraform",
+ "descriptionID": "bb2e4c81",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
index 4a98480a439..80f214aa8f0 100644
--- a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
@@ -5,8 +5,9 @@
 "category": "Best Practices",
 "descriptionText": "One or some Databricks Cluster GCP Attribute Best Practices are not respected",
 "descriptionUrl": "https://docs.databricks.com/clusters/cluster-config-best-practices.html",
- "descriptionID": "c1fe1954",
 "platform": "Terraform",
+ "descriptionID": "c1fe1954",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/databricks_permissions/metadata.json b/assets/queries/terraform/databricks/databricks_permissions/metadata.json
index bfef6689a7d..e9c50d65eaa 100755
--- a/assets/queries/terraform/databricks/databricks_permissions/metadata.json
+++ b/assets/queries/terraform/databricks/databricks_permissions/metadata.json
@@ -8,5 +8,6 @@
 "platform": "Terraform",
 "descriptionID": "66b9bc6e",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
index 881b6bdfa68..a4295e0e76c 100644
--- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
+++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
@@ -5,8 +5,9 @@
 "category": "Access Control",
 "descriptionText": "Databricks Group should have at least one user or one instance profile associated",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group",
- "descriptionID": "4bb78f12",
 "platform": "Terraform",
+ "descriptionID": "4bb78f12",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
index 5b270a1f597..a0304a2bbdf 100644
--- a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
@@ -5,8 +5,9 @@
 "category": "Insecure Defaults",
 "descriptionText": "OBO Token has an indefinitely lifetime",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/obo_token",
- "descriptionID": "df3aa7ed",
 "platform": "Terraform",
+ "descriptionID": "df3aa7ed",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
index 59c51288f96..f01449e13bd 100644
--- a/assets/queries/terraform/databricks/indefinitely_token/metadata.json
+++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
@@ -5,8 +5,9 @@
 "category": "Insecure Defaults",
 "descriptionText": "Token has an indefinitely lifetime",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token",
- "descriptionID": "79759163",
 "platform": "Terraform",
+ "descriptionID": "79759163",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
index 673c13da8e3..bfc358751cc 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
+++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
@@ -5,8 +5,9 @@
 "category": "Networking and Firewall",
 "descriptionText": "ACL allow ingress from 0.0.0.0/0 and/or ::/0",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list",
- "descriptionID": "9670a9f6",
 "platform": "Terraform",
+ "descriptionID": "9670a9f6",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
index 3455ce2187b..d13bbcafab7 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
@@ -5,8 +5,9 @@
 "category": "Best Practices",
 "descriptionText": "Spark Version is not a Long-term Support",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/spark_version",
- "descriptionID": "fdaa059f",
 "platform": "Terraform",
+ "descriptionID": "fdaa059f",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
index eca898e51a0..ee1ad1ec901 100644
--- a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
+++ b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
@@ -5,8 +5,9 @@
 "category": "Best Practices",
 "descriptionText": "Job's Task Is spark_submit_task",
 "descriptionUrl": "https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/job#spark_submit_task-configuration-block",
- "descriptionID": "fcfdfbd3",
 "platform": "Terraform",
+ "descriptionID": "fcfdfbd3",
 "cloudProvider": "common",
- "experimental": "true"
-}
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json b/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json
index 2eec92e94f8..d0cd8396e25 100644
--- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json
+++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/google/r/bigquery_dataset.html",
 "platform": "Terraform",
 "descriptionID": "cb5081a0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
index 6a1dfa04b31..56368287eb2 100755
--- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/google/d/dns_managed_zone.html",
 "platform": "Terraform",
 "descriptionID": "5598ed06",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
index c4427df68cb..e659873e0e1 100644
--- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#google_storage_bucket_iam_binding",
 "platform": "Terraform",
 "descriptionID": "fd990360",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
index a0329df7a0e..1285e24d1be 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members",
 "platform": "Terraform",
 "descriptionID": "7a54f7e2",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index e8d0e8dabb5..095d76d0800 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#log_bucket",
 "platform": "Terraform",
 "descriptionID": "9e9984aa",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index 925e75bead9..c826ad2ccf3 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#enabled",
 "platform": "Terraform",
 "descriptionID": "9fda4554",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json b/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json
index e12a4abe2fa..8c50d97c5c4 100644
--- a/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "947385a5",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json b/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
index cfeef39e3b0..12a926e131b 100644
--- a/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#node_config",
 "platform": "Terraform",
 "descriptionID": "4bdfef01",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json b/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json
index 166972c65a2..77b21cf4f02 100644
--- a/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk",
 "platform": "Terraform",
 "descriptionID": "33fb7fa7",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json b/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json
index 0fee6a59919..4679dfe9928 100644
--- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json
+++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#algorithm",
 "platform": "Terraform",
 "descriptionID": "07664c32",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json
index 812fde2ebf3..931d2c2cb30 100644
--- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "a2e814bc",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json b/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json
index 2e3dec8a2f7..5f91ae009f8 100644
--- a/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json
+++ b/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_config",
 "platform": "Terraform",
 "descriptionID": "efe7e7b0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json
index e2b44124f90..9329707e9a7 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#name",
 "platform": "Terraform",
 "descriptionID": "68898cf7",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
index 2ef5475ae24..f56632ffa86 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow",
 "platform": "Terraform",
 "descriptionID": "20fce4e9",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json
index 8bbeb7ec2e5..c3f797e0e4f 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow",
 "platform": "Terraform",
 "descriptionID": "7289eebd",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
index e0b53266402..dc94d7b9885 100644
--- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy",
 "platform": "Terraform",
 "descriptionID": "27c7da5e",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json
index adb58ed456e..0ee5a985b50 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork",
 "platform": "Terraform",
 "descriptionID": "689ef05b",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
index 4649345f003..b32b9aae010 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access",
 "platform": "Terraform",
 "descriptionID": "87e8a4f7",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index accef8e9077..5cd75198987 100644
--- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool",
 "platform": "Terraform",
 "descriptionID": "39487293",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json
index 2a5f4eff275..f6d3fe049fd 100644
--- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project",
 "platform": "Terraform",
 "descriptionID": "9bcdbe82",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json
index 560ec84af4b..c4d5e0f0722 100644
--- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding",
 "platform": "Terraform",
 "descriptionID": "2b311b42",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json
index 043eb634e95..03e82a3f3ff 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member",
 "platform": "Terraform",
 "descriptionID": "965c0d1c",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json
index dc65c1b5325..bcbe5a5dab8 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member",
 "platform": "Terraform",
 "descriptionID": "beb4558c",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json
index 56769eaef12..a8dac4019ed 100644
--- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket",
 "platform": "Terraform",
 "descriptionID": "6a48f2c6",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
index 409f00e54f9..6dfaba671b0 100644
--- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
+++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key",
 "platform": "Terraform",
 "descriptionID": "d43302d0",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json
index 791b887da28..ee505ee25d3 100644
--- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json
+++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_audit_config",
 "platform": "Terraform",
 "descriptionID": "dd31f3ec",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json
index e93602d7129..2375ca90fae 100644
--- a/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "e7d9862a",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json b/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json
index 9de1c277194..11661e853c4 100644
--- a/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance",
 "platform": "Terraform",
 "descriptionID": "2c1a3242",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json
index fb997d4fd38..51d5a3a7d23 100644
--- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json
+++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#policy_data",
 "platform": "Terraform",
 "descriptionID": "36d82ecd",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json
index 44b9780c387..804a9ba0e61 100644
--- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam#google_kms_crypto_key_iam_policy",
 "platform": "Terraform",
 "descriptionID": "b1146d1f",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json
index 09b5c714635..c7b9bb2b95c 100644
--- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "94728b0c",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/network_policy_disabled/metadata.json b/assets/queries/terraform/gcp/network_policy_disabled/metadata.json
index 1a06a1e91e8..e8ec1d1a598 100644
--- a/assets/queries/terraform/gcp/network_policy_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/network_policy_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "afcf7c4b",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json
index d86413fb069..6312be77b09 100644
--- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_upgrade",
 "platform": "Terraform",
 "descriptionID": "46e4c29f",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json b/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json
index 58db05bf36a..5685d352cdf 100644
--- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json
+++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding",
 "platform": "Terraform",
 "descriptionID": "55ff1131",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/os_login_disabled/metadata.json b/assets/queries/terraform/gcp/os_login_disabled/metadata.json
index 5fea0c64db4..4c25386f297 100644
--- a/assets/queries/terraform/gcp/os_login_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/os_login_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata#metadata",
 "platform": "Terraform",
 "descriptionID": "3ed07bfa",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json
index cabb4119159..5d8ac06eeac 100644
--- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json
+++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
 "platform": "Terraform",
 "descriptionID": "a0cc649c",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/outdated_gke_version/metadata.json b/assets/queries/terraform/gcp/outdated_gke_version/metadata.json
index cf2da6ebde2..a84ee4f79e9 100644
--- a/assets/queries/terraform/gcp/outdated_gke_version/metadata.json
+++ b/assets/queries/terraform/gcp/outdated_gke_version/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_version",
 "platform": "Terraform",
 "descriptionID": "65a3bf94",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json
index 14894fd667e..571ea769f02 100644
--- a/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "546c4012",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json b/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json
index 1244ec6d487..4ddde817caf 100644
--- a/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster",
 "platform": "Terraform",
 "descriptionID": "e9bbb09e",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
index c716eb0b5d2..641649d6f7f 100644
--- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
+++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
 "platform": "Terraform",
 "descriptionID": "4b9307cd",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
index 0ff79ff59e3..2d91feaf80e 100644
--- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall",
 "platform": "Terraform",
 "descriptionID": "f8156d3b",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json
index c80fed10762..e595c07dcd3 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role",
 "platform": "Terraform",
 "descriptionID": "1b2dbbea",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json
index 9164148fff0..355b3c98675 100644
--- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json
@@ -5,7 +5,8 @@
 "category": "Insecure Configurations",
 "descriptionText": "GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_shielded_nodes",
- "descriptionID": "579a0727",
 "platform": "Terraform",
- "cloudProvider": "gcp"
-}
+ "descriptionID": "579a0727",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json b/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json
index 55464199e63..6ff650a91b6 100644
--- a/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#shielded_instance_config",
 "platform": "Terraform",
 "descriptionID": "3a0a17c4",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json
index 39590529930..266f3632bc1 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance",
 "platform": "Terraform",
 "descriptionID": "ab1d4131",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json
index 8c8557ba195..6a677ec2649 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance",
 "platform": "Terraform",
 "descriptionID": "9beef444",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index b0289ef723b..b76d8c884e2 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl",
 "platform": "Terraform",
 "descriptionID": "8983549e",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
index 992fbc8ed95..4f830471416 100644
--- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall",
 "platform": "Terraform",
 "descriptionID": "c0e4fb6f",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json
index 2c9b92d5744..4de7b2af176 100644
--- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#logging_service",
 "platform": "Terraform",
 "descriptionID": "b292106d",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json
index e00d04ca8e3..8f59dd7b439 100644
--- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#monitoring_service",
 "platform": "Terraform",
 "descriptionID": "97635f79",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/user_with_iam_role/metadata.json b/assets/queries/terraform/gcp/user_with_iam_role/metadata.json
index 676b1531067..b39aebd0566 100644
--- a/assets/queries/terraform/gcp/user_with_iam_role/metadata.json
+++ b/assets/queries/terraform/gcp/user_with_iam_role/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role",
 "platform": "Terraform",
 "descriptionID": "256939e9",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/using_default_service_account/metadata.json b/assets/queries/terraform/gcp/using_default_service_account/metadata.json
index 77fecd8e5f6..622bf883b8b 100644
--- a/assets/queries/terraform/gcp/using_default_service_account/metadata.json
+++ b/assets/queries/terraform/gcp/using_default_service_account/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
 "platform": "Terraform",
 "descriptionID": "5c3e219f",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
index 5176c6da976..999d501a200 100644
--- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
+++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
 "platform": "Terraform",
 "descriptionID": "2967cde6",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json b/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json
index ef6ddedaf18..10f6a348e5e 100644
--- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json
+++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#scopes",
 "platform": "Terraform",
 "descriptionID": "a0c651be",
- "cloudProvider": "gcp"
-}
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/dataflow/metadata.json b/assets/queries/terraform/gcp_bom/dataflow/metadata.json
index 18d85e00fe7..e777a363e46 100644
--- a/assets/queries/terraform/gcp_bom/dataflow/metadata.json
+++ b/assets/queries/terraform/gcp_bom/dataflow/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "895ed0d9-6fec-4567-8614-d7a74b599a53",
- "queryName": "BOM - GCP Dataflow",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.",
- "descriptionUrl": "https://kics.io",
- "platform": "Terraform",
- "descriptionID": "5d614ad5",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "895ed0d9-6fec-4567-8614-d7a74b599a53",
+ "queryName": "BOM - GCP Dataflow",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "Terraform",
+ "descriptionID": "5d614ad5",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/fi/metadata.json b/assets/queries/terraform/gcp_bom/fi/metadata.json
index 4bcc4020e05..9ac9f71b17d 100644
--- a/assets/queries/terraform/gcp_bom/fi/metadata.json
+++ b/assets/queries/terraform/gcp_bom/fi/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "c9d81239-c818-4869-9917-1570c62b81fd",
- "queryName": "BOM - GCP FI",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.",
- "descriptionUrl": "https://kics.io",
- "platform": "Terraform",
- "descriptionID": "4a45b126",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "c9d81239-c818-4869-9917-1570c62b81fd",
+ "queryName": "BOM - GCP FI",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "Terraform",
+ "descriptionID": "4a45b126",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/pd/metadata.json b/assets/queries/terraform/gcp_bom/pd/metadata.json
index a7a4d143e04..a6f07023251 100644
--- a/assets/queries/terraform/gcp_bom/pd/metadata.json
+++ b/assets/queries/terraform/gcp_bom/pd/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f",
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.",
- "descriptionUrl": "https://kics.io",
- "platform": "Terraform",
- "descriptionID": "4b72e52d",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f",
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "Terraform",
+ "descriptionID": "4b72e52d",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/pst/metadata.json b/assets/queries/terraform/gcp_bom/pst/metadata.json
index 75af0c21deb..fef9c86170e 100644
--- a/assets/queries/terraform/gcp_bom/pst/metadata.json
+++ b/assets/queries/terraform/gcp_bom/pst/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "4b82202a-b18e-4891-a1eb-a0989850bbb3",
- "queryName": "BOM - GCP PST",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.",
- "descriptionUrl": "https://kics.io",
- "platform": "Terraform",
- "descriptionID": "aa371a3b",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "4b82202a-b18e-4891-a1eb-a0989850bbb3",
+ "queryName": "BOM - GCP PST",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "Terraform",
+ "descriptionID": "aa371a3b",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/redis/metadata.json b/assets/queries/terraform/gcp_bom/redis/metadata.json
index 53e4e53d27d..bff175aeb5f 100644
--- a/assets/queries/terraform/gcp_bom/redis/metadata.json
+++ b/assets/queries/terraform/gcp_bom/redis/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "bc75ce52-a60a-4660-b533-bce837a5019b",
- "queryName": "BOM - GCP Redis",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.",
- "descriptionUrl": "https://kics.io",
- "platform": "Terraform",
- "descriptionID": "1db9d01f",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "bc75ce52-a60a-4660-b533-bce837a5019b",
+ "queryName": "BOM - GCP Redis",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "Terraform",
+ "descriptionID": "1db9d01f",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/sb/metadata.json b/assets/queries/terraform/gcp_bom/sb/metadata.json
index e19cf3d9221..4768d2b93ea 100644
--- a/assets/queries/terraform/gcp_bom/sb/metadata.json
+++ b/assets/queries/terraform/gcp_bom/sb/metadata.json
@@ -1,12 +1,12 @@
 {
- "id": "2f06d22c-56bd-4f73-8a51-db001fcf2150",
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "category": "Bill Of Materials",
- "descriptionText": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.",
- "descriptionUrl": "https://kics.io",
- "platform": "Terraform",
- "descriptionID": "38a18539",
- "cloudProvider": "gcp"
- }
- 
\ No newline at end of file
+ "id": "2f06d22c-56bd-4f73-8a51-db001fcf2150",
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "category": "Bill Of Materials",
+ "descriptionText": "A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.",
+ "descriptionUrl": "https://kics.io",
+ "platform": "Terraform",
+ "descriptionID": "38a18539",
+ "cloudProvider": "gcp",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json b/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json
index 49cdcabed4c..8965c7ca5e8 100644
--- a/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json
+++ b/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/language/modules/sources.html#selecting-a-revision",
 "platform": "Terraform",
 "descriptionID": "2ee26fd1",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/general/name_is_not_snake_case/metadata.json b/assets/queries/terraform/general/name_is_not_snake_case/metadata.json
index ddb6ed47060..5b1d77e5a98 100644
--- a/assets/queries/terraform/general/name_is_not_snake_case/metadata.json
+++ b/assets/queries/terraform/general/name_is_not_snake_case/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/extend/best-practices/naming.html#naming",
 "platform": "Terraform",
 "descriptionID": "ac707cad",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/general/output_without_description/metadata.json b/assets/queries/terraform/general/output_without_description/metadata.json
index 174144fa3e6..67f35651e35 100644
--- a/assets/queries/terraform/general/output_without_description/metadata.json
+++ b/assets/queries/terraform/general/output_without_description/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/language/values/outputs.html#description-output-value-documentation",
 "platform": "Terraform",
 "descriptionID": "81535d16",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/general/variable_without_description/metadata.json b/assets/queries/terraform/general/variable_without_description/metadata.json
index 1756d100670..62842c6726a 100644
--- a/assets/queries/terraform/general/variable_without_description/metadata.json
+++ b/assets/queries/terraform/general/variable_without_description/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation",
 "platform": "Terraform",
 "descriptionID": "b44986be",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/general/variable_without_type/metadata.json b/assets/queries/terraform/general/variable_without_type/metadata.json
index 34f5abee3f2..b00f286c2dc 100644
--- a/assets/queries/terraform/general/variable_without_type/metadata.json
+++ b/assets/queries/terraform/general/variable_without_type/metadata.json
@@ -7,5 +7,6 @@
 "descriptionUrl": "https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation",
 "platform": "Terraform",
 "descriptionID": "bba696eb",
- "cloudProvider": "common"
-}
+ "cloudProvider": "common",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
index e990dafd36f..19d1203a330 100644
--- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
+++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if insecure SSL is being used in the GitHub organization webhooks",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook",
 "platform": "Terraform",
- "descriptionID": "5def6580"
-}
+ "descriptionID": "5def6580",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/github/github_repository_set_to_public/metadata.json b/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
index 7a612fabe81..c05cfbbc48c 100644
--- a/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
+++ b/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')",
 "descriptionUrl": "https://www.terraform.io/docs/providers/github/r/repository.html",
 "platform": "Terraform",
- "descriptionID": "4df8b842"
-}
+ "descriptionID": "4df8b842",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
index 3aca2d696bd..5be0dec32ed 100644
--- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Ensure that the cluster-admin role is only used where required (RBAC)",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name",
 "platform": "Terraform",
- "descriptionID": "3cfeabe4"
-}
+ "descriptionID": "3cfeabe4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
index ba992b1f60c..18487b73ea5 100644
--- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
+++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls",
 "platform": "Terraform",
- "descriptionID": "21547beb"
-}
+ "descriptionID": "21547beb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
index e8508e28679..2bbfcda52b6 100644
--- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Minimize the admission of containers wishing to share the host process ID namespace",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid",
 "platform": "Terraform",
- "descriptionID": "74aa164e"
-}
+ "descriptionID": "74aa164e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
index afaa0cd5011..aab5b551f0c 100644
--- a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
 "platform": "Terraform",
- "descriptionID": "e2be4ab9"
-}
+ "descriptionID": "e2be4ab9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
index 65cd3a59035..6ca4c8cdee5 100644
--- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Kubernetes container should have resource limitations defined such as CPU and memory",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
 "platform": "Terraform",
- "descriptionID": "36651cdf"
-}
+ "descriptionID": "36651cdf",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
index 3fcaf263367..fa6854c52bb 100644
--- a/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
@@ -3,8 +3,9 @@
 "queryName": "Container Runs Unmasked",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Check if a container has full access (unmasked) to the host\u2019s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
+ "descriptionText": "Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types",
 "platform": "Terraform",
- "descriptionID": "bbb3aa40"
-}
+ "descriptionID": "bbb3aa40",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
index 18d6b3124dd..68bee79ab10 100644
--- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should not have extra capabilities allowed",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
 "platform": "Terraform",
- "descriptionID": "4422c052"
-}
+ "descriptionID": "4422c052",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
index 97cfa9e7945..c1a08d0cf92 100644
--- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should not have CAP_SYS_ADMIN Linux capability",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
 "platform": "Terraform",
- "descriptionID": "03622ad2"
-}
+ "descriptionID": "03622ad2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
index 674b60f90cf..0db0064bbef 100644
--- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
+++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
 "platform": "Terraform",
- "descriptionID": "9dd8e356"
-}
+ "descriptionID": "9dd8e356",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
index 9d0d5952897..9517dfefd66 100644
--- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
+++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
 "platform": "Terraform",
- "descriptionID": "957f09a7"
-}
+ "descriptionID": "957f09a7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
index 64b32d97bd6..9a342a5b9d8 100644
--- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds",
 "platform": "Terraform",
- "descriptionID": "030edc62"
-}
+ "descriptionID": "030edc62",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
index 31b0c567134..763f73789ac 100644
--- a/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
+++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Default service accounts should not be actively used",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token",
 "platform": "Terraform",
- "descriptionID": "b0822187"
-}
+ "descriptionID": "b0822187",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
index a4251d5d325..25bb497adf9 100644
--- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity",
 "platform": "Terraform",
- "descriptionID": "4a5ad90d"
-}
+ "descriptionID": "4a5ad90d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
index 70981936eee..d5365b0da32 100644
--- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Deployments should be assigned with a PodDisruptionBudget to ensure high availability",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector",
 "platform": "Terraform",
- "descriptionID": "add58c0c"
-}
+ "descriptionID": "add58c0c",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
index 628194663bf..882cde53690 100644
--- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
+++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Sees if Docker Daemon Socket is not exposed to Containers",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
 "platform": "Terraform",
- "descriptionID": "836d927e"
-}
+ "descriptionID": "836d927e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
index 4e5687b1fa0..e5facde244f 100644
--- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
+++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The Horizontal Pod Autoscaler must target a valid object",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric",
 "platform": "Terraform",
- "descriptionID": "f4d95aa4"
-}
+ "descriptionID": "f4d95aa4",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
index 7bc7ada2930..15228f00ca9 100644
--- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Image Pull Policy of the container must be defined and set to Always",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy",
 "platform": "Terraform",
- "descriptionID": "d2abf21b"
-}
+ "descriptionID": "d2abf21b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
index 652bf8df7b5..79732753f93 100644
--- a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Images should be specified together with their digests to ensure integrity",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
 "platform": "Terraform",
- "descriptionID": "fec9b353"
-}
+ "descriptionID": "fec9b353",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
index 30ff1519c59..fe5fdfda322 100644
--- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
+++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
 "platform": "Terraform",
- "descriptionID": "02756212"
-}
+ "descriptionID": "02756212",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
index 49a31e33327..d991aedee6f 100644
--- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
+++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http",
 "platform": "Terraform",
- "descriptionID": "88c1dfb2"
-}
+ "descriptionID": "88c1dfb2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/invalid_image/metadata.json b/assets/queries/terraform/kubernetes/invalid_image/metadata.json
index 1588cd899ec..53531e895ec 100644
--- a/assets/queries/terraform/kubernetes/invalid_image/metadata.json
+++ b/assets/queries/terraform/kubernetes/invalid_image/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Image must be defined and not be empty or equal to latest.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
 "platform": "Terraform",
- "descriptionID": "56713716"
-}
+ "descriptionID": "56713716",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
index 2f2e9817987..a48e80565eb 100644
--- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
 "platform": "Terraform",
- "descriptionID": "e5105a57"
-}
+ "descriptionID": "e5105a57",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
index ec252726f84..bcf9f3aaba8 100644
--- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
 "platform": "Terraform",
- "descriptionID": "c957affa"
-}
+ "descriptionID": "c957affa",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
index 0483f7537aa..6539d2f340a 100644
--- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
 "platform": "Terraform",
- "descriptionID": "a77e5da7"
-}
+ "descriptionID": "a77e5da7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
index 4bc2aafbced..4120de6ff1f 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any label in the metadata is invalid.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels",
 "platform": "Terraform",
- "descriptionID": "5448851e"
-}
+ "descriptionID": "5448851e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
index 6c3a7c5bfd1..41c085fb39b 100644
--- a/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
+++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
 "platform": "Terraform",
- "descriptionID": "ba36908b"
-}
+ "descriptionID": "ba36908b",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
index 3dc448325b0..b33a2837c9c 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers need to have NET_RAW or All as drop capabilities",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
 "platform": "Terraform",
- "descriptionID": "631e9c61"
-}
+ "descriptionID": "631e9c61",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
index 22d3e920f1e..96ec0413f43 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
 "platform": "Terraform",
- "descriptionID": "548d4eac"
-}
+ "descriptionID": "548d4eac",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
index b89c4d8367e..6d0f7653dc4 100644
--- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
+++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if any network policy is not targeting any pod.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels",
 "platform": "Terraform",
- "descriptionID": "1598c368"
-}
+ "descriptionID": "1598c368",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
index 21d51aff211..cef5cb0aa58 100644
--- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
+++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Sees if Kubernetes Drop Capabilities exists to ensure containers security context",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
 "platform": "Terraform",
- "descriptionID": "f547f3d7"
-}
+ "descriptionID": "f547f3d7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
index 0601c10d6da..020adc57530 100644
--- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
+++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A non kube-system workload should not have hostPath mounted",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
 "platform": "Terraform",
- "descriptionID": "5b17fdb1"
-}
+ "descriptionID": "5b17fdb1",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json b/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
index 7a7770b2741..2ac32b34a36 100644
--- a/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
+++ b/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Limit capabilities for a Pod Security Policy",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
 "platform": "Terraform",
- "descriptionID": "c42b1890"
-}
+ "descriptionID": "c42b1890",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
index 691899ef68b..5536c8e9154 100644
--- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
+++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
 "platform": "Terraform",
- "descriptionID": "cca5f42d"
-}
+ "descriptionID": "cca5f42d",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
index 9bb4f72e1ea..98912b8138a 100644
--- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
+++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A security context defines privilege and access control settings for a Pod or Container",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context",
 "platform": "Terraform",
- "descriptionID": "a465ab52"
-}
+ "descriptionID": "a465ab52",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
index cd2e11fb110..ca2b38ec322 100644
--- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
+++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation",
 "platform": "Terraform",
- "descriptionID": "e693ddd6"
-}
+ "descriptionID": "e693ddd6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
index 100a3c20e1e..459d91e9139 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Pod Security Policies allow containers to share the host network namespace.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network",
 "platform": "Terraform",
- "descriptionID": "531152cf"
-}
+ "descriptionID": "531152cf",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
index 689f2b9fc67..756dc0c5480 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "PodSecurityPolicy should not allow privilege escalation",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation",
 "platform": "Terraform",
- "descriptionID": "1cdd3f21"
-}
+ "descriptionID": "1cdd3f21",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
index cd7889d5ce8..cefe701107f 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Pod Security Policy allows containers to share the host IPC namespace",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc",
 "platform": "Terraform",
- "descriptionID": "45566e38"
-}
+ "descriptionID": "45566e38",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
index 503b20f3b34..df6fe782fa6 100644
--- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Do not allow pod to request execution as privileged.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
 "platform": "Terraform",
- "descriptionID": "5ca96212"
-}
+ "descriptionID": "5ca96212",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
index c2b41a46ffe..c14b9323c68 100644
--- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "PodSecurityPolicy should not have added capabilities",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities",
 "platform": "Terraform",
- "descriptionID": "f3ad2d09"
-}
+ "descriptionID": "f3ad2d09",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
index fcc7b68dfa2..6884176c976 100644
--- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
 "platform": "Terraform",
- "descriptionID": "a4fb7558"
-}
+ "descriptionID": "a4fb7558",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
index add1a0adf69..11b2c92066b 100644
--- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Readiness Probe is not configured.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe",
 "platform": "Terraform",
- "descriptionID": "a333fe96"
-}
+ "descriptionID": "a333fe96",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
index 3a307dd95df..f28f29a872b 100644
--- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
+++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "No role nor cluster role should bind to a default service account",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
 "platform": "Terraform",
- "descriptionID": "a90a96ca"
-}
+ "descriptionID": "a90a96ca",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
index 3b402dbed93..c7bbb9aa135 100644
--- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
+++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if the root container filesystem is not being mounted as read-only.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem",
 "platform": "Terraform",
- "descriptionID": "b7afed50"
-}
+ "descriptionID": "b7afed50",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json b/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
index 9ddbd255c63..c63e2c46f3c 100644
--- a/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
+++ b/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user",
 "platform": "Terraform",
- "descriptionID": "aa6d70b9"
-}
+ "descriptionID": "aa6d70b9",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
index 4c4001f0157..eb5a13cdbec 100644
--- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
 "platform": "Terraform",
- "descriptionID": "ad5436a1"
-}
+ "descriptionID": "ad5436a1",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
index 7e739eec299..e7b38fda4ff 100644
--- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
+++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not use secrets as environment variables",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref",
 "platform": "Terraform",
- "descriptionID": "f5c43d1e"
-}
+ "descriptionID": "f5c43d1e",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
index 78b6ec58f38..7bf86e067ca 100644
--- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
 "platform": "Terraform",
- "descriptionID": "93294320"
-}
+ "descriptionID": "93294320",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
index 9f825dc1066..e1516267688 100644
--- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
 "platform": "Terraform",
- "descriptionID": "ce3648b0"
-}
+ "descriptionID": "ce3648b0",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
index 8339cece214..86d6aaca72f 100644
--- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service Account Tokens are automatically mounted even if not necessary",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token",
 "platform": "Terraform",
- "descriptionID": "9674e7f6"
-}
+ "descriptionID": "9674e7f6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
index 0c42cc01cb7..22cd1f396c2 100644
--- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service type should not be NodePort",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type",
 "platform": "Terraform",
- "descriptionID": "50e2c36f"
-}
+ "descriptionID": "50e2c36f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
index 3e4393dc5ef..c3e555a4abe 100644
--- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Service has an external load balancer, which may cause accessibility from other networks and the Internet",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service",
 "platform": "Terraform",
- "descriptionID": "18a78d03"
-}
+ "descriptionID": "18a78d03",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
index 06a40dc1a25..20d08c0d960 100644
--- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not share the host IPC namespace",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc",
 "platform": "Terraform",
- "descriptionID": "e76243f6"
-}
+ "descriptionID": "e76243f6",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
index 5b33ced16ff..c9775ccb3e7 100644
--- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Container should not share the host network namespace",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network",
 "platform": "Terraform",
- "descriptionID": "bf155ca7"
-}
+ "descriptionID": "bf155ca7",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_service_account/metadata.json b/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
index ef6e53c651a..9f5511ca0d7 100644
--- a/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A Service Account token is shared between workloads",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
 "platform": "Terraform",
- "descriptionID": "a13adbaa"
-}
+ "descriptionID": "a13adbaa",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
index 2a74661e302..6e1b24ece0e 100644
--- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "A StatefulSet requests volume storage.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
 "platform": "Terraform",
- "descriptionID": "3a82ccdb"
-}
+ "descriptionID": "3a82ccdb",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
index 1af221e9c54..ff6aa8f16be 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
 "platform": "Terraform",
- "descriptionID": "efa415db"
-}
+ "descriptionID": "efa415db",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
index dc292597ae4..99d2736b2bb 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
 "platform": "Terraform",
- "descriptionID": "a0d17b18"
-}
+ "descriptionID": "a0d17b18",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
index 489ce3735ae..6c8c6f868f7 100644
--- a/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
+++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Check if Tiller is deployed.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
 "platform": "Terraform",
- "descriptionID": "bf1b3f30"
-}
+ "descriptionID": "bf1b3f30",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json b/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
index cceac67b469..5d67db853af 100644
--- a/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "The default namespace should not be used",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace",
 "platform": "Terraform",
- "descriptionID": "4d26d672"
-}
+ "descriptionID": "4d26d672",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
index 8172c0b549d..88c4414f814 100644
--- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount",
 "platform": "Terraform",
- "descriptionID": "48833ef2"
-}
+ "descriptionID": "48833ef2",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
index 86753edf13b..04ead903d00 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Verifies if Kubernetes workload's host port is specified",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port",
 "platform": "Terraform",
- "descriptionID": "b7ddd063"
-}
+ "descriptionID": "b7ddd063",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
index f2c8631de38..29f2cad9864 100644
--- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
+++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
@@ -6,5 +6,6 @@
 "descriptionText": "Workload is mounting a volume with sensitive OS Directory",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
 "platform": "Terraform",
- "descriptionID": "2047253f"
-}
+ "descriptionID": "2047253f",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
index cee4410a22a..32f8a8d5f13 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
@@ -1,12 +1,13 @@
 {
- "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9",
- "queryName": "Nifcloud Computing Has Common Private Network",
- "severity": "LOW",
- "category": "Networking and Firewall",
- "descriptionText": "The instance has common private network",
- "descriptionUrl": "https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id",
- "platform": "Terraform",
- "descriptionID": "c5065d3a",
- "cloudProvider": "nifcloud",
- "experimental": "true"
-}
+ "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9",
+ "queryName": "Nifcloud Computing Has Common Private Network",
+ "severity": "LOW",
+ "category": "Networking and Firewall",
+ "descriptionText": "The instance has common private network",
+ "descriptionUrl": "https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id",
+ "platform": "Terraform",
+ "descriptionID": "c5065d3a",
+ "cloudProvider": "nifcloud",
+ "experimental": "true",
+ "CWE": ""
+}
\ No newline at end of file
From 46f5a7409c3850459f00a10644e8e147dbd8d2c6 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro Date: Mon, 18 Dec 2023 11:38:08 +0000 Subject: [PATCH 311/379] CWE field added into queries metadata.json --- .../metadata.json | 5 ++-- .../email_notifications_set_off/metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 5 ++-- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../array_items_has_no_type/metadata.json | 11 +++++---- .../metadata.json | 11 +++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../general/default_invalid/metadata.json | 11 +++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 11 +++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../invalid_contact_email/metadata.json | 10 ++++---- .../general/invalid_contact_url/metadata.json | 10 ++++---- .../general/invalid_format/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../general/invalid_license_url/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../general/items_undefined/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../maximum_length_undefined/metadata.json | 11 +++++---- .../metadata.json | 10 ++++---- .../non_array_schema_with_items/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 11 +++++---- .../operation_id_not_unique/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../general/path_ambiguous/metadata.json | 10 ++++---- .../path_parameter_not_required/metadata.json | 10 ++++---- .../metadata.json | 8 ++++--- .../general/path_template_empty/metadata.json | 10 ++++---- .../path_without_operation/metadata.json | 10 ++++---- 
.../general/paths_object_empty/metadata.json | 10 ++++---- .../general/pattern_undefined/metadata.json | 11 +++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../response_code_missing/metadata.json | 10 ++++---- .../metadata.json | 7 +++--- .../metadata.json | 10 ++++---- .../responses_object_is_empty/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../general/schema_enum_invalid/metadata.json | 10 ++++---- .../general/schema_object_empty/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../security_empty_array/metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../metadata.json | 10 ++++---- .../type_has_invalid_keyword/metadata.json | 11 +++++---- .../metadata.json | 23 ++++++++++--------- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- .../metadata.json | 7 +++--- 87 files changed, 499 insertions(+), 347 deletions(-) diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json index 3b288299a55..9e6378e9b75 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json 
@@ -7,6 +7,7 @@
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_securitygroup_module.html#parameter-rules",
 "platform": "Ansible",
 "descriptionID": "33745204",
+ "aggregation": 62,
 "cloudProvider": "azure",
- "aggregation": 62
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json b/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json
index e668e9414ba..282a580e1c5 100644
--- a/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json
+++ b/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json
@@ -6,7 +6,8 @@
 "descriptionText": "Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription",
 "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts",
 "platform": "AzureResourceManager",
- "cloudProvider": "azure",
+ "descriptionID": "7f5b9ef4",
 "aggregation": 2,
- "descriptionID": "7f5b9ef4"
-}
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json
index fe4e1eb35ea..b9009b22c6d 100644
--- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json
@@ -6,7 +6,8 @@
 "descriptionText": "The EC2 instance has a sensitive port connection exposed to the entire network",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
- "aggregation": 61,
 "descriptionID": "680b7e89",
- "cloudProvider": "aws"
-}
+ "aggregation": 61,
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json
index abe5360cd42..41298fe3114 100644
--- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json
@@ -6,7 +6,8 @@
 "descriptionText": "The load balancer of the application with a sensitive port connection is exposed to the entire internet.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html",
 "platform": "CloudFormation",
- "aggregation": 183,
 "descriptionID": "f26797b1",
- "cloudProvider": "aws"
-}
+ "aggregation": 183,
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json
index 05b61574598..dc774e181e6 100644
--- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json
@@ -6,6 +6,7 @@
 "descriptionText": "All security requirement objects must be defined in 'securityDefinitions'",
 "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject",
 "platform": "OpenAPI",
+ "descriptionID": "44fec7d0",
 "aggregation": 2,
- "descriptionID": "44fec7d0"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
index 97fe4b49744..599989c573f 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "API Keys should not be transported over network",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
+ "descriptionID": "f7f6e7fb",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "533a0d13-6e89-4551-ae33-bce14e5849c1",
 "queryName": "API Key Exposed In Global Security (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "f7f6e7fb"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
index a5d09f5de87..106fdfbdde6 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
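Review bot: The `"descriptionText": ""` added inside `override."2.0"` of api_key_exposed_in_global_security/metadata.json is a new empty override key, not a reorder: the removed line had only `descriptionUrl` there, and if the override merge copies every key it finds, the v2 variant of this query will now carry an empty description instead of inheriting the top-level text. The same empty key is introduced in the `2.0` override of api_key_exposed_in_operation_security, cleartext_api_key_in_global_security, cleartext_api_key_in_operation_security, default_response_undefined_operations, example_not_compliant_with_schema_type, the three header_parameter_named_as_* files, header_response_name_is_invalid, invalid_contact_email, invalid_contact_url, invalid_format, the external_documentation_url files and invalid_license_url, whereas files that already had a v2 description (array_items_has_no_type, array_without_maximum_number_items, default_invalid, global_security_field_undefined) only have it moved. Either drop the key from those overrides or give it the v2 wording, as the latter files do. Whether the loader treats `""` as unset cannot be told from this diff; a test asserting the rendered v2 description, or a look at the override merge code, would settle it.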
@@ -6,13 +6,15 @@ "descriptionText": "API Keys should not be transported over network", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", + "descriptionID": "812604ac", + "aggregation": 2, "override": { "2.0": { "id": "392599e4-a4e2-403d-bc56-3fe05755782d", "queryName": "API Key Exposed In Operation Security (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject" + "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "812604ac" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/array_items_has_no_type/metadata.json b/assets/queries/openAPI/general/array_items_has_no_type/metadata.json index db195c960ae..af9f26049de 100644 --- a/assets/queries/openAPI/general/array_items_has_no_type/metadata.json +++ b/assets/queries/openAPI/general/array_items_has_no_type/metadata.json @@ -6,14 +6,15 @@ "descriptionText": "Schema array items type should be defined", "descriptionUrl": "https://swagger.io/docs/specification/data-models/data-types/#string", "platform": "OpenAPI", + "descriptionID": "5d19ade0", + "aggregation": 2, "override": { "2.0": { "id": "8697a1a4-82c6-4603-8ac8-57529756744e", "queryName": "Array Items Has No Type (v2)", - "descriptionText": "Schema/Parameter array items type should be defined", - "descriptionUrl": "https://swagger.io/specification/v2/#format" + "descriptionUrl": "https://swagger.io/specification/v2/#format", + "descriptionText": "Schema/Parameter array items type should be defined" } }, - "aggregation": 2, - "descriptionID": "5d19ade0" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json b/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json index d677264038a..bf7d603d7f3 100644 
--- a/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json @@ -6,14 +6,15 @@ "descriptionText": "Array schema should have the field 'maxItems' set", "descriptionUrl": "https://swagger.io/specification/#schema-object", "platform": "OpenAPI", + "descriptionID": "7389106d", + "aggregation": 2, "override": { "2.0": { "id": "99eb2c95-2040-4104-9e7c-e16f7474d218", "queryName": "Array Without Maximum Number of Items (v2)", - "descriptionText": "Array schema/parameter should have the field 'maxItems' set", - "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject" + "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject", + "descriptionText": "Array schema/parameter should have the field 'maxItems' set" } }, - "aggregation": 2, - "descriptionID": "7389106d" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json index d83a37535d2..4ca5817eb89 100644 --- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json +++ b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json 
@@ -6,13 +6,15 @@ "descriptionText": "API Keys should not be sent as cleartext over an unencrypted channel", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", + "descriptionID": "ecaad37f", + "aggregation": 2, "override": { "2.0": { "id": "70d3873e-d537-46e5-ac3b-4e48fbdd29b4", "queryName": "Cleartext API Key In Global Security (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject" + "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "ecaad37f" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json index 4c4ed5f0c8b..8e7d7b524e0 100644 --- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json +++ b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "API Keys should not be sent as cleartext over an unencrypted channel", "descriptionUrl": "https://swagger.io/specification/#security-scheme-object", "platform": "OpenAPI", + "descriptionID": "bc86897e", + "aggregation": 2, "override": { "2.0": { "id": "99733b39-6413-4ed8-8acf-dc7cdc9b4e51", "queryName": "Cleartext API Key In Operation Security (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject" + "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "bc86897e" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/default_invalid/metadata.json b/assets/queries/openAPI/general/default_invalid/metadata.json index 9f3176669bd..c50bf0d81a4 100644 
--- a/assets/queries/openAPI/general/default_invalid/metadata.json +++ b/assets/queries/openAPI/general/default_invalid/metadata.json @@ -6,14 +6,15 @@ "descriptionText": "The field 'default' of Schema Object should be consistent with the schema's type", "descriptionUrl": "https://swagger.io/specification/#schema-object", "platform": "OpenAPI", + "descriptionID": "18b2fb98", + "aggregation": 2, "override": { "2.0": { "id": "78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07", "queryName": "Default Invalid (v2)", - "descriptionText": "The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type", - "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject" + "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject", + "descriptionText": "The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type" } }, - "aggregation": 2, - "descriptionID": "18b2fb98" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json b/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json index 5bb8da2bee6..8f2a74179d5 100644 --- a/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json +++ b/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json 
@@ -6,13 +6,15 @@ "descriptionText": "Operations responses should have a default response defined", "descriptionUrl": "https://swagger.io/specification/#responses-object", "platform": "OpenAPI", + "descriptionID": "fcdbb44e", + "aggregation": 2, "override": { "2.0": { "id": "5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f", "queryName": "Default Response Undefined On Operations (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#responses-object" + "descriptionUrl": "https://swagger.io/specification/v2/#responses-object", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "fcdbb44e" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json index cf5e65f0618..a786c557f06 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json +++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "Examples values and fields should be compliant with the schema type", "descriptionUrl": "https://swagger.io/specification/#example-object", "platform": "OpenAPI", + "descriptionID": "484f0373", + "aggregation": 2, "override": { "2.0": { "id": "448db771-06ea-4dee-b48c-1689cbfb4b43", "queryName": "Example Not Compliant With Schema Type (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#example-object" + "descriptionUrl": "https://swagger.io/specification/v2/#example-object", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "484f0373" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/global_security_field_undefined/metadata.json b/assets/queries/openAPI/general/global_security_field_undefined/metadata.json index cf4dccd376d..526384b5f5e 100644 
--- a/assets/queries/openAPI/general/global_security_field_undefined/metadata.json +++ b/assets/queries/openAPI/general/global_security_field_undefined/metadata.json @@ -6,14 +6,15 @@ "descriptionText": "Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes", "descriptionUrl": "https://swagger.io/specification/#security-requirement-object", "platform": "OpenAPI", + "descriptionID": "25b129f1", + "aggregation": 2, "override": { "2.0": { "id": "74703c89-0ea2-49ab-a7db-bf04f19f5a57", "queryName": "Global Security Field Is Undefined (v2)", - "descriptionText": "Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions", - "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject" + "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject", + "descriptionText": "Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions" } }, - "aggregation": 2, - "descriptionID": "25b129f1" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json index 5ff1a0697e0..b390ceafd40 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json 
@@ -6,13 +6,15 @@ "descriptionText": "The header Parameter should not be named as 'Accept'. If so, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", + "descriptionID": "4067b4c1", + "aggregation": 2, "override": { "2.0": { "id": "3ddd74cc-6582-486c-8b0c-2b48cb38e0a3", "queryName": "Header Parameter Named as 'Accept' (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject" + "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "4067b4c1" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json index 3c9e8af3f9f..6607affb111 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "The header Parameter should not be named as 'Authorization'. If so, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", + "descriptionID": "daeb6e7b", + "aggregation": 2, "override": { "2.0": { "id": "e2e00c97-7171-4fb4-b461-d631df9a711c", "queryName": "Header Parameter Named as 'Authorization' (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject" + "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "daeb6e7b" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json index 6556f595cfe..28a7e89b654 100644 
--- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#parameter-object", "platform": "OpenAPI", + "descriptionID": "abd35d94", + "aggregation": 2, "override": { "2.0": { "id": "51978067-3b22-4c29-aaf3-96bf0bc28897", "queryName": "Header Parameter Named as 'Content-Type' (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject" + "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "abd35d94" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json b/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json index eeb3edcbbab..0a84e0dbfd9 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.", "descriptionUrl": "https://swagger.io/specification/#response-object", "platform": "OpenAPI", + "descriptionID": "a92faac1", + "aggregation": 2, "override": { "2.0": { "id": "86733e01-a435-4bd5-a8b0-5108be9dc1e4", "queryName": "Header Response Name Is Invalid (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#response-object" + "descriptionUrl": "https://swagger.io/specification/v2/#response-object", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "a92faac1" -} + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/openAPI/general/invalid_contact_email/metadata.json b/assets/queries/openAPI/general/invalid_contact_email/metadata.json index f646bcd9500..193efd8900a 100644 --- a/assets/queries/openAPI/general/invalid_contact_email/metadata.json +++ b/assets/queries/openAPI/general/invalid_contact_email/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "Contact Object Email should be a valid email", "descriptionUrl": "https://swagger.io/specification/#contact-object", "platform": "OpenAPI", + "descriptionID": "3380be54", + "aggregation": 2, "override": { "2.0": { "id": "d83bebc8-4e5e-4241-b783-cba9fb5a1c9a", "queryName": "Invalid Contact Email (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#contactObject" + "descriptionUrl": "https://swagger.io/specification/v2/#contactObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "3380be54" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_contact_url/metadata.json b/assets/queries/openAPI/general/invalid_contact_url/metadata.json index 417e1ea2042..5a5a16694db 100644 --- a/assets/queries/openAPI/general/invalid_contact_url/metadata.json +++ b/assets/queries/openAPI/general/invalid_contact_url/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "Contact Object URL should be a valid URL", "descriptionUrl": "https://swagger.io/specification/#contact-object", "platform": "OpenAPI", + "descriptionID": "f3097573", + "aggregation": 2, "override": { "2.0": { "id": "c7000383-16d0-4509-8cd3-585e5ea2e2f2", "queryName": "Invalid Contact URL (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/#contactObject" + "descriptionUrl": "https://swagger.io/specification/v2/#contactObject", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "f3097573" -} + "CWE": "" +} \ No newline at end of file 
diff --git a/assets/queries/openAPI/general/invalid_format/metadata.json b/assets/queries/openAPI/general/invalid_format/metadata.json index 16c49c97c50..9e72b5afe5d 100644 --- a/assets/queries/openAPI/general/invalid_format/metadata.json +++ b/assets/queries/openAPI/general/invalid_format/metadata.json @@ -6,13 +6,15 @@ "descriptionText": "The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double", "descriptionUrl": "https://swagger.io/docs/specification/data-models/data-types/", "platform": "OpenAPI", + "descriptionID": "b8284333", + "aggregation": 2, "override": { "2.0": { "id": "caf1793e-95dd-4b18-8d90-8f3c0ab5bddf", "queryName": "Invalid Format (v2)", - "descriptionUrl": "https://swagger.io/specification/v2/" + "descriptionUrl": "https://swagger.io/specification/v2/", + "descriptionText": "" } }, - "aggregation": 2, - "descriptionID": "b8284333" -} + "CWE": "" +} \ No newline at end of file diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json index 4e977b8a34b..193686eee0d 100644 --- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json +++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json 
@@ -6,13 +6,15 @@
 "descriptionText": "Global External Documentation URL should be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/#external-documentation-object",
 "platform": "OpenAPI",
+ "descriptionID": "7223516f",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "46d3b74d-9fe9-45bf-9e9e-efb7f701ee28",
 "queryName": "Invalid Global External Documentation URL (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "7223516f"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_license_url/metadata.json b/assets/queries/openAPI/general/invalid_license_url/metadata.json
index df97c72be90..12f668227e4 100644
--- a/assets/queries/openAPI/general/invalid_license_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_license_url/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "License Object URL should be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/#license-object",
 "platform": "OpenAPI",
+ "descriptionID": "d5d073df",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "de2b4910-8484-46d6-a055-dc1e793ee3ff",
 "queryName": "Invalid License URL (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#licenseObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#licenseObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "d5d073df"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json
index d5b6d8e78ce..7cb2ad64cb9 100644
--- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Operation External Documentation URL should be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/#external-documentation-object",
 "platform": "OpenAPI",
+ "descriptionID": "c705f09e",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "25635c31-ee32-4708-88e5-fced87516f51",
 "queryName": "Invalid Operation External Documentation URL (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "c705f09e"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json
index a71ed8ef765..1d112c40fdd 100644
--- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema External Documentation URL should be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/#external-documentation-object",
 "platform": "OpenAPI",
+ "descriptionID": "1628e080",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "f7fa95b7-d819-484c-9a2b-665dd1bba25e",
 "queryName": "Invalid Schema External Documentation URL (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "1628e080"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json
index d7747396c1e..51e81c1ad99 100644
--- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Tag External Documentation URL should be a valid URL",
 "descriptionUrl": "https://swagger.io/specification/#external-documentation-object",
 "platform": "OpenAPI",
+ "descriptionID": "921192fd",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "b4a7d925-738b-4219-99d9-87d6ee262a03",
 "queryName": "Invalid Tag External Documentation URL (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#externalDocumentationObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "921192fd"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/items_undefined/metadata.json b/assets/queries/openAPI/general/items_undefined/metadata.json
index 659ad1e40f9..23a8df82c71 100644
--- a/assets/queries/openAPI/general/items_undefined/metadata.json
+++ b/assets/queries/openAPI/general/items_undefined/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema/Parameter items should be defined when the schema/parameter is set to an array.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "0d3d1672",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "3e4d34d2-36cf-4449-976d-6c256db8fc49",
 "queryName": "Items Undefined (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "0d3d1672"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json b/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json
index aabb8fca7f7..2a37d95f89d 100644
--- a/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json
+++ b/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema of the JSON object should have properties defined and 'additionalProperties' set to false.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "1778714d",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "3d28f751-bc18-4f83-ace0-216b6086410b",
 "queryName": "JSON Object Schema Without Properties (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "1778714d"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json b/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json
index 511f2927807..47aeec27b2c 100644
--- a/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json
+++ b/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema of the JSON object should have 'type' defined.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "1822e1a7",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "62d52544-82ef-4b75-8308-cad49d50212b",
 "queryName": "JSON Object Schema Without Type (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "1822e1a7"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json b/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json
index e6144c48209..6afa9921d39 100644
--- a/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json
+++ b/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key",
 "descriptionUrl": "https://swagger.io/specification/#reference-object",
 "platform": "OpenAPI",
+ "descriptionID": "5616ac69",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "f34c1c68-4773-4df0-a103-6e2ca32e585f",
 "queryName": "JSON '$ref' alongside other properties (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#referenceObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#referenceObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "5616ac69"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/metadata.json b/assets/queries/openAPI/general/maximum_length_undefined/metadata.json
index 82c25a759da..a2adf667bc4 100644
--- a/assets/queries/openAPI/general/maximum_length_undefined/metadata.json
+++ b/assets/queries/openAPI/general/maximum_length_undefined/metadata.json
@@ -6,14 +6,15 @@
 "descriptionText": "String schema should have 'maxLength' defined.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "e470e664",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "2ec86e48-ab90-4cb6-a131-0502afd1f442",
 "queryName": "Maximum Length Undefined (v2)",
- "descriptionText": "String schema/parameter/header should have 'maxLength' defined.",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": "String schema/parameter/header should have 'maxLength' defined."
 }
 },
- "aggregation": 2,
- "descriptionID": "e470e664"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json
index 629517577d2..52ea8e6f172 100644
--- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json
+++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json
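Review bot: The two `descriptionText`/`descriptionUrl` lines in the 2.0 override are removed and re-added only to swap their order, and the top-level `aggregation`/`descriptionID` pair is moved for the same reason; this key-order churn is pure noise in review and in `git blame`, and it suggests the batch was produced by re-serializing the files rather than editing them. If a fixed key order is now a project convention, say so in the commit message and enforce it with a formatter so the next contributor does not undo it by hand. The one substantive addition, `"CWE": ""`, ships an empty placeholder; prefer omitting the key until a mapping exists, since an empty string is indistinguishable from a deliberate "no CWE" to downstream consumers. This file is also left without a trailing newline.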
@@ -6,13 +6,15 @@
 "descriptionText": "All paths should have security scheme, if it is omitted, global security field should be defined",
 "descriptionUrl": "https://swagger.io/specification/#security-requirement-object",
 "platform": "OpenAPI",
+ "descriptionID": "8ecf5376",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "586abcee-9653-462d-ad7b-2638a32bd6e6",
 "queryName": "No Global And Operation Security Defined (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#security-requirement-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#security-requirement-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "8ecf5376"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json b/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json
index 9b61693cd70..a8bab6c2118 100644
--- a/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json
+++ b/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Non-Array Schema should not have 'items' defined",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "b07dd27a",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "9d47956b-29cd-43b1-9e6e-b39a4d484353",
 "queryName": "Non-Array Schema With Items (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "b07dd27a"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json b/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json
index b2ccd121417..a68125d259c 100644
--- a/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json
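Review bot: An empty `"CWE": ""` costs more on this query than on the schema-hygiene checks in the same batch: its description says it fires when an operation has no security requirement and no global `security` is defined, i.e. an unauthenticated endpoint, which is exactly the class of finding that downstream reporting groups by weakness, so an empty string silently drops it from that grouping. Populate the identifier in the same change or omit the key rather than ship a placeholder. The added `"descriptionText": ""` in the 2.0 override should likewise be removed or carry the v2 wording, unless the loader is known to ignore empty override values; that behaviour is not visible in this hunk. The file also loses its trailing newline.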
+++ b/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Numeric schema (type set to 'integer' or 'number') should have 'format' defined.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "7fe69742",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "3ed8fc82-c2bb-49e0-811f-c53923674c49",
 "queryName": "Numeric Schema Without Format (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "7fe69742"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json
index 501d7e59ad6..204a2d0ed58 100644
--- a/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json
+++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "a18053cd",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "203eee11-15b6-4d47-b888-4c7f534967ee",
 "queryName": "Numeric Schema Without Maximum (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "a18053cd"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json
index db27217d3ff..a36504b4f52 100644
--- a/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json
+++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "c89c33d1",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "efd1dfc8-da91-4909-a3f3-c23abc5ec799",
 "queryName": "Numeric Schema Without Minimum (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "c89c33d1"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json
index 4031e00b2bb..ef7ef9378d3 100644
--- a/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json
+++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json
@@ -6,14 +6,15 @@
 "descriptionText": "Schema Object properties should not contain 'enum' and schema keywords",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "96b60dc9",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "7f15962a-d862-451c-ac9b-84ec13747aa6",
 "queryName": "Object Using Enum With Keyword (v2)",
- "descriptionText": "Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": "Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords"
 }
 },
- "aggregation": 2,
- "descriptionID": "96b60dc9"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/operation_id_not_unique/metadata.json b/assets/queries/openAPI/general/operation_id_not_unique/metadata.json
index 7775c5c0ac1..af82a567d22 100644
--- a/assets/queries/openAPI/general/operation_id_not_unique/metadata.json
+++ b/assets/queries/openAPI/general/operation_id_not_unique/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "OperationId should be unique when defined",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "940820bd",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "21245007-91c4-40e5-964e-40c85d1e5aa6",
 "queryName": "OperationId Not Unique (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operationObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operationObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "940820bd"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json
index 70cd262714d..3487264d57e 100644
--- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json
+++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Operation Object should have at least one successful HTTP status code defined",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "a452c68a",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2",
 "queryName": "Operation Without Successful HTTP Status Code (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operationObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operationObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "a452c68a"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json
index 2b64cd85f37..2261fe1d6db 100644
--- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json
+++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.",
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
+ "descriptionID": "0e053155",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "bd2cbef5-62c4-40f1-af07-4b7f9ced6616",
 "queryName": "Parameter Objects Headers With Duplicated Name (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "0e053155"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json
index ca9078497b2..23bd949beb1 100644
--- a/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json
+++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Parameters properties 'name' and 'in' should have unique combinations",
 "descriptionUrl": "https://swagger.io/specification/#parameters-object",
 "platform": "OpenAPI",
+ "descriptionID": "c55d0bc8",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "ab871897-ec02-4835-9818-702536ee1dda",
 "queryName": "Parameters Name In Combination Not Unique (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "c55d0bc8"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_ambiguous/metadata.json b/assets/queries/openAPI/general/path_ambiguous/metadata.json
index 149259a3c25..a51f12443d6 100644
--- a/assets/queries/openAPI/general/path_ambiguous/metadata.json
+++ b/assets/queries/openAPI/general/path_ambiguous/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "All path should be unique, if has more than one operation, all operations should be part of same Path Object",
 "descriptionUrl": "https://swagger.io/specification/#path-item-object",
 "platform": "OpenAPI",
+ "descriptionID": "41e6873a",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "b2468463-3ac4-4930-890c-f35b2bf4485d",
 "queryName": "Path Is Ambiguous (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#pathItemObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#pathItemObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "41e6873a"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_parameter_not_required/metadata.json b/assets/queries/openAPI/general/path_parameter_not_required/metadata.json
index 4252d158a20..83935d85f5b 100644
--- a/assets/queries/openAPI/general/path_parameter_not_required/metadata.json
+++ b/assets/queries/openAPI/general/path_parameter_not_required/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.",
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
+ "descriptionID": "977266c3",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "ccd0613f-cb77-4684-a892-183bd2674d12",
 "queryName": "Path Parameter Not Required (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "977266c3"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json
index 8cb2d9b31d7..719d75100a6 100644
--- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json
+++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "The path parameter must have a corresponding template path for a given operation",
 "descriptionUrl": "https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating",
 "platform": "OpenAPI",
+ "descriptionID": "c005cfeb",
 "aggregation": 2,
 "override": {
 "2.0": {
 "id": "194ef1f8-360e-4c14-8ed2-e83e2bafa142",
 "queryName": "Path Parameter With No Corresponding Template Path (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#pathTemplating"
+ "descriptionUrl": "https://swagger.io/specification/v2/#pathTemplating",
+ "descriptionText": ""
 }
 },
- "descriptionID": "c005cfeb"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_template_empty/metadata.json b/assets/queries/openAPI/general/path_template_empty/metadata.json
index 7927c946a2a..f82a6128db8 100644
--- a/assets/queries/openAPI/general/path_template_empty/metadata.json
+++ b/assets/queries/openAPI/general/path_template_empty/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "All path templates should not be empty",
 "descriptionUrl": "https://swagger.io/specification/#paths-object",
 "platform": "OpenAPI",
+ "descriptionID": "f4529c1f",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "c201b7ad-6173-4598-a407-5edb04a1bcd7",
 "queryName": "Path Template is Empty (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#pathsObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#pathsObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "f4529c1f"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_without_operation/metadata.json b/assets/queries/openAPI/general/path_without_operation/metadata.json
index 9453e17b340..6789dd15db6 100644
--- a/assets/queries/openAPI/general/path_without_operation/metadata.json
+++ b/assets/queries/openAPI/general/path_without_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Path object should have at least one operation object defined",
 "descriptionUrl": "https://swagger.io/specification/#path-item-object",
 "platform": "OpenAPI",
+ "descriptionID": "089453e7",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "609cd557-66b4-41fa-8edd-2abc6c7cfd08",
 "queryName": "Path Without Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#pathItemObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#pathItemObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "089453e7"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/paths_object_empty/metadata.json b/assets/queries/openAPI/general/paths_object_empty/metadata.json
index 25a333ee7f1..ef6ac1ff77b 100644
--- a/assets/queries/openAPI/general/paths_object_empty/metadata.json
+++ b/assets/queries/openAPI/general/paths_object_empty/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Paths object may be empty due to ACL constraints, meaning they are not exposed",
 "descriptionUrl": "https://swagger.io/specification/#paths-object",
 "platform": "OpenAPI",
+ "descriptionID": "0fee068b",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "3e6c7b1c-8a8d-43ab-98b9-65159f44db4a",
 "queryName": "Paths Object is Empty (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#pathsObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#pathsObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "0fee068b"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/pattern_undefined/metadata.json b/assets/queries/openAPI/general/pattern_undefined/metadata.json
index 4b8b89e4059..00593ebc0f6 100644
--- a/assets/queries/openAPI/general/pattern_undefined/metadata.json
+++ b/assets/queries/openAPI/general/pattern_undefined/metadata.json
@@ -6,14 +6,15 @@
 "descriptionText": "String schema should have 'pattern' defined.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "16f07413",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "afde15cf-9444-4126-8c62-41cd79db1d1d",
 "queryName": "Pattern Undefined (v2)",
- "descriptionText": "String schema/parameter/header should have 'pattern' defined.",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": "String schema/parameter/header should have 'pattern' defined."
 }
 },
- "aggregation": 2,
- "descriptionID": "16f07413"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/properties_missing_required_property/metadata.json b/assets/queries/openAPI/general/properties_missing_required_property/metadata.json
index b7c542dc75a..4c9165ff761 100644
--- a/assets/queries/openAPI/general/properties_missing_required_property/metadata.json
+++ b/assets/queries/openAPI/general/properties_missing_required_property/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema Object should have all required properties defined",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "c5c91b2f",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "71beb6ab-8b70-4816-a9ac-a0ff1fb22a62",
 "queryName": "Properties Missing Required Property (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "c5c91b2f"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json
index 251abb17c8e..8c3d2e44d3f 100644
--- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json
+++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Property 'allowEmptyValue' should be only defined for query parameters and formData parameters",
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
+ "descriptionID": "37e0c585",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "0bc1477d-0922-478b-ae16-674a7634a1a8",
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "37e0c585"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json
index f22cb1784f2..7b1dabdeef7 100644
--- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json
+++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Property defining minimum has greater value than maximum defined",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "48eeea37",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "b5102ea9-6527-4bb7-94fc-9b4076150e55",
 "queryName": "Property Defining Minimum Greater Than Maximum (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "48eeea37"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/required_property_default_value/metadata.json b/assets/queries/openAPI/general/required_property_default_value/metadata.json
index 989b80c3ad8..15093dd3135 100644
--- a/assets/queries/openAPI/general/required_property_default_value/metadata.json
+++ b/assets/queries/openAPI/general/required_property_default_value/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Required properties receive value from requests, which makes unnecessary declare a default value",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "84476388",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "f7ab6c83-ef89-40e1-8a99-32e2599fb665",
 "queryName": "Required Property With Default Value (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "84476388"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/response_code_missing/metadata.json b/assets/queries/openAPI/general/response_code_missing/metadata.json
index fd1316bc853..fca65e3b83f 100644
--- a/assets/queries/openAPI/general/response_code_missing/metadata.json
+++ b/assets/queries/openAPI/general/response_code_missing/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "dbf15009",
+ "aggregation": 16,
 "override": {
 "2.0": {
 "id": "6e96ed39-bf45-4089-99ba-f1fe7cf6966f",
 "queryName": "Response Code Missing (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 16,
- "descriptionID": "dbf15009"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
index 68359f2794e..36625b9f88d 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
@@ -6,6 +6,8 @@
 "descriptionText": "If a response is head or its code is 204 or 304, it shouldn't have a content defined",
 "descriptionUrl": "https://swagger.io/docs/specification/describing-responses/",
 "platform": "OpenAPI",
+ "descriptionID": "309e8e76",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "268defd2-2839-4e15-8cbc-de86eb38c231",
@@ -14,6 +16,5 @@
 "descriptionText": "If a response is head or its code is 204 or 304, it shouldn't have a schema defined"
 }
 },
- "aggregation": 2,
- "descriptionID": "309e8e76"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json
index 2a910f83525..4bb9a9bcf04 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "If a response is not head or its code is not 204 or 304, it should have a schema defined",
 "descriptionUrl": "https://swagger.io/docs/specification/describing-responses/",
 "platform": "OpenAPI",
+ "descriptionID": "eaff445e",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "31afbcb7-70e0-48bb-a31a-3374f95cf859",
 "queryName": "Response on operations that should have a body has undefined schema (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#responses-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#responses-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "eaff445e"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/responses_object_is_empty/metadata.json b/assets/queries/openAPI/general/responses_object_is_empty/metadata.json
index 94309f2d326..eca497b1a33 100644
--- a/assets/queries/openAPI/general/responses_object_is_empty/metadata.json
+++ b/assets/queries/openAPI/general/responses_object_is_empty/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Responses Object should not be empty",
 "descriptionUrl": "https://swagger.io/specification/#responses-object",
 "platform": "OpenAPI",
+ "descriptionID": "5c40b3e8",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "6172e7ab-d2b7-45f8-a7db-1603931d8ba3",
 "queryName": "Responses Object Is Empty (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#responsesObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#responsesObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "5c40b3e8"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json
index c9876f0db5b..ac42b2d32b6 100644
--- a/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json
+++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "HTTP Responses status code should be in range of [200-599]",
 "descriptionUrl": "https://swagger.io/specification/#responses-object",
 "platform": "OpenAPI",
+ "descriptionID": "66f7a90d",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "069a5378-2091-43f0-aa3b-ee8f20996e99",
 "queryName": "Responses With Wrong HTTP Status Code (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "66f7a90d"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json
index 6f10ff8647e..a50973c752c 100644
--- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json
+++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema discriminator values should match defined properties.",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "f075e83d",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "addc0eab-27f6-4c26-8526-d2ccd3732662",
 "queryName": "Schema Discriminator Mismatch Defined Properties (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "f075e83d"
-}
+ "CWE": ""
+}
\ No newline at end of file
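Review bot: The v2 override's `descriptionUrl` in responses_wrong_http_status_code is re-emitted on the new side still pointing at `https://swagger.io/specification/v2/#parameterObject`, which is the Parameter Object section, while this query is about response status codes and the sibling responses_object_is_empty hunk anchors its v2 link at `#responsesObject`. Since the line is being rewritten anyway, consider `"descriptionUrl": "https://swagger.io/specification/v2/#responsesObject",` so the remediation link lands on the relevant section. The v3 link two lines above already uses `#responses-object`, so only the override looks out of step.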
diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json b/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json
index 863821d1fe8..29274f76e02 100644
--- a/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json
+++ b/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "The discriminator property in the Schema Object should be a required property",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "ad9474eb",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "be6a3722-af60-438c-b1b9-2a03e2958ab7",
 "queryName": "Schema Discriminator Not Required (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "ad9474eb"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json
index b1c46afe393..516a83224da 100644
--- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json
+++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema discriminator property should be a string",
 "descriptionUrl": "https://swagger.io/specification/#discriminator-object",
 "platform": "OpenAPI",
+ "descriptionID": "201104fd",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "949376f1-f560-4c6d-a016-63424ca931bb",
 "queryName": "Schema Discriminator Property Not String (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "201104fd"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_enum_invalid/metadata.json b/assets/queries/openAPI/general/schema_enum_invalid/metadata.json
index fa49899bf0e..7c938359bc4 100644
--- a/assets/queries/openAPI/general/schema_enum_invalid/metadata.json
+++ b/assets/queries/openAPI/general/schema_enum_invalid/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "The field 'enum' of Schema Object should be consistent with the schema's type",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "b8ac8ff9",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "8fe6d18a-ad4c-4397-8884-e3a9da57f4c9",
 "queryName": "Schema Enum Invalid (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "b8ac8ff9"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_object_empty/metadata.json b/assets/queries/openAPI/general/schema_object_empty/metadata.json
index a0fb24f5ed2..5903175cc12 100644
--- a/assets/queries/openAPI/general/schema_object_empty/metadata.json
+++ b/assets/queries/openAPI/general/schema_object_empty/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "The Schema Object should not be empty to avoid accepting any JSON values",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "561c9140",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "967575e5-eb44-4c24-aadb-7e33608ed30a",
 "queryName": "Schema Object is Empty (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "561c9140"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json
index a0457a888ff..7ab49bfb2d7 100644
--- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json
+++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "898b0e0a",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "ded017bf-fb13-4f8d-868b-84aebcc572ad",
 "queryName": "Schema Object Properties With Duplicated Keys (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "898b0e0a"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json b/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json
index caa7083a7a4..964a74fa5e9 100644
--- a/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json
+++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "f95d553b",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "cbff2508-85c9-4448-a8b3-770070edf5ca",
 "queryName": "Schema Object With Circular Ref (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#definitionsObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#definitionsObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "f95d553b"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json b/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json
index b66094db471..46afa431b69 100644
--- a/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json
+++ b/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Schema Object should not be have a required property that is not defined on properties",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "35016950",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "811762c8-2e99-4f70-88f9-a63875a953b1",
 "queryName": "Schema Has A Required Property Undefined (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "35016950"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_empty_array/metadata.json b/assets/queries/openAPI/general/security_empty_array/metadata.json
index 9448cd64349..945ab55ceeb 100644
--- a/assets/queries/openAPI/general/security_empty_array/metadata.json
+++ b/assets/queries/openAPI/general/security_empty_array/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Security object need to have defined rules in its array and rules should be defined on securityScheme",
 "descriptionUrl": "https://swagger.io/specification/#security-requirement-object",
 "platform": "OpenAPI",
+ "descriptionID": "28d95589",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "da31d54b-ad54-41dc-95eb-8b3828629213",
 "queryName": "Global Security Field Has An Empty Array (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#security-requirement-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#security-requirement-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "28d95589"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_empty_object_definition/metadata.json b/assets/queries/openAPI/general/security_empty_object_definition/metadata.json
index c27ac47f071..8645bbedb25 100644
--- a/assets/queries/openAPI/general/security_empty_object_definition/metadata.json
+++ b/assets/queries/openAPI/general/security_empty_object_definition/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Global security definition must not have empty objects",
 "descriptionUrl": "https://swagger.io/specification/#security-requirement-object",
 "platform": "OpenAPI",
+ "descriptionID": "e2c89bd7",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "292919fb-7b26-4454-bee9-ce29094768dd",
 "queryName": "Global security field has an empty object (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#security-requirement-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#security-requirement-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "e2c89bd7"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_operations_empty_array/metadata.json b/assets/queries/openAPI/general/security_operations_empty_array/metadata.json
index f80b1b5cbca..a2d39b58b02 100644
--- a/assets/queries/openAPI/general/security_operations_empty_array/metadata.json
+++ b/assets/queries/openAPI/general/security_operations_empty_array/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "f2d6f7fc",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "5d29effc-5d68-481f-9721-d74e5919226b",
 "queryName": "Security Field On Operations Has An Empty Array (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "f2d6f7fc"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json
index 12064f89247..83c97df484e 100644
--- a/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json
+++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Security object for operations should not be empty object or has any empty object definition",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "05dcdd12",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "74581e3b-1d55-4323-a139-5959a7b3abc5",
 "queryName": "Security Field On Operations Has An Empty Object Definition (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "05dcdd12"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json
index 53836b06517..aeebe4a29e2 100644
--- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json
+++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "String schema should restrict the pattern",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "b1ea7a03",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "e4a019f0-9af3-49c8-bf68-1939a6ff240d",
 "queryName": "String Schema with Broad Pattern (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#schema-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "b1ea7a03"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
index 6261225f147..45564a3f8ad 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Delete should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "b24ceff4",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "ad432855-b7fb-4429-92a3-93b5ce34f0b1",
 "queryName": "Success Response Code Undefined for Delete Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "b24ceff4"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
index 853229ce547..12919c771f7 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Get should define at least one success response (200 or 202)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "dd31a235",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "9b633f3b-c94b-4fbb-a65b-1a4e9134fb63",
 "queryName": "Success Response Code Undefined for Get Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "dd31a235"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
index 885ce08da9d..d6fcbf26514 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Head should define at least one success response (200 or 202)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "854a1fe4",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a",
 "queryName": "Success Response Code Undefined for Head Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "854a1fe4"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
index 0d15cdd9397..c3804058f82 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Patch should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "6e740836",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "f36e87cc-a209-4f37-8571-66833e4aead7",
 "queryName": "Success Response Code Undefined for Patch Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "6e740836"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
index 072d403e484..8cebc20ad4c 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Post should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "a268f2bd",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "9fedee41-2e6d-4091-b011-4a16b4c18c70",
 "queryName": "Success Response Code Undefined for Post Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "a268f2bd"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
index df5c7ff2538..8867fb6ac74 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "Put should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
+ "descriptionID": "4929871f",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "965a043f-5f3c-4d0a-be72-d9ce12fdb4d6",
 "queryName": "Success Response Code Undefined for Put Operation (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#operation-object"
+ "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "4929871f"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json
index d08b4d508a9..9c70e9ecd2c 100644
--- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json
+++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json
@@ -6,13 +6,15 @@
 "descriptionText": "The template path must have a corresponding path parameter for a given operation",
 "descriptionUrl": "https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating",
 "platform": "OpenAPI",
+ "descriptionID": "e6368373",
+ "aggregation": 2,
 "override": {
 "2.0": {
 "id": "e7656d8d-7288-4bbe-b07b-22b389be75ce",
 "queryName": "Template Path With No Corresponding Path Parameter (v2)",
- "descriptionUrl": "https://github.com/OAI/OpenAPI-Specification/blob/main/versions/2.0.md#path-templating"
+ "descriptionUrl": "https://github.com/OAI/OpenAPI-Specification/blob/main/versions/2.0.md#path-templating",
+ "descriptionText": ""
 }
 },
- "aggregation": 2,
- "descriptionID": "e6368373"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json b/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json
index 7e33d1e0e7a..92780718c0e 100644
--- a/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json
+++ b/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json
@@ -6,14 +6,15 @@
 "descriptionText": "Schema Object define type should not use a keyword of another type",
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
+ "descriptionID": "d7b8c860",
+ "aggregation": 4,
 "override": {
 "2.0": {
 "id": "492c6cbb-f3f8-4807-aa4f-42b8b1c46b59",
 "queryName": "Type Has Invalid Keyword (v2)",
- "descriptionText": "Schema/Parameter/Header Object define type should not use a keyword of another type",
- "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject"
+ "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
+ "descriptionText": "Schema/Parameter/Header Object define type should not use a keyword of another type"
 }
 },
- "aggregation": 4,
- "descriptionID": "d7b8c860"
-}
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json
index c2740f7046f..4711e8f5254 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json
@@ -1,12 +1,13 @@
 {
- "id": "2ae9d554-23fb-4065-bfd1-fe43d5f7c419",
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "category": "Networking and Firewall",
- "descriptionText": "A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol",
- "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range",
- "platform": "Terraform",
- "aggregation": 63,
- "descriptionID": "717c49e0",
- "cloudProvider": "alicloud"
- }
+ "id": "2ae9d554-23fb-4065-bfd1-fe43d5f7c419",
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "category": "Networking and Firewall",
+ "descriptionText": "A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol",
+ "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range",
+ "platform": "Terraform",
+ "descriptionID": "717c49e0",
+ "aggregation": 63,
+ "cloudProvider": "alicloud",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json
index 83ceb1c1f2c..07e02c99e14 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json
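Review bot: The public_security_group_rule_sensitive_port file is re-serialized wholesale (every field line is removed and re-added, and the old indented `- }` becomes `+}`) and, like every other rewritten metadata.json in this change, it now ends with `\ No newline at end of file`, which points to the generating tool writing the JSON without a final newline. Most editors and formatters will put the newline back on the next touch, so each of these files is likely to reappear in a later diff for no semantic reason. Emitting a trailing newline from the tool, or running its output through the repository's usual JSON formatter, would keep the diff to the intended `descriptionID`/`aggregation` reorder and the new `"CWE": ""` line; the same note applies to every hunk in this change that ends with that marker.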
@@ -6,7 +6,8 @@
 "descriptionText": "A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
 "platform": "Terraform",
- "aggregation": 63,
 "descriptionID": "5be78364",
- "cloudProvider": "aws"
-}
+ "aggregation": 63,
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json
index c50ed182ded..e4914f0d324 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json
@@ -6,7 +6,8 @@
 "descriptionText": "A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
 "platform": "Terraform",
- "aggregation": 63,
 "descriptionID": "9ea13a71",
- "cloudProvider": "aws"
-}
+ "aggregation": 63,
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json
index 6cd8e6133df..f6aea9628cc 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json
@@ -6,7 +6,8 @@
  "descriptionText": "A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol",
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
  "platform": "Terraform",
- "aggregation": 63,
  "descriptionID": "127a32be",
- "cloudProvider": "aws"
-}
+ "aggregation": 63,
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json
index 197b15447ff..300b11c96d0 100644
--- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json
@@ -6,7 +6,8 @@
  "descriptionText": "AWS Workspaces Workspace data stored in volumes should be encrypted",
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace#root_volume_encryption_enabled",
  "platform": "Terraform",
- "aggregation": 2,
  "descriptionID": "e3f9c7a9",
- "cloudProvider": "aws"
-}
+ "aggregation": 2,
+ "cloudProvider": "aws",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
index cd773f44184..3d85b107a05 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
@@ -6,7 +6,8 @@
  "descriptionText": "A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol",
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule",
  "platform": "Terraform",
- "aggregation": 63,
  "descriptionID": "a5d60df9",
- "cloudProvider": "azure"
-}
+ "aggregation": 63,
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json
index 2a181f230de..6e8c66ce1bc 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json
@@ -6,7 +6,8 @@
  "descriptionText": "A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol",
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule",
  "platform": "Terraform",
- "aggregation": 63,
  "descriptionID": "c09ca1eb",
- "cloudProvider": "azure"
-}
+ "aggregation": 63,
+ "cloudProvider": "azure",
+ "CWE": ""
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json
index 6b01748b7d3..448c27dbbec 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json
@@ -6,7 +6,8 @@ "descriptionText": "A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule", "platform": "Terraform", - "aggregation": 63, "descriptionID": "6b1bfbd5", - "cloudProvider": "azure" -} + "aggregation": 63, + "cloudProvider": "azure", + "CWE": "" +} \ No newline at end of file From bf724cc3f6527033a66fa916ec9bd28e0b4c4d92 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Mon, 18 Dec 2023 11:50:24 +0000 Subject: [PATCH 312/379] Fix metrics script, add buildah and cicd --- .github/scripts/metrics/get_metrics.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/scripts/metrics/get_metrics.py b/.github/scripts/metrics/get_metrics.py index 5c6b1428edf..7dff453976e 100644 --- a/.github/scripts/metrics/get_metrics.py +++ b/.github/scripts/metrics/get_metrics.py @@ -9,6 +9,8 @@ queries_path = { 'ansible': os.path.join(queries_basepath, 'ansible', '**', '*'), 'azureresourcemanager': os.path.join(queries_basepath, 'azureResourceManager', '*'), + 'buildah': os.path.join(queries_basepath, 'buildah', '*'), + 'cicd': os.path.join(queries_basepath, 'cicd', '**', '*'), 'cloudformation': os.path.join(queries_basepath, 'cloudFormation', '**', '*'), 'openapi': os.path.join(queries_basepath, 'openAPI', '**', '*'), 'crossplane': os.path.join(queries_basepath, 'crossplane',"**" ,'*'), @@ -22,10 +24,12 @@ 'dockerCompose': os.path.join(queries_basepath, 'dockerCompose', '*'), 'pulumi': os.path.join(queries_basepath, 'pulumi', "**", '*'), 'serverlessFW': os.path.join(queries_basepath, 'serverlessFW', '*'), - } + samples_ext = { 'azureresourcemanager': ['json'], + 'buildah': ['sh'], + 'cicd': ['yaml'], 'cloudformation': ['yaml', 'json'], 'crossplane': ['yaml'], 'openapi': ['yaml', 'json'], From 12836be31c12daac5e879af5645ff883ce100e2b Mon Sep 17 00:00:00 2001 
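Review bot: The new `buildah` and `cicd` keys are added to both `queries_path` and `samples_ext`, but nothing in the file says the two dicts must stay aligned, and a platform present in one but not the other would presumably only surface as a lookup failure at run time; a one-line comment above `queries_path` would make the contract explicit: `# Every platform key here needs a matching entry in samples_ext below.` The second hunk also removes the indented `    }` that closed `queries_path` and adds a blank line in its place, and as rendered no replacement brace is visible; the hunk line counts do not match the visible lines, so the closing brace is presumably a context line lost in rendering, but a quick `python -m py_compile .github/scripts/metrics/get_metrics.py` would settle it. Both dicts start or end outside the visible hunks.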
From: Artur Ribeiro
Date: Mon, 18 Dec 2023 15:16:16 +0000
Subject: [PATCH 313/379] Added CWE item to metadata-schema properties
---
 .github/scripts/queries-validator/metadata-schema.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
index d9c0f517802..2fc0e1c20e1 100644
--- a/.github/scripts/queries-validator/metadata-schema.json
+++ b/.github/scripts/queries-validator/metadata-schema.json
@@ -146,6 +146,9 @@
 "enum": [
 "true"
 ]
+ },
+ "CWE": {
+ "type": "string"
 }
 }
 }
From bf21d82f36e32682610f13f882c10a4dd5090640 Mon Sep 17 00:00:00 2001
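Review bot: `"type": "string"` alone accepts the empty placeholder `"CWE": ""` that the companion metadata commits write into every query, so the validator cannot distinguish a filled-in CWE from an unfilled one. If the intent is to catch unfilled or malformed entries, constrain the value — e.g. `"CWE": { "type": "string", "pattern": "^[0-9]+$" }`, assuming the field is meant to hold the bare numeric CWE id (confirm the intended format) — or at least `"minLength": 1`; while the placeholders still exist an allow-empty pattern such as `"^[0-9]*$"` would reject typos without breaking the tree. Whether `CWE` is also listed in the schema's `required` array is outside this hunk.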
From: Artur Ribeiro Date: Tue, 19 Dec 2023 11:46:50 +0000 Subject: [PATCH 314/379] Fixed typo with CWE capitalization on metadata.json and metadata-schema.json --- .github/scripts/queries-validator/metadata-schema.json | 2 +- assets/queries/ansible/aws/alb_listening_on_http/metadata.json | 2 +- assets/queries/ansible/aws/ami_not_encrypted/metadata.json | 2 +- .../ansible/aws/ami_shared_with_multiple_accounts/metadata.json | 2 +- .../api_gateway_endpoint_config_is_not_private/metadata.json | 2 +- .../api_gateway_with_cloudwatch_logging_disabled/metadata.json | 2 +- .../aws/api_gateway_without_configured_authorizer/metadata.json | 2 +- .../aws/api_gateway_without_ssl_certificate/metadata.json | 2 +- .../queries/ansible/aws/api_gateway_without_waf/metadata.json | 2 +- .../queries/ansible/aws/api_gateway_xray_disabled/metadata.json | 2 +- .../ansible/aws/authentication_without_mfa/metadata.json | 2 +- .../aws/auto_scaling_group_with_no_associated_elb/metadata.json | 2 +- .../ansible/aws/automatic_minor_upgrades_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ca_certificate_identifier_is_outdated/metadata.json | 2 +- .../ansible/aws/cdn_configuration_is_missing/metadata.json | 2 +- .../queries/ansible/aws/certificate_has_expired/metadata.json | 2 +- .../aws/certificate_rsa_key_bytes_lower_than_256/metadata.json | 2 +- .../ansible/aws/cloudfront_logging_disabled/metadata.json | 2 +- .../cloudfront_without_minimum_protocol_tls_1.2/metadata.json | 2 +- assets/queries/ansible/aws/cloudfront_without_waf/metadata.json | 2 +- .../aws/cloudtrail_log_file_validation_disabled/metadata.json | 2 +- .../cloudtrail_log_files_not_encrypted_with_kms/metadata.json | 2 +- .../ansible/aws/cloudtrail_logging_disabled/metadata.json | 2 +- .../ansible/aws/cloudtrail_multi_region_disabled/metadata.json | 2 +- .../aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json | 2 +- .../aws/cloudtrail_sns_topic_name_undefined/metadata.json | 2 +- 
.../cloudwatch_without_retention_period_specified/metadata.json | 2 +- assets/queries/ansible/aws/cmk_is_unusable/metadata.json | 2 +- assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json | 2 +- .../queries/ansible/aws/codebuild_not_encrypted/metadata.json | 2 +- .../metadata.json | 2 +- .../config_rule_for_encrypted_volumes_is_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../ansible/aws/db_instance_storage_not_encrypted/metadata.json | 2 +- .../aws/db_security_group_open_to_large_scope/metadata.json | 2 +- .../aws/db_security_group_with_public_scope/metadata.json | 2 +- .../metadata.json | 2 +- .../ansible/aws/ebs_volume_encryption_disabled/metadata.json | 2 +- .../ansible/aws/ec2_group_has_public_interface/metadata.json | 2 +- .../ansible/aws/ec2_instance_has_public_ip/metadata.json | 2 +- .../aws/ec2_instance_using_default_security_group/metadata.json | 2 +- .../ansible/aws/ec2_instance_using_default_vpc/metadata.json | 2 +- assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json | 2 +- .../ansible/aws/ecr_image_tag_not_immutable/metadata.json | 2 +- .../aws/ecr_repository_is_publicly_accessible/metadata.json | 2 +- .../ansible/aws/ecs_service_admin_role_is_present/metadata.json | 2 +- .../ansible/aws/ecs_service_without_running_tasks/metadata.json | 2 +- .../metadata.json | 2 +- .../ecs_task_definition_with_plaintext_password/metadata.json | 2 +- assets/queries/ansible/aws/efs_not_encrypted/metadata.json | 2 +- assets/queries/ansible/aws/efs_without_kms/metadata.json | 2 +- assets/queries/ansible/aws/efs_without_tags/metadata.json | 2 +- .../ansible/aws/elasticache_using_default_port/metadata.json | 2 +- .../queries/ansible/aws/elasticache_without_vpc/metadata.json | 2 +- .../ansible/aws/elasticsearch_with_https_disabled/metadata.json | 2 +- .../ansible/aws/elb_using_insecure_protocols/metadata.json | 2 +- assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json | 2 +- 
.../queries/ansible/aws/hardcoded_aws_access_key/metadata.json | 2 +- .../aws/hardcoded_aws_access_key_in_lambda/metadata.json | 2 +- .../ansible/aws/http_port_open_to_internet/metadata.json | 2 +- .../queries/ansible/aws/iam_access_key_is_exposed/metadata.json | 2 +- .../ansible/aws/iam_database_auth_not_enabled/metadata.json | 2 +- .../queries/ansible/aws/iam_group_without_users/metadata.json | 2 +- .../aws/iam_password_without_lowercase_letter/metadata.json | 2 +- .../aws/iam_password_without_minimum_length/metadata.json | 2 +- .../ansible/aws/iam_password_without_number/metadata.json | 2 +- .../aws/iam_password_without_uppercase_letter/metadata.json | 2 +- .../ansible/aws/iam_policies_attached_to_user/metadata.json | 2 +- .../ansible/aws/iam_policies_with_full_privileges/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/iam_policy_grants_full_permissions/metadata.json | 2 +- .../aws/iam_role_allows_all_principals_to_assume/metadata.json | 2 +- assets/queries/ansible/aws/instance_with_no_vpc/metadata.json | 2 +- .../ansible/aws/kinesis_not_encrypted_with_kms/metadata.json | 2 +- .../ansible/aws/kms_key_with_full_permissions/metadata.json | 2 +- .../ansible/aws/lambda_function_without_tags/metadata.json | 2 +- .../aws/lambda_functions_without_x-ray_tracing/metadata.json | 2 +- .../ansible/aws/lambda_permission_misconfigured/metadata.json | 2 +- .../aws/lambda_permission_principal_is_wildcard/metadata.json | 2 +- .../aws/launch_configuration_is_not_encrypted/metadata.json | 2 +- assets/queries/ansible/aws/memcached_disabled/metadata.json | 2 +- .../aws/misconfigured_password_policy_expiration/metadata.json | 2 +- assets/queries/ansible/aws/no_stack_policy/metadata.json | 2 +- .../ansible/aws/password_without_reuse_prevention/metadata.json | 2 +- .../ansible/aws/public_lambda_via_api_gateway/metadata.json | 2 +- assets/queries/ansible/aws/public_port_wide/metadata.json | 2 +- .../ansible/aws/rds_associated_with_public_subnet/metadata.json | 2 +- 
.../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +- assets/queries/ansible/aws/rds_using_default_port/metadata.json | 2 +- .../queries/ansible/aws/rds_with_backup_disabled/metadata.json | 2 +- assets/queries/ansible/aws/redis_not_compliant/metadata.json | 2 +- assets/queries/ansible/aws/redshift_not_encrypted/metadata.json | 2 +- .../ansible/aws/redshift_publicly_accessible/metadata.json | 2 +- .../ansible/aws/redshift_using_default_port/metadata.json | 2 +- .../queries/ansible/aws/remote_desktop_port_open/metadata.json | 2 +- .../aws/root_account_has_active_access_keys/metadata.json | 2 +- .../queries/ansible/aws/route53_record_undefined/metadata.json | 2 +- .../ansible/aws/s3_bucket_access_to_any_principal/metadata.json | 2 +- .../aws/s3_bucket_acl_allows_read_to_all_users/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../ansible/aws/s3_bucket_logging_disabled/metadata.json | 2 +- assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json | 2 +- .../ansible/aws/s3_bucket_with_all_permissions/metadata.json | 2 +- .../ansible/aws/s3_bucket_with_public_access/metadata.json | 2 +- .../aws/s3_bucket_with_unsecured_cors_rule/metadata.json | 2 +- .../aws/s3_bucket_without_server-side_encryption/metadata.json | 2 +- .../ansible/aws/s3_bucket_without_versioning/metadata.json | 2 +- .../queries/ansible/aws/secure_ciphers_disabled/metadata.json | 2 +- .../aws/security_group_ingress_not_restricted/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ses_policy_with_allowed_iam_actions/metadata.json | 2 +- .../ansible/aws/sns_topic_is_publicly_accessible/metadata.json | 2 +- .../metadata.json | 2 +- .../ansible/aws/sqs_policy_allows_all_actions/metadata.json | 2 +- .../ansible/aws/sqs_policy_with_public_access/metadata.json | 2 +- assets/queries/ansible/aws/sqs_queue_exposed/metadata.json | 2 +- assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json | 
2 +- .../ansible/aws/stack_notifications_disabled/metadata.json | 2 +- .../queries/ansible/aws/stack_retention_disabled/metadata.json | 2 +- assets/queries/ansible/aws/stack_without_template/metadata.json | 2 +- .../ansible/aws/unknown_port_exposed_to_internet/metadata.json | 2 +- .../aws/unrestricted_security_group_ingress/metadata.json | 2 +- .../aws/user_data_contains_encoded_private_key/metadata.json | 2 +- .../ansible/aws/user_data_shell_script_is_encoded/metadata.json | 2 +- .../aws/viewer_protocol_policy_allows_http/metadata.json | 2 +- .../aws/vulnerable_default_ssl_certificate/metadata.json | 2 +- .../azure/ad_admin_not_configured_for_sql_server/metadata.json | 2 +- .../admin_user_enabled_for_container_registry/metadata.json | 2 +- .../ansible/azure/aks_monitoring_logging_disabled/metadata.json | 2 +- .../azure/aks_network_policy_misconfigured/metadata.json | 2 +- assets/queries/ansible/azure/aks_rbac_disabled/metadata.json | 2 +- .../azure/azure_container_registry_with_no_locks/metadata.json | 2 +- .../azure_instance_using_basic_authentication/metadata.json | 2 +- .../cosmosdb_account_ip_range_filter_not_set/metadata.json | 2 +- .../ansible/azure/cosmosdb_account_without_tags/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../azure/key_vault_soft_delete_is_disabled/metadata.json | 2 +- .../ansible/azure/log_retention_is_not_set/metadata.json | 2 +- .../monitoring_log_profile_without_all_activities/metadata.json | 2 +- .../ansible/azure/mysql_ssl_connection_disabled/metadata.json | 2 +- .../azure/postgre_sql_log_checkpoints_disabled/metadata.json | 2 +- .../azure/postgre_sql_log_connections_not_set/metadata.json | 2 +- .../azure/postgre_sql_log_duration_not_set/metadata.json | 2 +- .../metadata.json | 2 +- .../azure/postgresql_log_disconnections_not_set/metadata.json | 2 +- .../queries/ansible/azure/public_storage_account/metadata.json | 2 +- .../azure/redis_cache_allows_non_ssl_connections/metadata.json | 2 +- 
.../ansible/azure/redis_entirely_accessible/metadata.json | 2 +- .../ansible/azure/redis_publicly_accessible/metadata.json | 2 +- .../role_definition_allows_custom_role_creation/metadata.json | 2 +- .../azure/security_group_is_not_configured/metadata.json | 2 +- .../sensitive_port_is_exposed_to_entire_network/metadata.json | 2 +- .../azure/small_activity_log_retention_period/metadata.json | 2 +- .../ansible/azure/sql_server_ingress_from_any_ip/metadata.json | 2 +- .../metadata.json | 2 +- .../sql_server_predictable_admin_account_name/metadata.json | 2 +- .../queries/ansible/azure/ssl_enforce_is_disabled/metadata.json | 2 +- .../azure/storage_account_not_forcing_https/metadata.json | 2 +- .../metadata.json | 2 +- .../storage_container_is_publicly_accessible/metadata.json | 2 +- .../azure/trusted_microsoft_services_not_enabled/metadata.json | 2 +- .../ansible/azure/unrestricted_sql_server_acess/metadata.json | 2 +- .../ansible/azure/vm_not_attached_to_network/metadata.json | 2 +- .../waf_is_disabled_for_azure_application_gateway/metadata.json | 2 +- .../web_app_accepting_traffic_other_than_https/metadata.json | 2 +- .../ansible/config/allow_unsafe_lookups_enabled/metadata.json | 2 +- .../ansible/config/communication_over_http/metadata.json | 2 +- .../ansible/config/logging_of_sensitive_data/metadata.json | 2 +- .../privilege_escalation_using_become_plugin/metadata.json | 2 +- .../ansible/gcp/bigquery_dataset_is_public/metadata.json | 2 +- .../ansible/gcp/client_certificate_disabled/metadata.json | 2 +- .../queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../gcp/cloud_storage_bucket_logging_not_enabled/metadata.json | 2 +- .../gcp/cloud_storage_bucket_versioning_disabled/metadata.json | 2 +- .../queries/ansible/gcp/cluster_labels_disabled/metadata.json | 2 +- .../gcp/cluster_master_authentication_disabled/metadata.json | 2 +- 
.../gcp/compute_instance_is_publicly_accessible/metadata.json | 2 +- .../queries/ansible/gcp/cos_node_image_not_used/metadata.json | 2 +- .../queries/ansible/gcp/disk_encryption_disabled/metadata.json | 2 +- assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json | 2 +- .../ansible/gcp/gke_basic_authentication_enabled/metadata.json | 2 +- .../ansible/gcp/gke_legacy_authorization_enabled/metadata.json | 2 +- .../gcp/gke_master_authorized_networks_disabled/metadata.json | 2 +- .../ansible/gcp/gke_using_default_service_account/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../google_compute_ssl_policy_weak_cipher_in_use/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../high_google_kms_crypto_key_rotation_period/metadata.json | 2 +- assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json | 2 +- assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json | 2 +- .../gcp/mysql_instance_with_local_infile_on/metadata.json | 2 +- .../queries/ansible/gcp/network_policy_disabled/metadata.json | 2 +- .../ansible/gcp/node_auto_upgrade_disabled/metadata.json | 2 +- .../gcp/oslogin_is_disabled_for_vm_instance/metadata.json | 2 +- .../postgresql_log_checkpoints_flag_not_set_to_on/metadata.json | 2 +- .../gcp/postgresql_log_connections_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../postgresql_misconfigured_log_messages_flag/metadata.json | 2 +- .../metadata.json | 2 +- .../queries/ansible/gcp/private_cluster_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../ansible/gcp/rdp_access_is_not_restricted/metadata.json | 2 +- .../gcp/serial_ports_enabled_for_vm_instances/metadata.json | 2 +- assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json | 2 +- .../ansible/gcp/sql_db_instance_backup_disabled/metadata.json | 2 +- .../gcp/sql_db_instance_is_publicly_accessible/metadata.json | 2 +- .../ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json | 2 +- 
.../ansible/gcp/ssh_access_is_not_restricted/metadata.json | 2 +- .../ansible/gcp/stackdriver_logging_disabled/metadata.json | 2 +- .../ansible/gcp/stackdriver_monitoring_disabled/metadata.json | 2 +- .../ansible/gcp/using_default_service_account/metadata.json | 2 +- .../queries/ansible/gcp/vm_with_full_cloud_access/metadata.json | 2 +- .../ansible/general/communication_over_http/metadata.json | 2 +- .../general/insecure_relative_path_resolution/metadata.json | 2 +- .../ansible/general/logging_of_sensitive_data/metadata.json | 2 +- .../privilege_escalation_using_become_plugin/metadata.json | 2 +- .../ansible/general/risky_file_permissions/metadata.json | 2 +- .../ansible/general/unpinned_package_version/metadata.json | 2 +- .../hosts/ansible_tower_exposed_to_internet/metadata.json | 2 +- .../account_admins_not_notified_by_email/metadata.json | 2 +- .../aks_cluster_network_policy_not_configured/metadata.json | 2 +- .../aks_cluster_rbac_disabled/metadata.json | 2 +- .../azureResourceManager/aks_dashboard_enabled/metadata.json | 2 +- .../aks_logging_azure_monitoring_disabled/metadata.json | 2 +- .../aks_with_authorized_ip_ranges_disabled/metadata.json | 2 +- .../app_service_authentication_not_set/metadata.json | 2 +- .../azure_instance_using_basic_authentication/metadata.json | 2 +- .../azure_managed_disk_without_encryption/metadata.json | 2 +- .../metadata.json | 2 +- .../email_notifications_set_off/metadata.json | 2 +- .../metadata.json | 2 +- .../key_vault_not_recoverable/metadata.json | 2 +- .../log_profile_incorrect_category/metadata.json | 2 +- .../mysql_server_ssl_enforcement_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../phone_number_not_set_security_contacts/metadata.json | 2 +- .../metadata.json | 2 +- .../postgres_sql_server_log_checkpoint_disabled/metadata.json | 2 +- .../postgres_sql_server_log_connections_disabled/metadata.json | 2 +- .../postgres_sql_server_ssl_disabled/metadata.json | 2 +- .../metadata.json | 2 +- 
.../secret_without_expiration_date/metadata.json | 2 +- .../sql_alert_policy_without_emails/metadata.json | 2 +- .../sql_database_server_firewall_allows_all_ips/metadata.json | 2 +- .../sql_server_database_with_alerts_disabled/metadata.json | 2 +- .../sql_server_database_with_low_retention_days/metadata.json | 2 +- .../sql_server_database_without_auditing/metadata.json | 2 +- .../standard_price_not_selected/metadata.json | 2 +- .../storage_account_allows_network_default_access/metadata.json | 2 +- .../storage_account_allows_unsecure_transfer/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../trusted_microsoft_services_not_enabled/metadata.json | 2 +- .../unrecommended_log_profile_retention_policy/metadata.json | 2 +- .../metadata.json | 2 +- .../web_app_not_using_tls_last_version/metadata.json | 2 +- .../website_azure_active_directory_disabled/metadata.json | 2 +- .../website_not_forcing_https/metadata.json | 2 +- .../website_with_client_certificate_auth_disabled/metadata.json | 2 +- .../website_with_http20enabled_disabled/metadata.json | 2 +- assets/queries/buildah/run_using_apt/metadata.json | 2 +- assets/queries/cicd/github/run_block_injection/metadata.json | 2 +- assets/queries/cicd/github/script_block_injection/metadata.json | 2 +- .../unpinned_actions_full_length_commit_sha/metadata.json | 2 +- assets/queries/cicd/github/unsecured_commands/metadata.json | 2 +- .../aws/access_key_not_rotated_within_90_days/metadata.json | 2 +- .../aws/alb_is_not_integrated_with_waf/metadata.json | 2 +- .../cloudFormation/aws/alb_listening_on_http/metadata.json | 2 +- .../alexa_skill_plaintext_client_secret_exposed/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/amazon_mq_broker_encryption_disabled/metadata.json | 2 +- .../aws/amplify_app_access_token_exposed/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/amplify_app_oauth_token_exposed/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/api_gateway_cache_cluster_disabled/metadata.json | 2 
+- .../aws/api_gateway_cache_encrypted_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../api_gateway_endpoint_config_is_not_private/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/api_gateway_with_invalid_compression/metadata.json | 2 +- .../aws/api_gateway_with_open_access/metadata.json | 2 +- .../aws/api_gateway_without_configured_authorizer/metadata.json | 2 +- .../aws/api_gateway_without_security_policy/metadata.json | 2 +- .../aws/api_gateway_without_ssl_certificate/metadata.json | 2 +- .../cloudFormation/aws/api_gateway_without_waf/metadata.json | 2 +- .../cloudFormation/aws/api_gateway_xray_disabled/metadata.json | 2 +- .../aws/auto_scaling_group_with_no_associated_elb/metadata.json | 2 +- .../aws/automatic_minor_upgrades_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/cdn_configuration_is_missing/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/cloudfront_logging_disabled/metadata.json | 2 +- .../cloudfront_viewer_protocol_policy_allows_http/metadata.json | 2 +- .../cloudfront_without_minimum_protocol_tls_1.2/metadata.json | 2 +- .../cloudFormation/aws/cloudfront_without_waf/metadata.json | 2 +- .../aws/cloudtrail_log_file_validation_disabled/metadata.json | 2 +- .../cloudtrail_log_files_not_encrypted_with_kms/metadata.json | 2 +- .../aws/cloudtrail_logging_disabled/metadata.json | 2 +- .../aws/cloudtrail_multi_region_disabled/metadata.json | 2 +- .../aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json | 2 +- .../aws/cloudtrail_sns_topic_name_undefined/metadata.json | 2 +- .../aws/cloudwatch_logging_disabled/metadata.json | 2 +- .../aws/cloudwatch_metrics_disabled/metadata.json | 2 +- assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json | 2 +- .../cloudFormation/aws/cmk_rotation_disabled/metadata.json | 2 +- .../cloudFormation/aws/cmk_unencrypted_storage/metadata.json | 2 +- 
.../cloudFormation/aws/codebuild_not_encrypted/metadata.json | 2 +- .../aws/cognito_userpool_without_mfa/metadata.json | 2 +- .../metadata.json | 2 +- .../config_rule_for_encryption_volumes_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/db_security_group_open_to_large_scope/metadata.json | 2 +- .../aws/db_security_group_with_public_scope/metadata.json | 2 +- .../cloudFormation/aws/default_kms_key_usage/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../directory_service_simple_ad_password_exposed/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/dms_endpoint_password_exposed/metadata.json | 2 +- .../docdb_cluster_master_password_in_plaintext/metadata.json | 2 +- .../cloudFormation/aws/docdb_logging_disabled/metadata.json | 2 +- .../aws/dynamodb_table_not_encrypted/metadata.json | 2 +- .../aws/dynamodb_with_aws_owned_cmk/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ebs_volume_encryption_disabled/metadata.json | 2 +- .../aws/ebs_volume_not_attached_to_instances/metadata.json | 2 +- .../aws/ebs_volume_without_kms_key_id/metadata.json | 2 +- .../aws/ec2_instance_has_no_iam_role/metadata.json | 2 +- .../aws/ec2_instance_monitoring_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ec2_instance_using_default_security_group/metadata.json | 2 +- .../aws/ec2_instance_using_default_vpc/metadata.json | 2 +- .../aws/ec2_network_acl_duplicate_rule/metadata.json | 2 +- .../ec2_network_acl_ineffective_denied_traffic/metadata.json | 2 +- .../aws/ec2_network_acl_overlapping_ports/metadata.json | 2 +- .../cloudFormation/aws/ec2_not_ebs_optimized/metadata.json | 2 +- .../aws/ec2_permissive_network_acl_protocols/metadata.json | 2 +- .../ec2_public_instance_exposed_through_subnet/metadata.json | 2 +- .../aws/ec2_sensitive_port_is_publicly_exposed/metadata.json | 2 +- .../aws/ecr_image_tag_not_immutable/metadata.json | 2 +- .../aws/ecr_repository_is_publicly_accessible/metadata.json | 2 +- 
.../aws/ecs_cluster_not_encrypted_at_rest/metadata.json | 2 +- .../aws/ecs_no_load_balancer_attached/metadata.json | 2 +- .../aws/ecs_service_admin_role_is_present/metadata.json | 2 +- .../aws/ecs_service_without_running_tasks/metadata.json | 2 +- .../aws/ecs_task_definition_healthcheck_missing/metadata.json | 2 +- .../aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json | 2 +- .../metadata.json | 2 +- .../ecs_task_definition_with_plaintext_password/metadata.json | 2 +- .../queries/cloudFormation/aws/efs_not_encrypted/metadata.json | 2 +- .../efs_volume_with_disabled_transit_encryption/metadata.json | 2 +- assets/queries/cloudFormation/aws/efs_without_kms/metadata.json | 2 +- .../queries/cloudFormation/aws/efs_without_tags/metadata.json | 2 +- .../aws/eks_node_group_remote_access/metadata.json | 2 +- .../elasticache_nodes_not_created_across_multi_az/metadata.json | 2 +- .../aws/elasticache_using_default_port/metadata.json | 2 +- .../elasticache_with_disabled_at_rest_encryption/metadata.json | 2 +- .../elasticache_with_disabled_transit_encryption/metadata.json | 2 +- .../cloudFormation/aws/elasticache_without_vpc/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/elasticsearch_logs_disabled/metadata.json | 2 +- .../aws/elasticsearch_not_encrypted_at_rest/metadata.json | 2 +- .../aws/elasticsearch_with_https_disabled/metadata.json | 2 +- .../aws/elasticsearch_without_iam_authentication/metadata.json | 2 +- .../aws/elasticsearch_without_slow_logs/metadata.json | 2 +- .../cloudFormation/aws/elb_access_log_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/elb_using_insecure_protocols/metadata.json | 2 +- .../cloudFormation/aws/elb_using_weak_ciphers/metadata.json | 2 +- .../aws/elb_v2_alb_access_log_disabled/metadata.json | 2 +- .../elb_with_security_group_without_inbound_rules/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/elb_without_secure_protocol/metadata.json | 2 +- .../empty_roles_for_ecs_cluster_task_definitions/metadata.json | 2 +- 
.../emr_cluster_without_security_configuration/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json | 2 +- .../queries/cloudFormation/aws/fully_open_ingress/metadata.json | 2 +- .../metadata.json | 2 +- .../cloudFormation/aws/geo_restriction_disabled/metadata.json | 2 +- .../aws/github_repository_set_to_public/metadata.json | 2 +- .../aws/guardduty_detector_disabled/metadata.json | 2 +- .../aws/hardcoded_aws_access_key_in_lambda/metadata.json | 2 +- assets/queries/cloudFormation/aws/http_port_open/metadata.json | 2 +- .../aws/iam_access_analyzer_not_enabled/metadata.json | 2 +- .../aws/iam_database_auth_not_enabled/metadata.json | 2 +- .../cloudFormation/aws/iam_group_without_users/metadata.json | 2 +- .../cloudFormation/aws/iam_groups_inline_policies/metadata.json | 2 +- .../aws/iam_managed_policy_applied_to_a_user/metadata.json | 2 +- .../aws/iam_password_without_lowercase_letter/metadata.json | 2 +- .../aws/iam_password_without_minimum_length/metadata.json | 2 +- .../aws/iam_password_without_number/metadata.json | 2 +- .../aws/iam_password_without_symbol/metadata.json | 2 +- .../aws/iam_password_without_uppercase_letter/metadata.json | 2 +- .../aws/iam_policies_attached_to_user/metadata.json | 2 +- .../aws/iam_policies_with_full_privileges/metadata.json | 2 +- .../aws/iam_policies_without_groups/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/iam_policy_grants_full_permissions/metadata.json | 2 +- .../queries/cloudFormation/aws/iam_policy_on_user/metadata.json | 2 +- .../aws/iam_role_allows_all_principals_to_assume/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/iam_user_too_many_access_keys/metadata.json | 2 +- .../cloudFormation/aws/iam_user_with_no_group/metadata.json | 2 +- .../inline_policies_are_attached_to_ecs_service/metadata.json | 2 +- .../cloudFormation/aws/instance_with_no_vpc/metadata.json | 2 +- .../aws/iot_policy_allows_action_as_wildcard/metadata.json | 2 +- 
.../aws/iot_policy_allows_wildcard_resource/metadata.json | 2 +- .../cloudFormation/aws/kinesis_sse_not_configured/metadata.json | 2 +- .../aws/kms_allows_wildcard_principal/metadata.json | 2 +- .../aws/kms_enable_key_rotation_disabled/metadata.json | 2 +- .../aws/kms_key_with_full_permissions/metadata.json | 2 +- .../aws/lambda_function_without_dead_letter_queue/metadata.json | 2 +- .../aws/lambda_function_without_tags/metadata.json | 2 +- .../aws/lambda_functions_with_full_privileges/metadata.json | 2 +- .../aws/lambda_functions_without_unique_iam_roles/metadata.json | 2 +- .../aws/lambda_functions_without_x-ray_tracing/metadata.json | 2 +- .../aws/lambda_permission_misconfigured/metadata.json | 2 +- .../aws/lambda_permission_principal_is_wildcard/metadata.json | 2 +- .../aws/low_rds_backup_retention_period/metadata.json | 2 +- .../queries/cloudFormation/aws/memcached_disabled/metadata.json | 2 +- .../aws/mq_broker_is_publicly_accessible/metadata.json | 2 +- .../cloudFormation/aws/mq_broker_logging_disabled/metadata.json | 2 +- .../aws/msk_broker_is_publicly_accessible/metadata.json | 2 +- .../aws/msk_cluster_encryption_disabled/metadata.json | 2 +- .../aws/msk_cluster_logging_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../neptune_database_cluster_encryption_disabled/metadata.json | 2 +- .../aws/public_lambda_via_api_gateway/metadata.json | 2 +- .../aws/rds_associated_with_public_subnet/metadata.json | 2 +- .../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/rds_multi_az_deployment_disabled/metadata.json | 2 +- .../aws/rds_storage_encryption_disabled/metadata.json | 2 +- .../cloudFormation/aws/rds_storage_not_encrypted/metadata.json | 2 +- .../cloudFormation/aws/rds_using_default_port/metadata.json | 2 +- .../cloudFormation/aws/rds_with_backup_disabled/metadata.json | 2 +- .../aws/redshift_cluster_logging_disabled/metadata.json | 2 +- .../aws/redshift_cluster_without_kms_cmk/metadata.json | 2 +- 
.../cloudFormation/aws/redshift_not_encrypted/metadata.json | 2 +- .../aws/redshift_publicly_accessible/metadata.json | 2 +- .../aws/redshift_using_default_port/metadata.json | 2 +- .../cloudFormation/aws/refresh_token_is_exposed/metadata.json | 2 +- .../aws/remote_desktop_port_open_to_internet/metadata.json | 2 +- .../aws/root_account_has_active_access_keys/metadata.json | 2 +- .../cloudFormation/aws/route53_record_undefined/metadata.json | 2 +- .../aws/routertable_with_default_routing/metadata.json | 2 +- .../aws/s3_bucket_access_to_any_principal/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/s3_bucket_acl_allows_read_to_all_users/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/s3_bucket_allows_public_acl/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/s3_bucket_cloudtrail_logging_disabled/metadata.json | 2 +- .../cloudFormation/aws/s3_bucket_logging_disabled/metadata.json | 2 +- .../aws/s3_bucket_should_have_bucket_policy/metadata.json | 2 +- .../cloudFormation/aws/s3_bucket_sse_disabled/metadata.json | 2 +- .../aws/s3_bucket_with_all_permissions/metadata.json | 2 +- .../aws/s3_bucket_with_public_policy/metadata.json | 2 +- .../aws/s3_bucket_with_unsecured_cors_rule/metadata.json | 2 +- .../aws/s3_bucket_without_ignore_public_acl/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/s3_bucket_without_server_side_encryption/metadata.json | 2 +- .../aws/s3_bucket_without_ssl_in_write_actions/metadata.json | 2 +- .../aws/s3_bucket_without_versioning/metadata.json | 2 +- .../aws/s3_static_website_host_enabled/metadata.json | 2 +- .../aws/sagemaker_data_encryption_disabled/metadata.json | 2 +- .../aws/sagemaker_enabling_internet_access/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/sagemaker_notebook_not_placed_in_vpc/metadata.json | 2 +- .../aws/sdb_domain_declared_as_a_resource/metadata.json | 2 +- 
.../aws/secrets_manager_should_specify_kms_key_id/metadata.json | 2 +- .../cloudFormation/aws/secure_ciphers_disabled/metadata.json | 2 +- .../aws/security_group_egress_cidr_open_to_world/metadata.json | 2 +- .../aws/security_group_egress_with_all_protocols/metadata.json | 2 +- .../aws/security_group_egress_with_port_range/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/security_group_ingress_with_all_protocols/metadata.json | 2 +- .../aws/security_group_ingress_with_port_range/metadata.json | 2 +- .../aws/security_group_rule_without_description/metadata.json | 2 +- .../metadata.json | 2 +- .../security_groups_unrestricted_access_to_rdp/metadata.json | 2 +- .../security_groups_with_exhibited_admin_ports/metadata.json | 2 +- .../aws/security_groups_with_meta_ip/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/security_groups_without_vpc_attached/metadata.json | 2 +- .../cloudFormation/aws/shield_advanced_not_in_use/metadata.json | 2 +- .../aws/sns_topic_is_publicly_accessible/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/sns_topic_without_kms_master_key_id/metadata.json | 2 +- .../aws/sqs_policy_with_public_access/metadata.json | 2 +- .../aws/sqs_queue_policy_allows_not_action/metadata.json | 2 +- .../aws/sqs_queue_policy_allows_not_principal/metadata.json | 2 +- .../cloudFormation/aws/sqs_with_sse_disabled/metadata.json | 2 +- .../aws/stack_notifications_disabled/metadata.json | 2 +- .../cloudFormation/aws/stack_retention_disabled/metadata.json | 2 +- .../aws/support_has_no_role_associated/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/unknown_port_exposed_to_internet/metadata.json | 2 +- .../aws/unrestricted_security_group_ingress/metadata.json | 2 +- .../cloudFormation/aws/unscanned_ecr_image/metadata.json | 2 +- .../aws/user_data_contains_encoded_private_key/metadata.json | 2 +- .../aws/user_data_shell_script_is_encoded/metadata.json | 2 +- .../aws/user_iam_missing_password_reset_required/metadata.json | 2 +- 
.../aws/vpc_attached_with_too_many_gateways/metadata.json | 2 +- .../cloudFormation/aws/vpc_flowlogs_disabled/metadata.json | 2 +- .../aws/vpc_without_attached_subnet/metadata.json | 2 +- .../aws/vpc_without_network_firewall/metadata.json | 2 +- .../aws/vulnerable_default_ssl_certificate/metadata.json | 2 +- .../cloudFormation/aws/webacl_allow_defaultaction/metadata.json | 2 +- .../aws/wildcard_in_acm_certificate_domain_name/metadata.json | 2 +- .../aws/workspace_without_encryption/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/cassandra/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/dynamo/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/ebs/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/efs/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/elasticache/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/kinesis/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/mq/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/msk/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/rds/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/sns/metadata.json | 2 +- assets/queries/cloudFormation/aws_bom/sqs/metadata.json | 2 +- .../metadata.json | 2 +- .../aws_sam/serverless_api_cache_cluster_disabled/metadata.json | 2 +- .../serverless_api_endpoint_config_not_private/metadata.json | 2 +- .../serverless_api_without_content_encoding/metadata.json | 2 +- .../aws_sam/serverless_api_xray_tracing_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../serverless_function_without_dead_letter_queue/metadata.json | 2 +- .../aws_sam/serverless_function_without_tags/metadata.json | 2 +- .../serverless_function_without_unique_iam_role/metadata.json | 2 +- .../serverless_function_without_x-ray_tracing/metadata.json | 2 +- assets/queries/common/passwords_and_secrets/metadata.json | 2 +- 
.../crossplane/aws/cloudfront_logging_disabled/metadata.json | 2 +- .../cloudfront_without_minimum_protocol_tls_1.2/metadata.json | 2 +- .../queries/crossplane/aws/cloudfront_without_waf/metadata.json | 2 +- .../cloudwatch_without_retention_period_specified/metadata.json | 2 +- .../aws/db_instance_storage_not_encrypted/metadata.json | 2 +- .../aws/db_security_group_has_public_interface/metadata.json | 2 +- .../queries/crossplane/aws/docdb_logging_disabled/metadata.json | 2 +- assets/queries/crossplane/aws/efs_not_encrypted/metadata.json | 2 +- assets/queries/crossplane/aws/efs_without_kms/metadata.json | 2 +- .../queries/crossplane/aws/elb_using_weak_ciphers/metadata.json | 2 +- .../neptune_database_cluster_encryption_disabled/metadata.json | 2 +- .../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +- .../queries/crossplane/aws/sqs_with_sse_disabled/metadata.json | 2 +- assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json | 2 +- .../azure/redis_cache_allows_non_ssl_connections/metadata.json | 2 +- .../gcp/cloud_storage_bucket_logging_not_enabled/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/dockerCompose/cgroup_not_default/metadata.json | 2 +- .../container_capabilities_unrestricted/metadata.json | 2 +- .../container_traffic_not_bound_to_host_interface/metadata.json | 2 +- assets/queries/dockerCompose/cpus_not_limited/metadata.json | 2 +- .../default_seccomp_profile_disabled/metadata.json | 2 +- .../docker_socket_mounted_in_container/metadata.json | 2 +- assets/queries/dockerCompose/healthcheck_not_set/metadata.json | 2 +- .../dockerCompose/host_namespace_is_shared/metadata.json | 2 +- assets/queries/dockerCompose/memory_not_limited/metadata.json | 2 +- assets/queries/dockerCompose/networks_not_set/metadata.json | 2 +- .../dockerCompose/no_new_privileges_not_set/metadata.json | 2 +- assets/queries/dockerCompose/pids_limit_not_set/metadata.json | 2 +- .../dockerCompose/privileged_containers_enabled/metadata.json | 2 +- 
.../privileged_ports_mapped_in_container/metadata.json | 2 +- .../restart_policy_on_failure_not_set_to_5/metadata.json | 2 +- assets/queries/dockerCompose/security_opt_not_set/metadata.json | 2 +- .../dockerCompose/shared_host_ipc_namespace/metadata.json | 2 +- .../dockerCompose/shared_host_network_namespace/metadata.json | 2 +- .../dockerCompose/shared_host_user_namespace/metadata.json | 2 +- .../volume_has_sensitive_host_directory/metadata.json | 2 +- .../volume_mounted_in_multiple_containers/metadata.json | 2 +- assets/queries/dockerfile/add_instead_of_copy/metadata.json | 2 +- .../dockerfile/apk_add_using_local_cache_path/metadata.json | 2 +- .../apt_get_install_lists_were_not_deleted/metadata.json | 2 +- .../apt_get_install_pin_version_not_defined/metadata.json | 2 +- .../metadata.json | 2 +- .../apt_get_not_avoiding_additional_packages/metadata.json | 2 +- .../changing_default_shell_using_run_command/metadata.json | 2 +- assets/queries/dockerfile/chown_flag_exists/metadata.json | 2 +- .../copy_from_references_current_from_alias/metadata.json | 2 +- .../metadata.json | 2 +- .../dockerfile/curl_or_wget_instead_of_add/metadata.json | 2 +- assets/queries/dockerfile/exposing_port_22/metadata.json | 2 +- .../dockerfile/gem_install_without_version/metadata.json | 2 +- .../dockerfile/healthcheck_instruction_missing/metadata.json | 2 +- .../queries/dockerfile/image_version_not_explicit/metadata.json | 2 +- .../queries/dockerfile/image_version_using_latest/metadata.json | 2 +- assets/queries/dockerfile/last_user_is_root/metadata.json | 2 +- .../dockerfile/maintainer_instruction_being_used/metadata.json | 2 +- assets/queries/dockerfile/missing_dnf_clean_all/metadata.json | 2 +- .../dockerfile/missing_flag_from_dnf_install/metadata.json | 2 +- .../queries/dockerfile/missing_user_instruction/metadata.json | 2 +- .../missing_version_specification_in_dnf_install/metadata.json | 2 +- assets/queries/dockerfile/missing_zypper_clean/metadata.json | 2 +- 
.../missing_zypper_non_interactive_switch/metadata.json | 2 +- .../dockerfile/multiple_cmd_instructions_listed/metadata.json | 2 +- .../multiple_entrypoint_instructions_listed/metadata.json | 2 +- .../multiple_run_add_copy_instructions_listed/metadata.json | 2 +- .../metadata.json | 2 +- .../dockerfile/npm_install_without_pinned_version/metadata.json | 2 +- .../pip_install_keeping_cached_packages/metadata.json | 2 +- .../dockerfile/run_command_cd_instead_of_workdir/metadata.json | 2 +- assets/queries/dockerfile/run_using_apt/metadata.json | 2 +- assets/queries/dockerfile/run_using_sudo/metadata.json | 2 +- assets/queries/dockerfile/run_using_wget_and_curl/metadata.json | 2 +- .../dockerfile/run_utilities_and_posix_commands/metadata.json | 2 +- .../dockerfile/same_alias_in_different_froms/metadata.json | 2 +- .../shell_running_a_pipe_without_pipefail_flag/metadata.json | 2 +- assets/queries/dockerfile/unix_ports_out_of_range/metadata.json | 2 +- .../unpinned_package_version_in_apk_add/metadata.json | 2 +- .../unpinned_package_version_in_pip_install/metadata.json | 2 +- .../queries/dockerfile/update_instruction_alone/metadata.json | 2 +- .../queries/dockerfile/using_platform_with_from/metadata.json | 2 +- .../queries/dockerfile/using_unnamed_build_stages/metadata.json | 2 +- .../queries/dockerfile/vulnerable_openssl_version/metadata.json | 2 +- .../queries/dockerfile/workdir_path_not_absolute/metadata.json | 2 +- assets/queries/dockerfile/yum_clean_all_missing/metadata.json | 2 +- .../dockerfile/yum_install_allows_manual_input/metadata.json | 2 +- .../dockerfile/yum_install_without_version/metadata.json | 2 +- .../dockerfile/zypper_install_without_version/metadata.json | 2 +- .../gcp/bigquery_database_is_public/metadata.json | 2 +- .../gcp/bucket_without_versioning/metadata.json | 2 +- .../gcp/client_certificate_disabled/metadata.json | 2 +- .../gcp/cloud_dns_without_dnnsec/metadata.json | 2 +- .../metadata.json | 2 +- 
.../cloud_storage_bucket_is_publicly_accessible/metadata.json | 2 +- .../gcp/cloud_storage_bucket_versioning_disabled/metadata.json | 2 +- .../gcp/cluster_labels_disabled/metadata.json | 2 +- .../gcp/cluster_master_authentication_disabled/metadata.json | 2 +- .../gcp/compute_instance_is_publicly_accessible/metadata.json | 2 +- .../gcp/cos_node_image_not_used/metadata.json | 2 +- .../gcp/disk_encryption_disabled/metadata.json | 2 +- .../gcp/dnssec_using_rsasha1/metadata.json | 2 +- .../gcp/gke_legacy_authorization_enabled/metadata.json | 2 +- .../gcp/gke_master_authorized_networks_disabled/metadata.json | 2 +- .../google_storage_bucket_level_access_disabled/metadata.json | 2 +- .../gcp/ip_aliasing_disabled/metadata.json | 2 +- .../gcp/ip_forwarding_enabled/metadata.json | 2 +- .../gcp/mysql_instance_with_local_infile_on/metadata.json | 2 +- .../gcp/network_policy_disabled/metadata.json | 2 +- .../gcp/node_auto_upgrade_disabled/metadata.json | 2 +- .../gcp/not_proper_email_account_in_use/metadata.json | 2 +- .../gcp/os_login_is_disabled_for_vm_instance/metadata.json | 2 +- .../gcp/private_cluster_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../gcp/rdp_access_is_not_restricted/metadata.json | 2 +- .../gcp/shielded_vm_disabled/metadata.json | 2 +- .../gcp/sql_db_instance_backup_disabled/metadata.json | 2 +- .../gcp/sql_db_instance_with_ssl_disabled/metadata.json | 2 +- .../gcp/ssh_access_is_not_restricted/metadata.json | 2 +- .../gcp/stackdriver_logging_disabled/metadata.json | 2 +- .../gcp/stackdriver_monitoring_disabled/metadata.json | 2 +- assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json | 2 +- .../queries/googleDeploymentManager/gcp_bom/pst/metadata.json | 2 +- assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json | 2 +- assets/queries/grpc/enum_name_not_camel_case/metadata.json | 2 +- .../k8s/always_admit_admission_control_plugin_set/metadata.json | 2 +- .../metadata.json | 2 +- 
.../k8s/anonymous_auth_is_not_set_to_false/metadata.json | 2 +- .../queries/k8s/audit_log_maxage_not_properly_set/metadata.json | 2 +- .../k8s/audit_log_maxbackup_not_properly_set/metadata.json | 2 +- .../k8s/audit_log_maxsize_not_properly_set/metadata.json | 2 +- assets/queries/k8s/audit_log_path_not_set/metadata.json | 2 +- assets/queries/k8s/audit_policy_file_not_defined/metadata.json | 2 +- .../audit_policy_not_cover_key_security_concerns/metadata.json | 2 +- .../queries/k8s/authorization_mode_node_not_set/metadata.json | 2 +- .../queries/k8s/authorization_mode_rbac_not_set/metadata.json | 2 +- .../k8s/authorization_mode_set_to_always_allow/metadata.json | 2 +- assets/queries/k8s/auto_tls_set_to_true/metadata.json | 2 +- assets/queries/k8s/basic_auth_file_is_set/metadata.json | 2 +- assets/queries/k8s/bind_address_not_properly_set/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json | 2 +- .../cni_plugin_does_not_support_network_policies/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/k8s/container_is_privileged/metadata.json | 2 +- .../metadata.json | 2 +- .../container_requests_not_equal_to_its_limits/metadata.json | 2 +- assets/queries/k8s/container_runs_unmasked/metadata.json | 2 +- assets/queries/k8s/containers_run_with_low_uid/metadata.json | 2 +- assets/queries/k8s/containers_running_as_root/metadata.json | 2 +- .../k8s/containers_with_added_capabilities/metadata.json | 2 +- .../k8s/containers_with_sys_admin_capabilities/metadata.json | 2 +- assets/queries/k8s/cpu_limits_not_set/metadata.json | 2 +- assets/queries/k8s/cpu_requests_not_set/metadata.json | 2 +- .../queries/k8s/cronjob_deadline_not_configured/metadata.json | 2 +- assets/queries/k8s/dashboard_is_enabled/metadata.json | 2 +- .../k8s/deployment_has_no_pod_anti_affinity/metadata.json | 2 +- .../k8s/deployment_without_pod_disruption_budget/metadata.json | 2 +- 
.../docker_daemon_socket_is_exposed_to_containers/metadata.json | 2 +- .../k8s/encryption_provider_config_is_not_defined/metadata.json | 2 +- .../encryption_provider_not_properly_configured/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/etcd_client_certificate_file_not_defined/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../etcd_tls_certificate_files_not_properly_set/metadata.json | 2 +- .../etcd_tls_certificate_not_properly_configured/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/k8s/hpa_targets_invalid_object/metadata.json | 2 +- .../metadata.json | 2 +- .../image_pull_policy_of_container_is_not_always/metadata.json | 2 +- assets/queries/k8s/image_without_digest/metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/ingress_controller_exposes_workload/metadata.json | 2 +- assets/queries/k8s/insecure_bind_address_set/metadata.json | 2 +- assets/queries/k8s/insecure_port_not_properly_set/metadata.json | 2 +- assets/queries/k8s/invalid_image/metadata.json | 2 +- .../k8s/kubelet_certificate_authority_not_set/metadata.json | 2 +- .../k8s/kubelet_client_certificate_or_key_not_set/metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/kubelet_event_qps_not_properly_set/metadata.json | 2 +- .../queries/k8s/kubelet_hostname_override_is_set/metadata.json | 2 +- assets/queries/k8s/kubelet_https_set_to_false/metadata.json | 2 +- assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json | 2 +- .../kubelet_protect_kernel_defaults_set_to_false/metadata.json | 2 +- .../k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json | 2 +- .../kubelet_streaming_connection_timeout_disabled/metadata.json | 2 +- assets/queries/k8s/liveness_probe_is_not_defined/metadata.json | 2 +- assets/queries/k8s/memory_limits_not_defined/metadata.json | 2 +- assets/queries/k8s/memory_requests_not_defined/metadata.json | 2 +- assets/queries/k8s/metadata_label_is_invalid/metadata.json | 2 +- 
assets/queries/k8s/missing_app_armor_config/metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/net_raw_capabilities_disabled_for_psp/metadata.json | 2 +- .../k8s/net_raw_capabilities_not_being_dropped/metadata.json | 2 +- .../k8s/network_policy_is_not_targeting_any_pod/metadata.json | 2 +- .../k8s/no_drop_capabilities_for_containers/metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/non_kube_system_pod_with_host_mount/metadata.json | 2 +- .../k8s/not_limited_capabilities_for_container/metadata.json | 2 +- .../metadata.json | 2 +- .../queries/k8s/not_unique_certificate_authority/metadata.json | 2 +- .../k8s/object_is_using_a_deprecated_api_version/metadata.json | 2 +- assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json | 2 +- .../queries/k8s/permissive_access_to_create_pods/metadata.json | 2 +- .../queries/k8s/pod_misconfigured_network_policy/metadata.json | 2 +- .../k8s/pod_or_container_without_limit_range/metadata.json | 2 +- .../k8s/pod_or_container_without_resource_quota/metadata.json | 2 +- .../k8s/pod_or_container_without_security_context/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/k8s/privilege_escalation_allowed/metadata.json | 2 +- assets/queries/k8s/profiling_not_set_to_false/metadata.json | 2 +- .../queries/k8s/psp_allows_privilege_escalation/metadata.json | 2 +- assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json | 2 +- assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json | 2 +- .../psp_containers_share_host_network_namespace/metadata.json | 2 +- assets/queries/k8s/psp_set_to_privileged/metadata.json | 2 +- assets/queries/k8s/psp_with_added_capabilities/metadata.json | 2 +- .../k8s/psp_with_unrestricted_access_to_host_path/metadata.json | 2 +- .../k8s/rbac_roles_allow_privilege_escalation/metadata.json | 2 +- .../queries/k8s/rbac_roles_with_attach_permission/metadata.json | 2 +- .../queries/k8s/rbac_roles_with_exec_permission/metadata.json | 2 +- .../k8s/rbac_roles_with_impersonate_permission/metadata.json | 
2 +- .../rbac_roles_with_portforwarding_permissions/metadata.json | 2 +- .../k8s/rbac_roles_with_read_secrets_permissions/metadata.json | 2 +- assets/queries/k8s/rbac_wildcard_in_rule/metadata.json | 2 +- .../queries/k8s/readiness_probe_is_not_configured/metadata.json | 2 +- .../queries/k8s/request_timeout_not_properly_set/metadata.json | 2 +- .../k8s/role_binding_to_default_service_account/metadata.json | 2 +- assets/queries/k8s/root_ca_file_not_defined/metadata.json | 2 +- .../k8s/root_container_not_mounted_as_read_only/metadata.json | 2 +- assets/queries/k8s/root_containers_admitted/metadata.json | 2 +- .../rotate_kubelet_server_certificate_not_active/metadata.json | 2 +- .../queries/k8s/seccomp_profile_is_not_configured/metadata.json | 2 +- .../queries/k8s/secrets_as_environment_variables/metadata.json | 2 +- assets/queries/k8s/secure_port_set_to_zero/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/service_account_allows_access_secrets/metadata.json | 2 +- .../k8s/service_account_key_file_not_properly_set/metadata.json | 2 +- .../k8s/service_account_lookup_set_to_false/metadata.json | 2 +- .../k8s/service_account_name_undefined_or_empty/metadata.json | 2 +- .../service_account_private_key_file_not_defined/metadata.json | 2 +- .../service_account_token_automount_not_disabled/metadata.json | 2 +- assets/queries/k8s/service_does_not_target_pod/metadata.json | 2 +- assets/queries/k8s/service_type_is_nodeport/metadata.json | 2 +- .../k8s/service_with_external_load_balancer/metadata.json | 2 +- assets/queries/k8s/shared_host_ipc_namespace/metadata.json | 2 +- assets/queries/k8s/shared_host_network_namespace/metadata.json | 2 +- assets/queries/k8s/shared_host_pid_namespace/metadata.json | 2 +- assets/queries/k8s/shared_service_account/metadata.json | 2 +- .../k8s/statefulset_has_no_pod_anti_affinity/metadata.json | 2 +- assets/queries/k8s/statefulset_requests_storage/metadata.json | 2 +- 
.../k8s/statefulset_without_pod_disruption_budget/metadata.json | 2 +- .../queries/k8s/statefulset_without_service_name/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/k8s/tiller_is_deployed/metadata.json | 2 +- assets/queries/k8s/tiller_service_is_not_deleted/metadata.json | 2 +- .../k8s/tls_connection_certificate_not_setup/metadata.json | 2 +- assets/queries/k8s/token_auth_file_is_set/metadata.json | 2 +- .../metadata.json | 2 +- .../k8s/using_kubernetes_native_secret_management/metadata.json | 2 +- assets/queries/k8s/using_unrecommended_namespace/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/k8s/weak_tls_cipher_suites/metadata.json | 2 +- .../queries/k8s/workload_host_port_not_specified/metadata.json | 2 +- .../workload_mounting_with_sensitive_os_directory/metadata.json | 2 +- .../metadata.json | 2 +- .../openAPI/2.0/basepath_with_wrong_format/metadata.json | 2 +- .../2.0/body_parameter_with_wrong_property/metadata.json | 2 +- .../openAPI/2.0/body_parameter_without_schema/metadata.json | 2 +- .../openAPI/2.0/constraining_enum_property/metadata.json | 2 +- .../file_parameter_with_wrong_consumes_property/metadata.json | 2 +- .../queries/openAPI/2.0/global_schemes_uses_http/metadata.json | 2 +- .../2.0/global_security_using_password_flow/metadata.json | 2 +- .../queries/openAPI/2.0/host_with_invalid_pattern/metadata.json | 2 +- assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json | 2 +- .../queries/openAPI/2.0/invalid_media_type_value/metadata.json | 2 +- .../queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json | 2 +- .../openAPI/2.0/invalid_oauth_authorization_url/metadata.json | 2 +- .../2.0/json_reference_does_not_exists_parameter/metadata.json | 2 +- .../2.0/json_reference_does_not_exists_response/metadata.json | 2 +- .../2.0/json_reference_does_not_exists_schema/metadata.json | 2 +- .../2.0/multi_body_parameters_same_operation/metadata.json | 2 +- 
.../multi_collectionformat_not_valid_in_parameter/metadata.json | 2 +- .../openAPI/2.0/non_body_parameter_with_schema/metadata.json | 2 +- .../metadata.json | 2 +- .../openAPI/2.0/object_without_required_property/metadata.json | 2 +- .../operation_example_mismatch_produces_mediatype/metadata.json | 2 +- .../metadata.json | 2 +- .../openAPI/2.0/operation_object_without_consumes/metadata.json | 2 +- .../openAPI/2.0/operation_object_without_produces/metadata.json | 2 +- .../openAPI/2.0/operation_summary_too_long/metadata.json | 2 +- .../openAPI/2.0/operation_using_basic_auth/metadata.json | 2 +- .../openAPI/2.0/operation_using_implicit_flow/metadata.json | 2 +- .../openAPI/2.0/operation_using_password_flow/metadata.json | 2 +- .../2.0/parameter_file_type_not_in_formdata/metadata.json | 2 +- .../openAPI/2.0/parameter_object_incorrect_ref/metadata.json | 2 +- .../queries/openAPI/2.0/path_scheme_accepts_http/metadata.json | 2 +- assets/queries/openAPI/2.0/property_not_unique/metadata.json | 2 +- .../openAPI/2.0/response_object_incorrect_ref/metadata.json | 2 +- .../openAPI/2.0/schema_object_incorrect_ref/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json | 2 +- .../2.0/security_definitions_allows_password_flow/metadata.json | 2 +- .../2.0/security_definitions_undefined_or_empty/metadata.json | 2 +- .../2.0/security_definitions_using_basic_auth/metadata.json | 2 +- .../metadata.json | 2 +- .../2.0/undefined_security_scope_global_security/metadata.json | 2 +- .../undefined_security_scope_security_operations/metadata.json | 2 +- assets/queries/openAPI/2.0/unknown_prefix/metadata.json | 2 +- assets/queries/openAPI/2.0/unknown_property/metadata.json | 2 +- .../openAPI/2.0/unused_parameter_definition/metadata.json | 2 +- .../openAPI/2.0/unused_response_definition/metadata.json | 2 +- .../queries/openAPI/2.0/unused_schema_definition/metadata.json | 2 +- .../3.0/additional_properties_too_permissive/metadata.json | 2 +- 
.../3.0/additional_properties_too_restrective/metadata.json | 2 +- .../3.0/api_key_exposed_in_global_security_scheme/metadata.json | 2 +- .../openAPI/3.0/callback_object_incorrect_ref/metadata.json | 2 +- .../metadata.json | 2 +- .../3.0/components_callback_definition_unused/metadata.json | 2 +- .../3.0/components_example_definition_unused/metadata.json | 2 +- .../3.0/components_header_definition_unused/metadata.json | 2 +- .../openAPI/3.0/components_link_definition_unused/metadata.json | 2 +- .../metadata.json | 2 +- .../3.0/components_parameter_definition_unused/metadata.json | 2 +- .../3.0/components_request_body_definition_unused/metadata.json | 2 +- .../3.0/components_response_definition_unused/metadata.json | 2 +- .../3.0/components_schema_definition_unused/metadata.json | 2 +- assets/queries/openAPI/3.0/empty_array/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../queries/openAPI/3.0/global_server_uses_http/metadata.json | 2 +- .../openAPI/3.0/header_object_with_incorrect_ref/metadata.json | 2 +- .../openAPI/3.0/header_object_without_schema/metadata.json | 2 +- assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json | 2 +- .../metadata.json | 2 +- .../queries/openAPI/3.0/invalid_media_type_value/metadata.json | 2 +- .../queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json | 2 +- .../openAPI/3.0/invalid_oauth_authorization_url/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_callback/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_example/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_header/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_link/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_parameter/metadata.json | 2 +- .../json_reference_does_not_exists_request_body/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_response/metadata.json | 2 +- .../3.0/json_reference_does_not_exists_schema/metadata.json 
| 2 +- .../queries/openAPI/3.0/link_object_incorrect_ref/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../openAPI/3.0/media_type_object_without_schema/metadata.json | 2 +- .../queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json | 2 +- .../queries/openAPI/3.0/oauth2_with_password_flow/metadata.json | 2 +- .../openAPI/3.0/object_without_required_property/metadata.json | 2 +- .../metadata.json | 2 +- .../openAPI/3.0/parameter_object_incorrect_ref/metadata.json | 2 +- .../openAPI/3.0/parameter_object_schema_content/metadata.json | 2 +- .../openAPI/3.0/parameter_object_undefined_type/metadata.json | 2 +- .../openAPI/3.0/parameter_object_without_schema/metadata.json | 2 +- assets/queries/openAPI/3.0/path_server_uses_http/metadata.json | 2 +- .../3.0/property_allow_empty_value_ignored/metadata.json | 2 +- .../metadata.json | 2 +- .../property_allow_reserved_improperly_defined/metadata.json | 2 +- .../3.0/property_explode_encoding_object_ignored/metadata.json | 2 +- .../3.0/property_type_encoding_object_ignored/metadata.json | 2 +- .../openAPI/3.0/request_body_incorrect_ref/metadata.json | 2 +- .../request_body_object_with_incorrect_media_type/metadata.json | 2 +- .../openAPI/3.0/response_object_incorrect_ref/metadata.json | 2 +- .../openAPI/3.0/schema_object_incorrect_ref/metadata.json | 2 +- .../3.0/schema_with_both_read_only_and_write_only/metadata.json | 2 +- .../queries/openAPI/3.0/security_field_undefined/metadata.json | 2 +- .../3.0/security_operation_field_undefined/metadata.json | 2 +- .../security_requirement_object_with_wrong_scopes/metadata.json | 2 +- .../queries/openAPI/3.0/security_scheme_undefined/metadata.json | 2 +- .../openAPI/3.0/security_scheme_using_http_basic/metadata.json | 2 +- .../openAPI/3.0/security_scheme_using_http_digest/metadata.json | 2 +- .../3.0/security_scheme_using_http_negotiate/metadata.json | 2 +- .../3.0/security_schemes_http_unknown_scheme/metadata.json | 2 +- 
.../openAPI/3.0/security_schemes_using_oauth/metadata.json | 2 +- .../openAPI/3.0/server_object_variable_not_used/metadata.json | 2 +- .../queries/openAPI/3.0/server_url_not_absolute/metadata.json | 2 +- .../3.0/server_url_uses_undefined_variables/metadata.json | 2 +- assets/queries/openAPI/3.0/servers_undefined/metadata.json | 2 +- .../metadata.json | 2 +- .../3.0/undefined_security_scope_global_security/metadata.json | 2 +- .../undefined_security_scope_security_operations/metadata.json | 2 +- assets/queries/openAPI/3.0/unknown_prefix/metadata.json | 2 +- assets/queries/openAPI/3.0/unknown_property/metadata.json | 2 +- .../general/api_key_exposed_in_global_security/metadata.json | 2 +- .../general/api_key_exposed_in_operation_security/metadata.json | 2 +- .../openAPI/general/array_items_has_no_type/metadata.json | 2 +- .../general/array_without_maximum_number_items/metadata.json | 2 +- .../general/cleartext_api_key_in_global_security/metadata.json | 2 +- .../cleartext_api_key_in_operation_security/metadata.json | 2 +- assets/queries/openAPI/general/default_invalid/metadata.json | 2 +- .../general/default_response_undefined_operations/metadata.json | 2 +- .../example_not_compliant_with_schema_type/metadata.json | 2 +- .../general/global_security_field_undefined/metadata.json | 2 +- .../general/header_parameter_named_as_accept/metadata.json | 2 +- .../header_parameter_named_as_authorization/metadata.json | 2 +- .../header_parameter_named_as_content_type/metadata.json | 2 +- .../general/header_response_name_is_invalid/metadata.json | 2 +- .../queries/openAPI/general/invalid_contact_email/metadata.json | 2 +- .../queries/openAPI/general/invalid_contact_url/metadata.json | 2 +- assets/queries/openAPI/general/invalid_format/metadata.json | 2 +- .../invalid_global_external_documentation_url/metadata.json | 2 +- .../queries/openAPI/general/invalid_license_url/metadata.json | 2 +- .../invalid_operation_external_documentation_url/metadata.json | 2 +- 
.../invalid_schema_external_documentation_url/metadata.json | 2 +- .../invalid_tag_external_documentation_url/metadata.json | 2 +- assets/queries/openAPI/general/items_undefined/metadata.json | 2 +- .../general/json_object_schema_without_properties/metadata.json | 2 +- .../general/json_object_schema_without_type/metadata.json | 2 +- .../openAPI/general/json_ref_alongside_properties/metadata.json | 2 +- .../openAPI/general/maximum_length_undefined/metadata.json | 2 +- .../no_global_and_operation_security_defined/metadata.json | 2 +- .../openAPI/general/non_array_schema_with_items/metadata.json | 2 +- .../openAPI/general/numeric_schema_without_format/metadata.json | 2 +- .../general/numeric_schema_without_maximum/metadata.json | 2 +- .../general/numeric_schema_without_minimum/metadata.json | 2 +- .../general/object_using_enum_with_keyword/metadata.json | 2 +- .../openAPI/general/operation_id_not_unique/metadata.json | 2 +- .../operation_without_successful_http_status_code/metadata.json | 2 +- .../general/parameter_objects_headers_dup_name/metadata.json | 2 +- .../openAPI/general/parameters_name_in_not_unique/metadata.json | 2 +- assets/queries/openAPI/general/path_ambiguous/metadata.json | 2 +- .../openAPI/general/path_parameter_not_required/metadata.json | 2 +- .../metadata.json | 2 +- .../queries/openAPI/general/path_template_empty/metadata.json | 2 +- .../openAPI/general/path_without_operation/metadata.json | 2 +- assets/queries/openAPI/general/paths_object_empty/metadata.json | 2 +- assets/queries/openAPI/general/pattern_undefined/metadata.json | 2 +- .../general/properties_missing_required_property/metadata.json | 2 +- .../property_allow_empty_value_improperly_defined/metadata.json | 2 +- .../metadata.json | 2 +- .../general/required_property_default_value/metadata.json | 2 +- .../queries/openAPI/general/response_code_missing/metadata.json | 2 +- .../metadata.json | 2 +- .../response_operations_body_schema_undefined/metadata.json | 2 +- 
.../openAPI/general/responses_object_is_empty/metadata.json | 2 +- .../general/responses_wrong_http_status_code/metadata.json | 2 +- .../metadata.json | 2 +- .../general/schema_discriminator_not_required/metadata.json | 2 +- .../schema_discriminator_property_not_string/metadata.json | 2 +- .../queries/openAPI/general/schema_enum_invalid/metadata.json | 2 +- .../queries/openAPI/general/schema_object_empty/metadata.json | 2 +- .../schema_object_properties_with_duplicated_keys/metadata.json | 2 +- .../general/schema_object_with_circular_ref/metadata.json | 2 +- .../general/schema_required_property_undefined/metadata.json | 2 +- .../queries/openAPI/general/security_empty_array/metadata.json | 2 +- .../general/security_empty_object_definition/metadata.json | 2 +- .../general/security_operations_empty_array/metadata.json | 2 +- .../security_operations_empty_object_definition/metadata.json | 2 +- .../general/string_schema_with_broad_pattern/metadata.json | 2 +- .../metadata.json | 2 +- .../success_response_code_undefined_get_operation/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../success_response_code_undefined_put_operation/metadata.json | 2 +- .../metadata.json | 2 +- .../openAPI/general/type_has_invalid_keyword/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/api_gateway_access_logging_disabled/metadata.json | 2 +- .../aws/api_gateway_without_ssl_certificate/metadata.json | 2 +- assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json | 2 +- .../pulumi/aws/dynamodb_table_not_encrypted/metadata.json | 2 +- .../metadata.json | 2 +- .../pulumi/aws/ec2_instance_monitoring_disabled/metadata.json | 2 +- assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json | 2 +- .../elasticache_nodes_not_created_across_multi_az/metadata.json | 2 +- .../aws/elasticache_redis_cluster_without_backup/metadata.json | 2 +- .../pulumi/aws/elasticsearch_logs_disabled/metadata.json | 2 +- 
.../pulumi/aws/elasticsearch_with_https_disabled/metadata.json | 2 +- .../aws/iam_password_without_lowercase_letter/metadata.json | 2 +- .../aws/iam_password_without_minimum_length/metadata.json | 2 +- .../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +- .../azure/redis_cache_allows_non_ssl_connections/metadata.json | 2 +- .../azure/storage_account_not_forcing_https/metadata.json | 2 +- .../gcp/cloud_storage_bucket_logging_not_enabled/metadata.json | 2 +- .../google_compute_ssl_policy_weak_cipher_in_use/metadata.json | 2 +- .../pulumi/kubernetes/missing_app_armor_config/metadata.json | 2 +- .../pulumi/kubernetes/psp_set_to_privileged/metadata.json | 2 +- .../metadata.json | 2 +- .../serverless_api_endpoint_config_not_private/metadata.json | 2 +- .../serverless_api_without_content_encoding/metadata.json | 2 +- .../serverless_api_xray_tracing_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../serverless_function_without_dead_letter_queue/metadata.json | 2 +- .../serverlessFW/serverless_function_without_tags/metadata.json | 2 +- .../serverless_function_without_unique_iam_role/metadata.json | 2 +- .../serverless_function_without_x-ray_tracing/metadata.json | 2 +- .../serverless_role_with_full_privileges/metadata.json | 2 +- .../action_trail_logging_all_regions_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/alicloud/alb_listening_on_http/metadata.json | 2 +- .../alicloud/api_gateway_api_protocol_not_https/metadata.json | 2 +- assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json | 2 +- .../cs_kubernetes_node_pool_auto_repair_disabled/metadata.json | 2 +- .../terraform/alicloud/disk_encryption_disabled/metadata.json | 2 +- .../alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json | 2 +- .../alicloud/high_kms_key_rotation_period/metadata.json | 2 +- .../metadata.json | 2 +- .../alicloud/launch_template_is_not_encrypted/metadata.json | 2 +- .../log_retention_is_not_greater_than_90_days/metadata.json | 2 +- 
.../alicloud/nas_file_system_not_encrypted/metadata.json | 2 +- .../alicloud/nas_file_system_without_kms/metadata.json | 2 +- .../terraform/alicloud/no_ros_stack_policy/metadata.json | 2 +- .../metadata.json | 2 +- .../oss_bucket_allows_delete_from_all_principals/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../alicloud/oss_bucket_cmk_encryption_disabled/metadata.json | 2 +- .../alicloud/oss_bucket_has_static_website/metadata.json | 2 +- .../alicloud/oss_bucket_ip_restriction_disabled/metadata.json | 2 +- .../alicloud/oss_bucket_lifecycle_disabled/metadata.json | 2 +- .../alicloud/oss_bucket_logging_disabled/metadata.json | 2 +- .../alicloud/oss_bucket_public_access_enabled/metadata.json | 2 +- .../oss_bucket_transfer_acceleration_disabled/metadata.json | 2 +- .../alicloud/oss_bucket_versioning_disabled/metadata.json | 2 +- .../alicloud/oss_buckets_securetransport_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../public_security_group_rule_sensitive_port/metadata.json | 2 +- .../public_security_group_rule_unknown_port/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../alicloud/ram_policy_attached_to_user/metadata.json | 2 +- .../ram_security_preference_not_enforce_mfa/metadata.json | 2 +- .../rds_instance_address_publicly_accessible/metadata.json | 2 +- .../alicloud/rds_instance_events_not_logged/metadata.json | 2 +- .../rds_instance_log_connections_disabled/metadata.json | 2 +- .../rds_instance_log_disconnections_disabled/metadata.json | 2 +- .../alicloud/rds_instance_log_duration_disabled/metadata.json | 2 +- .../alicloud/rds_instance_publicly_accessible/metadata.json | 2 +- .../rds_instance_retention_not_recommended/metadata.json | 2 +- .../alicloud/rds_instance_ssl_action_disabled/metadata.json | 2 +- 
.../alicloud/rds_instance_tde_status_disabled/metadata.json | 2 +- .../alicloud/ros_stack_notifications_disabled/metadata.json | 2 +- .../alicloud/ros_stack_retention_disabled/metadata.json | 2 +- .../terraform/alicloud/ros_stack_without_template/metadata.json | 2 +- .../slb_policy_with_insecure_tls_version_in_use/metadata.json | 2 +- .../terraform/alicloud/vpc_flow_logs_disabled/metadata.json | 2 +- .../aws/alb_deletion_protection_disabled/metadata.json | 2 +- .../terraform/aws/alb_is_not_integrated_with_waf/metadata.json | 2 +- .../queries/terraform/aws/alb_listening_on_http/metadata.json | 2 +- .../aws/alb_not_dropping_invalid_headers/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/amazon_mq_broker_encryption_disabled/metadata.json | 2 +- assets/queries/terraform/aws/ami_not_encrypted/metadata.json | 2 +- .../aws/ami_shared_with_multiple_accounts/metadata.json | 2 +- .../aws/api_gateway_access_logging_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../api_gateway_endpoint_config_is_not_private/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../api_gateway_with_cloudwatch_logging_disabled/metadata.json | 2 +- .../aws/api_gateway_with_invalid_compression/metadata.json | 2 +- .../terraform/aws/api_gateway_with_open_access/metadata.json | 2 +- .../aws/api_gateway_without_configured_authorizer/metadata.json | 2 +- .../aws/api_gateway_without_security_policy/metadata.json | 2 +- .../aws/api_gateway_without_ssl_certificate/metadata.json | 2 +- .../queries/terraform/aws/api_gateway_without_waf/metadata.json | 2 +- .../terraform/aws/api_gateway_xray_disabled/metadata.json | 2 +- .../terraform/aws/athena_database_not_encrypted/metadata.json | 2 +- .../terraform/aws/athena_workgroup_not_encrypted/metadata.json | 2 +- .../aws/aurora_with_disabled_at_rest_encryption/metadata.json | 2 +- .../terraform/aws/authentication_without_mfa/metadata.json | 2 +- 
.../aws/auto_scaling_group_with_no_associated_elb/metadata.json | 2 +- .../aws/automatic_minor_upgrades_disabled/metadata.json | 2 +- .../terraform/aws/autoscaling_groups_supply_tags/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ca_certificate_identifier_is_outdated/metadata.json | 2 +- .../terraform/aws/cdn_configuration_is_missing/metadata.json | 2 +- .../queries/terraform/aws/certificate_has_expired/metadata.json | 2 +- .../aws/certificate_rsa_key_bytes_lower_than_256/metadata.json | 2 +- .../terraform/aws/cloudfront_logging_disabled/metadata.json | 2 +- .../cloudfront_viewer_protocol_policy_allows_http/metadata.json | 2 +- .../cloudfront_without_minimum_protocol_tls_1.2/metadata.json | 2 +- .../queries/terraform/aws/cloudfront_without_waf/metadata.json | 2 +- .../aws/cloudtrail_log_file_validation_disabled/metadata.json | 2 +- .../cloudtrail_log_files_not_encrypted_with_kms/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/cloudtrail_logging_disabled/metadata.json | 2 +- .../aws/cloudtrail_multi_region_disabled/metadata.json | 2 +- .../aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json | 2 +- .../aws/cloudtrail_sns_topic_name_undefined/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../cloudwatch_iam_policy_changes_alarm_missing/metadata.json | 2 +- .../aws/cloudwatch_log_group_not_encrypted/metadata.json | 2 +- .../terraform/aws/cloudwatch_logging_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/cloudwatch_metrics_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/cloudwatch_root_account_use_alarm_missing/metadata.json | 2 +- .../cloudwatch_route_table_changes_alarm_missing/metadata.json | 2 +- 
.../aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/cloudwatch_vpc_changes_alarm_missing/metadata.json | 2 +- .../cloudwatch_without_retention_period_specified/metadata.json | 2 +- assets/queries/terraform/aws/cmk_is_unusable/metadata.json | 2 +- .../queries/terraform/aws/cmk_rotation_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/cognito_userpool_without_mfa/metadata.json | 2 +- .../metadata.json | 2 +- .../config_rule_for_encrypted_volumes_is_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/dax_cluster_not_encrypted/metadata.json | 2 +- .../aws/db_instance_storage_not_encrypted/metadata.json | 2 +- .../aws/db_security_group_has_public_interface/metadata.json | 2 +- .../aws/db_security_group_open_to_large_scope/metadata.json | 2 +- .../aws/db_security_group_with_public_scope/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/terraform/aws/default_vpc_exists/metadata.json | 2 +- .../docdb_cluster_encrypted_with_aws_managed_key/metadata.json | 2 +- .../terraform/aws/docdb_cluster_not_encrypted/metadata.json | 2 +- .../terraform/aws/docdb_cluster_without_kms/metadata.json | 2 +- .../queries/terraform/aws/docdb_logging_disabled/metadata.json | 2 +- .../terraform/aws/dynamodb_table_not_encrypted/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/ebs_default_encryption_disabled/metadata.json | 2 +- .../terraform/aws/ebs_volume_encryption_disabled/metadata.json | 2 +- .../aws/ebs_volume_snapshot_not_encrypted/metadata.json | 2 +- .../terraform/aws/ec2_instance_has_public_ip/metadata.json | 2 +- .../aws/ec2_instance_monitoring_disabled/metadata.json | 2 +- .../terraform/aws/ec2_instance_using_api_keys/metadata.json | 2 +- .../aws/ec2_instance_using_default_security_group/metadata.json | 2 +- .../terraform/aws/ec2_instance_using_default_vpc/metadata.json | 2 +- 
.../queries/terraform/aws/ec2_not_ebs_optimized/metadata.json | 2 +- .../terraform/aws/ecr_image_tag_not_immutable/metadata.json | 2 +- .../aws/ecr_repository_is_publicly_accessible/metadata.json | 2 +- .../terraform/aws/ecr_repository_not_encrypted/metadata.json | 2 +- .../terraform/aws/ecr_repository_without_policy/metadata.json | 2 +- .../aws/ecs_cluster_container_insights_disabled/metadata.json | 2 +- .../aws/ecs_service_admin_role_is_present/metadata.json | 2 +- .../aws/ecs_service_without_running_tasks/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ecs_task_definition_volume_not_encrypted/metadata.json | 2 +- .../ecs_task_definition_with_plaintext_password/metadata.json | 2 +- assets/queries/terraform/aws/efs_not_encrypted/metadata.json | 2 +- .../terraform/aws/efs_with_vulnerable_policy/metadata.json | 2 +- assets/queries/terraform/aws/efs_without_kms/metadata.json | 2 +- .../terraform/aws/eks_cluster_encryption_disabled/metadata.json | 2 +- .../terraform/aws/eks_cluster_has_public_access/metadata.json | 2 +- .../aws/eks_cluster_has_public_access_cidrs/metadata.json | 2 +- .../terraform/aws/eks_cluster_log_disabled/metadata.json | 2 +- .../aws/eks_node_group_remote_access_disabled/metadata.json | 2 +- .../elasticache_nodes_not_created_across_multi_az/metadata.json | 2 +- .../aws/elasticache_redis_cluster_without_backup/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/elasticache_using_default_port/metadata.json | 2 +- .../queries/terraform/aws/elasticache_without_vpc/metadata.json | 2 +- .../metadata.json | 2 +- .../elasticsearch_domain_with_vulnerable_policy/metadata.json | 2 +- .../elasticsearch_encryption_with_kms_is_disabled/metadata.json | 2 +- .../terraform/aws/elasticsearch_logs_disabled/metadata.json | 2 +- .../aws/elasticsearch_not_encrypted_at_rest/metadata.json | 2 +- .../aws/elasticsearch_with_https_disabled/metadata.json | 2 +- .../aws/elasticsearch_without_iam_authentication/metadata.json | 2 +- 
.../terraform/aws/elasticsearch_without_slow_logs/metadata.json | 2 +- .../terraform/aws/elb_access_logging_disabled/metadata.json | 2 +- .../terraform/aws/elb_using_insecure_protocols/metadata.json | 2 +- .../queries/terraform/aws/elb_using_weak_ciphers/metadata.json | 2 +- assets/queries/terraform/aws/emr_without_vpc/metadata.json | 2 +- .../aws/global_accelerator_flow_logs_disabled/metadata.json | 2 +- .../aws/glue_data_catalog_encryption_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/glue_with_vulnerable_policy/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/guardduty_detector_disabled/metadata.json | 2 +- .../terraform/aws/hardcoded_aws_access_key/metadata.json | 2 +- .../aws/hardcoded_aws_access_key_in_lambda/metadata.json | 2 +- assets/queries/terraform/aws/http_port_open/metadata.json | 2 +- .../terraform/aws/iam_access_analyzer_not_enabled/metadata.json | 2 +- .../terraform/aws/iam_access_key_is_exposed/metadata.json | 2 +- .../terraform/aws/iam_database_auth_not_enabled/metadata.json | 2 +- .../queries/terraform/aws/iam_group_without_users/metadata.json | 2 +- .../aws/iam_password_without_lowercase_letter/metadata.json | 2 +- .../aws/iam_password_without_minimum_length/metadata.json | 2 +- .../terraform/aws/iam_password_without_symbol/metadata.json | 2 +- .../aws/iam_password_without_uppercase_letter/metadata.json | 2 +- .../terraform/aws/iam_policies_attached_to_user/metadata.json | 2 +- .../aws/iam_policies_with_full_privileges/metadata.json | 2 +- .../metadata.json | 2 
+- .../aws/iam_policy_grants_full_permissions/metadata.json | 2 +- .../aws/iam_role_allows_all_principals_to_assume/metadata.json | 2 +- .../aws/iam_role_policy_passrole_allows_all/metadata.json | 2 +- .../terraform/aws/iam_role_with_full_privileges/metadata.json | 2 +- .../terraform/aws/iam_user_policy_without_mfa/metadata.json | 2 +- .../terraform/aws/iam_user_too_many_access_keys/metadata.json | 2 +- .../terraform/aws/iam_user_with_access_to_console/metadata.json | 2 +- assets/queries/terraform/aws/instance_with_no_vpc/metadata.json | 2 +- .../terraform/aws/kinesis_not_encrypted_with_kms/metadata.json | 2 +- .../terraform/aws/kinesis_sse_not_configured/metadata.json | 2 +- .../terraform/aws/kms_key_with_full_permissions/metadata.json | 2 +- .../terraform/aws/kms_key_with_no_deletion_window/metadata.json | 2 +- .../aws/lambda_function_with_privileged_role/metadata.json | 2 +- .../aws/lambda_functions_without_x-ray_tracing/metadata.json | 2 +- .../aws/lambda_iam_invokefunction_misconfigured/metadata.json | 2 +- .../terraform/aws/lambda_permission_misconfigured/metadata.json | 2 +- .../aws/lambda_permission_principal_is_wildcard/metadata.json | 2 +- .../terraform/aws/lambda_with_vulnerable_policy/metadata.json | 2 +- .../aws/launch_configuration_is_not_encrypted/metadata.json | 2 +- .../aws/misconfigured_password_policy_expiration/metadata.json | 2 +- .../terraform/aws/missing_cluster_log_types/metadata.json | 2 +- .../aws/mq_broker_is_publicly_accessible/metadata.json | 2 +- .../terraform/aws/mq_broker_logging_disabled/metadata.json | 2 +- .../aws/msk_broker_is_publicly_accessible/metadata.json | 2 +- .../terraform/aws/msk_cluster_encryption_disabled/metadata.json | 2 +- .../terraform/aws/msk_cluster_logging_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../neptune_database_cluster_encryption_disabled/metadata.json | 2 +- .../terraform/aws/neptune_logging_disabled/metadata.json | 2 +- 
.../network_acl_with_unrestricted_access_to_rdp/metadata.json | 2 +- .../network_acl_with_unrestricted_access_to_ssh/metadata.json | 2 +- .../terraform/aws/no_password_policy_enabled/metadata.json | 2 +- assets/queries/terraform/aws/no_stack_policy/metadata.json | 2 +- .../aws/password_without_reuse_prevention/metadata.json | 2 +- .../terraform/aws/policy_without_principal/metadata.json | 2 +- .../aws/public_and_private_ec2_share_role/metadata.json | 2 +- .../terraform/aws/public_lambda_via_api_gateway/metadata.json | 2 +- .../aws/rds_associated_with_public_subnet/metadata.json | 2 +- .../aws/rds_cluster_with_backup_disabled/metadata.json | 2 +- .../aws/rds_database_cluster_not_encrypted/metadata.json | 2 +- .../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +- .../terraform/aws/rds_storage_not_encrypted/metadata.json | 2 +- .../queries/terraform/aws/rds_using_default_port/metadata.json | 2 +- .../terraform/aws/rds_with_backup_disabled/metadata.json | 2 +- assets/queries/terraform/aws/rds_without_logging/metadata.json | 2 +- assets/queries/terraform/aws/redis_disabled/metadata.json | 2 +- assets/queries/terraform/aws/redis_not_compliant/metadata.json | 2 +- .../aws/redshift_cluster_logging_disabled/metadata.json | 2 +- .../terraform/aws/redshift_cluster_without_vpc/metadata.json | 2 +- .../queries/terraform/aws/redshift_not_encrypted/metadata.json | 2 +- .../terraform/aws/redshift_publicly_accessible/metadata.json | 2 +- .../terraform/aws/redshift_using_default_port/metadata.json | 2 +- .../aws/remote_desktop_port_open_to_internet/metadata.json | 2 +- .../queries/terraform/aws/resource_not_using_tags/metadata.json | 2 +- .../terraform/aws/rest_api_with_vulnerable_policy/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json 
| 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/root_account_has_active_access_keys/metadata.json | 2 +- .../terraform/aws/route53_record_undefined/metadata.json | 2 +- .../aws/s3_bucket_access_to_any_principal/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/s3_bucket_acl_grants_write_acp_permission/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/s3_bucket_allows_public_acl/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/s3_bucket_logging_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/s3_bucket_object_not_encrypted/metadata.json | 2 +- .../aws/s3_bucket_policy_accepts_http_requests/metadata.json | 2 +- .../metadata.json | 2 +- .../queries/terraform/aws/s3_bucket_sse_disabled/metadata.json | 2 +- .../terraform/aws/s3_bucket_with_all_permissions/metadata.json | 2 +- .../terraform/aws/s3_bucket_with_public_policy/metadata.json | 2 +- .../aws/s3_bucket_with_unsecured_cors_rule/metadata.json | 2 +- .../aws/s3_bucket_without_enabled_mfa_delete/metadata.json | 2 +- .../aws/s3_bucket_without_ignore_public_acl/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/s3_bucket_without_versioning/metadata.json | 2 +- .../terraform/aws/s3_static_website_host_enabled/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/sagemaker_notebook_instance_without_kms/metadata.json | 2 +- .../aws/secrets_manager_with_vulnerable_policy/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/secretsmanager_secret_without_kms/metadata.json | 2 +- .../queries/terraform/aws/secure_ciphers_disabled/metadata.json | 2 +- .../aws/security_group_rules_without_description/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/security_group_without_description/metadata.json | 2 +- 
.../terraform/aws/security_groups_not_used/metadata.json | 2 +- .../sensitive_port_is_exposed_to_entire_network/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../aws/service_control_policies_disabled/metadata.json | 2 +- .../aws/ses_policy_with_allowed_iam_actions/metadata.json | 2 +- .../terraform/aws/shield_advanced_not_in_use/metadata.json | 2 +- .../aws/sns_topic_encrypted_with_aws_managed_key/metadata.json | 2 +- .../aws/sns_topic_is_publicly_accessible/metadata.json | 2 +- .../queries/terraform/aws/sns_topic_not_encrypted/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/sqs_policy_allows_all_actions/metadata.json | 2 +- .../terraform/aws/sqs_policy_with_public_access/metadata.json | 2 +- assets/queries/terraform/aws/sqs_queue_exposed/metadata.json | 2 +- .../aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json | 2 +- .../queries/terraform/aws/sqs_with_sse_disabled/metadata.json | 2 +- .../aws/ssm_session_transit_encryption_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/sso_policy_with_full_priveleges copy/metadata.json | 2 +- .../terraform/aws/sso_policy_with_full_priveleges/metadata.json | 2 +- .../terraform/aws/stack_notifications_disabled/metadata.json | 2 +- .../terraform/aws/stack_retention_disabled/metadata.json | 2 +- .../queries/terraform/aws/stack_without_template/metadata.json | 2 +- .../aws/unknown_port_exposed_to_internet/metadata.json | 2 +- .../aws/unrestricted_security_group_ingress/metadata.json | 2 +- assets/queries/terraform/aws/unscanned_ecr_image/metadata.json | 2 +- .../aws/user_data_contains_encoded_private_key/metadata.json | 2 +- .../aws/user_data_shell_script_is_encoded/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- 
.../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../queries/terraform/aws/vpc_flowlogs_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/vpc_subnet_assigns_public_ip/metadata.json | 2 +- .../terraform/aws/vpc_without_network_firewall/metadata.json | 2 +- .../aws/vulnerable_default_ssl_certificate/metadata.json | 2 +- .../aws/workspaces_workspace_volume_not_encrypted/metadata.json | 2 +- assets/queries/terraform/aws_bom/dynamo/metadata.json | 2 +- assets/queries/terraform/aws_bom/ebs/metadata.json | 2 +- assets/queries/terraform/aws_bom/efs/metadata.json | 2 +- assets/queries/terraform/aws_bom/elasticache/metadata.json | 2 +- assets/queries/terraform/aws_bom/kinesis/metadata.json | 2 +- assets/queries/terraform/aws_bom/mq/metadata.json | 2 +- assets/queries/terraform/aws_bom/msk/metadata.json | 2 +- assets/queries/terraform/aws_bom/rds/metadata.json | 2 +- assets/queries/terraform/aws_bom/s3_bucket/metadata.json | 2 +- assets/queries/terraform/aws_bom/sns/metadata.json | 2 +- assets/queries/terraform/aws_bom/sqs/metadata.json | 2 +- .../azure/ad_admin_not_configured_for_sql_server/metadata.json | 2 +- .../admin_user_enabled_for_container_registry/metadata.json | 2 +- .../azure/aks_disk_encryption_set_id_undefined/metadata.json | 2 +- .../azure/aks_network_policy_misconfigured/metadata.json | 2 +- .../terraform/azure/aks_private_cluster_disabled/metadata.json | 2 +- assets/queries/terraform/azure/aks_rbac_disabled/metadata.json | 2 +- .../azure/aks_uses_azure_policies_addon_disabled/metadata.json | 2 +- .../azure/app_service_authentication_disabled/metadata.json | 2 +- .../azure/app_service_ftps_enforce_disabled/metadata.json | 2 +- .../terraform/azure/app_service_http2_disabled/metadata.json | 2 +- 
.../azure/app_service_managed_identity_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../azure/app_service_without_latest_php_version/metadata.json | 2 +- .../app_service_without_latest_python_version/metadata.json | 2 +- .../azure/azure_active_directory_authentication/metadata.json | 2 +- .../azure_app_service_client_certificate_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../azure/azure_container_registry_with_no_locks/metadata.json | 2 +- .../terraform/azure/azure_front_door_waf_disabled/metadata.json | 2 +- .../azure_instance_using_basic_authentication/metadata.json | 2 +- .../azure/cosmos_db_account_without_tags/metadata.json | 2 +- .../cosmosdb_account_ip_range_filter_not_set/metadata.json | 2 +- .../queries/terraform/azure/dashboard_is_enabled/metadata.json | 2 +- .../metadata.json | 2 +- .../queries/terraform/azure/email_alerts_disabled/metadata.json | 2 +- .../azure/encryption_on_managed_disk_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../azure/function_app_authentication_disabled/metadata.json | 2 +- .../function_app_client_certificates_unrequired/metadata.json | 2 +- .../azure/function_app_ftps_enforce_disabled/metadata.json | 2 +- .../terraform/azure/function_app_http2_disabled/metadata.json | 2 +- .../azure/function_app_managed_identity_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/azure/geo_redundancy_is_disabled/metadata.json | 2 +- .../terraform/azure/key_expiration_not_set/metadata.json | 2 +- .../key_vault_secrets_content_type_undefined/metadata.json | 2 +- .../terraform/azure/log_retention_is_not_set/metadata.json | 2 +- .../azure/mariadb_public_network_access_enabled/metadata.json | 2 +- .../mariadb_server_georedundant_backup_disabled/metadata.json | 2 +- .../azure/mssql_server_auditing_disabled/metadata.json | 2 +- .../mssql_server_public_network_access_enabled/metadata.json | 2 +- .../azure/mysql_server_public_access_enabled/metadata.json | 2 +- 
.../terraform/azure/mysql_ssl_connection_disabled/metadata.json | 2 +- .../azure/network_interfaces_dont_use_public_ip/metadata.json | 2 +- .../network_interfaces_ip_forwarding_enabled/metadata.json | 2 +- .../terraform/azure/network_watcher_flow_disabled/metadata.json | 2 +- .../azure/postgre_sql_log_checkpoints_disabled/metadata.json | 2 +- .../azure/postgre_sql_log_connections_not_set/metadata.json | 2 +- .../azure/postgre_sql_log_duration_not_set/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../azure/postgresql_log_disconnections_not_set/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/azure/public_storage_account/metadata.json | 2 +- .../azure/rdp_is_exposed_to_the_internet/metadata.json | 2 +- .../azure/redis_cache_allows_non_ssl_connections/metadata.json | 2 +- .../terraform/azure/redis_entirely_accessible/metadata.json | 2 +- .../terraform/azure/redis_not_updated_regularly/metadata.json | 2 +- .../terraform/azure/redis_publicly_accessible/metadata.json | 2 +- .../metadata.json | 2 +- .../azure/role_assignment_of_guest_users/metadata.json | 2 +- .../role_definition_allows_custom_role_creation/metadata.json | 2 +- .../terraform/azure/secret_expiration_not_set/metadata.json | 2 +- .../security_center_pricing_tier_is_not_standard/metadata.json | 2 +- .../terraform/azure/security_contact_email/metadata.json | 2 +- .../azure/security_group_is_not_configured/metadata.json | 2 +- .../sensitive_port_is_exposed_to_entire_network/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../azure/small_activity_log_retention_period/metadata.json | 2 +- .../azure/small_flow_logs_retention_period/metadata.json | 2 +- .../azure/small_msql_server_audit_retention/metadata.json | 2 +- .../azure/small_mssql_audit_retention_period/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/azure/sql_database_audit_disabled/metadata.json | 2 +- .../azure/sql_server_alert_email_disabled/metadata.json | 2 +- 
.../terraform/azure/sql_server_auditing_disabled/metadata.json | 2 +- .../azure/sql_server_ingress_from_any_ip/metadata.json | 2 +- .../metadata.json | 2 +- .../sql_server_predictable_admin_account_name/metadata.json | 2 +- .../azure/ssh_is_exposed_to_the_internet/metadata.json | 2 +- .../terraform/azure/ssl_enforce_is_disabled/metadata.json | 2 +- .../azure/storage_account_not_forcing_https/metadata.json | 2 +- .../metadata.json | 2 +- .../storage_container_is_publicly_accessible/metadata.json | 2 +- .../storage_share_file_allows_all_acl_permissions/metadata.json | 2 +- .../storage_table_allows_all_acl_permissions/metadata.json | 2 +- .../azure/trusted_microsoft_services_not_enabled/metadata.json | 2 +- .../azure/unrestricted_sql_server_access/metadata.json | 2 +- .../terraform/azure/vault_auditing_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/azure/vm_not_attached_to_network/metadata.json | 2 +- .../waf_is_disabled_for_azure_application_gateway/metadata.json | 2 +- .../web_app_accepting_traffic_other_than_https/metadata.json | 2 +- .../terraform/databricks/autoscale_badly_setup/metadata.json | 2 +- .../terraform/databricks/cluster_aws_attributes/metadata.json | 2 +- .../terraform/databricks/cluster_azure_attributes/metadata.json | 2 +- .../terraform/databricks/cluster_gcp_attributes/metadata.json | 2 +- .../terraform/databricks/databricks_permissions/metadata.json | 2 +- .../group_without_user_or_instance_profile/metadata.json | 2 +- .../terraform/databricks/indefinitely_obo_token/metadata.json | 2 +- .../terraform/databricks/indefinitely_token/metadata.json | 2 +- .../queries/terraform/databricks/unrestricted_acl/metadata.json | 2 +- .../terraform/databricks/use_lts_spark_version/metadata.json | 2 +- .../terraform/databricks/use_spark_submit_task/metadata.json | 2 +- .../terraform/gcp/bigquery_dataset_is_public/metadata.json | 2 +- .../terraform/gcp/cloud_dns_without_dnssec/metadata.json | 2 +- .../metadata.json | 2 +- 
.../cloud_storage_bucket_is_publicly_accessible/metadata.json | 2 +- .../gcp/cloud_storage_bucket_logging_not_enabled/metadata.json | 2 +- .../gcp/cloud_storage_bucket_versioning_disabled/metadata.json | 2 +- .../queries/terraform/gcp/cluster_labels_disabled/metadata.json | 2 +- .../queries/terraform/gcp/cos_node_image_not_used/metadata.json | 2 +- .../terraform/gcp/disk_encryption_disabled/metadata.json | 2 +- assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json | 2 +- .../gcp/gke_legacy_authorization_enabled/metadata.json | 2 +- .../gcp/gke_using_default_service_account/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../google_compute_ssl_policy_weak_cipher_in_use/metadata.json | 2 +- .../google_compute_subnetwork_logging_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../google_project_auto_create_network_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../google_storage_bucket_level_access_disabled/metadata.json | 2 +- .../high_google_kms_crypto_key_rotation_period/metadata.json | 2 +- .../gcp/iam_audit_not_properly_configured/metadata.json | 2 +- assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json | 2 +- .../queries/terraform/gcp/ip_forwarding_enabled/metadata.json | 2 +- .../gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json | 2 +- .../gcp/kms_crypto_key_publicly_accessible/metadata.json | 2 +- .../gcp/legacy_client_certificate_auth_enabled/metadata.json | 2 +- .../queries/terraform/gcp/network_policy_disabled/metadata.json | 2 +- .../terraform/gcp/node_auto_upgrade_disabled/metadata.json | 2 +- .../terraform/gcp/not_proper_email_account_in_use/metadata.json | 2 +- assets/queries/terraform/gcp/os_login_disabled/metadata.json | 2 +- .../gcp/os_login_is_disabled_for_vm_instance/metadata.json | 2 +- assets/queries/terraform/gcp/outdated_gke_version/metadata.json | 2 +- 
.../terraform/gcp/pod_security_policy_disabled/metadata.json | 2 +- .../terraform/gcp/private_cluster_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/gcp/rdp_access_is_not_restricted/metadata.json | 2 +- .../gcp/service_account_with_improper_privileges/metadata.json | 2 +- .../terraform/gcp/shielded_gke_nodes_disabled/metadata.json | 2 +- assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json | 2 +- .../terraform/gcp/sql_db_instance_backup_disabled/metadata.json | 2 +- .../gcp/sql_db_instance_is_publicly_accessible/metadata.json | 2 +- .../gcp/sql_db_instance_with_ssl_disabled/metadata.json | 2 +- .../terraform/gcp/ssh_access_is_not_restricted/metadata.json | 2 +- .../terraform/gcp/stackdriver_logging_disabled/metadata.json | 2 +- .../terraform/gcp/stackdriver_monitoring_disabled/metadata.json | 2 +- assets/queries/terraform/gcp/user_with_iam_role/metadata.json | 2 +- .../terraform/gcp/using_default_service_account/metadata.json | 2 +- .../vm_serial_ports_are_enabled_for_vm_instances/metadata.json | 2 +- .../terraform/gcp/vm_with_full_cloud_access/metadata.json | 2 +- assets/queries/terraform/gcp_bom/dataflow/metadata.json | 2 +- assets/queries/terraform/gcp_bom/fi/metadata.json | 2 +- assets/queries/terraform/gcp_bom/pd/metadata.json | 2 +- assets/queries/terraform/gcp_bom/pst/metadata.json | 2 +- assets/queries/terraform/gcp_bom/redis/metadata.json | 2 +- assets/queries/terraform/gcp_bom/sb/metadata.json | 2 +- .../general/generic_git_module_without_revision/metadata.json | 2 +- .../terraform/general/name_is_not_snake_case/metadata.json | 2 +- .../terraform/general/output_without_description/metadata.json | 2 +- .../general/variable_without_description/metadata.json | 2 +- .../terraform/general/variable_without_type/metadata.json | 2 +- .../github_organization_webhook_with_ssl_disabled/metadata.json | 2 +- .../github/github_repository_set_to_public/metadata.json | 2 +- .../metadata.json | 2 +- 
.../kubernetes/cluster_allows_unsafe_sysctls/metadata.json | 2 +- .../kubernetes/container_host_pid_is_true/metadata.json | 2 +- .../terraform/kubernetes/container_is_privileged/metadata.json | 2 +- .../container_resources_limits_undefined/metadata.json | 2 +- .../terraform/kubernetes/container_runs_unmasked/metadata.json | 2 +- .../kubernetes/container_with_added_capabilities/metadata.json | 2 +- .../containers_with_sys_admin_capabilities/metadata.json | 2 +- .../terraform/kubernetes/cpu_limits_not_set/metadata.json | 2 +- .../terraform/kubernetes/cpu_requests_not_set/metadata.json | 2 +- .../kubernetes/cronjob_deadline_not_configured/metadata.json | 2 +- .../kubernetes/default_service_account_in_use/metadata.json | 2 +- .../deployment_has_no_pod_anti_affinity/metadata.json | 2 +- .../deployment_without_pod_disruption_budget/metadata.json | 2 +- .../docker_daemon_socket_is_exposed_to_containers/metadata.json | 2 +- .../kubernetes/hpa_targets_invalid_object/metadata.json | 2 +- .../image_pull_policy_of_container_is_not_always/metadata.json | 2 +- .../terraform/kubernetes/image_without_digest/metadata.json | 2 +- .../metadata.json | 2 +- .../ingress_controller_exposes_workload/metadata.json | 2 +- assets/queries/terraform/kubernetes/invalid_image/metadata.json | 2 +- .../kubernetes/liveness_probe_is_not_defined/metadata.json | 2 +- .../kubernetes/memory_limits_not_defined/metadata.json | 2 +- .../kubernetes/memory_requests_not_defined/metadata.json | 2 +- .../kubernetes/metadata_label_is_invalid/metadata.json | 2 +- .../terraform/kubernetes/missing_app_armor_config/metadata.json | 2 +- .../net_raw_capabilities_disabled_for_psp/metadata.json | 2 +- .../net_raw_capabilities_not_being_dropped/metadata.json | 2 +- .../network_policy_is_not_targeting_any_pod/metadata.json | 2 +- .../no_drop_capabilities_for_containers/metadata.json | 2 +- .../non_kube_system_pod_with_host_mount/metadata.json | 2 +- .../metadata.json | 2 +- 
.../kubernetes/permissive_access_to_create_pods/metadata.json | 2 +- .../pod_or_container_without_security_context/metadata.json | 2 +- .../kubernetes/privilege_escalation_allowed/metadata.json | 2 +- .../metadata.json | 2 +- .../kubernetes/psp_allows_privilege_escalation/metadata.json | 2 +- .../kubernetes/psp_allows_sharing_host_ipc/metadata.json | 2 +- .../terraform/kubernetes/psp_set_to_privileged/metadata.json | 2 +- .../kubernetes/psp_with_added_capabilities/metadata.json | 2 +- .../rbac_roles_with_read_secrets_permissions/metadata.json | 2 +- .../kubernetes/readiness_probe_is_not_configured/metadata.json | 2 +- .../role_binding_to_default_service_account/metadata.json | 2 +- .../root_container_not_mounted_as_read_only/metadata.json | 2 +- .../terraform/kubernetes/root_containers_admitted/metadata.json | 2 +- .../kubernetes/secoomp_profile_is_not_configured/metadata.json | 2 +- .../kubernetes/secrets_as_environment_variables/metadata.json | 2 +- .../service_account_allows_access_secrets/metadata.json | 2 +- .../service_account_name_undefined_or_empty/metadata.json | 2 +- .../service_account_token_automount_not_disabled/metadata.json | 2 +- .../terraform/kubernetes/service_type_is_nodeport/metadata.json | 2 +- .../service_with_external_load_balancer/metadata.json | 2 +- .../kubernetes/shared_host_ipc_namespace/metadata.json | 2 +- .../kubernetes/shared_host_network_namespace/metadata.json | 2 +- .../terraform/kubernetes/shared_service_account/metadata.json | 2 +- .../kubernetes/statefulset_requests_storage/metadata.json | 2 +- .../statefulset_without_pod_disruption_budget/metadata.json | 2 +- .../kubernetes/statefulset_without_service_name/metadata.json | 2 +- .../terraform/kubernetes/tiller_is_deployed/metadata.json | 2 +- .../terraform/kubernetes/using_default_namespace/metadata.json | 2 +- .../metadata.json | 2 +- .../kubernetes/workload_host_port_not_specified/metadata.json | 2 +- .../workload_mounting_with_sensitive_os_directory/metadata.json | 2 +- 
.../computing_instance_has_common_private/metadata.json | 2 +- 1695 files changed, 1695 insertions(+), 1695 deletions(-)
diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
index 2fc0e1c20e1..9602168ef41 100644
--- a/.github/scripts/queries-validator/metadata-schema.json
+++ b/.github/scripts/queries-validator/metadata-schema.json
@@ -147,7 +147,7 @@
 "true"
 ]
 },
- "CWE": {
+ "cwe": {
 "type": "string"
 }
 }
diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
index 04c04603422..66cc6c05d46 100644
--- a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
+++ b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "3a7576e5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ami_not_encrypted/metadata.json b/assets/queries/ansible/aws/ami_not_encrypted/metadata.json
index ce8db33b963..97e9e77f15f 100644
--- a/assets/queries/ansible/aws/ami_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/ami_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a4342f08",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json
index 95ed84d76e3..a5d3117a2f2 100644
--- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json
+++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2117f1c7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
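Review bot: The renamed `cwe` property in metadata-schema.json is still constrained only by `"type": "string"`, so the queries-validator accepts any value for it — including the empty string that every metadata.json touched by this commit carries — and a mistyped or non-CWE value would pass validation unnoticed. If the field is meant to hold a CWE identifier, a format constraint on the renamed property, e.g. `"pattern": "^([0-9]+)?$"` (empty still allowed while the field is being populated), would let the schema enforce that. Whether `cwe` appears in the schema's `required` list, and whether any code reading the old `CWE` key was updated, is outside this hunk and cannot be checked from here.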
diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json
index 7930abe4108..5950d5649cb 100644
--- a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "42fabc16",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
index 0d77961cdb3..9a085599da8 100644
--- a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "313709e8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
index 191bc05ae7b..e217f65793f 100644
--- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e7b28671",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json
index d24dc0c4fa8..d0f1eda2374 100644
--- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "82608f36",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json b/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
index 8159297c200..c467430cdb5 100644
--- a/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8e789062",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json
index b6349e7d7ec..d1362fe7d7d 100644
--- a/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "57da10ee",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/authentication_without_mfa/metadata.json b/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
index 8b91424eb1b..2cda64806c9 100644
--- a/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
+++ b/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "36040ce0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json
index da9571d4a38..28697086369 100644
--- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json
+++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "57b5fbca",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json
index 87173d6d32b..31b7cda9222 100644
--- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json
+++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7734a8b1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
index 2e9ba08a9e4..5591dbc5307 100644
--- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
+++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "5a7cf92f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json
index 8f0718c7dce..795569ddaf8 100644
--- a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json
+++ b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "9683e81a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json
index a272f6f095e..2023bc69c90 100644
--- a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json
+++ b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d92aa922",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json
index 7808be108af..0428e93eb0c 100644
--- a/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json
+++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c8ae0f38",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/certificate_has_expired/metadata.json b/assets/queries/ansible/aws/certificate_has_expired/metadata.json
index 8d81ce09ea8..f6021ba6440 100644
--- a/assets/queries/ansible/aws/certificate_has_expired/metadata.json
+++ b/assets/queries/ansible/aws/certificate_has_expired/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "3f6a85e8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
index 32f22021ded..9915e7a2b2c 100644
--- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
+++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "97dc7eba",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
index 9465f68171b..e0916971a6f 100644
--- a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1bfc2dfd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index e1ce0c74c97..c9bf227da50 100644
--- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "b0a58f2f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
index 0266c2a061d..bb80931491a 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7fd7e5c0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
index 8a4624261f4..18dbd623592 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "04302074",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index 5b98c7d61fd..e05e0287d9d 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d3b81fde",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json
index 31267eda8be..d97d4a210b6 100644
--- a/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c29f6786",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json
index 2293e270f47..e501f6f816c 100644
--- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8c4873bf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
index 5d97b3c13bd..a5ad5b81ae9 100644
--- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "fbc987a2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index 70fa0a0c1fb..d631e0a95c7 100644
--- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "de97fa1a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json
index 93db0d3a5b5..5056bd3c6b5 100644
--- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json
+++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c48a227e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cmk_is_unusable/metadata.json b/assets/queries/ansible/aws/cmk_is_unusable/metadata.json
index 1c0a9e3d653..ce30c2f0d41 100644
--- a/assets/queries/ansible/aws/cmk_is_unusable/metadata.json
+++ b/assets/queries/ansible/aws/cmk_is_unusable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "cb70e349",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json b/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json
index ee818a007a5..e8c74676044 100644
--- a/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "177ee908",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json b/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json
index 06fdabf30bf..4136eab8f01 100644
--- a/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/codebuild_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7d51416a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
index 82225ef2680..d9f758ae3cc 100644
--- a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
+++ b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c6e4ac23",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
index c9c621c8d15..0dc41e4b7e4 100644
--- a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
+++ b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "5b434d3f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
index c39bbdb5aef..919ce0f8350 100644
--- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
+++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "54f0a7dd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
index 73f3d7c0e6b..855ea277a6e 100644
--- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "575cc1f4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json
index ee75cc5283a..2f439c26715 100644
--- a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json
+++ b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c7f9cb9f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
index 966cddc1b3f..e5cb8be21db 100644
--- a/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "47a14ee4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index 4add33f0861..bb5ff639a46 100644
--- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "6fd8f0e1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
index 5565b529c51..92262704e2c 100644
--- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
+++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "06f72385",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json
index a214121b40d..88871ec45df 100644
--- a/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json
+++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "506f9dd8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json
index aa0e8d03b85..16613db2dc9 100644
--- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json
+++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f32c5d88",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json
index e1d9192484e..8378b006dd1 100644
--- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json
+++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "cc323109",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json
index 3f7a634754a..f745c797b14 100644
--- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json
+++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "701b1c92",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
index 7aa7cb9f423..92c07b2a7ff 100644
--- a/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a99c1fe0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json
index 054533550fd..470a590c346 100644
--- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a9bdce24",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json
index 5c41010283c..c7a6e1e1de1 100644
--- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "060d624f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
index 6a2a921f470..07bfa4c88f4 100644
--- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "32e74c18",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json b/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json
index 532a1ff75af..575384a21fe 100644
--- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json
+++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "dce30fcb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index 97cf3add06e..f1bbf9ec8d5 100644
--- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "5424397d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
index 28b578d5bbf..26af58a8af0 100644
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a6c6fa9c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/efs_not_encrypted/metadata.json b/assets/queries/ansible/aws/efs_not_encrypted/metadata.json
index 281f937a7dc..56489bc33ac 100644
--- a/assets/queries/ansible/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/efs_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f4c8801c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/efs_without_kms/metadata.json b/assets/queries/ansible/aws/efs_without_kms/metadata.json
index 83e5c88e5d4..f9cd0ad299d 100644
--- a/assets/queries/ansible/aws/efs_without_kms/metadata.json
+++ b/assets/queries/ansible/aws/efs_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a01870d5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/efs_without_tags/metadata.json b/assets/queries/ansible/aws/efs_without_tags/metadata.json
index c1a3861fd8b..d8e93a48a5e 100644
--- a/assets/queries/ansible/aws/efs_without_tags/metadata.json
+++ b/assets/queries/ansible/aws/efs_without_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1e03284b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json b/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json
index b9b0ca55dbd..ea906b61468 100644
--- a/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json
+++ b/assets/queries/ansible/aws/elasticache_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "be73fca3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json b/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json
index ff81ab00dc2..3d4fbea685c 100644
--- a/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json
+++ b/assets/queries/ansible/aws/elasticache_without_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c9bde487",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json
index 62f9476038b..d841d09799a 100644
--- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "4beff10d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json
index a45c9be3a87..7272f16f988 100644
--- a/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json
+++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8a2e6f3b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json
index f7206cc6949..3cf1ead6518 100644
--- a/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ab5b4a0b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
index a3603dbf03a..22bee4886ec 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d764256e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 5b1a4b453fb..bfc8ffd84c4 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "fc78f6de",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json b/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
index 7938556d1b8..5b39d43a02e 100644
--- a/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
+++ b/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8c6031b8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json
index 8d5b468b64b..508dd1dcc3c 100644
--- a/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json
+++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d8bc01a5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
index c59a1008205..883a1caf855 100644
--- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
+++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "952e08fc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_group_without_users/metadata.json b/assets/queries/ansible/aws/iam_group_without_users/metadata.json
index dee97f10907..b821286d0a9 100644
--- a/assets/queries/ansible/aws/iam_group_without_users/metadata.json
+++ b/assets/queries/ansible/aws/iam_group_without_users/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "082a1e01",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json
index 099aca96993..c3904d185f9 100644
--- a/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e229f4bd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json
index 9accc5f09b0..effca8f4286 100644
--- a/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "b1066765",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_number/metadata.json b/assets/queries/ansible/aws/iam_password_without_number/metadata.json
index 05fcb056c29..5281977f8dc 100644
--- a/assets/queries/ansible/aws/iam_password_without_number/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_number/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c4ca592e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json
index 1ee291acaa7..1a77826a9eb 100644
--- a/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ab3484ee",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json b/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json
index 3643c0e3084..dc1ea700469 100644
--- a/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json
+++ b/assets/queries/ansible/aws/iam_policies_attached_to_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "cd4d500d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
index 76d4ed29fe7..5f2f982ba09 100644
--- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "3827a620",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
index dcd869ea030..ec217f0740f 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "860cc010",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
index da42f182a6a..b0230e9f4fd 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "97b2a82d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
index 876bce1f327..92056e0c1f3 100644
--- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "58219ae0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json b/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
index f42586972d6..334568e2dc1 100644
--- a/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "27754eca",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
index 21f5f887bd9..35067dd1c8a 100644
--- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "017319a7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json
index 227c07f4474..6431bdf99fc 100644
--- a/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json
+++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a1f47164",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json b/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json
index 9ddf14a5e4d..b0e33ccb096 100644
--- a/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json
+++ b/assets/queries/ansible/aws/lambda_function_without_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "45d5ac61",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json
index 244c34ebbc3..3c90f90519f 100644
--- a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json
+++ b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bff4deb9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json
index 3c4036e9905..5827d288d9d 100644
--- a/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json
+++ b/assets/queries/ansible/aws/lambda_permission_misconfigured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "9f8d2402",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json
index 239a199bff6..80a5cc0a71b 100644
--- a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json
+++ b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1740275a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json
index 6eb1a1018e4..aec4309a390 100644
--- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "57b9aee0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/memcached_disabled/metadata.json b/assets/queries/ansible/aws/memcached_disabled/metadata.json
index 6cf9906ad3b..356cde74aff 100644
--- a/assets/queries/ansible/aws/memcached_disabled/metadata.json
+++ b/assets/queries/ansible/aws/memcached_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1ff6d082",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json
index e980a0b1ccc..353120b258b 100644
--- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json
+++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "80db60d5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/no_stack_policy/metadata.json b/assets/queries/ansible/aws/no_stack_policy/metadata.json
index 37da0686920..fc5d2bc4abf 100644
--- a/assets/queries/ansible/aws/no_stack_policy/metadata.json
+++ b/assets/queries/ansible/aws/no_stack_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "327969ac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json b/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json
index 839754e2cae..2af446381c0 100644
--- a/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json
+++ b/assets/queries/ansible/aws/password_without_reuse_prevention/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ad12d750",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json b/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json
index 869ca8e3ddd..8a1b72e47f2 100644
--- a/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json
+++ b/assets/queries/ansible/aws/public_lambda_via_api_gateway/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "50e0d3f5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/public_port_wide/metadata.json b/assets/queries/ansible/aws/public_port_wide/metadata.json
index fdda341840c..1bad007faa4 100644
--- a/assets/queries/ansible/aws/public_port_wide/metadata.json
+++ b/assets/queries/ansible/aws/public_port_wide/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "be17d13e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json b/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json
index 06540616b59..504b06f34c8 100644
--- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json
+++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "89ed6e35",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json
index 578ed0e38d0..a460e7d806f 100644
--- a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e1b53fb6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_using_default_port/metadata.json b/assets/queries/ansible/aws/rds_using_default_port/metadata.json
index de18ae7f57c..853bfb2972b 100644
--- a/assets/queries/ansible/aws/rds_using_default_port/metadata.json
+++ b/assets/queries/ansible/aws/rds_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "4e928197",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json b/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
index d9d5ad35382..1e062da68fd 100644
--- a/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "51f94eee",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redis_not_compliant/metadata.json b/assets/queries/ansible/aws/redis_not_compliant/metadata.json
index 1052045bb0c..e83c2f25363 100644
--- a/assets/queries/ansible/aws/redis_not_compliant/metadata.json
+++ b/assets/queries/ansible/aws/redis_not_compliant/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "99b5ec71",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json b/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json
index 9eb8ac199ac..848efcadc4b 100644
--- a/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/redshift_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "85cddbf3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json b/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json
index 7a64185182d..7f6f1a30654 100644
--- a/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/redshift_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ffdc02cc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/redshift_using_default_port/metadata.json b/assets/queries/ansible/aws/redshift_using_default_port/metadata.json
index d75a1940a9f..440f27f3fc7 100644
--- a/assets/queries/ansible/aws/redshift_using_default_port/metadata.json
+++ b/assets/queries/ansible/aws/redshift_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "64fe28a7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json b/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json
index 17c3abd3c52..83d178a3aac 100644
--- a/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json
+++ b/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d644276b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json
index 3c6e01d9e39..a82f34d8db1 100644
--- a/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/ansible/aws/root_account_has_active_access_keys/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "6cd5514d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/route53_record_undefined/metadata.json b/assets/queries/ansible/aws/route53_record_undefined/metadata.json
index bb8028908b5..a652753d467 100644
--- a/assets/queries/ansible/aws/route53_record_undefined/metadata.json
+++ b/assets/queries/ansible/aws/route53_record_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2b699de7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json
index 27470bf9d48..c5f59950b1b 100644
--- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "25111d64",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
index 17917eeb9e9..4f9ac43d75a 100644
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "446af0d8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
index 2beb1d4810a..9022273d650 100644
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e9e4ca47",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
index e0d88185d36..d38959ef6c9 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7c11444e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
index 0c3df13b994..9e61fce512a 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "de0687eb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
index deb510beb0e..06db019a4ce 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8232deb2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
index e759279f971..79ca2d397df 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "772b17ca",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
index 97a73f29537..c4fa0b10fa7 100644
--- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2b508aee",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
index cbf30976661..b8a387ae985 100644
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "4008dca4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json
index 6b9db38a1b9..51802175fd3 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "21fc95f2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json b/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json
index bf7c9f06c8f..62adbcec4e5 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_public_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d7a19b7e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
index ea54843ea4a..5901c7d397b 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c700f52b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json
index 86b40a6915c..2569a431999 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c0dc5aae",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
index 969279773fe..79f6f62dece 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "622e4c8e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json b/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json
index 1c273f691a1..7e688f90ca0 100644
--- a/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json
+++ b/assets/queries/ansible/aws/secure_ciphers_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bc106b2e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json
index acacdef9202..54c36f4fc1a 100644
--- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json
+++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7e47368a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
index b739c147b97..20391d2cb03 100644
--- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ea2f2c57",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json
index 7f457c1724a..9e265090544 100644
--- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json
+++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "89d6e6fd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json
index df659f5158c..1248fc5b1ba 100644
--- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "956322cf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
index 8ec93677f60..601dbc464a5 100644
--- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "69176b78",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json
index 634f0ad1095..10cef80b0f6 100644
--- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json
+++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7e78a2e9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
index 8a3fba94616..7cc2b8a93b2 100644
--- a/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "dd40b568",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json b/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json
index 7187f874b69..ff419d2d866 100644
--- a/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json
+++ b/assets/queries/ansible/aws/sqs_queue_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a835b707",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
index b93321fd55e..f97ebe39697 100644
--- a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7825cf30",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json b/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
index 11d59b06f9b..162f0bf8759 100644
--- a/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "59f8905d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/stack_retention_disabled/metadata.json b/assets/queries/ansible/aws/stack_retention_disabled/metadata.json
index 994aa335168..37f09aac8ee 100644
--- a/assets/queries/ansible/aws/stack_retention_disabled/metadata.json
+++ b/assets/queries/ansible/aws/stack_retention_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "78d78b74",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/stack_without_template/metadata.json b/assets/queries/ansible/aws/stack_without_template/metadata.json
index 05f4e69c748..fe3e1507867 100644
--- a/assets/queries/ansible/aws/stack_without_template/metadata.json
+++ b/assets/queries/ansible/aws/stack_without_template/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "de8347bd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json
index 3f2db0ba926..4414a9c84bf 100644
--- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json
+++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f6437a28",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json b/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json
index 0b57439db1d..406ea56fd0b 100644
--- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json
+++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "015995bb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
index 51a19bcae30..07af36aa3a5 100644
--- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "45cb51c3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
index 5339fb15a1f..89c16e4f682 100644
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "062f28ff",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json
index 505ba90d3e8..8f52d585428 100644
--- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "5dd1ca8b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json
index 5ad88736bb4..7060a59a23d 100644
--- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json
+++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "324e63d7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
index a69873143df..a7e750492be 100644
--- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
+++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "afa96f09",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json
index 28fc9656d6c..070da15328b 100644
--- a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json
+++ b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d8ca5381",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json
index 8961dccb439..cd2218fe9ff 100644
--- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json
+++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "6d8d362e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
index e682f7aec7b..43684ebfff9 100644
--- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
+++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "75bbf826",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json b/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json
index 3f1c21141dc..a1af514aa55 100644
--- a/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json
+++ b/assets/queries/ansible/azure/aks_rbac_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "16276251",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
index 10e481bc824..73c1eab9ac1 100644
--- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
+++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7489a85f",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json
index 4b9db106941..5f0f1bc1826 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e2d834b7",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
index 38095f3b07c..536eb713ee3 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7cb8bdbe",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json b/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json
index b80286e9994..fcefc3d33b8 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_without_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8469d3ac",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
index b630030f647..2db5e3d36ff 100644
--- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
+++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ca4df748",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
index 013437babd5..c93a54f7587 100644
--- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
+++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "99f14985",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json
index a262d8e0d6c..4e5955c4f5b 100644
--- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json
+++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ca1a9cde",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json b/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json
index 7d4628f218c..1a122ba5964 100644
--- a/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json
+++ b/assets/queries/ansible/azure/log_retention_is_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bf371036",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json
index 9f8e11376b7..90cb29234de 100644
--- a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json
+++ b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "cb93f630",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json
index d6a6c6ae42c..98347d717bb 100644
--- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json
+++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "9709164b",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json b/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json
index 7b2ee1b03ea..aed419236e6 100644
--- a/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ddcfea46",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json b/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json
index bb8ae3cc16b..e559a01ede8 100644
--- a/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_log_connections_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "774a65e4",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json b/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json
index d30961a7381..53608edb9c4 100644
--- a/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_log_duration_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a30f009d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json b/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json
index 227d096e408..f0d344cd3e2 100644
--- a/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json
+++ b/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "47504c54",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
index f2af790dd22..3783e95303f 100644
--- a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
+++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8d159e5e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/public_storage_account/metadata.json b/assets/queries/ansible/azure/public_storage_account/metadata.json
index 5cd7f51409f..2021afc4d4d 100644
--- a/assets/queries/ansible/azure/public_storage_account/metadata.json
+++ b/assets/queries/ansible/azure/public_storage_account/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "78d2c5b3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 47c23bb874e..b9b7233d14c 100644
--- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "31e56819",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json b/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
index 8cf4357dba3..766dc467bff 100644
--- a/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
+++ b/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "30a0bdeb",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json b/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json
index e381d1abca6..be447df4d7c 100644
--- a/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/azure/redis_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "140392b3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json
index eff59f179c4..c5773078691 100644
--- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json
+++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "6296166a",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json b/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json
index 7b3a30b4955..5b8004228b7 100644
--- a/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json
+++ b/assets/queries/ansible/azure/security_group_is_not_configured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "381f57a0",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
index 9e6378e9b75..2d4568bf03c 100644
--- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "33745204",
 "aggregation": 62,
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json b/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json
index a294d74c868..6f41a16fa32 100644
--- a/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json
+++ b/assets/queries/ansible/azure/small_activity_log_retention_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "5bad8aed",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json
index cd492532550..3467011a7fb 100644
--- a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json
+++ b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ea086cca",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
index ada11caf927..5f2815fe40c 100644
--- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
+++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f9f40edb",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json
index 02dcd788aa2..bd311676aa6 100644
--- a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json
+++ b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8526646e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json
index 15593f863e9..4db9b7ddc80 100644
--- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json
+++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "b4bcb2d1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
index 49d6d7eac4c..9752682c468 100644
--- a/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
+++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bc830876",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
index 9be4c3b8029..7e8f1d9b682 100644
--- a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f050a4f3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
index bcca750472d..e0da60b9d8e 100644
--- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "30144827",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
index 98f9b4fd2d8..f05a282764c 100644
--- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e86db9c1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
index 2893079c4a4..2993d45f579 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "03235d5d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json b/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json
index 1cdb77fc6e0..d8290cd06ce 100644
--- a/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json
+++ b/assets/queries/ansible/azure/vm_not_attached_to_network/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "33a5e5ec",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
index ad2f36d3263..35c557784f9 100644
--- a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
+++ b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "eda7b816",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json
index 1e5799ea60f..770dadb1837 100644
--- a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json
+++ b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c518b2f2",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
index e4e9c5ff0da..93e71c49fc5 100644
--- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "0d491461",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/config/communication_over_http/metadata.json b/assets/queries/ansible/config/communication_over_http/metadata.json
index ede9126d7c0..a1229d1c860 100644
--- a/assets/queries/ansible/config/communication_over_http/metadata.json
+++ b/assets/queries/ansible/config/communication_over_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "8c03b0c0",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json
index 72ae35c670b..0ea09689441 100644
--- a/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json
+++ b/assets/queries/ansible/config/logging_of_sensitive_data/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "0eca35f3",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json
index d2fcaadebc8..4d95927a0f6 100644
--- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json
+++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "00396668",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json b/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json
index 66ab095d2d8..bf8b30adaad 100644
--- a/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json
+++ b/assets/queries/ansible/gcp/bigquery_dataset_is_public/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "72ba0b75",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json b/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json
index 0b25091fe8b..0e375fe1b38 100644
--- a/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/client_certificate_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "53a8ab26",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json
index b0141be5b7b..9edb6564270 100644
--- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1797efc5",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json
index 0efe0763a8c..48e0e45b89a 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "b1a5b8f0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json
index b83d65ff9c4..9b3233fa985 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2a2f1164",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
index 13d06d92868..bda52c48ca7 100644
--- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bdebc5b5",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index 2fa0e9fa8b1..6cad1f9bdd2 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ba5af65f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index e298b862aef..f0dabc23bac 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2d791672",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json b/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json
index 096c44efea3..499f9f5a3de 100644
--- a/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cluster_labels_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "dc1b3288",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json
index 148e6026c62..7d99ade3f2b 100644
--- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "6452ea1e",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json
index da28c93b8f0..c869e0f2eed 100644
--- a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "ef20d5fb",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json b/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
index 64c91fc3b9f..bc0e34eca21 100644
--- a/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1bcc90d0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json b/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json
index 90356fc6095..8cafbca8df1 100644
--- a/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/disk_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1272593c",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json b/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json
index 4cfe5ad56fd..ba445e3b2ee 100644
--- a/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json
+++ b/assets/queries/ansible/gcp/dnssec_using_rsasha1/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "e6a4b99b",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json
index 24dfccf9f77..778001b0176 100644
--- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d49df828",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json
index cf7fc53efa5..b67d5c7a8e7 100644
--- a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f26d0d51",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json
index 27e530c389a..8c0ee67e31b 100644
--- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "67294baa",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json b/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json
index f83201634dc..7bb95c01ddf 100644
--- a/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json
+++ b/assets/queries/ansible/gcp/gke_using_default_service_account/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "d6e87258",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json
index a7541308b5a..d96fd846741 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1c9178bb",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json
index b6833f7b71e..e86bf4dcb8c 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2b7880b0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
index b4651c3c303..c4dda51b2f0 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "da7c0346",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
index ac3b2364049..e2e5d8898e5 100644
--- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bb785f44",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
index b430b13f01c..4511be36ad4 100644
--- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f5dece39",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index c7dab059979..8954b4e8707 100644
--- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "14cf26ed",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
index 6ae19590614..329904f3c72 100644
--- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
+++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "9072f426",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json
index a1b244cdada..872d66678ec 100644
--- a/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a4ad3884",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json b/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json
index ac5b606e0c6..33f97072cc3 100644
--- a/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/ip_forwarding_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bd405766",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json
index e75086f3072..b140ce0a97e 100644
--- a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json
+++ b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "16bc53a4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/network_policy_disabled/metadata.json b/assets/queries/ansible/gcp/network_policy_disabled/metadata.json
index abe87e843f1..6e19085c4fb 100644
--- a/assets/queries/ansible/gcp/network_policy_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/network_policy_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "6fc9b7a0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json
index 2ac8f5ce671..26405804662 100644
--- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "4b200606",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json
index 30946c780c4..5c5fa450922 100644
--- a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json
+++ b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "2cc130e4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json
index b8034fd5f07..c4024f42644 100644
--- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "4cdc64c3",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json
index 4a7185ef20e..ab4375607fd 100644
--- a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "f22853f8",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json
index 104c53d6b85..585ed12d553 100644
--- a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "764f0b06",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json
index 7ed9dfc881d..804f9a6e241 100644
--- a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "339b0278",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json
index 381e040c9f5..8e5ef45ef23 100644
--- a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json
+++ b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "17fbbbd2",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json b/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json
index e4e87dd18d1..802acfe6ab1 100644
--- a/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/private_cluster_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7b4c3b32",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
index bb3ef5d599e..f831c6c7d85 100644
--- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
+++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "bf6076f0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
index b03be095cae..9a62ed31a0f 100644
--- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "23f68cd6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
index 4173a6fee16..8daeedb0a66 100644
--- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
+++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "7f8ab7a4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json b/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json
index ab795639dd6..d68d721aadf 100644
--- a/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/shielded_vm_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "096b3fbe",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json
index 07562d7b451..4ba9c41e748 100644
--- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "006274d4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json
index 053fd323bce..5daa569bb4f 100644
--- a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "c1bb13ce",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index 36dc69a449c..bc64bbe0f4c 100644
--- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "50bb06d6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
index 7b1e0a33164..62e0b655a8f 100644
--- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1b0564ad",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json
index 3b7f824cc03..cab7e715e3c 100644
--- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "aad4eec4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json
index ae30370e236..93b483667a6 100644
--- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "212e4955",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/using_default_service_account/metadata.json b/assets/queries/ansible/gcp/using_default_service_account/metadata.json
index c25e4d103b7..b861c0b163d 100644
--- a/assets/queries/ansible/gcp/using_default_service_account/metadata.json
+++ b/assets/queries/ansible/gcp/using_default_service_account/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a5896260",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json b/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json
index 1ab3e9acf5e..f084b33c83a 100644
--- a/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json
+++ b/assets/queries/ansible/gcp/vm_with_full_cloud_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "5eba6fad",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/general/communication_over_http/metadata.json b/assets/queries/ansible/general/communication_over_http/metadata.json
index f9bcdedd9db..9ed18af297c 100644
--- a/assets/queries/ansible/general/communication_over_http/metadata.json
+++ b/assets/queries/ansible/general/communication_over_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "04892b9b",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json
index d21ec625cbd..e11a5a5b8f7 100644
--- a/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json
+++ b/assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "84ea91c8",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
index 446875e9298..c57657608af 100644
--- a/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
+++ b/assets/queries/ansible/general/logging_of_sensitive_data/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "a700e724",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
index a2daa37b09b..8779ac20f63 100644
--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "11502e38",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/general/risky_file_permissions/metadata.json b/assets/queries/ansible/general/risky_file_permissions/metadata.json
index b6a75036edb..99805f1c4fc 100644
--- a/assets/queries/ansible/general/risky_file_permissions/metadata.json
+++ b/assets/queries/ansible/general/risky_file_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "1f0e1485",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/general/unpinned_package_version/metadata.json b/assets/queries/ansible/general/unpinned_package_version/metadata.json
index b9d7ccad716..0372ba63881 100644
--- a/assets/queries/ansible/general/unpinned_package_version/metadata.json
+++ b/assets/queries/ansible/general/unpinned_package_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "43e877b3",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json
index adec50d6188..b1d97233142 100644
--- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json
+++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Ansible",
 "descriptionID": "657a8b1d",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json
index e2cc48b494f..1fdb448a6c1 100644
--- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json
+++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "f7c29c0d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json
index a9d696be4ab..bb7758861a5 100644
--- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json
+++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "25c0df8e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json
index e002d6b1c25..eefaaf62f87 100644
--- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "b07ac0d6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json
index f011157fe4c..4cc14b5ff0b 100644
--- a/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "c12d3b42",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json
index 254a43784dd..f8628ff49a0 100644
--- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "9b09c3e1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json
index c6e4ffe0a0d..0fb2a51b367 100644
--- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "258efab1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json
index 8484767120d..e8d24713f1c 100644
--- a/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json
+++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "831efa07",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json
index 4718f22df80..29eff2093fd 100644
--- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json
+++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "98ba05ca",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json
index 099bcd6c6f2..434804d37eb 100644
--- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json
+++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "e2fa6cda",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json
index 0705d63fabf..4c4579f6bbc 100644
--- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json
+++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "d855ced8",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json b/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json
index 282a580e1c5..df5f10b41d3 100644
--- a/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json
+++ b/assets/queries/azureResourceManager/email_notifications_set_off/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "7f5b9ef4",
 "aggregation": 2,
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json
index 6f7b978e5ce..c88b8470790 100644
--- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json
+++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "a7bb7cb1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json
index e3bf022a367..0065871ee44 100644
--- a/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json
+++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "8e3ca202",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json
index 633578eee64..678313ef6f5 100644
--- a/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json
+++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "ead4e0f2",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json
index 0215b6204a7..7834d6de221 100644
--- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "69fea5b1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json
index 81ea8bbfdd6..96626feb9bb 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "e09bde32",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
index 994943917ce..643bc906d5e 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "97b6233c",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json
index 521a8e296ca..e1277aa90c2 100644
--- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json
+++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "8b9ef792",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json
index eb1c36c7e5a..3c6b7edcc46 100644
--- a/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "2eb0e3a8",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json
index 756d56acb12..7daf22d4659 100644
--- a/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "be873a2e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json
index 0a27fcc2d1d..77418c6d773 100644
--- a/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "3769181b",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json b/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json
index 28955ff8832..09f7ec1c1e2 100644
--- a/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "67cfaa3b",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json
index e82a5539d35..508d4317b60 100644
--- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json
+++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "7d8860a5",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json b/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json
index fa88135793c..67c6043d182 100644
--- a/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json
+++ b/assets/queries/azureResourceManager/secret_without_expiration_date/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "bb5f96a2",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json
index c9a6beb0890..6a00031c278 100644
--- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json
+++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "3b84ba2d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json
index 56525962d5a..81361ab99ae 100644
--- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json
+++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "6664d4d6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json
index 6fe2cfb962e..0c992a4c26f 100644
--- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "e8a4e321",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json
index 1ebd726a3b2..3b4fd0d06bd 100644
--- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json
+++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "7867ae74",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json
index d182df789c0..9fec0054fd8 100644
--- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json
+++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "16d077a1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json b/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json
index 5fcb1fc6ff4..c004df47d5f 100644
--- a/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json
+++ b/assets/queries/azureResourceManager/standard_price_not_selected/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "2081c7dc",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json
index 4d70d21504e..45f8cafdb6d 100644
--- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json
+++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "6ae0507e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json
index f2bb666cf21..4cfc51fbff7 100644
--- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json
+++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "f87b26ea",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json
index f7bb20e5529..6d47e227179 100644
--- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "49e52e15",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json
index 95d0a39ccfc..0f985498cda 100644
--- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "83fa7bb6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json
index bd40462266a..c896cbcb93c 100644
--- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "88ca11b3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json
index 15ed9859167..2a87bb5e8e5 100644
--- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json
+++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "f5d9a1fc",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json
index 3eb3a587f27..8509278802f 100644
--- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json
+++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "71ce9f8c",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json
index 9a5ce9853e9..8996bec61b7 100644
--- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json
+++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "1a442064",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json
index 780479f6d2e..63869add594 100644
--- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "f50ec4cb",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json b/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json
index 5685bb6d88e..b5a496eccdb 100644
--- a/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json
+++ b/assets/queries/azureResourceManager/website_not_forcing_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "3af52329",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json
index 09f2ea154d8..74fb13b80b1 100644
--- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "1b3c50da",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json
index d293e781885..81dbfe45e99 100644
--- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json
+++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "AzureResourceManager",
 "descriptionID": "e0cdbc75",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/buildah/run_using_apt/metadata.json b/assets/queries/buildah/run_using_apt/metadata.json
index 36f91167742..6a2098d3c84 100644
--- a/assets/queries/buildah/run_using_apt/metadata.json
+++ b/assets/queries/buildah/run_using_apt/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://github.com/containers/buildah/blob/main/docs/buildah-run.1.md",
 "platform": "Buildah",
 "descriptionID": "eb58fa0b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cicd/github/run_block_injection/metadata.json b/assets/queries/cicd/github/run_block_injection/metadata.json
index e8d7d6cab11..c4bab9f1167 100644
--- a/assets/queries/cicd/github/run_block_injection/metadata.json
+++ b/assets/queries/cicd/github/run_block_injection/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CICD",
 "descriptionID": "02044a75",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cicd/github/script_block_injection/metadata.json b/assets/queries/cicd/github/script_block_injection/metadata.json
index 9a9effb1738..9d3804b732c 100644
--- a/assets/queries/cicd/github/script_block_injection/metadata.json
+++ b/assets/queries/cicd/github/script_block_injection/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CICD",
 "descriptionID": "63e215f4",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json
index fdda3bcfa08..9238aad2a92 100644
--- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json
+++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CICD",
 "descriptionID": "9cb8402d",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cicd/github/unsecured_commands/metadata.json b/assets/queries/cicd/github/unsecured_commands/metadata.json
index 52c587c7420..35e8abba232 100644
--- a/assets/queries/cicd/github/unsecured_commands/metadata.json
+++ b/assets/queries/cicd/github/unsecured_commands/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CICD",
 "descriptionID": "44751f79",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json
index 654d2996a8d..a80a67ffe7d 100644
--- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json
+++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "148d40cb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json
index ac93ec93c9f..417c0b43328 100644
--- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json
+++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2cad71a7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
index 76d87c1fcf7..a374a64e191 100644
--- a/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
+++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "55f05412",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json
index a150cafc0d1..363b9276287 100644
--- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cd21865c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
index cbbc7774fde..7c5b9075f58 100644
--- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "bc97aed1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json
index e6a52659c9c..1d28add1f00 100644
--- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c5d562da",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json
index 5f58455de46..ca252eaecfe 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "40717425",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json
index fab7f44f603..9283444f6ca 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "20573b94",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json
index 989fce14748..dcca341aa34 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c9abb2c8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json
index 5d4ca0426c5..888998c58f7 100644
--- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f68a0ad6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json
index d5acc74149f..975377a772b 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c5c1c902",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json
index 127ee38280a..e8ead2b1865 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "16f89b5d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json
index 582d97d4861..54ac21232fe 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "9587628c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
index 4ef0a95be8f..465aaf30345 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8161e665",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json
index d8d7ee3de8f..4515db6534a 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f370d030",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
index 24fc2100773..b348049087e 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "43a06e88",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
index 3ed29e7f8a3..57dad70cc26 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2a69fc63",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
index 016fb29c8f2..d21c5a34fea 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ad012827",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json
index c4caf409647..9df69ad2fd9 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "de76ae0f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
index 903ee123318..e99012bde88 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d8d6ab46",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json
index 0f0770d9846..50bdf7232fa 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "5734fbc7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json
index 4b91674295c..c76fd3403e9 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "92418e29",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json
index ce7fb1e9998..41ac31ec595 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "95c8b13a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json
index 4e1ecb10004..403e932234d 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "774d759c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
index c00355cf12b..f3a5d97ead8 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "7db1d7b0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json
index bdd5dfb2da4..58bb765c59b 100644
--- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json
+++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "99966f58",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json
index 794f4bdea7f..3bbac06ea1a 100644
--- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e2908402",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json
index 58bea4a4dd1..ec66a61e155 100644
--- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json
+++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c8983ada",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
index df9dd9bcf27..90541a2cd6d 100644
--- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
+++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "6a8090b9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json
index 85e13227e88..dd838bba6bd 100644
--- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "694c6fa8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
index 57ec89e1328..351eff1bb0d 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "3254d6d0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
index 03d11c9dcde..cfab0dc3ae7 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "bf860aba",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index 92039945cf3..4df9e0c9a2c 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e86728bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json
index 77dbe922da6..5d6c79399eb 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "fae904ce",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
index b6e4651b425..351d5e47f76 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "66ab1b20",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index 702f9a9af2f..560cec04deb 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cdc07a23",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json
index 76345a92337..98019976098 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8cabc568",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json
index f42b65a2236..0ed2a5e4e09 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "34ddc2cb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
index 969bd83511b..52156dc8af6 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f43ba695",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index 678ead1bdee..68acbc3b394 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "69327f38",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json
index 7f68d11abe6..78a30999339 100644
--- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "617aba8a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json
index 8e589bd5c28..158972137ac 100644
--- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "72a550b1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json
index d75fde082d3..1617ac66ca3 100644
--- a/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json
+++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2e00cfbb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json
index 2bc104567b5..3c31a6595a6 100644
--- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "64ffeb9f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json
index 262558b302b..78c162fdfdd 100644
--- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json
+++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ba38e42e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
index 5b3257d5422..f6fa4f0ad07 100644
--- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "3e1306b1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json
index 32426fe9126..c5888d44996 100644
--- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json
+++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "32d91e4e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
index 82406245f5a..3f1e18eeed3 100644
--- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "fb6e5346",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json
index 3f4fef6f728..7868562b417 100644
--- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d0026f39",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json
index fe44684d91f..37fc8124822 100644
--- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "5e31354c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
index c9e1345c283..3e8054fb9e0 100644
--- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
+++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8fca679f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json
index 9f308c96934..da782457c9a 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json
+++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "feeb965a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
index 9d7d5e91363..9d35ce173f8 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "3ddca0cc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json
index c51cca7fcc1..0396226d3a3 100644
--- a/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json
+++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d479130b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index d30f7120116..dd3782dbd23 100644
--- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "50b0269e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json
index deccef94030..bde7d91fd2e 100644
--- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json
+++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "98a72cac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json
index 5f7255b1f99..7cedd63125c 100644
--- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "fc2c7fb8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json
index 83f1a92b129..f54b8affb22 100644
--- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "6f895308",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json
index b2fcf59e9ef..9c7f449efd9 100644
--- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a48ba75f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json
index e697227ca7c..5fcead651a3 100644
--- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json
+++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "37fb585f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
index 88ecf4d8abe..f3c4e81c162 100644
--- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "4818ceaf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json
index 78d94c24ec4..afd00cb085f 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "92975bc8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json
index 9ae96dca4a9..f738bff2f1d 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a71d0c61",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json
index b867ed747ea..5baf41641c3 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2a9dc4de",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json
index 5e5cb2a349c..8fb742a053d 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8a51c141",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json
index 1f1cee0c0b7..74cda48f59f 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "33e2f7f6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json
index 648276902d2..a07fa40a30d 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a10e872a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json
index 19eda6b8e01..7dcc969ac45 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "bf34b145",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json
index 0bb037a18af..027d8d1faae 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "81e4f520",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json
index f40bccffbb0..b47e01a7648 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "22e3d598",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json
index 066a5a97e07..c5619554618 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "de993e1a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json
index 675bb5cf87c..5f448b7f402 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8dd9abf5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json
index 00421a78029..125e7d83999 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "27e96b39",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json
index e55d8fbe07b..fd74626bf59 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e8c34905",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json
index 807631af030..3f6523b2fc2 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cb7c8980",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json
index 332a465316c..aad2a514e46 100644
--- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "4d5e32ad",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json
index 3e07a1e88db..930d1054f1e 100644
--- a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "397e89de",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json
index 1a20d0d3aa5..9b00b78163b 100644
--- a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "163e9a52",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json
index b9009b22c6d..91e113e70f8 100644
--- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json
+++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "680b7e89",
 "aggregation": 61,
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
index 8784ed3bf06..f39b24e6613 100644
--- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a4ed2a4f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json
index 4d5a44c4aa6..d0b6ec183c7 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a85a7099",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
index 98d96f1f66a..ce39d26abcc 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "512ea20d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json
index 9949da95004..f03e7721150 100644
--- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2f3ec772",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
index ab437dd234c..e98cdf0dfb6 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "756701f8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json
index 9803339553b..2eafa18099e 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cd242bdd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json
index 5b77574faf1..5b24a9c32a4 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e2e3a50a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json
index 65ae07689f5..f1f5b8331af 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8fa43a9a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index bab5c984b4e..a3764a11764 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "bded2e99",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
index e97a69397e9..f16ce23301e 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a763eedb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
index a01bb1246bc..e8c1bf2ed49 100644
--- a/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e168cb44",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json
index cc90431b11d..40131b349e3 100644
--- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "99f92ea6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json b/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json
index e247eee33d3..c55cd858691 100644
--- a/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f5a9536a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json b/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json
index b9baaa68bb2..1ce98430f3f 100644
--- a/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_without_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a7eb7aff",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json
index e0457cc22d3..a7fee539f20 100644
--- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b3ebf24c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
index 52e6aa89b23..cc88cc1bab2 100644
--- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "35f94973",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json b/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json
index 784d4940caa..263c3adbe7c 100644
--- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "5aef27fd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json
index 9607918e11e..73be69b3f1a 100644
--- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "86353328",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json
index 19f76afbe4b..ce144c2c92a 100644
--- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b1ce0b9f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json b/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json
index 69216752ea2..42fb06c191e 100644
--- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "68db93b8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json
index 58f7e998528..47cb1fec93b 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "6700680a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json
index c7d5a4ec3c2..3393e51188a 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e2451952",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json
index e2dcf9c4a5c..f570e51e2e7 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "645512cb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json
index 92764029e3f..ca2dc593c07 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8575a1d7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json
index 3516386c4c4..3f96766d346 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "af727c29",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json
index 2c0c22cb9a1..0f37630b664 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "72d32380",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json
index 2bf87bb663b..0ae77985030 100644
--- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8f49cae7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json
index 41298fe3114..d4221ea7aed 100644
--- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "f26797b1",
 "aggregation": 183,
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json
index 16389218a5d..f90cf57cfd6 100644
--- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cd6bbd85",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json
index 6722ffa0d7a..013d00f6224 100644
--- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "94a91040",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json
index ac7b2307aa6..8515fa6818a 100644
--- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "1b941e35",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json
index 2d4b13f60e2..1d5b25857af 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "3ccdd7d2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json
index 5678c88d343..f3a7731710c 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "7b876844",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json
index 1b27906de16..71ff57cf735 100644
--- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json
+++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "0cbd1ac7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json
index 4435e263994..35f8f2e5e30 100644
--- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json
+++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b47b42b2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json
index 1aa65c19ce1..e9ee2b6652a 100644
--- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json
+++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "17e140e2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json
index 5491ae84c31..823c1488796 100644
--- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "672bc6a7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json
index c426ce70c76..69c7f3f4c19 100644
--- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "26800d21",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json b/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json
index 0bcff3ca314..55a36422ef3 100644
--- a/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json
+++ b/assets/queries/cloudFormation/aws/fully_open_ingress/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "747f49ac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json
index 82db797a23f..4cc4046a1f3 100644
--- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json
+++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2f59d790",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json b/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json
index 9fc7e8c7a96..dacade84c72 100644
--- a/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/geo_restriction_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "18f149b3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json
index 654b109f203..a94d1cd54f6 100644
--- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json
+++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "76e2bdab",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
index f2c4d38b855..0bbb1156fff 100644
--- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cae19394",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 694acc377f0..b4385877756 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ff065e3b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/http_port_open/metadata.json b/assets/queries/cloudFormation/aws/http_port_open/metadata.json
index 0c31fa66a09..fdf07d27151 100644
--- a/assets/queries/cloudFormation/aws/http_port_open/metadata.json
+++ b/assets/queries/cloudFormation/aws/http_port_open/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a39efd21",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json
index 2e5b26d702a..14567ede9ab 100644
--- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "24a6978e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json
index 792bf2e4c3d..b739b6863cd 100644
--- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e4c2c085",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json b/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json
index 65dd31455e8..3dc4227d43b 100644
--- a/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_group_without_users/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c23dca47",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json
index 9c7cc1e7c27..71ce2b1bf3e 100644
--- a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e89236a1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json
index dfe7e1a18b1..fa667f682e7 100644
--- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e7fa1d68",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
index 28fd0ff7b02..dd3d00ef7fa 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b98bf93c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
index 19334d99ef6..8defc9ea9ca 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "46859482",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json
index c8f8d1450c1..228aabaf7b2 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_number/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "cb1d65ca",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
index 7afb1217ff4..8b50e85b08c 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "7ec4df0d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
index 31fc17bb4af..a34fc44f548 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "9d55d1e4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json
index 6d0713b504a..e43a6ce2f92 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c1857bae",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
index 8c8beb18518..a5b7acb0018 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "faa72156",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json
index 31bd10ad9c0..b9ec6913b3b 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_without_groups/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d9bcf74d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
index 2d9bb3bfd39..ea6543af9b3 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "eba1aa1b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json
index 2fc9efa9319..fd08923a7e5 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d4158e76",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json
index 933e51d471c..840ab00a807 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "50f7785d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
index 0b0a1d1aaf4..9e0b7e97ef9 100644
--- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "13e52bb7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json
index 64eedbd0949..58cab5636ed 100644
--- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "0dc817e6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json
index 7e630a9453b..cfb13ccc3cb 100644
--- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "90135931",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json
index 91732d03198..69bd98db189 100644
--- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d7e9b179",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json
index 04e2f7018bd..ce601f58445 100644
--- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json
+++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "4706b78f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json b/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json
index 8002b4e7213..74e6ca10af9 100644
--- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c2bb3a56",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json
index 46e3ef4b796..571ba84e706 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json
+++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e4417496",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json
index 400ffe3f33b..db41eff55d6 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json
+++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d5e52bc7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json
index c50b957eb06..4e7c43dd8d0 100644
--- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json
+++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a8238dc8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json
index 6d64b6398ac..e5266e615ff 100644
--- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json
+++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "0b89626d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json
index 11c9ed51ecd..5e8c0040b61 100644
--- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "323313bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json index 17ba7052108..b85d372d7aa 100644 --- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json +++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "1f88b704", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json index 7341582342f..a4a7d9904be 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "d5d9d047", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json b/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json index a8ae753d815..5317be007b7 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json +++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "664675e7", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json index f8d6268fdb8..3ef4826feea 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json 
+++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "48d30c57", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json index dbfc6b5c482..798b98c5c36 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "f919ad7e", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json index 7f9a3f54b32..bdf156e6f56 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "26afaa67", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json index dadb302d277..e6c294f5ada 100644 --- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json +++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "dec6dd24", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json index 8a5f78b5669..7ddc9f7dba3 100644 --- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json +++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "cfa9120c", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json index f86a172777c..1579d991814 100644 --- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json +++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "55094eb2", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json b/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json index 4ba15a4e48b..20c55c2e79d 100644 --- a/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "470e2a53", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json index c2cdb1201c3..6bf7e1bdd8b 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json +++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/metadata.json 
@@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "59b368a9", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json index 9f33e1702cf..dd4e6d5f097 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "3799829c", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json index 21865f7b712..5930ad53e0d 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "dcf6ab9f", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json index 843f2ac1c43..83ebc6e8034 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "c8e65b67", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json index b3ea335d39c..0df10c00a43 100644 
--- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "1d9a0a75", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json index d7f458d4aa7..d1562a24b58 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "39cddadb", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json index 979ccc8d551..161d1082d18 100644 --- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "b2c5f5dd", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json index 608ea0ae510..987427b0fdb 100644 --- a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json +++ b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/metadata.json 
@@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "32ccc415", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json index 5c7c9711bf2..070f21eb1c6 100644 --- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "be2d1742", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json index 033aecdf2a1..341ea56b9b6 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "dae1e8ab", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json index 647525dd87a..986502d7792 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "606a0602", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json index f7f6c2f6a20..ea95757bab3 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "4bdb6677", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json index c56e01f68f4..12dfb37ff94 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "654ec248", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json index 3b1443e43da..aee5118756b 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "f052de92", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json b/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json index 29208ebf17d..b156801d81c 100644 --- a/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_using_default_port/metadata.json 
@@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "b5d8d0b5", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json index 3c6f5d70952..85cbd7d34bf 100644 --- a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "4ebe02ca", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json index 2a5be059162..c844017ca0b 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "b84206ae", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json index 9cd80dd01a6..3de0e2d357c 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "e460a7a7", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json index 42eb437a3e9..0658761aa1f 100644 
--- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "5605695c", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json index a2406613815..4061d7e4321 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "407e0863", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json index 64eb55f2dd3..47fd792308d 100644 --- a/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "e2aa0fb8", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json index 7d6aea01c4a..4649f4df2e5 100644 --- a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json +++ b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "c752c5a6", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json index 71567cfd739..26f621d583f 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json +++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "2e4ef03f", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json index c1c941a0cdb..f6f584c7b72 100644 --- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json +++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "195ebcdb", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json b/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json index 7c0ef877cc9..3183d0894d6 100644 --- a/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json +++ b/assets/queries/cloudFormation/aws/route53_record_undefined/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "268f1d77", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json index b1ccd9bf90b..6a48275e13c 100644 --- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json 
+++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "1f341247", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json index c4810e82606..5fcbde0c344 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "9a57423d", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json index 8fef9bbe6bd..0fc94452901 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "68456465", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json index f2d04774e1f..f3e81e65695 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "cfd67020", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json index 98402a884d6..b905d2dc2f6 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "25d149a4", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json index 33ca173e438..5d9cae43f3f 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "0a34aa34", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json index 8f9201ba5fa..a3acc3c74c9 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "5d8cf376", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json index de9b3e7b08f..cafee939c32 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "755801fc", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json index 83b6da1f3a5..4b05c7961f1 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "f962a2d5", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json index a066ca6eaff..1854167e597 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "9d094f81", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json index 93e4437750a..0b51a6ac54d 100644 
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "0a41482e", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json index 28d5107a12d..ba52913b555 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "00649261", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json index e8b9cb146ea..849918c97ed 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "ce3728e6", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json index eafce5a5a89..ddd1da441ee 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/metadata.json 
@@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "2b429546", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json index a8e1d507d24..6b439b4618b 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "42fd2930", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json index 72e01ad11cd..71c6ced8acf 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "65883f5a", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json index c1a4d1dcdc4..c893ece6f64 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "bfe99abf", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json index d2fddfac8f6..d4a6ace00a5 100644 
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "f616509e", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json index d566b737c32..62bb7661cca 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "74146c20", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json index cf76cadffe7..6915e2dca83 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json @@ -8,5 +8,5 @@ "platform": "CloudFormation", "descriptionID": "f9a4d93a", "cloudProvider": "aws", - "CWE": "" + "cwe": "" } \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json index 84c8db4c5cd..faab71247df 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/metadata.json 
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "314a460b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json
index 1f61b5ea153..bd2164a0cb0 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "907676d7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json
index d9b0c3dcc25..190ab58609a 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "fe2c56b9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json
index 790746e84ad..762e864da3f 100644
--- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b50aab99",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json
index 00b125c16b3..da776bca78b 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "41b14673",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json
index b8e646c7dd3..df379d8e707 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "6e8543a2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json
index e953588874c..8ce87b0005f 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "7c9fa4bf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json
index e96e85333b5..96ae9633586 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d062ca53",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json
index 87e11ed72d2..4a84566f484 100644
--- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json
+++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e6c6a7cf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json
index 0c533272a31..ef3e91fa7cd 100644
--- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json
+++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d78bb871",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json
index 04fa755a27e..b8a4cc66b2c 100644
--- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "9ce51226",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json
index 6ae7d8414d4..ef6b9ad3076 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ec506916",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json
index 21b33862759..4097626bd8c 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b3e66493",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json
index 293be048bd7..9abc01e64b1 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "af27e909",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json
index 77c97f4e98f..745234f2ec2 100644
--- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "443ba8e1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json
index f2d82d7d482..a6569aea7d8 100644
--- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c067ceb5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json
index 46f779166ec..e7981e4a023 100644
--- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "5f2b65f3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json
index 622e208316b..a247f4c3882 100644
--- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f7c62b11",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json
index 1b0db14a4a5..2ef236ab2ec 100644
--- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "05891eb1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json
index 6abda37f2a0..d9a1ac8c09c 100644
--- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ee6a21e3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json
index 00852ec33b2..500db42ccca 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e14121d4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json
index 403c9f01a2a..01881403139 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "868a9ec5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
index 3f36a25273f..76a6af9cea6 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "d515d6dc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json
index 71cd011b328..15760fd1e92 100644
--- a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "8664bd98",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json
index 926a3518b50..5dd67aff3f1 100644
--- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json
+++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ae5e799c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json
index 83419e20a99..42d3383021a 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "93100b84",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
index bbb593c97a0..74a5b8685fc 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a4bd80b0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json
index 8379a8df9de..e7c859656e5 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a8a19ba3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json
index 42be86a3d34..0db55208ef7 100644
--- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a232933e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
index a4560ef440a..ece84d4ed07 100644
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "6caa1d1d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
index 91f724e09c1..a09903eee16 100644
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "78666d87",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
index 4bf1d336fb4..85538edb654 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "7c3c1b44",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
index 14964e381a7..0a73d9edd4f 100644
--- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "1e12925e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json
index 57711533301..7840c35d17c 100644
--- a/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "2f8bf223",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json
index 1fefe6e4772..34f3c19eded 100644
--- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json
+++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "42d28f69",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json
index 2b50856b180..e5d96b952a8 100644
--- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json
+++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "51ad2aeb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json
index f4e4a828106..788b8608881 100644
--- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json
+++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "0cc0a902",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json
index f9ac29bddcf..573e715f4b5 100644
--- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json
+++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "08256d31",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json
index d03c48cc5b4..4166b3926a3 100644
--- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json
+++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f3f139c0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
index dc19f5e594d..e2c3fc40e1a 100644
--- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b8212287",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json
index 7624cf677ef..08b68b9750b 100644
--- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f951996f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json
index 2ee8eb76ff2..448f1c94e46 100644
--- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a44edc48",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json
index cb486ce6831..886d338fa7b 100644
--- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "1370ae52",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
index c98cae632eb..555506e5af6 100644
--- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "0fb02ca5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json
index 15d3b5492ad..1ca1e6d6156 100644
--- a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "23dfbed0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json
index 71e6da72e0c..1599c804e90 100644
--- a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f090ffd2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json
index 53f741eaa63..7488c488c39 100644
--- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json
+++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ee3b82bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json
index edb1f8d644c..a4cd2797a28 100644
--- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json
+++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "e4327168",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json
index 3d354529d5d..90cf2b9e243 100644
--- a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json
+++ b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "0affe61c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json
index 0d48ab370eb..95d9b5307ea 100644
--- a/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json
+++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ed0be490",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json b/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json
index 99835003d75..e60d1750fb8 100644
--- a/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/cassandra/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "bd2db07c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json b/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json
index 8379d15adb3..f5759298d7e 100644
--- a/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/dynamo/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b0d40495",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/ebs/metadata.json b/assets/queries/cloudFormation/aws_bom/ebs/metadata.json
index 6e994c7c18c..cd09b96f3d7 100644
--- a/assets/queries/cloudFormation/aws_bom/ebs/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/ebs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "6869b929",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/efs/metadata.json b/assets/queries/cloudFormation/aws_bom/efs/metadata.json
index 689c2a28980..2b42e242649 100644
--- a/assets/queries/cloudFormation/aws_bom/efs/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/efs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f6d4e4b8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json b/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json
index 3692219ff72..d42939392e9 100644
--- a/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/elasticache/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "deea2b5c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json b/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json
index a9247949b04..b8c4b514850 100644
--- a/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/kinesis/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "4b8f3b90",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/mq/metadata.json b/assets/queries/cloudFormation/aws_bom/mq/metadata.json
index caa3823ced3..908e2e7f23c 100644
--- a/assets/queries/cloudFormation/aws_bom/mq/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/mq/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "93a9e162",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/msk/metadata.json b/assets/queries/cloudFormation/aws_bom/msk/metadata.json
index b3204773ffa..a43bf5f63e9 100644
--- a/assets/queries/cloudFormation/aws_bom/msk/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/msk/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "7413f967",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/rds/metadata.json b/assets/queries/cloudFormation/aws_bom/rds/metadata.json
index 5b03d2b0121..d4de5916a61 100644
--- a/assets/queries/cloudFormation/aws_bom/rds/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/rds/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "77215b57",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json b/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json
index 2da7e7fb739..9b3a98dd2e3 100644
--- a/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/s3_bucket/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "a46851fb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/sns/metadata.json b/assets/queries/cloudFormation/aws_bom/sns/metadata.json
index a443324b360..f083d84a9ce 100644
--- a/assets/queries/cloudFormation/aws_bom/sns/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/sns/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "3cd7a815",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_bom/sqs/metadata.json b/assets/queries/cloudFormation/aws_bom/sqs/metadata.json
index 51d529ec708..5b26719029d 100644
--- a/assets/queries/cloudFormation/aws_bom/sqs/metadata.json
+++ b/assets/queries/cloudFormation/aws_bom/sqs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "c57e306b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json
index f86d3ec9784..667787125be 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b2bb4961",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json
index f6fcd2fdd68..12ad0d645d3 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "1ce59cab",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json
index f7a93af32e7..613ec5cd1e2 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f86c03cc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json
index 615e201524a..73c488af32a 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "745a11d2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json
index e81d88902fd..a403d6f1909 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "ba685b50",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json
index d8e6d081d6a..8344a6fca1b 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "f218e4bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json
index b845a92b3a9..ca5a8671543 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "1142bb9f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json
index e257163e7ce..a3a4e37083b 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "fa1b224c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json
index b03bb972c57..d56ae8151df 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "50e760ce",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json
index 53acfed5ae8..fa6a9b45046 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "CloudFormation",
 "descriptionID": "b0a83f52",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/metadata.json b/assets/queries/common/passwords_and_secrets/metadata.json
index 5c67ba11bd7..0a5c7bcf0cc 100644
--- a/assets/queries/common/passwords_and_secrets/metadata.json
+++ b/assets/queries/common/passwords_and_secrets/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Common",
 "descriptionID": "d69d8a89",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
index 5409fa1cb5f..f65591bcd9f 100644
--- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "48cd0b5a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index 33c7fb5246d..0676a745a94 100644
--- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "11cca65a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json b/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
index 339c2605a6d..0577a10cd60 100644
--- a/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "c5493606",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
index 895d60f5662..4502a5e1cfe 100644
--- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "9ce0c6f8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
index 05b56465f05..2bdaff601e0 100644
--- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "e40c8a7e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
index 8ad2d2ed495..df07f5a179a 100644
--- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
+++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "c26de1ff",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json b/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
index 88c48349e59..6301cf328d7 100644
--- a/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "60b6794e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json b/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
index 7ecfbdfd78c..72fb751aa42 100644
--- a/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "de7bf263",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/efs_without_kms/metadata.json b/assets/queries/crossplane/aws/efs_without_kms/metadata.json
index a98fd7abd2f..25a5665a4d8 100644
--- a/assets/queries/crossplane/aws/efs_without_kms/metadata.json
+++ b/assets/queries/crossplane/aws/efs_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "2643a873",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json
index a4cfe8726d8..27a13f236cc 100644
--- a/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "53318133",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
index b165af8ee3a..a5abd4b1293 100644
--- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "f7998100",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
index 2cafe8a5691..1004c30f453 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "d7566b63",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json
index 8d4f2071f6d..006e1898535 100644
--- a/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "ed3868e0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json b/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json
index c8c217d5ee7..97c12c9c90b 100644
--- a/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json
+++ b/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "b9f4440e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 065150f04a8..02f94330109 100644
--- a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "d7cbff51",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index 448d9606f15..00659ab815b 100644
--- a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "49295adb",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index 334aaa15fda..a7f0b9e3acd 100644
--- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Crossplane",
 "descriptionID": "bc1c198b",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/cgroup_not_default/metadata.json b/assets/queries/dockerCompose/cgroup_not_default/metadata.json
index 1f2acf12817..3a1631dcfae 100644
--- a/assets/queries/dockerCompose/cgroup_not_default/metadata.json
+++ b/assets/queries/dockerCompose/cgroup_not_default/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent",
 "platform": "DockerCompose",
 "descriptionID": "b3657456",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json
index 9d6cfeff1d6..450bfc737ea 100644
--- a/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json
+++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
 "platform": "DockerCompose",
 "descriptionID": "1ddab108",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
index cb944ac4d17..26eaf9bbd79 100644
--- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
+++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#ports",
 "platform": "DockerCompose",
 "descriptionID": "909d1bcd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/cpus_not_limited/metadata.json b/assets/queries/dockerCompose/cpus_not_limited/metadata.json
index 9fc417f87e8..206c9a605bd 100644
--- a/assets/queries/dockerCompose/cpus_not_limited/metadata.json
+++ b/assets/queries/dockerCompose/cpus_not_limited/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
 "platform": "DockerCompose",
 "descriptionID": "d58d94a1",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
index abc13516acf..7ab7002b41c 100644
--- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
+++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
 "platform": "DockerCompose",
 "descriptionID": "3702d7fb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json b/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json
index 16770ac7cbd..fffebee05ab 100644
--- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json
+++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/#volumes",
 "platform": "DockerCompose",
 "descriptionID": "8acc9d24",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/healthcheck_not_set/metadata.json b/assets/queries/dockerCompose/healthcheck_not_set/metadata.json
index ca0980c93f9..5f08f8af6f5 100644
--- a/assets/queries/dockerCompose/healthcheck_not_set/metadata.json
+++ b/assets/queries/dockerCompose/healthcheck_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck",
 "platform": "DockerCompose",
 "descriptionID": "449b7c5c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json b/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json
index a83b567edb9..8472f349703 100644
--- a/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json
+++ b/assets/queries/dockerCompose/host_namespace_is_shared/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#pid",
 "platform": "DockerCompose",
 "descriptionID": "39a43177",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/memory_not_limited/metadata.json b/assets/queries/dockerCompose/memory_not_limited/metadata.json
index aa797c1bfbe..199db339da3 100644
--- a/assets/queries/dockerCompose/memory_not_limited/metadata.json
+++ b/assets/queries/dockerCompose/memory_not_limited/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
 "platform": "DockerCompose",
 "descriptionID": "8fcb9f7d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/networks_not_set/metadata.json b/assets/queries/dockerCompose/networks_not_set/metadata.json
index eb4fd068519..f0bdb445523 100644
--- a/assets/queries/dockerCompose/networks_not_set/metadata.json
+++ b/assets/queries/dockerCompose/networks_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#networks",
 "platform": "DockerCompose",
 "descriptionID": "3743a217",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json b/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json
index 6890825be11..028313eee6f 100644
--- a/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json
+++ b/assets/queries/dockerCompose/no_new_privileges_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/run/#security-configuration",
 "platform": "DockerCompose",
 "descriptionID": "be48e182",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/pids_limit_not_set/metadata.json b/assets/queries/dockerCompose/pids_limit_not_set/metadata.json
index 7773f8e938d..37d222ac53b 100644
--- a/assets/queries/dockerCompose/pids_limit_not_set/metadata.json
+++ b/assets/queries/dockerCompose/pids_limit_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
 "platform": "DockerCompose",
 "descriptionID": "2d241407",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json b/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json
index fcfb9c0f74a..0599b5d334b 100644
--- a/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json
+++ b/assets/queries/dockerCompose/privileged_containers_enabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/#privileged",
 "platform": "DockerCompose",
 "descriptionID": "029f6145",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json
index 581f054c69f..625c13a4310 100644
--- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json
+++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
 "platform": "DockerCompose",
 "descriptionID": "686dd55f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json
index cd1a569f4ec..639a741f33d 100644
--- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json
+++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
 "platform": "DockerCompose",
 "descriptionID": "d21fff2e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/security_opt_not_set/metadata.json b/assets/queries/dockerCompose/security_opt_not_set/metadata.json
index bc0c70fbeed..2a74d57f16e 100644
--- a/assets/queries/dockerCompose/security_opt_not_set/metadata.json
+++ b/assets/queries/dockerCompose/security_opt_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
 "platform": "DockerCompose",
 "descriptionID": "83fb7a65",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
index e01edae2b8c..e7da49791c0 100644
--- a/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
 "platform": "DockerCompose",
 "descriptionID": "987dc2d7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json
index 01f26ea99c1..3ccf62ec2c3 100644
--- a/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_network_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
 "platform": "DockerCompose",
 "descriptionID": "25acba10",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json
index 9d824625eba..ead1b10fc13 100644
--- a/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_user_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode",
 "platform": "DockerCompose",
 "descriptionID": "b7859ec8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json
index 47cee5063d7..8d278dfdcd3 100644
--- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json
+++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference",
 "platform": "DockerCompose",
 "descriptionID": "8361cc0a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json
index 4f3b167abbe..a1da1dc5096 100644
--- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json
+++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes",
 "platform": "DockerCompose",
 "descriptionID": "1c7ca167",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/metadata.json b/assets/queries/dockerfile/add_instead_of_copy/metadata.json
index c4e47aa4474..5c090ca98a0 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/metadata.json
+++ b/assets/queries/dockerfile/add_instead_of_copy/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#add",
 "platform": "Dockerfile",
 "descriptionID": "0aedd324",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json
index 903ef925e26..f8e125fb3d4 100644
--- a/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "d44503b8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json
index 93334597e0b..16ffe7d7d51 100644
--- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json
+++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "4236a50c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json
index b1223ca2273..3d3ab30ca52 100644
--- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json
+++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "e0e1edad",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json
index 6585017cf67..91a63af2cd4 100644
--- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json
+++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "2064113b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json
index bb0942fb133..eb900cf4376 100644
--- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json
+++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "2e92d18c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json
index f4714067bd6..24a8cde10e0 100644
--- a/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json
+++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#shell",
 "platform": "Dockerfile",
 "descriptionID": "d859b2eb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/chown_flag_exists/metadata.json b/assets/queries/dockerfile/chown_flag_exists/metadata.json
index af1874ed881..0027657401c 100644
--- a/assets/queries/dockerfile/chown_flag_exists/metadata.json
+++ b/assets/queries/dockerfile/chown_flag_exists/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "ba0a34dc",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json
index e61c09dd84c..3aeed17a294 100644
--- a/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json
+++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
 "platform": "Dockerfile",
 "descriptionID": "a248d89e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json
index 90c220808ba..80695e02633 100644
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#copy",
 "platform": "Dockerfile",
 "descriptionID": "bab38efd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json
index de19483c861..25172db3211 100644
--- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "29e8216b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/exposing_port_22/metadata.json b/assets/queries/dockerfile/exposing_port_22/metadata.json
index cf4ca11708b..45ef18f391b 100644
--- a/assets/queries/dockerfile/exposing_port_22/metadata.json
+++ b/assets/queries/dockerfile/exposing_port_22/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://sysdig.com/blog/dockerfile-best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "79731185",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/gem_install_without_version/metadata.json b/assets/queries/dockerfile/gem_install_without_version/metadata.json
index b656622fe58..4709c8c2aa0 100644
--- a/assets/queries/dockerfile/gem_install_without_version/metadata.json
+++ b/assets/queries/dockerfile/gem_install_without_version/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "0586ed55",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json b/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json
index 1ca99a99b3e..5b94f1fdd4a 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#healthcheck",
 "platform": "Dockerfile",
 "descriptionID": "426121ee",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_not_explicit/metadata.json b/assets/queries/dockerfile/image_version_not_explicit/metadata.json
index 1b7b4e29693..70aafe7766a 100644
--- a/assets/queries/dockerfile/image_version_not_explicit/metadata.json
+++ b/assets/queries/dockerfile/image_version_not_explicit/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
 "platform": "Dockerfile",
 "descriptionID": "4f469f06",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_using_latest/metadata.json b/assets/queries/dockerfile/image_version_using_latest/metadata.json
index d25b47df15d..1629bd4f4bd 100644
--- a/assets/queries/dockerfile/image_version_using_latest/metadata.json
+++ b/assets/queries/dockerfile/image_version_using_latest/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/dev-best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "22f535ec",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/last_user_is_root/metadata.json b/assets/queries/dockerfile/last_user_is_root/metadata.json
index 76116dda6cd..457295dd5f0 100644
--- a/assets/queries/dockerfile/last_user_is_root/metadata.json
+++ b/assets/queries/dockerfile/last_user_is_root/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#user",
 "platform": "Dockerfile",
 "descriptionID": "f445bd25",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json b/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json
index e7ad0503c06..1be4459314c 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#maintainer-deprecated",
 "platform": "Dockerfile",
 "descriptionID": "9d9cbf83",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json b/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json
index 168aa053df4..4a6b0000f9d 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "8f8497d7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json
index 18adef23c78..09a666717fc 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "efc680ea",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_user_instruction/metadata.json b/assets/queries/dockerfile/missing_user_instruction/metadata.json
index 7509191e332..4e4747c1f47 100644
--- a/assets/queries/dockerfile/missing_user_instruction/metadata.json
+++ b/assets/queries/dockerfile/missing_user_instruction/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#user",
 "platform": "Dockerfile",
 "descriptionID": "eb49caf6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json
index b9a5cd284a0..819ed8e2c83 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "0ab4ed7e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_zypper_clean/metadata.json b/assets/queries/dockerfile/missing_zypper_clean/metadata.json
index ee40b33a252..460b3819a3e 100644
--- a/assets/queries/dockerfile/missing_zypper_clean/metadata.json
+++ b/assets/queries/dockerfile/missing_zypper_clean/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "a95b2646",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json
index 28ad5c552f2..5606eae0b8b 100644
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json
+++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "b3efa689",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json
index 82a747360c6..8770c78447e 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#cmd",
 "platform": "Dockerfile",
 "descriptionID": "96f59ca3",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json
index 88bce687f83..1fc5bb3350b 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#entrypoint",
 "platform": "Dockerfile",
 "descriptionID": "03be1867",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json
index 8d9754b7edf..ec552209bb2 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://sysdig.com/blog/dockerfile-best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "29bd3a34",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json
index 21a17e759dc..f13ee68f7e7 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#entrypoint",
 "platform": "Dockerfile",
 "descriptionID": "070b84da",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json b/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json
index 23f7f6e5fa7..c7f63846335 100644
--- a/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json
+++ b/assets/queries/dockerfile/npm_install_without_pinned_version/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "8bd60033",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json
index e14a66349d6..f42609b8728 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "a6eb5f34",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json
index 6b57764288b..d2851644eba 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir",
 "platform": "Dockerfile",
 "descriptionID": "edd9f7d3",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_apt/metadata.json b/assets/queries/dockerfile/run_using_apt/metadata.json
index 76a168bb17e..d140ae27108 100644
--- a/assets/queries/dockerfile/run_using_apt/metadata.json
+++ b/assets/queries/dockerfile/run_using_apt/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "6cb53718",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_sudo/metadata.json b/assets/queries/dockerfile/run_using_sudo/metadata.json
index cf83ac3d5c6..8e0c111c04b 100644
--- a/assets/queries/dockerfile/run_using_sudo/metadata.json
+++ b/assets/queries/dockerfile/run_using_sudo/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "c4f2e24a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json b/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json
index 817af6880b0..abac95852b0 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "22261deb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json
index f1caa600186..24a359e4066 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "677fa9a6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json b/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json
index 5c6680ed0d6..82d87f55ad1 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
 "platform": "Dockerfile",
 "descriptionID": "c923ad4b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json
index 3ef64a92feb..54770ab0f59 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "26810b44",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json b/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json
index 0185bb57213..11be6dbedd1 100644
--- a/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#expose",
 "platform": "Dockerfile",
 "descriptionID": "fed3d812",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json
index 795ae091e4b..ad075112cb6 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "adb9d5d5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json
index cfdc89fcf1e..8f575a9cb6e 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
 "platform": "Dockerfile",
 "descriptionID": "37db3a53",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/update_instruction_alone/metadata.json b/assets/queries/dockerfile/update_instruction_alone/metadata.json
index 7ab36690a3a..5ff8a0d2226 100644
--- a/assets/queries/dockerfile/update_instruction_alone/metadata.json
+++ b/assets/queries/dockerfile/update_instruction_alone/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "3785203d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/using_platform_with_from/metadata.json b/assets/queries/dockerfile/using_platform_with_from/metadata.json
index 7e2d96c84fe..bc8a848807d 100644
--- a/assets/queries/dockerfile/using_platform_with_from/metadata.json
+++ b/assets/queries/dockerfile/using_platform_with_from/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
 "platform": "Dockerfile",
 "descriptionID": "5bd0baab",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json b/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json
index ed7dc34c428..b950768d0c6 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
 "platform": "Dockerfile",
 "descriptionID": "dea09829",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json b/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
index 3c0675c62c5..45de575f4b2 100644
--- a/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html",
 "platform": "Dockerfile",
 "descriptionID": "e0d6ef5e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json b/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json
index fc296d85782..f667911fd15 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir",
 "platform": "Dockerfile",
 "descriptionID": "bfe0be8b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/metadata.json b/assets/queries/dockerfile/yum_clean_all_missing/metadata.json
index c6f9004d762..97f5a466bc5 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/metadata.json
+++ b/assets/queries/dockerfile/yum_clean_all_missing/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "714267a2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json b/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json
index de3c0c9bf93..97a2b5ca63e 100644
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
 "platform": "Dockerfile",
 "descriptionID": "f17a245a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/yum_install_without_version/metadata.json b/assets/queries/dockerfile/yum_install_without_version/metadata.json
index f07bc7d3f7d..7732995e337 100644
--- a/assets/queries/dockerfile/yum_install_without_version/metadata.json
+++ b/assets/queries/dockerfile/yum_install_without_version/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "19d4cfc7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/zypper_install_without_version/metadata.json b/assets/queries/dockerfile/zypper_install_without_version/metadata.json
index 520d5ba08d1..4c42a7027f9 100644
--- a/assets/queries/dockerfile/zypper_install_without_version/metadata.json
+++ b/assets/queries/dockerfile/zypper_install_without_version/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run",
 "platform": "Dockerfile",
 "descriptionID": "42d36068",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json
index f3371102534..ec1c5bcf5ad 100644
--- a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "6737ca8f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json
index ebdaf4f2fd7..3cd3cceda06 100644
--- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "97c49cde",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json
index e94e776dc3e..b9c02fa82e8 100644
--- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "e74562aa",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json
index 149e9c7a344..e2e168add96 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "d926ffb6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
index c184093563b..2a84d3450e4 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "2146c969",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
index fc21d25ae11..80f74b565f0 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "f767772d",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index 4988a450a55..baa46edeec1 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "9b7ba7de",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json
index c2680e026c6..bcbb253cd9c 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "8c094804",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json
index 333ef3fbc54..1268e287219 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "4a9cd0c6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json
index c8b0202084e..7d988e3f1e3 100644
--- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "9f60c421",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json
index a54796b0eb8..9dfe20b3422 100644
--- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "5915a575",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json
index cd172b20266..3893225d1c3 100644
--- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "107eb8fb",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json
index c7eb295a9bc..3e36ce5eb05 100644
--- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "7f322f20",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json
index 01ce2ef4308..ad890ca5914 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "3de820a0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json
index ebfb6c1fbd9..193f5e1ccf0 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "be3364b4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json
index ecebd6953e5..9e2df263f29 100644
--- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "d9594b64",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json
index da7daa672fe..a70802f28f3 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "34473a24",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json
index d3ad194d807..8dd7bbca452 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "dc6dbaa9",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json
index c491d6f4f6e..15156fcf873 100644
--- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "66f8ba25",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json
index 9df79578bf1..8b0c1afa28b 100644
--- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "e28f5312",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json
index 670494467a8..d1555f33531 100644
--- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "40051d4a",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json
index 419fc79d31b..84ebcb88ee3 100644
--- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "a21b8df4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json
index dbab6fcccaf..a813c506783 100644
--- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "0908cbc4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json
index cf0710ccfb9..fe9b86f8940 100644
--- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "c65a868d",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
index 27d620ccaf8..e1f23c58ff4 100644
--- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "5e36c46d",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json
index 02510e423ae..5befd7eeddb 100644
--- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "cae2eeea",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json
index 8e3c630c825..8d82b7e9904 100644
--- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "c67722e8",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json
index c35ac960785..e07784c0fc2 100644
--- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "45790b7e",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index ccd8532c6ab..16ccb41716a 100644
--- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "b42ee5a9",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json
index 90717ac259a..c52767c9f5a 100644
--- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "10629ac9",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json
index 0b5c33f3852..87432c43ae5 100644
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "ba92577c",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json
index fb3a3577189..5d6ce367025 100644
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "c1eb34ef",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json b/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json
index 021e687c3e6..a22a23a88df 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "3db91dc6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json b/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json
index 9169bb082d9..8b027402733 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "e96debd4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json b/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json
index 242303e2814..4d2ab977db3 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/metadata.json
@@ -8,5 +8,5 @@
 "platform": "GoogleDeploymentManager",
 "descriptionID": "7f40edaa",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/grpc/enum_name_not_camel_case/metadata.json b/assets/queries/grpc/enum_name_not_camel_case/metadata.json
index b8cf0e8bb75..57ce0e1494b 100644
--- a/assets/queries/grpc/enum_name_not_camel_case/metadata.json
+++ b/assets/queries/grpc/enum_name_not_camel_case/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://developers.google.com/protocol-buffers/docs/reference/proto3-spec#enum_definition",
 "platform": "GRPC",
 "descriptionID": "a780a54d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json b/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json
index 4a5a02f3e11..adafbdabdbc 100644
--- a/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json
+++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "782a8f84",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json
index a4e83b456b6..4571503c406 100644
--- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "503bf412",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json
index 716251ee596..84481d37d89 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "2e5b19cc",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json
index 103e0a53674..12af9a7d731 100644
--- a/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json
+++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "a5bc6d07",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json
index 15b0014d762..38bcb1fd7d1 100644
--- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json
+++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "eb8a6c2a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
index c0eccdacf0e..7abf1e1bf88 100644
--- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
+++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "9609fc23",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_log_path_not_set/metadata.json b/assets/queries/k8s/audit_log_path_not_set/metadata.json
index 1882fbcd477..89a7e6672c8 100644
--- a/assets/queries/k8s/audit_log_path_not_set/metadata.json
+++ b/assets/queries/k8s/audit_log_path_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "21d0f732",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_policy_file_not_defined/metadata.json b/assets/queries/k8s/audit_policy_file_not_defined/metadata.json
index 65d684d6876..283030cf66a 100644
--- a/assets/queries/k8s/audit_policy_file_not_defined/metadata.json
+++ b/assets/queries/k8s/audit_policy_file_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "7ae0f3cb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json
index e36e0bce2bf..75490088e97 100644
--- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json
+++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",
 "platform": "Kubernetes",
 "descriptionID": "4a720a0c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/authorization_mode_node_not_set/metadata.json b/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
index 4b4d6023b92..5019aefcf21 100644
--- a/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
+++ b/assets/queries/k8s/authorization_mode_node_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "1d944481",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json b/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
index 00835242f5d..4fc9f9ebd80 100644
--- a/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
+++ b/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "5298aafe",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json
index a59043ef1e3..fc47ca20572 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "f5c66471",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/auto_tls_set_to_true/metadata.json b/assets/queries/k8s/auto_tls_set_to_true/metadata.json
index 370938222e0..09323126de6 100644
--- a/assets/queries/k8s/auto_tls_set_to_true/metadata.json
+++ b/assets/queries/k8s/auto_tls_set_to_true/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
 "descriptionID": "81883f01",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/basic_auth_file_is_set/metadata.json b/assets/queries/k8s/basic_auth_file_is_set/metadata.json
index 45c3a674933..6f43e3758dd 100644
--- a/assets/queries/k8s/basic_auth_file_is_set/metadata.json
+++ b/assets/queries/k8s/basic_auth_file_is_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "e021b84c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/bind_address_not_properly_set/metadata.json b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
index 3ab48c3eea9..eebad4980f1 100644
--- a/assets/queries/k8s/bind_address_not_properly_set/metadata.json
+++ b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "b52844f2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
index 57b6deb4911..f59f402ac9f 100644
--- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
+++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
 "platform": "Kubernetes",
 "descriptionID": "78c11e53",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json
index fd32b52317b..ba2eadbdfeb 100644
--- a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json
+++ b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles",
 "platform": "Kubernetes",
 "descriptionID": "567eee7e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json
index 1047b4ba793..6138d0145f8 100644
--- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json
+++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/",
 "platform": "Kubernetes",
 "descriptionID": "6eb994bc",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json
index a2d6906143c..20fbff33f58 100644
--- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json
+++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/",
 "platform": "Kubernetes",
 "descriptionID": "0e8d122c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
index 6f01433ce6e..0e77c1f5eb5 100644
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
 "descriptionID": "3e1c6d16",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/container_is_privileged/metadata.json b/assets/queries/k8s/container_is_privileged/metadata.json
index 756b66c7db0..a130656e0ea 100644
--- a/assets/queries/k8s/container_is_privileged/metadata.json
+++ b/assets/queries/k8s/container_is_privileged/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers",
 "platform": "Kubernetes",
 "descriptionID": "55f59030",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
index efcc8724070..a625a0dd2eb 100644
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
 "descriptionID": "0c15063c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json
index 8f2482e2bd1..18dca86d8e9 100644
--- a/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json
+++ b/assets/queries/k8s/container_requests_not_equal_to_its_limits/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
 "descriptionID": "39aeed84",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/container_runs_unmasked/metadata.json b/assets/queries/k8s/container_runs_unmasked/metadata.json
index 88963d55400..f87f06c0553 100644
--- a/assets/queries/k8s/container_runs_unmasked/metadata.json
+++ b/assets/queries/k8s/container_runs_unmasked/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes",
 "platform": "Kubernetes",
 "descriptionID": "50caf90a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_run_with_low_uid/metadata.json b/assets/queries/k8s/containers_run_with_low_uid/metadata.json
index 849d9b1e03d..e41eecd0b5d 100644
--- a/assets/queries/k8s/containers_run_with_low_uid/metadata.json
+++ b/assets/queries/k8s/containers_run_with_low_uid/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "fc2c11f9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_running_as_root/metadata.json b/assets/queries/k8s/containers_running_as_root/metadata.json
index f9589b81d86..76438a7ebfc 100644
--- a/assets/queries/k8s/containers_running_as_root/metadata.json
+++ b/assets/queries/k8s/containers_running_as_root/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "9d5b1d16",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_with_added_capabilities/metadata.json b/assets/queries/k8s/containers_with_added_capabilities/metadata.json
index 1f43bf31d17..c6b8d00a84d 100644
--- a/assets/queries/k8s/containers_with_added_capabilities/metadata.json
+++ b/assets/queries/k8s/containers_with_added_capabilities/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "719acefd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json b/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json
index 765c84c6144..d36995ec616 100644
--- a/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json
+++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "029aeb1d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/cpu_limits_not_set/metadata.json b/assets/queries/k8s/cpu_limits_not_set/metadata.json
index caf62dddeb9..58c7c35ac37 100644
--- a/assets/queries/k8s/cpu_limits_not_set/metadata.json
+++ b/assets/queries/k8s/cpu_limits_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 "platform": "Kubernetes",
 "descriptionID": "9a2ef763",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/cpu_requests_not_set/metadata.json b/assets/queries/k8s/cpu_requests_not_set/metadata.json
index ea61c11ad80..7e1a786749e 100644
--- a/assets/queries/k8s/cpu_requests_not_set/metadata.json
+++ b/assets/queries/k8s/cpu_requests_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#",
 "platform": "Kubernetes",
 "descriptionID": "ac7ad5df",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json b/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json
index 01d8addaee4..95afa7992ca 100644
--- a/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json
+++ b/assets/queries/k8s/cronjob_deadline_not_configured/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "platform": "Kubernetes",
 "descriptionID": "285952e5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/dashboard_is_enabled/metadata.json b/assets/queries/k8s/dashboard_is_enabled/metadata.json
index ff62a6f5cc0..678827c9bce 100644
--- a/assets/queries/k8s/dashboard_is_enabled/metadata.json
+++ b/assets/queries/k8s/dashboard_is_enabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/",
 "platform": "Kubernetes",
 "descriptionID": "ad0e6a8d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json
index 075234d9737..27a0e9ae82c 100644
--- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/",
 "platform": "Kubernetes",
 "descriptionID": "22146f41",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json b/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json
index 8419f30f610..4664515472a 100644
--- a/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/configure-pdb/",
 "platform": "Kubernetes",
 "descriptionID": "df941cb9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
index 588da242a33..4559876e613 100644
--- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
+++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
 "platform": "Kubernetes",
 "descriptionID": "0865e6f6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json b/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json
index 681470c175b..96b5145a8a7 100644
--- a/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json
+++ b/assets/queries/k8s/encryption_provider_config_is_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "c018594c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json b/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json
index b01da8b3eb3..14b6dcb33aa 100644
--- a/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json
+++ b/assets/queries/k8s/encryption_provider_not_properly_configured/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration",
 "platform": "Kubernetes",
 "descriptionID": "c60a5ece",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json
index 36e24592d4a..fcf44f4af25 100644
--- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json
+++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
 "platform": "Kubernetes",
 "descriptionID": "8182d7cf",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json
index 086f587007a..8a9a1317371 100644
--- a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json
+++ b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
 "descriptionID": "e79812fb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json b/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json
index c34a0ca2991..3db625c5c3a 100644
--- a/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json
+++ b/assets/queries/k8s/etcd_client_certificate_file_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "f385527b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json
index 461308089bd..1a0e9e42b10 100644
--- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json
+++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
 "descriptionID": "00b0e7f2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json
index 6c94279a0a7..8c10d1be5de 100644
--- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json
+++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
 "descriptionID": "f3bb5a8e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json
index ea5084700cd..5cc32aba7ed 100644
--- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json
+++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
 "descriptionID": "3c8aae35",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json
index 3b316c80cbc..058cb98cbb0 100644
--- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json
+++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "073667d8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json
index 82ce291e647..ebe979e5d4a 100644
--- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "3cc9eca8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json
index fb8a1161abf..3a3c31a6d28 100644
--- a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json
+++ b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/",
 "platform": "Kubernetes",
 "descriptionID": "3ccc5d6c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/hpa_targets_invalid_object/metadata.json b/assets/queries/k8s/hpa_targets_invalid_object/metadata.json
index e017926a63d..f0e0d12b480 100644
--- a/assets/queries/k8s/hpa_targets_invalid_object/metadata.json
+++ b/assets/queries/k8s/hpa_targets_invalid_object/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/",
 "platform": "Kubernetes",
 "descriptionID": "450f7251",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json
index 60a7db72266..14a0e742f02 100644
--- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "7e7fe5b6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json
index d0d5bd97bb1..787c30dfff5 100644
--- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json
+++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/#updating-images",
 "platform": "Kubernetes",
 "descriptionID": "201e3c8d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/image_without_digest/metadata.json b/assets/queries/k8s/image_without_digest/metadata.json
index 868808d12c5..5506b5dd7f5 100644
--- a/assets/queries/k8s/image_without_digest/metadata.json
+++ b/assets/queries/k8s/image_without_digest/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/#updating-images",
 "platform": "Kubernetes",
 "descriptionID": "3f9f8d78",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
index b1cec521a9c..631407918f1 100644
--- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
+++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
 "descriptionID": "f4e48914",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json b/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json
index 678242b36cf..3b867f74144 100644
--- a/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json
+++ b/assets/queries/k8s/ingress_controller_exposes_workload/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/",
 "platform": "Kubernetes",
 "descriptionID": "7db90ca7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/insecure_bind_address_set/metadata.json b/assets/queries/k8s/insecure_bind_address_set/metadata.json
index afe5cce2ad9..f42d855967c 100644
--- a/assets/queries/k8s/insecure_bind_address_set/metadata.json
+++ b/assets/queries/k8s/insecure_bind_address_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "5b1eb26c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/insecure_port_not_properly_set/metadata.json b/assets/queries/k8s/insecure_port_not_properly_set/metadata.json
index 824f7e9298c..f61d70836e6 100644
--- a/assets/queries/k8s/insecure_port_not_properly_set/metadata.json
+++ b/assets/queries/k8s/insecure_port_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "d9e178b1",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/invalid_image/metadata.json b/assets/queries/k8s/invalid_image/metadata.json
index bc3b83da91c..2fe210d3bae 100644
--- a/assets/queries/k8s/invalid_image/metadata.json
+++ b/assets/queries/k8s/invalid_image/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/#updating-images",
 "platform": "Kubernetes",
 "descriptionID": "30154626",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json b/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json
index e7aa26d0104..d671a0ae080 100644
--- a/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json
+++ b/assets/queries/k8s/kubelet_certificate_authority_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "ce08eb5d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json
index 7471911f2d9..87a6f35779d 100644
--- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json
+++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "0f0e2ae7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json
index 9ec6ab8ba3c..56e486ec617 100644
--- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json
+++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "1a17c91a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json
index b63b6d1e8a9..bbaf8d150d6 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
 "platform": "Kubernetes",
 "descriptionID": "3163b76e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json b/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json
index d48b92867eb..5310f3e07e5 100644
--- a/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
 "platform": "Kubernetes",
 "descriptionID": "a3adb557",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_https_set_to_false/metadata.json b/assets/queries/k8s/kubelet_https_set_to_false/metadata.json
index b5527387325..fbfdd02a93e 100644
--- a/assets/queries/k8s/kubelet_https_set_to_false/metadata.json
+++ b/assets/queries/k8s/kubelet_https_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "754a303a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json
index a2af61475cd..07ee03bf7fb 100644
--- a/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json
+++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "1bd198ea",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json
index 855bb2c5d23..422ff1a2a22 100644
--- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json
+++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
 "platform": "Kubernetes",
 "descriptionID": "e3a4b35d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json
index 496daeeb65f..1925af0b2cc 100644
--- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json
+++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "8cedc17d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json
index 24e7813bddf..f9f16ed8b4b 100644
--- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json
+++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "f0a2431d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json b/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json
index 70ce4bf0fed..25179478a33 100644
--- a/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json
+++ b/assets/queries/k8s/liveness_probe_is_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe",
 "platform": "Kubernetes",
 "descriptionID": "f724fa60",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/memory_limits_not_defined/metadata.json b/assets/queries/k8s/memory_limits_not_defined/metadata.json
index dcc8892de58..96d5f38e39e 100644
--- a/assets/queries/k8s/memory_limits_not_defined/metadata.json
+++ b/assets/queries/k8s/memory_limits_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/",
 "platform": "Kubernetes",
 "descriptionID": "e0ba95cc",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/memory_requests_not_defined/metadata.json b/assets/queries/k8s/memory_requests_not_defined/metadata.json
index 0bc9dfcf3a1..687665254f9 100644
--- a/assets/queries/k8s/memory_requests_not_defined/metadata.json
+++ b/assets/queries/k8s/memory_requests_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/",
 "platform": "Kubernetes",
 "descriptionID": "3dcbd683",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/metadata_label_is_invalid/metadata.json b/assets/queries/k8s/metadata_label_is_invalid/metadata.json
index 6c3b5c7f9f0..3ff5c7cb2e0 100644
--- a/assets/queries/k8s/metadata_label_is_invalid/metadata.json
+++ b/assets/queries/k8s/metadata_label_is_invalid/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",
 "platform": "Kubernetes",
 "descriptionID": "a6921416",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/missing_app_armor_config/metadata.json b/assets/queries/k8s/missing_app_armor_config/metadata.json
index 424e96f05de..5e5a955b025 100644
--- a/assets/queries/k8s/missing_app_armor_config/metadata.json
+++ b/assets/queries/k8s/missing_app_armor_config/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tutorials/clusters/apparmor/",
 "platform": "Kubernetes",
 "descriptionID": "59c17c0a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json
index a0dd7a8fece..f805db2db65 100644
--- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json
+++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "13e94c89",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json
index c0ab5687044..76ab29786ac 100644
--- a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json
+++ b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "e72d5579",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json
index 27d836ba6e5..1d3bcaa1dbd 100644
--- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json
+++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "e9790956",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json
index 8efead59d30..ba2de883080 100644
--- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json
+++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/network-policies/",
 "platform": "Kubernetes",
 "descriptionID": "be3c67e3",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json b/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json
index 05faf4a4d24..00ac4ab97a7 100644
--- a/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json
+++ b/assets/queries/k8s/no_drop_capabilities_for_containers/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/init-containers/",
 "platform": "Kubernetes",
 "descriptionID": "9d3ca6db",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json
index 5658f3ce7d2..443f9501b4e 100644
--- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "2a03f1ec",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json
index 5640bbda2c5..c30244cd857 100644
--- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json
+++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
 "platform": "Kubernetes",
 "descriptionID": "e8553157",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json b/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json
index dea32b34615..5dc43cd24ec 100644
--- a/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json
+++ b/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "2d839019",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json
index 7bdb9127aef..816675df910 100644
--- a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json
+++ b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "eaf6d4ba",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/not_unique_certificate_authority/metadata.json b/assets/queries/k8s/not_unique_certificate_authority/metadata.json
index df77c2c83dc..aec91b01c71 100644
--- a/assets/queries/k8s/not_unique_certificate_authority/metadata.json
+++ b/assets/queries/k8s/not_unique_certificate_authority/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "d2c6c9e8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json
index 3719b74be2f..9732ac263b2 100644
--- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json
+++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/using-api/deprecation-guide/",
 "platform": "Kubernetes",
 "descriptionID": "d5c30c5b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json b/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json
index 26bbb29e6c4..a1cc80d1094 100644
--- a/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json
+++ b/assets/queries/k8s/peer_auto_tls_set_to_true/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://etcd.io/docs/v3.4/op-guide/security/",
 "platform": "Kubernetes",
 "descriptionID": "02a0a4d9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/permissive_access_to_create_pods/metadata.json b/assets/queries/k8s/permissive_access_to_create_pods/metadata.json
index 60ea8dc428e..8edd32e8b4a 100644
--- a/assets/queries/k8s/permissive_access_to_create_pods/metadata.json
+++ b/assets/queries/k8s/permissive_access_to_create_pods/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping",
 "platform": "Kubernetes",
 "descriptionID": "c78cb1a7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json b/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json
index 245fd6e6ee4..94758b58714 100644
--- a/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json
+++ b/assets/queries/k8s/pod_misconfigured_network_policy/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/network-policies/",
 "platform": "Kubernetes",
 "descriptionID": "20500552",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json b/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json
index 676f70a56dd..f2dff7cda6f 100644
--- a/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json
+++ b/assets/queries/k8s/pod_or_container_without_limit_range/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/limit-range/",
 "platform": "Kubernetes",
 "descriptionID": "142ed21f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json b/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
index 84097fb5aa4..d09ed8185b6 100644
--- a/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
+++ b/assets/queries/k8s/pod_or_container_without_resource_quota/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/resource-quotas/",
 "platform": "Kubernetes",
 "descriptionID": "86499ed5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_or_container_without_security_context/metadata.json b/assets/queries/k8s/pod_or_container_without_security_context/metadata.json
index 293725bb389..12b570428ae 100644
--- a/assets/queries/k8s/pod_or_container_without_security_context/metadata.json
+++ b/assets/queries/k8s/pod_or_container_without_security_context/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "68a1650b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json
index 800f40947fc..981ed27d238 100644
--- a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "5b3d44e9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/privilege_escalation_allowed/metadata.json b/assets/queries/k8s/privilege_escalation_allowed/metadata.json
index 95d09456ac6..2ad1753f73d 100644
--- a/assets/queries/k8s/privilege_escalation_allowed/metadata.json
+++ b/assets/queries/k8s/privilege_escalation_allowed/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "525fccf4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/profiling_not_set_to_false/metadata.json b/assets/queries/k8s/profiling_not_set_to_false/metadata.json
index 48048aecbfd..44bb31663ed 100644
--- a/assets/queries/k8s/profiling_not_set_to_false/metadata.json
+++ b/assets/queries/k8s/profiling_not_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "622a1db7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json b/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json
index ce8b21b0d2a..0304e292d3e 100644
--- a/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json
+++ b/assets/queries/k8s/psp_allows_privilege_escalation/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "d7c5e3ad",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json b/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json
index 5d043e8a2a9..7bd02df5a15 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_ipc/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "329be51b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json b/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json
index 85afc5539a0..30c875fe3a4 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_pid/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "980c2b40",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json b/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json
index 9d8d4192324..067cf8cf147 100644
--- a/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json
+++ b/assets/queries/k8s/psp_containers_share_host_network_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "4b468f08",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_set_to_privileged/metadata.json b/assets/queries/k8s/psp_set_to_privileged/metadata.json
index 65f1ddfcfef..1bb683fd801 100644
--- a/assets/queries/k8s/psp_set_to_privileged/metadata.json
+++ b/assets/queries/k8s/psp_set_to_privileged/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#privileged",
 "platform": "Kubernetes",
 "descriptionID": "11a8da07",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_with_added_capabilities/metadata.json b/assets/queries/k8s/psp_with_added_capabilities/metadata.json
index 3a31fe6b690..814978488c4 100644
--- a/assets/queries/k8s/psp_with_added_capabilities/metadata.json
+++ b/assets/queries/k8s/psp_with_added_capabilities/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "2889da19",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json
index c092df4ea44..afcc4e17a5c 100644
--- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json
+++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems",
 "platform": "Kubernetes",
 "descriptionID": "fc4b7215",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
index 781311c0444..404f9095fc5 100644
--- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update",
 "platform": "Kubernetes",
 "descriptionID": "8320826e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json b/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json
index 0ce9731aa7c..f9601752036 100644
--- a/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_attach_permission/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
 "descriptionID": "d45330fd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json b/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json
index 2055159d383..a561ba130c5 100644
--- a/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_exec_permission/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
 "descriptionID": "c589f42c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json b/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json
index 03b70f7b98a..aad87cb211b 100644
--- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation",
 "platform": "Kubernetes",
 "descriptionID": "9f85c3f6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json
index 34784320ce8..2aa19c28e68 100644
--- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
 "descriptionID": "38fa11ef",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json
index de4dcf7edf9..efdfc0b7e28 100644
--- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json
+++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
 "descriptionID": "ca97f029",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json b/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
index e12e907a637..0068d6b35ba 100644
--- a/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
+++ b/assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
 "descriptionID": "ccf4e279",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json b/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json
index 0582a3ff02e..6e601c8fc82 100644
--- a/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json
+++ b/assets/queries/k8s/readiness_probe_is_not_configured/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes",
 "platform": "Kubernetes",
 "descriptionID": "28c0498a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/request_timeout_not_properly_set/metadata.json b/assets/queries/k8s/request_timeout_not_properly_set/metadata.json
index bb7cbaea82e..6d09f4edb80 100644
--- a/assets/queries/k8s/request_timeout_not_properly_set/metadata.json
+++ b/assets/queries/k8s/request_timeout_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "592c7cba",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/role_binding_to_default_service_account/metadata.json b/assets/queries/k8s/role_binding_to_default_service_account/metadata.json
index 5c36a0a7e2a..2a0d58046ea 100644
--- a/assets/queries/k8s/role_binding_to_default_service_account/metadata.json
+++ b/assets/queries/k8s/role_binding_to_default_service_account/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
 "platform": "Kubernetes",
 "descriptionID": "9879e8c2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/root_ca_file_not_defined/metadata.json b/assets/queries/k8s/root_ca_file_not_defined/metadata.json
index 8b86d40d3b4..a9f542b7b6f 100644
--- a/assets/queries/k8s/root_ca_file_not_defined/metadata.json
+++ b/assets/queries/k8s/root_ca_file_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
 "descriptionID": "7d439960",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json b/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json
index 779f7af4035..a61e5811ba4 100644
--- a/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json
+++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "0d2df1e5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/root_containers_admitted/metadata.json b/assets/queries/k8s/root_containers_admitted/metadata.json
index 71b3b48d02b..d36908c1fd4 100644
--- a/assets/queries/k8s/root_containers_admitted/metadata.json
+++ b/assets/queries/k8s/root_containers_admitted/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "2fe54446",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json
index aef148f126a..54535359123 100644
--- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json
+++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "a4f48785",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json b/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json
index 321f4dd63f2..a191c80d192 100644
--- a/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json
+++ b/assets/queries/k8s/seccomp_profile_is_not_configured/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile",
 "platform": "Kubernetes",
 "descriptionID": "d943c7e7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/secrets_as_environment_variables/metadata.json b/assets/queries/k8s/secrets_as_environment_variables/metadata.json
index eb6f65c8e0c..a1febee3e68 100644
--- a/assets/queries/k8s/secrets_as_environment_variables/metadata.json
+++ b/assets/queries/k8s/secrets_as_environment_variables/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables",
 "platform": "Kubernetes",
 "descriptionID": "99365a7d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/secure_port_set_to_zero/metadata.json b/assets/queries/k8s/secure_port_set_to_zero/metadata.json
index 9a29b8e97b9..47ed9880f59 100644
--- a/assets/queries/k8s/secure_port_set_to_zero/metadata.json
+++ b/assets/queries/k8s/secure_port_set_to_zero/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "adf24d20",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json
index 18401b2489a..130d78f848f 100644
--- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json
+++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "571f15ee",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json b/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json
index 1f9336b7ba5..d763f86eb12 100644
--- a/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json
+++ b/assets/queries/k8s/service_account_admission_control_plugin_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "3649a726",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_allows_access_secrets/metadata.json b/assets/queries/k8s/service_account_allows_access_secrets/metadata.json
index dc62fff8495..a1cc1c3d10f 100644
--- a/assets/queries/k8s/service_account_allows_access_secrets/metadata.json
+++ b/assets/queries/k8s/service_account_allows_access_secrets/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "platform": "Kubernetes",
 "descriptionID": "79619280",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json b/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json
index f5f5885dfd5..c4ac5ef1dd0 100644
--- a/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json
+++ b/assets/queries/k8s/service_account_key_file_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "2f3224e8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json b/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json
index d86a7cd52bc..7612189006a 100644
--- a/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json
+++ b/assets/queries/k8s/service_account_lookup_set_to_false/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "c957c855",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json b/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json
index 4e10154a213..35cb8628652 100644
--- a/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json
+++ b/assets/queries/k8s/service_account_name_undefined_or_empty/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
 "platform": "Kubernetes",
 "descriptionID": "2940f843",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json b/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json
index 67f342f7aff..7542f1e13bf 100644
--- a/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json
+++ b/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
 "descriptionID": "b2fc61b4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json b/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json
index b1f2e7106f8..1272461aaab 100644
--- a/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json
+++ b/assets/queries/k8s/service_account_token_automount_not_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server",
 "platform": "Kubernetes",
 "descriptionID": "51cade0f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_does_not_target_pod/metadata.json b/assets/queries/k8s/service_does_not_target_pod/metadata.json
index 2bbbae812ad..e538360d81f 100644
--- a/assets/queries/k8s/service_does_not_target_pod/metadata.json
+++ b/assets/queries/k8s/service_does_not_target_pod/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service/",
 "platform": "Kubernetes",
 "descriptionID": "e7c26645",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_type_is_nodeport/metadata.json b/assets/queries/k8s/service_type_is_nodeport/metadata.json
index 096ab192564..1b8489b2e52 100644
--- a/assets/queries/k8s/service_type_is_nodeport/metadata.json
+++ b/assets/queries/k8s/service_type_is_nodeport/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service/",
 "platform": "Kubernetes",
 "descriptionID": "4744714e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/service_with_external_load_balancer/metadata.json b/assets/queries/k8s/service_with_external_load_balancer/metadata.json
index 6318e62b43d..6d495506374 100644
--- a/assets/queries/k8s/service_with_external_load_balancer/metadata.json
+++ b/assets/queries/k8s/service_with_external_load_balancer/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/",
 "platform": "Kubernetes",
 "descriptionID": "2e090344",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_host_ipc_namespace/metadata.json b/assets/queries/k8s/shared_host_ipc_namespace/metadata.json
index d6bd1ebff73..a21a1ff6f1d 100644
--- a/assets/queries/k8s/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/k8s/shared_host_ipc_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "1ef1fe71",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_host_network_namespace/metadata.json b/assets/queries/k8s/shared_host_network_namespace/metadata.json
index 3273fb56374..3b40f958b8b 100644
--- a/assets/queries/k8s/shared_host_network_namespace/metadata.json
+++ b/assets/queries/k8s/shared_host_network_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "50e5de80",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_host_pid_namespace/metadata.json b/assets/queries/k8s/shared_host_pid_namespace/metadata.json
index e951d0aec19..83470980460 100644
--- a/assets/queries/k8s/shared_host_pid_namespace/metadata.json
+++ b/assets/queries/k8s/shared_host_pid_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "c34092eb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/shared_service_account/metadata.json b/assets/queries/k8s/shared_service_account/metadata.json
index 585a66c1012..065041ce83b 100644
--- a/assets/queries/k8s/shared_service_account/metadata.json
+++ b/assets/queries/k8s/shared_service_account/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
 "platform": "Kubernetes",
 "descriptionID": "f1c94544",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json
index 720b0b65965..5fe84676227 100644
--- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/",
 "platform": "Kubernetes",
 "descriptionID": "f0d30dd9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_requests_storage/metadata.json b/assets/queries/k8s/statefulset_requests_storage/metadata.json
index 9d2d1023498..fd50e54d59c 100644
--- a/assets/queries/k8s/statefulset_requests_storage/metadata.json
+++ b/assets/queries/k8s/statefulset_requests_storage/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
 "descriptionID": "6210afe6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json b/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json
index bcc31164486..5ce8de04fce 100644
--- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/run-application/configure-pdb/",
 "platform": "Kubernetes",
 "descriptionID": "f3c77130",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/statefulset_without_service_name/metadata.json b/assets/queries/k8s/statefulset_without_service_name/metadata.json
index 9937edb1b9f..6c41674552c 100644
--- a/assets/queries/k8s/statefulset_without_service_name/metadata.json
+++ b/assets/queries/k8s/statefulset_without_service_name/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
 "descriptionID": "2ce554f2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json
index d3c25d6bc46..cf80ff631ae 100644
--- a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json
+++ b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
 "descriptionID": "19ea96ee",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json
index 8eb921a6712..83744337ccb 100644
--- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json
+++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/",
 "platform": "Kubernetes",
 "descriptionID": "615614b8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/tiller_is_deployed/metadata.json b/assets/queries/k8s/tiller_is_deployed/metadata.json
index f017d282164..8b76cc83f67 100644
--- a/assets/queries/k8s/tiller_is_deployed/metadata.json
+++ b/assets/queries/k8s/tiller_is_deployed/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/containers/images/",
 "platform": "Kubernetes",
 "descriptionID": "b0a009b5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json b/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json
index fd403b1a5d1..7096e1e68cc 100644
--- a/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json
+++ b/assets/queries/k8s/tiller_service_is_not_deleted/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/service",
 "platform": "Kubernetes",
 "descriptionID": "4e704117",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json b/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json
index 414fc764216..bb06da4f2c7 100644
--- a/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json
+++ b/assets/queries/k8s/tls_connection_certificate_not_setup/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/",
 "platform": "Kubernetes",
 "descriptionID": "c8b75f30",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/token_auth_file_is_set/metadata.json b/assets/queries/k8s/token_auth_file_is_set/metadata.json
index f074d85a15b..786b975223b 100644
--- a/assets/queries/k8s/token_auth_file_is_set/metadata.json
+++ b/assets/queries/k8s/token_auth_file_is_set/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
 "platform": "Kubernetes",
 "descriptionID": "5aa79e60",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json
index 781035c97c0..e6b75be2f1f 100644
--- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json
+++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
 "platform": "Kubernetes",
 "descriptionID": "f6b4d617",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json b/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json
index 99a3b036a60..3d15e2d5e81 100644
--- a/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json
+++ b/assets/queries/k8s/using_kubernetes_native_secret_management/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/secret/",
 "platform": "Kubernetes",
 "descriptionID": "3d7b569c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/using_unrecommended_namespace/metadata.json b/assets/queries/k8s/using_unrecommended_namespace/metadata.json
index 4615b0976ec..5d50f2e67b5 100644
--- a/assets/queries/k8s/using_unrecommended_namespace/metadata.json
+++ b/assets/queries/k8s/using_unrecommended_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/",
 "platform": "Kubernetes",
 "descriptionID": "29549ea9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json
index 23b7bdc502a..525b2e66c20 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
 "platform": "Kubernetes",
 "descriptionID": "e42b7901",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/weak_tls_cipher_suites/metadata.json b/assets/queries/k8s/weak_tls_cipher_suites/metadata.json
index ef6a9e4b4f5..9a4bb7df726 100644
--- a/assets/queries/k8s/weak_tls_cipher_suites/metadata.json
+++ b/assets/queries/k8s/weak_tls_cipher_suites/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
 "platform": "Kubernetes",
 "descriptionID": "cbb6cab8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/workload_host_port_not_specified/metadata.json b/assets/queries/k8s/workload_host_port_not_specified/metadata.json
index 86d5e8001fe..746a9e9bbc1 100644
--- a/assets/queries/k8s/workload_host_port_not_specified/metadata.json
+++ b/assets/queries/k8s/workload_host_port_not_specified/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#exposing-the-service",
 "platform": "Kubernetes",
 "descriptionID": "dba41ddb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json
index d959d89b445..f9eb11a3443 100644
--- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json
+++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
 "platform": "Kubernetes",
 "descriptionID": "73339cde",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json b/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json
index 5f6e5cfc501..73aceeb7db7 100644
--- a/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json
+++ b/assets/queries/knative/serving_revision_spec_without_timeout_settings/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://knative.dev/docs/reference/api/serving-api/#serving.knative.dev/v1.RevisionSpec",
 "platform": "Knative",
 "descriptionID": "0b6ca133",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json b/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json
index 683b31995ee..64b013a1aaf 100644
--- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json
+++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#schema",
 "platform": "OpenAPI",
 "descriptionID": "c97fafa0",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json
index 632ac7ecbe9..f92f5f57824 100644
--- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json
+++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "93b15115",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json
index a094c35e16e..cb80ff79559 100644
--- a/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json
+++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "3074f818",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json b/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json
index b3d27169f57..2ac41879b49 100644
--- a/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json
+++ b/assets/queries/openAPI/2.0/constraining_enum_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
 "platform": "OpenAPI",
 "descriptionID": "63cd2785",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json
index c099e941be6..1ea3b82c906 100644
--- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json
+++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "f6b7b31a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json b/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json
index 1af3f4465e7..971f23d7562 100644
--- a/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json
+++ b/assets/queries/openAPI/2.0/global_schemes_uses_http/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#swaggerObject",
 "platform": "OpenAPI",
 "descriptionID": "11bb39ad",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json
index 4ea791619a0..36204b9d4a3 100644
--- a/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject",
 "platform": "OpenAPI",
 "descriptionID": "14a00e4a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json
index b0686194816..a5991ff0406 100644
--- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json
+++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#swagger-object",
 "platform": "OpenAPI",
 "descriptionID": "d11c994c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json b/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json
index bc05f4668d1..31ed0ae0f6f 100644
--- a/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json
+++ b/assets/queries/openAPI/2.0/implicit_flow_oauth2/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
 "descriptionID": "a879610a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json b/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json
index 0bb2f210d13..175675af9aa 100644
--- a/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json
+++ b/assets/queries/openAPI/2.0/invalid_media_type_value/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "bde04b9d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json
index 064df0f401c..0d39079061f 100644
--- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json
+++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "d6163b1e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json
index e4f8dd56e53..042ba4b2a13 100644
--- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json
+++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
 "descriptionID": "720629e5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json
index a61186c9db8..1484986a4f5 100644
--- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json
+++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "7260680f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json
index 4067d8e0fc0..ef152a3870a 100644
--- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json
+++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#responsesDefinitionsObject",
 "platform": "OpenAPI",
 "descriptionID": "213a6df0",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json
index b94d80c10f5..c45772bc703 100644
--- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json
+++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#definitionsObject",
 "platform": "OpenAPI",
 "descriptionID": "6da8f0da",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json
index c06e1b79391..3a65b4a8849 100644
--- a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json
+++ b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "817fa38a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json
index e579390c88a..a79b4f501a1 100644
--- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json
+++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "e0b264a9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json
index 386a580d846..5709045106b 100644
--- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json
+++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "e135be5b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json
index 5d029e1be43..f3264fb1d19 100644
--- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json
+++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securityRequirementObject",
 "platform": "OpenAPI",
 "descriptionID": "33e1e674",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/object_without_required_property/metadata.json b/assets/queries/openAPI/2.0/object_without_required_property/metadata.json
index 8ef714f9f85..5b5160e4af2 100644
--- a/assets/queries/openAPI/2.0/object_without_required_property/metadata.json
+++ b/assets/queries/openAPI/2.0/object_without_required_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/",
 "platform": "OpenAPI",
 "descriptionID": "0bc1b81e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json
index 34346974e8a..e7b8eafdd1f 100644
--- a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#exampleObject",
 "platform": "OpenAPI",
 "descriptionID": "77f2d405",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json
index 10743a952c8..b15ab4089e6 100644
--- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "007c8e83",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json b/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json
index 73ced949f95..462d74b61bf 100644
--- a/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "de859594",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json b/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json
index 3d45118da55..38b33292ecd 100644
--- a/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_object_without_produces/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "1736226c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json b/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json
index 023b7076287..ca8a2b25a15 100644
--- a/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_summary_too_long/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "60a0b99e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json b/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json
index c9217ef6153..87e6df14b1e 100644
--- a/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_using_basic_auth/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "bb3bb0b3",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json
index 5cd33ecdc5a..cfa30dc0ad7 100644
--- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "5f7dafc1",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json b/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json
index 384fa30167c..a37460a30b5 100644
--- a/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/operation_using_password_flow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "e0279bb3",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json
index 1fa652575c2..cd68f6c451b 100644
--- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json
+++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameterObject",
 "platform": "OpenAPI",
 "descriptionID": "e8a62738",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json
index dcacaf9e670..fd320a4aa64 100644
--- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "9b33f092",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json b/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json
index 82d0e24222c..30525e19391 100644
--- a/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json
+++ b/assets/queries/openAPI/2.0/path_scheme_accepts_http/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#operationObject",
 "platform": "OpenAPI",
 "descriptionID": "4ac6f671",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/property_not_unique/metadata.json b/assets/queries/openAPI/2.0/property_not_unique/metadata.json
index 8507502114f..6859f540711 100644
--- a/assets/queries/openAPI/2.0/property_not_unique/metadata.json
+++ b/assets/queries/openAPI/2.0/property_not_unique/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#schemaObject",
 "platform": "OpenAPI",
 "descriptionID": "eb2e14e6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json b/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json
index b7f3de714fc..523657e9459 100644
--- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#responses-object",
 "platform": "OpenAPI",
 "descriptionID": "7a486064",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json
index c32d0875df9..4ce9940ed13 100644
--- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
 "platform": "OpenAPI",
 "descriptionID": "8389f514",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json
index 34ea1e39507..e5c92ddbbce 100644
--- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json
+++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#schema-object",
 "platform": "OpenAPI",
 "descriptionID": "2509db0d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json b/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json
index 654c5f8bcf0..02cbaabe5fd 100644
--- a/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json
+++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#swaggerObject",
 "platform": "OpenAPI",
 "descriptionID": "34948b49",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json
index c154c1ad41d..10c5a0d4dc2 100644
--- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json
+++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
 "descriptionID": "7b681b12",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json
index b63a93918d8..66f6307d774 100644
--- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json
+++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
 "platform": "OpenAPI",
 "descriptionID": "170dbeca",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json
index 9f4410ec361..d0a035075cb 100644
--- a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json
+++ b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#securitySchemeObject",
 "platform": "OpenAPI",
 "descriptionID": "80ec8e6a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json
index dc774e181e6..d1f16b8a820 100644
--- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/metadata.json
@@ -8,5 +8,5 @@
 "platform": "OpenAPI",
 "descriptionID": "44fec7d0",
 "aggregation": 2,
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json
index 4bf1b8ce2d1..db320999ef8 100644
--- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json
+++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "13115433",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json
index 677891d476f..afd4a4c867b 100644
--- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json
+++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "c5094b21",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unknown_prefix/metadata.json b/assets/queries/openAPI/2.0/unknown_prefix/metadata.json
index da3d4d36825..43c1084327e 100644
--- a/assets/queries/openAPI/2.0/unknown_prefix/metadata.json
+++ b/assets/queries/openAPI/2.0/unknown_prefix/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#swagger-object",
 "platform": "OpenAPI",
 "descriptionID": "3ac339ab",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unknown_property/metadata.json b/assets/queries/openAPI/2.0/unknown_property/metadata.json
index 547b5c244c2..178d9dea793 100644
--- a/assets/queries/openAPI/2.0/unknown_property/metadata.json
+++ b/assets/queries/openAPI/2.0/unknown_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/",
 "platform": "OpenAPI",
 "descriptionID": "546047b9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json b/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json
index cbfe9694b14..8bae7bcd063 100644
--- a/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/unused_parameter_definition/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#parametersDefinitionsObject",
 "platform": "OpenAPI",
 "descriptionID": "9850673a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unused_response_definition/metadata.json b/assets/queries/openAPI/2.0/unused_response_definition/metadata.json
index 29cf35c107f..af4a55feeac 100644
--- a/assets/queries/openAPI/2.0/unused_response_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/unused_response_definition/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#responsesDefinitionsObject",
 "platform": "OpenAPI",
 "descriptionID": "a2cfcc90",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json b/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json
index e8425fafe0d..766ce0991af 100644
--- a/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json
+++ b/assets/queries/openAPI/2.0/unused_schema_definition/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/v2/#definitionsObject",
 "platform": "OpenAPI",
 "descriptionID": "70f940b4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json
index 34e8a2953cb..48a28812bb7 100644
--- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json
+++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
 "descriptionID": "3623f181",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json
index a8a3490843c..ed16a58ca11 100644
--- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json
+++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
 "descriptionID": "d470a878",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
index 62b4fa3e297..5e870d07e3d 100644
--- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
+++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "bcb4b221",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json
index 8c3a3b070ba..ac120bf7ff8 100644
--- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#callback-object",
 "platform": "OpenAPI",
 "descriptionID": "ac521411",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json
index 45ffebc0cca..1f8e3d1c110 100644
--- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json
+++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "dc667769",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json
index 61b47260bc9..96353363732 100644
--- a/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_callback_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "f8826fb7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json
index ae76875082b..5a99e193036 100644
--- a/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_example_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "127b7b89",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json
index 71566296646..68f02531a88 100644
--- a/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_header_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "cc73d7db",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json
index d9fddc3407a..44e1206fb21 100644
--- a/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_link_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "3e317e78",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json
index 17e4d8105a1..891a304ba63 100644
--- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json
+++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "a6f85ed4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json
index e780433405b..81ed1272e57 100644
--- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "09b78a83",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json
index 55627383e64..2d5aea00511 100644
--- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "f3414d1a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json
index aad7d143a99..7b0ca27b85d 100644
--- a/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_response_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "549f320c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json b/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json
index a051b32f801..c9ea75022b7 100644
--- a/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json
+++ b/assets/queries/openAPI/3.0/components_schema_definition_unused/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "5cdc0f3b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/empty_array/metadata.json b/assets/queries/openAPI/3.0/empty_array/metadata.json
index e5de342484f..f428e97f5f0 100644
--- a/assets/queries/openAPI/3.0/empty_array/metadata.json
+++ b/assets/queries/openAPI/3.0/empty_array/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/",
 "platform": "OpenAPI",
 "descriptionID": "84f9722b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json
index b7a5896c9a9..b4ffd7a5eed 100644
--- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json
+++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "61185041",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json
index ffd4ec97c40..8f859a36d2d 100644
--- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json
+++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "f929aa5c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json
index 8638b3400fa..313be6642ba 100644
--- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json
+++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#reference-object",
 "platform": "OpenAPI",
 "descriptionID": "8984393e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json
index f69bfad982b..f4d067c933c 100644
--- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json
+++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "f29b5719",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json b/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json
index 33494bbbddf..93932e572ca 100644
--- a/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json
+++ b/assets/queries/openAPI/3.0/global_server_uses_http/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#server-object",
 "platform": "OpenAPI",
 "descriptionID": "6b568693",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json
index b8191d06976..cac0311252f 100644
--- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#responses-object",
 "platform": "OpenAPI",
 "descriptionID": "c3f2fe74",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json b/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json
index 52edffc9cf9..cad48aad430 100644
--- a/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/header_object_without_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#header-object",
 "platform": "OpenAPI",
 "descriptionID": "c1c481e4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
index 38e6f111175..0c9ca9b558d 100644
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
+++ b/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
 "descriptionID": "94ccaa01",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json
index 9fe9a7aaadb..3187424e6ae 100644
--- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/docs/specification/describing-request-body/file-upload/",
 "platform": "OpenAPI",
 "descriptionID": "d74b6525",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json b/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json
index 10ae0f5ff70..59883b882c8 100644
--- a/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "6d641994",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json
index c597562400a..c867940e693 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
 "descriptionID": "78304c48",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json
index 092e677ac7f..330c7c6e5dd 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
 "descriptionID": "92051404",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json
index c1fe96b5b33..088a08356b7 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "9fb67487",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json
index 20bfc4fadec..7d8b0c7649e 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "026db32d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json
index 7628a71b884..637eb1d67a7 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "c90bc259",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json
index c0b8466dd62..70cf74da3cd 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "5d9af338",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json
index 5da2ae1d3ab..bb94f59ba5e 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "a4f776da",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json
index 344cc5eb4b6..980a468771f 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "b33e0ccc",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json
index ce0baaf43a9..2f59080215b 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "e443a03e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json
index 3817dfe90bb..e9f30d7a5d5 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#components-object",
 "platform": "OpenAPI",
 "descriptionID": "5d8202a1",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json
index 664730a2461..1f623149335 100644
--- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#link-object",
 "platform": "OpenAPI",
 "descriptionID": "d32809e9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json
index a28ac2c382e..9d09395dcd7 100644
--- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json
+++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#link-object",
 "platform": "OpenAPI",
 "descriptionID": "0a18f076",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json
index 29333bb84eb..d0d684e1163 100644
--- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#link-object",
 "platform": "OpenAPI",
 "descriptionID": "bddcb8cd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json
index e84e0795069..0dcc743b1e6 100644
--- a/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "a7ffc444",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json
index a5d323145d0..15fd58a1217 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json
+++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flows-object",
 "platform": "OpenAPI",
 "descriptionID": "9bce0305",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json b/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json
index b1de9915013..5dee4aa323f 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json
+++ b/assets/queries/openAPI/3.0/oauth2_with_password_flow/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flows-object",
 "platform": "OpenAPI",
 "descriptionID": "dd7818af",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/object_without_required_property/metadata.json b/assets/queries/openAPI/3.0/object_without_required_property/metadata.json
index 00952d29a9c..8f4766d5f52 100644
--- a/assets/queries/openAPI/3.0/object_without_required_property/metadata.json
+++ b/assets/queries/openAPI/3.0/object_without_required_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/",
 "platform": "OpenAPI",
 "descriptionID": "a6b935a6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json
index 06da2377885..5eefd4e8c37 100644
--- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json
+++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "be33f7a9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json
index aa93f60ce22..512caf54503 100644
--- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "52e1f1a5",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json
index d833a0ba289..57e58ce5c66 100644
--- a/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json
+++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "379a120d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json
index f4d1bba9ce1..0c7b0be610b 100644
--- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json
+++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "4bbd104f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json
index 56901760271..8b16792df7c 100644
--- a/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json
+++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "de40b141",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json b/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json
index 8414d23f6d6..51e609e7925 100644
--- a/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json
+++ b/assets/queries/openAPI/3.0/path_server_uses_http/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#server-object",
 "platform": "OpenAPI",
 "descriptionID": "da49b13c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json
index ade4ba1ac43..b27500b1d0f 100644
--- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json
+++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "91d0af2c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json
index a92277ab434..bebcaafc91e 100644
--- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json
+++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#encoding-object",
 "platform": "OpenAPI",
 "descriptionID": "951a3c73",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json
index dc25c5126ed..3d46177bb4e 100644
--- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json
+++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#parameter-object",
 "platform": "OpenAPI",
 "descriptionID": "a23029a8",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json
index 20e89dc7f80..f3838a358a2 100644
--- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json
+++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#encoding-object",
 "platform": "OpenAPI",
 "descriptionID": "927e421b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json
index 577be0a842f..1eeac57d522 100644
--- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json
+++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#encoding-object",
 "platform": "OpenAPI",
 "descriptionID": "66497e8a",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json
index 557648cb207..783bd7c4cd3 100644
--- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#request-body-object",
 "platform": "OpenAPI",
 "descriptionID": "1b450a4b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json
index 02e8aa4b85a..90fea000cd9 100644
--- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json
+++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "0963c67c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json
index f4c72b38f4b..48ee0dadf20 100644
--- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#responses-object",
 "platform": "OpenAPI",
 "descriptionID": "2959ac6f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json
index 1cdc9fa8f31..252f1fc5143 100644
--- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json
+++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
 "descriptionID": "9f6a14ba",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json
index bcf35c8a7e2..c32dd36d835 100644
--- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json
+++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#schema-object",
 "platform": "OpenAPI",
 "descriptionID": "adb56e0b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_field_undefined/metadata.json b/assets/queries/openAPI/3.0/security_field_undefined/metadata.json
index db7438f5ead..3c03fa5acdf 100644
--- a/assets/queries/openAPI/3.0/security_field_undefined/metadata.json
+++ b/assets/queries/openAPI/3.0/security_field_undefined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-requirement-object",
 "platform": "OpenAPI",
 "descriptionID": "2d06cd16",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json b/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json
index 8daedacb1ad..74f4552714c 100644
--- a/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json
+++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "5ece1b91",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json
index b9d7f0c14f8..5baff8710c3 100644
--- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json
+++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-requirement-object",
 "platform": "OpenAPI",
 "descriptionID": "34997c77",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json b/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json
index 3d6126ffc79..b5560652178 100644
--- a/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json
+++ b/assets/queries/openAPI/3.0/security_scheme_undefined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "61dba06b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json
index 410f8d2fcc4..4dbbd55d4c4 100644
--- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json
+++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "2aa53f7c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json
index 218badc0fcb..03059a37951 100644
--- a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json
+++ b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "2e962b5c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json
index cc6c3ceb236..9d6e629c697 100644
--- a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json
+++ b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "2fe8fccb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json
index f29b19c00c2..54b6c609aee 100644
--- a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json
+++ b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "e8060d48",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json
index 55b52af0347..2aad0be468e 100644
--- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json
+++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "8cff8206",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json
index 7df560157e1..b6c95b249f7 100644
--- a/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json
+++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#server-variable-object",
 "platform": "OpenAPI",
 "descriptionID": "d1b765db",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json b/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json
index 40f1c9897e4..55284293d5a 100644
--- a/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json
+++ b/assets/queries/openAPI/3.0/server_url_not_absolute/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#server-object",
 "platform": "OpenAPI",
 "descriptionID": "2dd5856c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json
index 2bc2bdfc5f7..0db8df3ca20 100644
--- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json
+++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#server-object",
 "platform": "OpenAPI",
 "descriptionID": "c8a70e31",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/servers_undefined/metadata.json b/assets/queries/openAPI/3.0/servers_undefined/metadata.json
index ed7815411fe..dca63fade7d 100644
--- a/assets/queries/openAPI/3.0/servers_undefined/metadata.json
+++ b/assets/queries/openAPI/3.0/servers_undefined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#server-object",
 "platform": "OpenAPI",
 "descriptionID": "890ee1bd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json
index 01830fa2ea8..09984365f88 100644
--- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json
+++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
 "platform": "OpenAPI",
 "descriptionID": "d3325ec2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json
index 96ebfe4bd8f..45cd9430c94 100644
--- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json
+++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
 "descriptionID": "ef926b66",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json
index 6286025f0ad..83008e244e3 100644
--- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json
+++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
 "platform": "OpenAPI",
 "descriptionID": "31fb94e2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/unknown_prefix/metadata.json b/assets/queries/openAPI/3.0/unknown_prefix/metadata.json
index 3589a5edc20..16609603d52 100644
--- a/assets/queries/openAPI/3.0/unknown_prefix/metadata.json
+++ b/assets/queries/openAPI/3.0/unknown_prefix/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/#media-type-object",
 "platform": "OpenAPI",
 "descriptionID": "18c553ae",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/unknown_property/metadata.json b/assets/queries/openAPI/3.0/unknown_property/metadata.json
index 249e95f0fff..104c4b6d749 100644
--- a/assets/queries/openAPI/3.0/unknown_property/metadata.json
+++ b/assets/queries/openAPI/3.0/unknown_property/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://swagger.io/specification/",
 "platform": "OpenAPI",
 "descriptionID": "44e287cd",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
index 599989c573f..cb567c71719 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
index 106fdfbdde6..06b57f7c7d7 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/array_items_has_no_type/metadata.json b/assets/queries/openAPI/general/array_items_has_no_type/metadata.json
index af9f26049de..5381807135e 100644
--- a/assets/queries/openAPI/general/array_items_has_no_type/metadata.json
+++ b/assets/queries/openAPI/general/array_items_has_no_type/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "Schema/Parameter array items type should be defined"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json b/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json
index bf7d603d7f3..611403ccd3c 100644
--- a/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json
+++ b/assets/queries/openAPI/general/array_without_maximum_number_items/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "Array schema/parameter should have the field 'maxItems' set"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json
index 4ca5817eb89..b71b81f8e49 100644
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json
index 8e7d7b524e0..11763e73b45 100644
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/default_invalid/metadata.json b/assets/queries/openAPI/general/default_invalid/metadata.json
index c50bf0d81a4..f2b96067e66 100644
--- a/assets/queries/openAPI/general/default_invalid/metadata.json
+++ b/assets/queries/openAPI/general/default_invalid/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json b/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json
index 8f2a74179d5..f887c9a41e0 100644
--- a/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json
+++ b/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json
index a786c557f06..7f19180517d 100644
--- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json
+++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/global_security_field_undefined/metadata.json b/assets/queries/openAPI/general/global_security_field_undefined/metadata.json
index 526384b5f5e..297e7fd0d4b 100644
--- a/assets/queries/openAPI/general/global_security_field_undefined/metadata.json
+++ b/assets/queries/openAPI/general/global_security_field_undefined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json
index b390ceafd40..a4e20585014 100644
--- a/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json
+++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json
index 6607affb111..a3277cd4881 100644
--- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json
+++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json
index 28a7e89b654..13276cec352 100644
--- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json
+++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json b/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json
index 0a84e0dbfd9..f4c562f68a9 100644
--- a/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json
+++ b/assets/queries/openAPI/general/header_response_name_is_invalid/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_contact_email/metadata.json b/assets/queries/openAPI/general/invalid_contact_email/metadata.json
index 193efd8900a..126c6783cb2 100644
--- a/assets/queries/openAPI/general/invalid_contact_email/metadata.json
+++ b/assets/queries/openAPI/general/invalid_contact_email/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_contact_url/metadata.json b/assets/queries/openAPI/general/invalid_contact_url/metadata.json
index 5a5a16694db..33d0366adfc 100644
--- a/assets/queries/openAPI/general/invalid_contact_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_contact_url/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_format/metadata.json b/assets/queries/openAPI/general/invalid_format/metadata.json
index 9e72b5afe5d..d6af844d962 100644
--- a/assets/queries/openAPI/general/invalid_format/metadata.json
+++ b/assets/queries/openAPI/general/invalid_format/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json
index 193686eee0d..c6b7b006d25 100644
--- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_license_url/metadata.json b/assets/queries/openAPI/general/invalid_license_url/metadata.json
index 12f668227e4..ab92d85f9e8 100644
--- a/assets/queries/openAPI/general/invalid_license_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_license_url/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json
index 7cb2ad64cb9..85775fb0332 100644
--- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json
index 1d112c40fdd..7f7cd46168f 100644
--- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json
index 51e81c1ad99..b19320d55c3 100644
--- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json
+++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/items_undefined/metadata.json b/assets/queries/openAPI/general/items_undefined/metadata.json
index 23a8df82c71..1660ac84cb1 100644
--- a/assets/queries/openAPI/general/items_undefined/metadata.json
+++ b/assets/queries/openAPI/general/items_undefined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json b/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json
index 2a37d95f89d..bb4909056d3 100644
--- a/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json
+++ b/assets/queries/openAPI/general/json_object_schema_without_properties/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json b/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json
index 47aeec27b2c..e37141802d0 100644
--- a/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json
+++ b/assets/queries/openAPI/general/json_object_schema_without_type/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json b/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json
index 6afa9921d39..29a11e6a6f4 100644
--- a/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json
+++ b/assets/queries/openAPI/general/json_ref_alongside_properties/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/metadata.json b/assets/queries/openAPI/general/maximum_length_undefined/metadata.json
index a2adf667bc4..da3b13b455b 100644
--- a/assets/queries/openAPI/general/maximum_length_undefined/metadata.json
+++ b/assets/queries/openAPI/general/maximum_length_undefined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "String schema/parameter/header should have 'maxLength' defined."
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json
index 52ea8e6f172..3f38736cfea 100644
--- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json
+++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json b/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json
index a8bab6c2118..2622da04a08 100644
--- a/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json
+++ b/assets/queries/openAPI/general/non_array_schema_with_items/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json b/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json
index a68125d259c..4885ab98d3b 100644
--- a/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json
+++ b/assets/queries/openAPI/general/numeric_schema_without_format/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json
index 204a2d0ed58..a79a8207472 100644
--- a/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json
+++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json
index a36504b4f52..dda5b5d8e93 100644
--- a/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json
+++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json
index ef7ef9378d3..30230aaf766 100644
--- a/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json
+++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/operation_id_not_unique/metadata.json b/assets/queries/openAPI/general/operation_id_not_unique/metadata.json
index af82a567d22..2874e56fcdc 100644
--- a/assets/queries/openAPI/general/operation_id_not_unique/metadata.json
+++ b/assets/queries/openAPI/general/operation_id_not_unique/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json
index 3487264d57e..cffb40603b9 100644
--- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json
+++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json
index 2261fe1d6db..f155f452a11 100644
--- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json
+++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json
index 23bd949beb1..f6971c946db 100644
--- a/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json
+++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_ambiguous/metadata.json b/assets/queries/openAPI/general/path_ambiguous/metadata.json
index a51f12443d6..92c3511f491 100644
--- a/assets/queries/openAPI/general/path_ambiguous/metadata.json
+++ b/assets/queries/openAPI/general/path_ambiguous/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_parameter_not_required/metadata.json b/assets/queries/openAPI/general/path_parameter_not_required/metadata.json
index 83935d85f5b..a0e89a94730 100644
--- a/assets/queries/openAPI/general/path_parameter_not_required/metadata.json
+++ b/assets/queries/openAPI/general/path_parameter_not_required/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json
index 719d75100a6..543740c1dd2 100644
--- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json
+++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_template_empty/metadata.json b/assets/queries/openAPI/general/path_template_empty/metadata.json
index f82a6128db8..d2a624f3683 100644
--- a/assets/queries/openAPI/general/path_template_empty/metadata.json
+++ b/assets/queries/openAPI/general/path_template_empty/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/path_without_operation/metadata.json b/assets/queries/openAPI/general/path_without_operation/metadata.json
index 6789dd15db6..52aaed75200 100644
--- a/assets/queries/openAPI/general/path_without_operation/metadata.json
+++ b/assets/queries/openAPI/general/path_without_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/paths_object_empty/metadata.json b/assets/queries/openAPI/general/paths_object_empty/metadata.json
index ef6ac1ff77b..5a11b9baa81 100644
--- a/assets/queries/openAPI/general/paths_object_empty/metadata.json
+++ b/assets/queries/openAPI/general/paths_object_empty/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/pattern_undefined/metadata.json b/assets/queries/openAPI/general/pattern_undefined/metadata.json
index 00593ebc0f6..fae71b888ab 100644
--- a/assets/queries/openAPI/general/pattern_undefined/metadata.json
+++ b/assets/queries/openAPI/general/pattern_undefined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "String schema/parameter/header should have 'pattern' defined."
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/properties_missing_required_property/metadata.json b/assets/queries/openAPI/general/properties_missing_required_property/metadata.json
index 4c9165ff761..416aceeefd1 100644
--- a/assets/queries/openAPI/general/properties_missing_required_property/metadata.json
+++ b/assets/queries/openAPI/general/properties_missing_required_property/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json
index 8c3d2e44d3f..5d12789e93b 100644
--- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json
+++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json
index 7b1dabdeef7..263c3e6c982 100644
--- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json
+++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/required_property_default_value/metadata.json b/assets/queries/openAPI/general/required_property_default_value/metadata.json
index 15093dd3135..e2ca0989a49 100644
--- a/assets/queries/openAPI/general/required_property_default_value/metadata.json
+++ b/assets/queries/openAPI/general/required_property_default_value/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/response_code_missing/metadata.json b/assets/queries/openAPI/general/response_code_missing/metadata.json
index fca65e3b83f..e414f5feb9c 100644
--- a/assets/queries/openAPI/general/response_code_missing/metadata.json
+++ b/assets/queries/openAPI/general/response_code_missing/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
index 36625b9f88d..af435846de7 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "If a response is head or its code is 204 or 304, it shouldn't have a schema defined"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json
index 4bb9a9bcf04..4a852f086e0 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/responses_object_is_empty/metadata.json b/assets/queries/openAPI/general/responses_object_is_empty/metadata.json
index eca497b1a33..f900850bf2b 100644
--- a/assets/queries/openAPI/general/responses_object_is_empty/metadata.json
+++ b/assets/queries/openAPI/general/responses_object_is_empty/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json
index ac42b2d32b6..993f2b2db97 100644
--- a/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json
+++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json
index a50973c752c..3a8b7da4b38 100644
--- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json
+++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json b/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json
index 29274f76e02..07a8d1b3e79 100644
--- a/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json
+++ b/assets/queries/openAPI/general/schema_discriminator_not_required/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json
index 516a83224da..27606b572f5 100644
--- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json
+++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_enum_invalid/metadata.json b/assets/queries/openAPI/general/schema_enum_invalid/metadata.json
index 7c938359bc4..5e0534f63ed 100644
--- a/assets/queries/openAPI/general/schema_enum_invalid/metadata.json
+++ b/assets/queries/openAPI/general/schema_enum_invalid/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_object_empty/metadata.json b/assets/queries/openAPI/general/schema_object_empty/metadata.json
index 5903175cc12..aa8d5d3c295 100644
--- a/assets/queries/openAPI/general/schema_object_empty/metadata.json
+++ b/assets/queries/openAPI/general/schema_object_empty/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json
index 7ab49bfb2d7..eb62a108051 100644
--- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json
+++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json b/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json
index 964a74fa5e9..e1612fbd90b 100644
--- a/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json
+++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json b/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json
index 46afa431b69..9583bfbff4f 100644
--- a/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json
+++ b/assets/queries/openAPI/general/schema_required_property_undefined/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_empty_array/metadata.json b/assets/queries/openAPI/general/security_empty_array/metadata.json
index 945ab55ceeb..a34951bbd11 100644
--- a/assets/queries/openAPI/general/security_empty_array/metadata.json
+++ b/assets/queries/openAPI/general/security_empty_array/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_empty_object_definition/metadata.json b/assets/queries/openAPI/general/security_empty_object_definition/metadata.json
index 8645bbedb25..c5e1c707964 100644
--- a/assets/queries/openAPI/general/security_empty_object_definition/metadata.json
+++ b/assets/queries/openAPI/general/security_empty_object_definition/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_operations_empty_array/metadata.json b/assets/queries/openAPI/general/security_operations_empty_array/metadata.json
index a2d39b58b02..d8780450e4c 100644
--- a/assets/queries/openAPI/general/security_operations_empty_array/metadata.json
+++ b/assets/queries/openAPI/general/security_operations_empty_array/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json
index 83c97df484e..756a939f4bb 100644
--- a/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json
+++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json
index aeebe4a29e2..3f9a0affb15 100644
--- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json
+++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
index 45564a3f8ad..96392d7a566 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
index 12919c771f7..132f79e1e56 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
index d6fcbf26514..68ed8533d26 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
index c3804058f82..ad0dd348ccd 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
index 8cebc20ad4c..a6229113eaa 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
index 8867fb6ac74..fd99d640789 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json
index 9c70e9ecd2c..da438958b35 100644
--- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json
+++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": ""
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json b/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json
index 92780718c0e..5834c4756c3 100644
--- a/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json
+++ b/assets/queries/openAPI/general/type_has_invalid_keyword/metadata.json
@@ -16,5 +16,5 @@
 "descriptionText": "Schema/Parameter/Header Object define type should not use a keyword of another type"
 }
 },
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
index 074ec13787a..5bf4756a206 100644
--- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "fdd6a212",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json
index fd7b1ed59d1..78fe95468e7 100644
--- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json
+++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "5feb747f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json
index 39caa0a3a7a..f6c6e3eaefe 100644
--- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json
+++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "f7ced1f3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json b/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json
index dd4d37c9c3c..abb8c3746d9 100644
--- a/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "c5bd58cd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json
index 80f344a1544..af842d45a16 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json
+++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "fb6a0c51",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
index 871c9b00b06..d1793ba1271 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
+++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "6ff56c6e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json
index 884f8846668..6308b095d68 100644
--- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json
+++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "7f96d3ac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json
index 3b693193aa6..edb4a927633 100644
--- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "81a001dd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
index 61d242e1449..5ccbe26ea83 100644
--- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
+++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "149de780",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json
index 594aa1450ca..41e5a1f5fdb 100644
--- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json
+++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "ff8bf6c0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json
index 99b8de69d88..5bf614e8810 100644
--- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json
+++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "55b7425d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json
index 19cc71573e3..b9a52f8b4c1 100644
--- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "831d28f3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json
index 3e42db7cabb..1fdf97deb1d 100644
--- a/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/pulumi/aws/iam_password_without_lowercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "602b7e6a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json
index 758ac74f3c3..eca537265c2 100644
--- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "5e46720a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
index f34cd10949c..3b00c95a628 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "be6d13f0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 6c0c8fd3a19..121375da5f6 100644
--- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "64acf7a6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
index c20d0b5eaa2..c502c049c40 100644
--- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
+++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "406540e1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index f64bf39f851..a139cd3d7fa 100644
--- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "cc15c4d8",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
index aa138cbd644..cacf6946a84 100644
--- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
+++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Pulumi",
 "descriptionID": "58a27cbf",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json
index 634bbcf596b..0bfe4d89cd1 100644
--- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json
+++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta",
 "platform": "Pulumi",
 "descriptionID": "15676623",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
index 65508d83589..6025117eb53 100644
--- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml",
 "platform": "Pulumi",
 "descriptionID": "7a6c8b70",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json
index 085d266064c..c763d5ab0c4 100644
--- a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#logs",
 "platform": "ServerlessFW",
 "descriptionID": "15262598",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json
index 9ea02bc949d..1041bd9e018 100644
--- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/events/apigateway#configuring-endpoint-types",
 "platform": "ServerlessFW",
 "descriptionID": "7837a4b9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json
index 48c00decf21..0a6a8662c6e 100644
--- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/events/apigateway#compression",
 "platform": "ServerlessFW",
 "descriptionID": "2a9e728c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json
index 30bd175e759..d1427815f3f 100644
--- a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json
+++ b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/events/apigateway#aws-x-ray-tracing",
 "platform": "ServerlessFW",
 "descriptionID": "4af7c06f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json
index d069c1edcc5..24ecf9007d5 100644
--- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#kms-keys",
 "platform": "ServerlessFW",
 "descriptionID": "d900c253",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json
index 6f2f36ed8d4..593976578d4 100644
--- a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#dead-letter-queue-dlq",
 "platform": "ServerlessFW",
 "descriptionID": "0bd85f63",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json b/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json
index 0a3f977789f..1a7ee62d301 100644
--- a/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_tags/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#tags",
 "platform": "ServerlessFW",
 "descriptionID": "39d4d6d2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json
index 60491fb35ce..61c2d8c8f1a 100644
--- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#functions",
 "platform": "ServerlessFW",
 "descriptionID": "071f8656",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json
index e019ca19102..6a07e6a180a 100644
--- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json
+++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/functions#aws-x-ray-tracing",
 "platform": "ServerlessFW",
 "descriptionID": "f3f93ff6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json b/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json
index 282d682ec1a..7db6f3771de 100644
--- a/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json
+++ b/assets/queries/serverlessFW/serverless_role_with_full_privileges/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.serverless.com/framework/docs/providers/aws/guide/iam",
 "platform": "ServerlessFW",
 "descriptionID": "0907f0e7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json
index f7df1ad2117..d6eabbe1363 100644
--- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "72180b32",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json
index a2cd7f23849..2f01e806d1e 100644
--- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0b91a8b5",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json b/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json
index 8944c3f569b..a7c38695101 100644
--- a/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json
+++ b/assets/queries/terraform/alicloud/alb_listening_on_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "75d71dc8",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json
index a31eee6f6ba..679dd305bcc 100644
--- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json
+++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "31f4c870",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json b/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json
index a4175d37a50..89c2cd374b7 100644
--- a/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json
+++ b/assets/queries/terraform/alicloud/cmk_is_unusable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "52a5ea7c",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json
index 49106007fcb..bff6ae841c9 100644
--- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3096639c",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json b/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json
index 193ecb7c1c0..ee52616493f 100644
--- a/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "68bbdfee",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json
index b546b1f72cf..ce8883f76ac 100644
--- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json
+++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "04c57e20",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json
index 5a4588a5ba9..0820f9217ef 100644
--- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json
+++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7961c2d3",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json
index ce7a8c001a2..e164ec8ea53 100644
--- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json
+++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7c27643e",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json
index ba757ccb6dc..6a1ae9eb7ef 100644
--- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json
+++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e9336717",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json
index a0a981e9978..26413490324 100644
--- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json
+++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "11d4fc85",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json
index 8ade6d50335..1e8c6f49979 100644
--- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json
+++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fb3675d5",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json
index a9e70357f76..704adfb6d38 100644
--- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json
+++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5fb1326b",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json
index ee70ec30ccb..b11b35b3ea0 100644
--- a/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json
+++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "199b3f61",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json
index c087f2764c4..222638fb058 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5507d429",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json
index c38f183a539..b73f0b553d8 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ee07e6f5",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json
index 80f1e4df20f..2ea5c26a607 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b22a7d83",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json
index aee8a561b81..46228635216 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "14d65676",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json
index f1ac789a1a9..f2322a80469 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5907ee8c",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json
index e2466673305..9335d85c6d7 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4c0903ce",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json
index 823b6322fd3..93142752d51 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "93cebe21",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json
index 64e05de79aa..46834891939 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "66609561",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json
index f2ed03d803f..1ee3c6d5002 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c4a5fdbb",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
index c305ba14ae8..ac20f7ce3cf 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d8096622",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json
index 8a6a52a38f2..ef26639d3c0 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "19899aaa",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json
index 7fa698e2d57..43f9f2eac8b 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "749f1287",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json
index 8d891033c4d..bdfd4a26be3 100644
--- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2b43b0a7",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json
index f2cee87e26f..32230cfd13a 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6dcb70e8",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json
index 4711e8f5254..629b5d65f9d 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "717c49e0",
 "aggregation": 63,
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json
index 5bff281d3aa..993d339cf34 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a2097952",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json
index d30f32031d8..dfddaddb448 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6a2e9c34",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json
index f132100cfb8..4db6b82f743 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6056f5ca",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json
index ca87a9c8aee..e8da97c35f8 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a8b47743",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json
index 46a9d37afcd..b94663d7959 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0ee40b1d",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json
index d4465a82c7e..02f0521fa71 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f3616c34",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json
index b83952c32c0..de40783d764 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2210f1f7",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json
index debd65095ef..d385d8d2e0a 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b482b843",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json
index 25534fb0a5a..0dbbbb7461c 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5adbc73e",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json
index 1e9837f67c5..7e2425f0efa 100644
--- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d529825f",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json
index 06b2c4c6503..789e169bea9 100644
--- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c3be65a4",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json
index ba2b06d03a4..61153875333 100644
--- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json
+++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6131e90d",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
index d6591e6aa75..8925e349ce0 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d23dc3f9",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json
index d9a92000cbb..7ccd8ecf01f 100644
--- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c731d8ad",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json
index 58f95133c40..d6682075e22 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0a96bec0",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json
index be25f2583d8..0c797ce33d7 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "67ec659b",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json
index 090e1bcd34e..2ec687a7a71 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c4027901",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json
index 53f58779211..560724da2d1 100644
--- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aac97545",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json
index 61bb6e0c066..1ea18805c6a 100644
--- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "243a4fb4",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json
index 2ac88b9c125..0cb502bdeef 100644
--- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4a568dd7",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json
index dd1c3d5923e..5b21144dcbe 100644
--- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ae8fb315",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json
index d14d9aaa362..c83df9e4a9d 100644
--- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9552bb69",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json
index ec3ab63d49c..f67503b89e7 100644
--- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7d4885db",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json b/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json
index 38def4fba57..4e3b1c23f86 100644
--- a/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json
+++ b/assets/queries/terraform/alicloud/ros_stack_without_template/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "29378f62",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json
index 82128f5fa2e..79357f8d672 100644
--- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json
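Review bot: The ros_stack_without_template hunk leaves `"cloudProvider": "aws"` in place although the file lives under assets/queries/terraform/alicloud and every neighbouring alicloud metadata file in this commit carries `"cloudProvider": "alicloud"`. The mismatch predates this change, but since the file is already being edited for the key rename it is cheap to correct in the same pass: `"cloudProvider": "alicloud",`. Whether the scanner uses this field to select queries by provider is inferred from its presence in each metadata file, not shown on the page, so confirm before relying on it.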
+++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "dcc71406",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json
index b342976a285..b00436511aa 100644
--- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json
+++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2841dac6",
 "cloudProvider": "alicloud",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json
index dc937ad9fef..cd3cba626ba 100644
--- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json
+++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "224b3c6f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json
index a44f1959883..bba483e3cd5 100644
--- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4e4c668d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/alb_listening_on_http/metadata.json b/assets/queries/terraform/aws/alb_listening_on_http/metadata.json
index fe8a28f53bd..45083e68509 100644
--- a/assets/queries/terraform/aws/alb_listening_on_http/metadata.json
+++ b/assets/queries/terraform/aws/alb_listening_on_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "47a8608d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json
index f1aae97390a..637886f340f 100644
--- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json
+++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7560e4d2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
index 1be85a76f09..3b5f6d7df15 100644
--- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e9791a4b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json
index ec9dd586139..150b7797ee4 100644
--- a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "81fb6220",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ami_not_encrypted/metadata.json b/assets/queries/terraform/aws/ami_not_encrypted/metadata.json
index 0e599e28344..d56d0599eb1 100644
--- a/assets/queries/terraform/aws/ami_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ami_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "248fe368",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json
index cba5b701fa3..fbbb9dd17ac 100644
--- a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json
+++ b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3dfbf99b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json
index 47916437831..702e34b7591 100644
--- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e03531bf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json
index 201a131b0b4..5e2f515775e 100644
--- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e28c5797",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
index 90aef312b84..d5ad4c584af 100644
--- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a5480b6e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json
index 247c16b8380..af47ddba072 100644
--- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "baf9a6d6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
index 32a0f0e54c3..8dc233841aa 100644
--- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f133fed2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json
index 9f1c133c8f8..6980b4f2dfe 100644
--- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ceabd70f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
index 4d475de51f7..dadc736bf91 100644
--- a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "72d08d94",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
index d869b7d90ed..eba014b53ed 100644
--- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "48b9d186",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json
index f8c8b597879..c68d3377832 100644
--- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fc02b8db",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json b/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json
index b30ef7263bd..ea88bd5c842 100644
--- a/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_with_open_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1a1dc17c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json
index 02e8cd4cfc4..927f24b4e7b 100644
--- a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c1eed330",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json
index 44d32d7ab5a..6a21d2ea88d 100644
--- a/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b78cd4cb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json
index 0129f502828..eda66d4c609 100644
--- a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6d4941dc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json b/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json
index 1f34950c27a..f6609674a42 100644
--- a/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "bfefa118",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json
index 0cfbf758b68..c8e2c90a63e 100644
--- a/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "21e236a0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json b/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json
index c4b6d6375c1..3d1118a9acd 100644
--- a/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/athena_database_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c90feea8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json
index 6ec5c47000b..8b3bfeebee0 100644
--- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8eb1d650",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json
index 8b5bc06858f..ee58e8d9b7f 100644
--- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json
+++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3e7eea78",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/authentication_without_mfa/metadata.json b/assets/queries/terraform/aws/authentication_without_mfa/metadata.json
index 99b226933a6..026fef6ad46 100644
--- a/assets/queries/terraform/aws/authentication_without_mfa/metadata.json
+++ b/assets/queries/terraform/aws/authentication_without_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0db1a4b2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json
index 06005dc1b7f..cf66975bd09 100644
--- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json
+++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "268307dd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json
index 4b8badfaf5a..14885bc3bec 100644
--- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json
+++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "240cddcc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json
index 8b21ab45208..e93a7635d33 100644
--- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json
+++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "83cb6386",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
index 19e15a910aa..2a12b9b795f 100644
--- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
+++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8163d3cf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json
index 4788013e275..489ccc87338 100644
--- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json
+++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "71dab2d1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json
index abeaa12a472..3fb2dab6754 100644
--- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json
+++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "09935963",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json
index 03f05bfa724..7884063ee34 100644
--- a/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json
+++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1b311401",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/certificate_has_expired/metadata.json b/assets/queries/terraform/aws/certificate_has_expired/metadata.json
index d76b692e85f..fe761806b43 100644
--- a/assets/queries/terraform/aws/certificate_has_expired/metadata.json
+++ b/assets/queries/terraform/aws/certificate_has_expired/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "998f52fe",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
index b1521b7fe11..577be4addb9 100644
--- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
+++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ec305dde",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
index c074ccc2afb..c6f7093999b 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9cf96455",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
index 49c0b4ecd6a..149c31dedf4 100644
--- a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3547cd5a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
index a8247971a67..0a9bf839289 100644
--- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0b620722",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
index 0cb5a94b062..5d3f76e84f4 100755
--- a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8fa5ef1b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
index bbe44db249c..f84a9e91c2a 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1d528dfd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index fd5604b177e..169e5cda4a6 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ee8a4d47",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json
index d719dbeaad8..3b4d471e038 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2f7c6ca4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json
index 80d1a3635e7..32d744b0f57 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7ccceef5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json
index 04968fea44a..3a6fadcb70e 100644
--- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d0aecc8d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json
index 13292e882fe..a43188d265a 100644
--- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "feb82a62",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
index 31bab98ae84..22b51d22838 100644
--- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "11653439",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index 57eee6243af..81e31ebffb3 100644
--- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a9eb3c6c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
index 66f37a390ec..349a9c6d63c 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "698457eb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
index 06f61bb5e86..86db892c4fe 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "38b85c45",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
index 0cb8bbf89d6..6ca0de1d284 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0a8e8dc5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json
index 4abbf7706aa..28ed443a317 100644
--- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "feffbd73",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json
index 72c817bb2a5..e73ae7542e4 100644
--- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "56a585f5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json
index 36c6c5f7816..db2072c26f3 100644
--- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "eaaba502",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json
index 088d74f686a..b9c8f67931b 100644
--- a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4258abe6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json
index e45e45a4c3e..42b558c3407 100644
--- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b4a8c275",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json
index 9b6141d5494..d02f9e2208a 100644
--- a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0f0cc4cf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json
index 6ceef067eae..9d38cd2b138 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9166fdbf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json
index 120c88494ed..4ce5caab89a 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "901439fb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json
index 5c4a75a40cd..031d7f00c2b 100644
--- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f7414ebe",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json
index 5903cc53f05..bfa48ec80ca 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aa3e331d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json
index e1bdf351244..5324267a574 100644
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4de23f97",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json
index 871e7a7a748..13db282bc12 100644
--- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "de601959",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json
index 2669550bb02..6be7e624155 100644
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cf5226f8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json
index 4ae4a3d364f..001b38e045c 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7ed6edfe",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json
index 464d0062125..2cc42e13b8e 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "244b5c19",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
index 8810bc4cb5c..29f91b2f0ee 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6159556d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json
index 122422373f5..d72dd39d9b4 100644
--- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "64f08509",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cmk_is_unusable/metadata.json b/assets/queries/terraform/aws/cmk_is_unusable/metadata.json
index 8952aae9f6b..fdc56a512d1 100644
--- a/assets/queries/terraform/aws/cmk_is_unusable/metadata.json
+++ b/assets/queries/terraform/aws/cmk_is_unusable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "261d4fc3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json b/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json
index 2ba7baa6de2..ec807b74b8b 100644
--- a/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cmk_rotation_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "64cfa70f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json
index ed2c25bf1e9..c08129a71b8 100644
--- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json
+++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1034fb5a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json
index dd65aa8e42c..1f1e396ec40 100644
--- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json
+++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "17f77319",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
index 9d3215f1ab8..8d11286e66d 100644
--- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
+++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9e82278d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
index a25c651834c..fb176472c27 100644
--- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
+++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fb93ace4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
index 66d5df987d6..4482624f940 100644
--- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
+++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "18c64b43",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json
index c60cb727d64..ada25a86d37 100644
--- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "28ef11a5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json
index 42317cf36ee..7a19edb618a 100644
--- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "88ca11bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json b/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json
index d485abb7b12..cb907488dde 100644
--- a/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_has_public_interface/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ddaf8c0b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json
index 4fceff08e15..02666d8d482 100644
--- a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cd091033",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
index 1b8c6ee90fc..b738b04273f 100644
--- a/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "97108586",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index 487b5482fe3..68e287af960 100644
--- a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d218356d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/default_vpc_exists/metadata.json b/assets/queries/terraform/aws/default_vpc_exists/metadata.json
index 45d91335768..88d252ee8be 100644
--- a/assets/queries/terraform/aws/default_vpc_exists/metadata.json
+++ b/assets/queries/terraform/aws/default_vpc_exists/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d4f171f3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json
index 4ec7e7785e1..620d102ed77 100644
--- a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json
+++ b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "984ebbd4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json
index 3ce09ed1133..83e322a0b2e 100644
--- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aaec5c7c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json b/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json
index 8a34b993b83..d41bb7cdab4 100644
--- a/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/docdb_cluster_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "35efd407",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json b/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json
index 52dcb8881f2..67771bf0fcf 100644
--- a/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/docdb_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7a864a61",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json
index e2cc2632b6d..2ab2634c1ba 100644
--- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a4233398",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
index 0f6f3db10b1..4325975f8f9 100644
--- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
+++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "205ac3d1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json
index 78a9051d9af..68944334db5 100644
--- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json
+++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e4334087",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json b/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json
index 542c6f06f4d..406645bcd78 100644
--- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2990583f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
index 2968adbe801..4a90bfd71d6 100644
--- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "977695a1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json
index 551db9dc86d..8c452f80319 100644
--- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b36765a7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json
index b8402f8b007..b12572d2cef 100644
--- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c6f1d1f4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json
index a80dac259f0..894b623292c 100644
--- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0d5413e6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json
index 0afcee6af13..698a306237d 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ffd8ce80",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json
index 9c4ec543d2b..fba16b67db2 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d263cf13",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json
index 474553259fe..ccb89968c12 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7e2909e5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json
index 3bcbf0226ec..7dcadf11911 100644
--- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json
+++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ddce4bd9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json
index 9b6e003bd38..5721ba29ec3 100644
--- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1cc5d4e2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json
index 781ecd84db5..83b219d5a90 100644
--- a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5a3ad5ce",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json
index 82d7c388098..dc27552797b 100644
--- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e96d149c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json b/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json
index 0f70b5b43c2..6749b99221b 100644
--- a/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json
+++ b/assets/queries/terraform/aws/ecr_repository_without_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cb9636f6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json
index 63f35945356..ee72cb71525 100644
--- a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b48a7a70",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
index 6f625a5b78e..753c9c3c2f6 100644
--- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0503dc3c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json b/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json
index 5a02ead1ec3..e71907bd65b 100644
--- a/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json
+++ b/assets/queries/terraform/aws/ecs_service_without_running_tasks/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8bcc00c2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index b034d988a82..f11bbb10a52 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "61f295c5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json
index 6449b392991..cf1dae44725 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b01e131b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
index 405130ebf56..9a308462059 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b2503e42",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/efs_not_encrypted/metadata.json b/assets/queries/terraform/aws/efs_not_encrypted/metadata.json
index e06c16238a3..8b0f488d5f3 100644
--- a/assets/queries/terraform/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/efs_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e4ced70d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json
index a0db937866c..b1657e52e66 100644
--- a/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/efs_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d2017b69",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/efs_without_kms/metadata.json b/assets/queries/terraform/aws/efs_without_kms/metadata.json
index b5844dc0f21..c2aac189da4 100644
--- a/assets/queries/terraform/aws/efs_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/efs_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c5dfddad",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json
index 2245e8a9789..6d5c46e8138 100644
--- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0a928b22",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json b/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json
index 68c768a9b2b..59f4bc65379 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "653e0650",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json
index 02332556b04..229ac8205d0 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9579b0ff",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json b/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json
index 6a883aefe7f..4bbdbe2c416 100644
--- a/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json
+++ b/assets/queries/terraform/aws/eks_cluster_log_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "80a41f88",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json
index 3cbd62033aa..227e2341525 100644
--- a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json
+++ b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6d42a06d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
index 5be21dd4868..7392289fab2 100644
--- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1bbfe45b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json
index a4e50c46bde..08d0e19fe9c 100644
--- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0ebd9005",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json
index d8ae3e48a02..a9186b707e9 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b4d49d59",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json
index f6f986d0708..7a56577dc36 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "40f92e86",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json b/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json
index 7826ebdd5a1..840202e28bc 100644
--- a/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "86cc0d57",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json b/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json
index 9a5c1944e92..6d59b0da35e 100644
--- a/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json
+++ b/assets/queries/terraform/aws/elasticache_without_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cf79a8df",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json
index 5c6189d7a71..ecd4f64f9e1 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e3dc1b2d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json
index 42df22646b3..500c5f07d02 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "265f06df",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
index d0448bacfbd..b910aca29e6 100644
--- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "65a94cf1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json
index d75db3a04de..a824c51fdc1 100644
--- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e0526e1b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json
index 9d9e0cb41df..4ba6dfd40e1 100644
--- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c402717e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json
index 2b29cc46055..7381d7f6a43 100644
--- a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "069080cd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json
index a41d06b71cd..3254eae1425 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7677c71c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
index 1ea3ed2a396..d86c4d669bc 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7430bf37",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json b/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json
index 038e914fba1..39e23ab9aa6 100644
--- a/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elb_access_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c745bca6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json
index 6a8f94ee2a5..837614c22da 100644
--- a/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json
+++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "88f4d79a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json
index ccb83da75e4..a30bcb45de9 100644
--- a/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json
+++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "546bf472",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/emr_without_vpc/metadata.json b/assets/queries/terraform/aws/emr_without_vpc/metadata.json
index 5f2b4e7288f..cae8b665d8b 100644
--- a/assets/queries/terraform/aws/emr_without_vpc/metadata.json
+++ b/assets/queries/terraform/aws/emr_without_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "741aebff",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json
index 708f3ba6781..5e8001ce5c2 100644
--- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json
+++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3670731d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json
index 6fc8eda0130..8f56c4d0bf3 100644
--- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c6b6fc2e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json
index b94b5e16c23..e0046d43708 100644
--- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "839261d5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json
index a5b392dffe1..18b7439ab95 100644
--- a/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/glue_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "61db62a1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index 0832f4dc878..2eb25004f74 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "10f17e18",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index f8d4d96a1df..4b4b2f21a14 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "576ba016",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index 90a742e6e60..85f6e699b68 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e42aec0c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index 54502372fa6..5990adf9154 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5e39f36b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 598f47e9bb6..3933114f0df 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "25a0ad8b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 992e1c714d8..a26586f060b 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5182dbde",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index 24f9c403dfd..bc8edf91eb2 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "13604723",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index e05b95ecd80..e4244bc012d 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "04f8f6ca",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 531ef2bd1cf..8dbf8729abd 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b02d4e3c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index b397e1d2fae..7cfa6655964 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e6e9e8eb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index 2a676a6070e..3914fd0f08b 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "59598729",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
index d925e80cf73..ab15a0afdcd 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2a7afde0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index d6e713fd267..5cc9603f045 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6ee8a28a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 1787e0d6813..f7e48839f20 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3a6914a5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index ab141055227..17c48d9f81a 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fdfe7031",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index ef1897b9784..7d15d5da72a 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2be560bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index 683b84a19e8..e3e16489ea0 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7fec1740",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index b69824e54a7..c31b3fa9cae 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "06985b1b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index 29c273d7287..4f19094ff16 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1a80fe5c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json b/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json
index 859020e9ca2..9cc1d1811a0 100644
--- a/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json
+++ b/assets/queries/terraform/aws/guardduty_detector_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0a3448be",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
index a1a8c9ce5d8..29fb9ca50ac 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9e8cbdfb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 4babd9db155..201d7c2a931 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "63935af4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/http_port_open/metadata.json b/assets/queries/terraform/aws/http_port_open/metadata.json
index b428b2d0702..e97d4a7dfaf 100644
--- a/assets/queries/terraform/aws/http_port_open/metadata.json
+++ b/assets/queries/terraform/aws/http_port_open/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a829609b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json
index 9e51f8a97b9..de9d9c5c043 100644
--- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json
+++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d03e85ae",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json b/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json
index d19aaf12529..341233531ef 100644
--- a/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json
+++ b/assets/queries/terraform/aws/iam_access_key_is_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "99b02242",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json
index de0c3acc6f5..85c9c171030 100644
--- a/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json
+++ b/assets/queries/terraform/aws/iam_database_auth_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "12b1c8aa",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_group_without_users/metadata.json b/assets/queries/terraform/aws/iam_group_without_users/metadata.json
index b854a140272..6f4421974f7 100644
--- a/assets/queries/terraform/aws/iam_group_without_users/metadata.json
+++ b/assets/queries/terraform/aws/iam_group_without_users/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c5730db9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json
index 02099af8218..029d012d06e 100644
--- a/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_lowercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "726cd448",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json
index 7f2fdd0fc6f..b9912f21c6e 100644
--- a/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "594a6a8e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json b/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json
index a97528cdb35..0b3218f7395 100644
--- a/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_symbol/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aaadddd1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json
index 98ad3d3580b..414cf52b781 100644
--- a/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/terraform/aws/iam_password_without_uppercase_letter/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4e96ea27",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json
index c36aa44d527..be5afdc6acb 100755
--- a/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json
+++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "32ec58ec",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
index a8ab0cc6b07..1c0d8024dae 100644
--- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7f603399",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
index 7cdcbb52557..179fac1a4c1 100644
--- a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
+++ b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "948aa2ac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
index fc5d880c616..b8495aa6229 100644
--- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f20cf2cf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json
index e994527138d..d458e6087ac 100644
--- a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a54d0d27",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json
index 13b3aaa079d..07017945445 100644
--- a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "380dd3f7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json b/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json
index c841e5ca5f7..b6b6bc1b75c 100644
--- a/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "81321ef4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json b/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json
index d858bdb3b0e..c2c743c2cbf 100644
--- a/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json
+++ b/assets/queries/terraform/aws/iam_user_policy_without_mfa/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3e905f71",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json b/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json
index 0df73e2a3d3..78910ed7c2a 100644
--- a/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json
+++ b/assets/queries/terraform/aws/iam_user_too_many_access_keys/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "387e9522",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json b/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json
index f7f29a67ca4..c8b0bb016e2 100644
--- a/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json
+++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "28422817",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json b/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
index 6c2b407b79a..ae84607df13 100644
--- a/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "225a9f30",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json
index 9f6da0193cb..94538efd23f 100644
--- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e154bb5e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json
index 33880d2516e..018c440e6cb 100644
--- a/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json
+++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fce3b812",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json
index dd50a65a602..09921c28638 100644
--- a/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json
+++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "32b2985e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json
index cd6ca97ab0e..1a5990f9123 100644
--- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json
+++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5652d05c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json
index b351dec435b..77e2ce7dffc 100644
--- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json
+++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1b3af2f9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json
index 1d5ad9006d1..a575afe577a 100644
--- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json
+++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2f90e1e9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json
index bac8296b9da..9bbc595aef0 100644
--- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json
+++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0ca1017d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json
index c63e351f3fb..4fb22396a9b 100644
--- a/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json
+++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8fb6f06e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json
index 3565ef851f5..dcf296e0c64 100644
--- a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json
+++ b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b443babe",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json
index 774294c9795..3f01c636627 100644
--- a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5db376a3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json b/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json
index f12574b1981..915c1dd235e 100644
--- a/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d11b3649",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json
index 0a8460506fb..2734910f0ab 100644
--- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json
+++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "23788841",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json b/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json
index 1a4e55b406d..63d2f9044d3 100755
--- a/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json
+++ b/assets/queries/terraform/aws/missing_cluster_log_types/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e89d4ffb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json
index 6bc32925a49..eb396c9b5f1 100644
--- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8ac7fe7e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json
index bd996bbd9a3..d5421db3945 100644
--- a/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cdf2b416",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json
index 7a021b4d5d1..c48753cfef4 100644
--- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6ad9c2af",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json
index 1614daca410..e9b7f44c66d 100644
--- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "343faf8d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json
index a9b721b47c3..7963b7a4429 100644
--- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "816831cc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json
index ce4ae36b804..6ea43937c54 100644
--- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ac4d6034",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
index 494d810fb94..47c99750042 100644
--- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "88b26e61",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
index 92525e40d22..53fade8624d 100644
--- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "06036045",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json b/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json
index 42b1a032502..83744ee5b93 100644
--- a/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "eb6f1a3b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json
index 2230d4738bd..caf36776f21 100644
--- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ed220e0d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json
index 89432c0a9f3..64f8f6f5803 100644
--- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "215ffb15",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json b/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json
index 738aada0511..0deb4cb99fa 100644
--- a/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json
+++ b/assets/queries/terraform/aws/no_password_policy_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fc3e0d4f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/no_stack_policy/metadata.json b/assets/queries/terraform/aws/no_stack_policy/metadata.json
index e5483526347..262d4153067 100644
--- a/assets/queries/terraform/aws/no_stack_policy/metadata.json
+++ b/assets/queries/terraform/aws/no_stack_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7ad97901",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json b/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json
index fcadf693097..5850f09126e 100644
--- a/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json
+++ b/assets/queries/terraform/aws/password_without_reuse_prevention/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "37be9529",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/policy_without_principal/metadata.json b/assets/queries/terraform/aws/policy_without_principal/metadata.json
index 0d8a51cf6cc..9f7e093ed56 100644
--- a/assets/queries/terraform/aws/policy_without_principal/metadata.json
+++ b/assets/queries/terraform/aws/policy_without_principal/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "954ac1bf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json
index ec075a209d7..0b7da4bceef 100644
--- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json
+++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4639db5f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json b/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json
index 9260008e313..ccac1b6971f 100644
--- a/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json
+++ b/assets/queries/terraform/aws/public_lambda_via_api_gateway/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1f20399a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json
index 3dc328d59d1..54896b0b6fd 100644
--- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json
+++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "425d310e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json
index 60f95d93603..91a0e79daea 100644
--- a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json
+++ b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cce2787f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json
index da813979fc7..f5dde1dc0ba 100644
--- a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c88d0255",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
index c68a3901026..0022b5cc570 100644
--- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c145a47f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json b/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json
index ffc6d33ff9e..c6ef2f2b132 100644
--- a/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "54288d64",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_using_default_port/metadata.json b/assets/queries/terraform/aws/rds_using_default_port/metadata.json
index 9a4191f21cb..0aaad59ba7e 100644
--- a/assets/queries/terraform/aws/rds_using_default_port/metadata.json
+++ b/assets/queries/terraform/aws/rds_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6cbad3f4",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json b/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
index 719d3fe7f65..989c285a88a 100644
--- a/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "73fdfe55",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rds_without_logging/metadata.json b/assets/queries/terraform/aws/rds_without_logging/metadata.json
index 64aad53fdce..ac0e5bbe44a 100644
--- a/assets/queries/terraform/aws/rds_without_logging/metadata.json
+++ b/assets/queries/terraform/aws/rds_without_logging/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c499a58c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redis_disabled/metadata.json b/assets/queries/terraform/aws/redis_disabled/metadata.json
index 88d160ab98a..49fe4dcf147 100644
--- a/assets/queries/terraform/aws/redis_disabled/metadata.json
+++ b/assets/queries/terraform/aws/redis_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "68984bf2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redis_not_compliant/metadata.json b/assets/queries/terraform/aws/redis_not_compliant/metadata.json
index 4ee592c1b48..6332e353316 100644
--- a/assets/queries/terraform/aws/redis_not_compliant/metadata.json
+++ b/assets/queries/terraform/aws/redis_not_compliant/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f9e5dc62",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json
index 9c5288c8aae..3cef04f4511 100644
--- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "458fe7a3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json
index be56c4a18ee..1adead78d8d 100644
--- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json
+++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6fd531fa",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json b/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json
index 65224ca10e8..7f4224fa7e4 100644
--- a/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/redshift_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2bee4895",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json b/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json
index a6919358aa3..d0858bac7c7 100644
--- a/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/redshift_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9a581503",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/redshift_using_default_port/metadata.json b/assets/queries/terraform/aws/redshift_using_default_port/metadata.json
index 06aef79a345..ffe681ce368 100644
--- a/assets/queries/terraform/aws/redshift_using_default_port/metadata.json
+++ b/assets/queries/terraform/aws/redshift_using_default_port/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e2e48d27",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json
index ce72e8f27f9..eeb2d019942 100644
--- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json
+++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aea02d46",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/resource_not_using_tags/metadata.json b/assets/queries/terraform/aws/resource_not_using_tags/metadata.json
index 6dcf4c411aa..cf572cfbd99 100644
--- a/assets/queries/terraform/aws/resource_not_using_tags/metadata.json
+++ b/assets/queries/terraform/aws/resource_not_using_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "09db2d52",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json
index a71ce6f23ec..50ead10002c 100644
--- a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fb6080ac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index f2df1db6ac5..3e63c57b2f5 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "bff18777",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index 9306574612a..d7cb7b3ac9c 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "058bc100",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index eaa89dcc9fa..da19a204228 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "54b22492",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index 150608e7c55..8564a8a8602 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aaf96d6e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 8040ae3f93c..8e2f87c38c2 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4efcf3e9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 2921b8f5706..690eb508896 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0d94441c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index a4840e0d8f3..9a90b5ce154 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0e9af0ce",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 50ab62ff780..ba32f6a23e1 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fe987a1d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 7a550c06aea..ae3e8356d87 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "779be66e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 3e8366421f4..531bd3372ec 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b3d6f7cf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index 214e41198af..749451cf9bf 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0bc279fe",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index 86cd5311e60..cfc64d82c06 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "628b0909",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index ea657871ac6..ac61eb9da18 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ce1bbaeb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 0dc169ce17b..c68c21f64fe 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2d361444",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index d303c411e9b..5e2cde8846d 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "48764f87",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index e67fc22d282..3683f4abe38 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a0ddfb38",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index d1eff98c6b6..1dc9bfc96b1 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2d747022",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index fe7a69db2af..44c7cba9076 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8bf480db",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index a036dabeba8..8e2cfe928d4 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d6861f3e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json
index f301ab887d7..077faf3b753 100644
--- a/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f0795485",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/route53_record_undefined/metadata.json b/assets/queries/terraform/aws/route53_record_undefined/metadata.json
index 5784252bf58..715287076eb 100644
--- a/assets/queries/terraform/aws/route53_record_undefined/metadata.json
+++ b/assets/queries/terraform/aws/route53_record_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "91562f39",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json
index a773ca9fee1..742a8c9f45d 100644
--- a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4f884b47",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
index 9eb98a58f85..acd5bd090ba 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d535387f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
index 1ee2f799823..613eb21c43c 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a63624e5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json
index e4946045e12..63ebe81a92d 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "addee63f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
index 5aef0c8bd4f..1ff1d8c39f9 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8dc6c718",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
index cde44af64f6..76e349d7e6c 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2ac6911f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
index 03bf842e126..567ba6c3c2d 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5f5c9e38",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json
index 5899cbfa59a..e647b2f5b80 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7b8886c1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
index fe2e1fd436a..9ddd9c1b826 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c38a18db",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json
index f95090bf4ee..404c752f08a 100644
--- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fa5c7c72",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json
index 8ef0c77bf59..e28c02a0175 100644
--- a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e80b4f8a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json
index 4a89ede66ff..d822c486889 100644
--- a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e6b92744",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json
index 1e7c97b0315..f5ae8ebdc27 100644
--- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "edbcd7bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json
index 0661edda73f..5f78bda84f3 100644
--- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aa9967ef",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
index fd9e59a04d8..f318dd092ff 100644
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b386c506",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json
index 4d12a8a06bf..a835c2114d3 100644
--- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aec8fae9",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json
index 9207fc1b6c8..85bde057e67 100755
--- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a8924b3b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
index a0419ae9c64..a2a9f3ae577 100644
--- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "28051a7f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json
index a91423a66d7..7557b845e86 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e1699d08",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json
index 934d8c74701..0f3b6d8c20d 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "28aa7150",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json
index aebaa80738e..a880cb3633b 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a6e86c32",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json
index 6321ca4659a..895791a2dc5 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7614ce3b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json
index 7c9c37e5a8e..a483c5137ad 100644
--- a/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json
+++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4db5c45a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json
index 54864b00f93..da4425a21a2 100644
--- a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "570f99ac",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json
index ff8704953b0..ac4bd592643 100644
--- a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4ad34dae",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json
index 0914a7da432..bcc507f28dc 100644
--- a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json
+++ b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d348a5e7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json
index 7590371f4d2..1671c83aa12 100644
--- a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json
+++ b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f2d67513",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json
index 36a012d9232..5d744cc1ade 100644
--- a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c9c95b59",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json b/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json
index 363ff20ed2d..3380c392f2d 100644
--- a/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json
+++ b/assets/queries/terraform/aws/secure_ciphers_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "72ee1fe2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json b/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json
index 62f37eb26ae..339f2bd26f9 100644
--- a/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json
+++ b/assets/queries/terraform/aws/security_group_rules_without_description/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cee242dd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
index faefce4f96d..aa2e1b1640d 100644
--- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "51e59188",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/security_group_without_description/metadata.json b/assets/queries/terraform/aws/security_group_without_description/metadata.json
index e522afe85f2..0b4c8b1d3c1 100644
--- a/assets/queries/terraform/aws/security_group_without_description/metadata.json
+++ b/assets/queries/terraform/aws/security_group_without_description/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "bc535d27",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/security_groups_not_used/metadata.json b/assets/queries/terraform/aws/security_groups_not_used/metadata.json
index 3f9c6d59589..ac622807cf8 100644
--- a/assets/queries/terraform/aws/security_groups_not_used/metadata.json
+++ b/assets/queries/terraform/aws/security_groups_not_used/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "eff2383a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json
index 07e02c99e14..06661a211c4 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "5be78364",
 "aggregation": 63,
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json
index e4914f0d324..a404949bfe1 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "9ea13a71",
 "aggregation": 63,
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json
index f6aea9628cc..a02787f56eb 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "127a32be",
 "aggregation": 63,
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json b/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json
index b99be84d80f..688c2df0ffb 100644
--- a/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json
+++ b/assets/queries/terraform/aws/service_control_policies_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0fbcc152",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json
index db13e5416cc..b3d9881f1d3 100644
--- a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json
+++ b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3b263662",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json b/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json
index 731540a2e40..58cb1d6ea43 100644
--- a/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json
+++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e09b31c7",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json
index 4f6f6ae0fc7..51fc270e36c 100644
--- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json
+++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ecb127ec",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json
index be8b08516c8..39bc8139dc5 100644
--- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "52e85de5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json
index 6b3b6998fd0..f03876c15a5 100644
--- a/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2f15b2d0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
index 9d5c9c98884..724ba20843b 100644
--- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
+++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ddd0f677",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
index f8c71a45c68..932e84e83fb 100644
--- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "37ce6c0d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json
index f3eda901c01..2622d905a95 100644
--- a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json
+++ b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "afcb58e6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json
index d65cea95c6e..45fc2a66356 100644
--- a/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "534fb194",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json b/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json
index e7e5a2a9602..2527477eab9 100644
--- a/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json
+++ b/assets/queries/terraform/aws/sqs_queue_exposed/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "59f958c0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json
index 058946ec568..3ee6505e358 100644
--- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json
+++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3ab3c05c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json
index 0eb81035cdf..c367079052f 100644
--- a/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e478b54b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json
index 8395b62f959..18b39c3026d 100644
--- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8b30849b",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json
index ac546702312..71ebec55ce7 100644
--- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json
+++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "755ecfdf",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json
index 1cb82db191a..b37a07dbfd3 100644
--- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json
+++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a30fa3d3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json
index 6cc4e6e0a40..107eabc3fc4 100644
--- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json
+++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cae7c4fc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json b/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json
index 4ecb8997c34..39fabb0f6fe 100644
--- a/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f9826281",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/stack_retention_disabled/metadata.json b/assets/queries/terraform/aws/stack_retention_disabled/metadata.json
index a603f7a819c..f30847ad4c5 100644
--- a/assets/queries/terraform/aws/stack_retention_disabled/metadata.json
+++ b/assets/queries/terraform/aws/stack_retention_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fc66d737",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/stack_without_template/metadata.json b/assets/queries/terraform/aws/stack_without_template/metadata.json
index 74b9d1e9e04..6e329551739 100644
--- a/assets/queries/terraform/aws/stack_without_template/metadata.json
+++ b/assets/queries/terraform/aws/stack_without_template/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e925d0ee",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json
index c909f3ac171..c091fcaa48e 100644
--- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json
+++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e55e747f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json
index a0cf37bec95..6b51b12ba08 100644
--- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json
+++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ce3ee5e0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json b/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json
index b10b023e4b7..22f3c7f10c5 100644
--- a/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json
+++ b/assets/queries/terraform/aws/unscanned_ecr_image/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "791b37b8",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
index 652bb90fa07..cf01266204a 100644
--- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e3b3b5c1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
index 472cfe10529..5f79ad889a1 100644
--- a/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c1d49ed2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index 3e5bdb05c42..abdaf93653c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1a48ac37",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index 21294c5a5a2..8bb7a5f1306 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b201d168",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index d1ca89dc7af..d101f790bd3 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9f22319f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index 5381e1e3b7d..2097d5d3fe5 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a33a40e2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 2f59977ac1f..30423ed7d2f 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "98aa676c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 311e8f241ac..9422fc4afc2 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "29b987f3",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index ce66ee59bcc..181fe6e7525 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "43ba4982",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 0ba4e8f4914..913ef3c7354 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e894d408",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 86cd2dfcbdb..ec47c6361fe 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c878232c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 94e898f3197..362c2868f69 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "05f5544f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index da3f3e7acd5..a446ea7c555 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8d9e01f1",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
index 79f4a393c78..d124578b1de 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "da252d8a",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index 7bf63760f6c..3b301557865 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "024a2d0d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index e2f04e1e2e0..e79a63acb65 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "367257fe",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index a2d9a10bcbc..8f24be3a2df 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b99501af",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index d79568533ca..ce0c2176020 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "85e8d749",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index 6e6419b98c0..4ff2852a94c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7ab86e7e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index f63898c8b69..5e220513093 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "559f74f0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index 1c4b82d42ab..a1293d06a1e 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f5d372a0",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json
index d89465e5139..db3192b7527 100644
--- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json
+++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d79243b5",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json
index bb27af08b06..db844f84ace 100644
--- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json
+++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cdbdeb30",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json
index c715265fde8..91b6e0877c7 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3a60c60e",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json
index d99057a83ff..e39dd61632a 100644
--- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json
+++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2b7ea60d",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json b/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json
index 13425346e41..d0882479d43 100644
--- a/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json
+++ b/assets/queries/terraform/aws/vpc_without_network_firewall/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2e7d55e6",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json
index ff8fe052c68..ad5a0652793 100644
--- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json
+++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "38579a53",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json
index 300b11c96d0..7301b1590f6 100644
--- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json
+++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "e3f9c7a9",
 "aggregation": 2,
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/dynamo/metadata.json b/assets/queries/terraform/aws_bom/dynamo/metadata.json
index 8ca678d716b..3cbba12d02c 100644
--- a/assets/queries/terraform/aws_bom/dynamo/metadata.json
+++ b/assets/queries/terraform/aws_bom/dynamo/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c9007e7c",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/ebs/metadata.json b/assets/queries/terraform/aws_bom/ebs/metadata.json
index ca232705db0..8341f8c06bf 100644
--- a/assets/queries/terraform/aws_bom/ebs/metadata.json
+++ b/assets/queries/terraform/aws_bom/ebs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fd141699",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/efs/metadata.json b/assets/queries/terraform/aws_bom/efs/metadata.json
index 4220c603046..125d1aa274c 100644
--- a/assets/queries/terraform/aws_bom/efs/metadata.json
+++ b/assets/queries/terraform/aws_bom/efs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5522243f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/elasticache/metadata.json b/assets/queries/terraform/aws_bom/elasticache/metadata.json
index 9bd2969a9ca..928b10e9504 100644
--- a/assets/queries/terraform/aws_bom/elasticache/metadata.json
+++ b/assets/queries/terraform/aws_bom/elasticache/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "34559ecd",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/kinesis/metadata.json b/assets/queries/terraform/aws_bom/kinesis/metadata.json
index b6aa9b53927..28c1c9ce90d 100644
--- a/assets/queries/terraform/aws_bom/kinesis/metadata.json
+++ b/assets/queries/terraform/aws_bom/kinesis/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "45271dee",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/mq/metadata.json b/assets/queries/terraform/aws_bom/mq/metadata.json
index 74795986384..2ff01c2223d 100644
--- a/assets/queries/terraform/aws_bom/mq/metadata.json
+++ b/assets/queries/terraform/aws_bom/mq/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5f5ba9bc",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/msk/metadata.json b/assets/queries/terraform/aws_bom/msk/metadata.json
index 90e53e2e9ba..884bcaea523 100644
--- a/assets/queries/terraform/aws_bom/msk/metadata.json
+++ b/assets/queries/terraform/aws_bom/msk/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cf7ae008",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/rds/metadata.json b/assets/queries/terraform/aws_bom/rds/metadata.json
index 4279d37c3f9..992eb1067ed 100644
--- a/assets/queries/terraform/aws_bom/rds/metadata.json
+++ b/assets/queries/terraform/aws_bom/rds/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b621abbb",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/s3_bucket/metadata.json b/assets/queries/terraform/aws_bom/s3_bucket/metadata.json
index e79ad2c504f..b406f50fae2 100644
--- a/assets/queries/terraform/aws_bom/s3_bucket/metadata.json
+++ b/assets/queries/terraform/aws_bom/s3_bucket/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0bdf2341",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/sns/metadata.json b/assets/queries/terraform/aws_bom/sns/metadata.json
index 6867d3caf6a..abb980dc0cf 100644
--- a/assets/queries/terraform/aws_bom/sns/metadata.json
+++ b/assets/queries/terraform/aws_bom/sns/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4c016c6f",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws_bom/sqs/metadata.json b/assets/queries/terraform/aws_bom/sqs/metadata.json
index 98ec0f187fb..3275f716ea4 100644
--- a/assets/queries/terraform/aws_bom/sqs/metadata.json
+++ b/assets/queries/terraform/aws_bom/sqs/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "63fc27c2",
 "cloudProvider": "aws",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json
index 4801d2197f4..f2f0afbf6ea 100644
--- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json
+++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "bccbda19",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json
index 0478efc787e..f52518e06bf 100644
--- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json
+++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5250257b",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json
index acc49976cf2..00b2e0e97da 100644
--- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json
+++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4eddeb5c",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
index db116f3bb86..8b5bbe12b9b 100644
--- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
+++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7708dadb",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json
index ef179cdad53..88da4bf5475 100644
--- a/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json
+++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3ec5eed5",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json b/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json
index 293fb296263..fec8754e883 100644
--- a/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json
+++ b/assets/queries/terraform/azure/aks_rbac_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d27166a7",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json
index 61474d746cb..f0730f53b5b 100644
--- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json
+++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "df6d2dcb",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json b/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json
index fe2399259c0..8749b8f5c6a 100644
--- a/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_authentication_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ec37a064",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json
index f1bcf7874ac..dec6c678bf2 100644
--- a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a1ada318",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json b/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json
index faa67da0616..d5b3392b89c 100644
--- a/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_http2_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "dee0c164",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json b/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json
index dd4badd9114..77b3ad63732 100644
--- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json
+++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c8096e2d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json
index 1b930e38a18..02a782121a4 100644
--- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "63399f46",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json
index 628070dfbf4..e6d42c06eb8 100644
--- a/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json
+++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0054cbe3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
index b63d9e72a84..0433f209a4e 100644
--- a/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
+++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "848bf695",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json b/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json
index 2311ae05a84..2dfd0b46081 100644
--- a/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json
+++ b/assets/queries/terraform/azure/azure_active_directory_authentication/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2c27e24e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json
index 88dc7f390ac..c56ece9d48c 100644
--- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json
+++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7beaf18e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json
index 30bff6313ea..72c4ecfa098 100644
--- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d4766039",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
index 364516b8a13..fd46204a7e3 100644
--- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
+++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "adb235b6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json b/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json
index ce4559c84f0..45f0205845b 100644
--- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json
+++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a84ac10d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json
index 6d58fc9c033..fc2633daf03 100644
--- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json
+++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "dafe30ec",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json b/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json
index 24909f22058..78bc28f1938 100644
--- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json
+++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f0bce814",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
index 32ebdf83ea7..989ff24fcb8 100644
--- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
+++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fd34a2d6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json b/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json
index bde4d8c12d5..327b99e9ff0 100644
--- a/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json
+++ b/assets/queries/terraform/azure/dashboard_is_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3f384e51",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
index 89cd75e6b03..54fd760cfb0 100644
--- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
+++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a5613650",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/email_alerts_disabled/metadata.json b/assets/queries/terraform/azure/email_alerts_disabled/metadata.json
index 0442534c2eb..857fcb757ea 100644
--- a/assets/queries/terraform/azure/email_alerts_disabled/metadata.json
+++ b/assets/queries/terraform/azure/email_alerts_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "23aadb20",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json
index a90060a657e..fa7cd8318b4 100644
--- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json
+++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8f6e1fa8",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
index fed619db2df..aa580601f98 100644
--- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
+++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6ac1bc00",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json b/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json
index 195ef8dc966..55faa7b3cd6 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7526dc36",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json
index b788596dd5a..ed28c03b955 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "436752d7",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
index c891568eb21..d5767b0895f 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2144ef13",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json b/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json
index e7e187d398c..fe02b69e1d6 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7c364a67",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json
index 819f169f5f1..57a51a5a44b 100644
--- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json
+++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "37e5ef3f",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json
index 1f2ebbd58ce..e089aac7c25 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "69753abf",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json
index 5ecf0d1a356..49dad1cae3f 100644
--- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json
+++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4646e954",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/key_expiration_not_set/metadata.json b/assets/queries/terraform/azure/key_expiration_not_set/metadata.json
index 0defbb913d8..ae807783211 100644
--- a/assets/queries/terraform/azure/key_expiration_not_set/metadata.json
+++ b/assets/queries/terraform/azure/key_expiration_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "bb99ceb7",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json
index 59c311ab9c0..83e53d04755 100644
--- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json
+++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4aacc07b",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json b/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json
index fb4d4c5d0fe..6e07839152c 100644
--- a/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json
+++ b/assets/queries/terraform/azure/log_retention_is_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e14a3a02",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json
index e2472ab204b..b5c1a97ee7b 100644
--- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e1decb5e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json
index 8772b2319f0..bf51dab3bab 100644
--- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json
+++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f9f97af4",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json
index 7f50cd71c2e..5421e851d4f 100644
--- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json
+++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f0be3ea8",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json
index 68a7c56051b..e302a0ec21e 100644
--- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d1ee9c09",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json b/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json
index 0669bd2d532..0c31d23801e 100644
--- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json
+++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e5c71632",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json
index ba20015d74c..ee5675fc250 100644
--- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json
+++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "81500787",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json b/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json
index fd1c43ad9ba..aabf161ae77 100644
--- a/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json
+++ b/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "49907665",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json
index 9a7fa272bf5..d0b98edf929 100644
--- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json
+++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "890cf9a4",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json b/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json
index 974108dd26d..382333a5a51 100644
--- a/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json
+++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fd29818c",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json b/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json
index 7a70657591a..78974c0eb40 100644
--- a/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "06d14345",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json b/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json
index 71182ed4562..d917f24b68a 100644
--- a/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_log_connections_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "743324e3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json b/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json
index a9f65ddb313..5e5d2fff7d5 100644
--- a/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_log_duration_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2961eac3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json b/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json
index 95f4d2261a1..b09c57ee169 100644
--- a/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b982dca0",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json b/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json
index d4547f2fe00..c717f83acbc 100644
--- a/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json
+++ b/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6f6649db",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json
index 38fe2706abe..744eb61abd9 100644
--- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json
+++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d183d853",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json
index 81078b6c5ca..c354f9232ec 100644
--- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json
+++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ed803b39",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/public_storage_account/metadata.json b/assets/queries/terraform/azure/public_storage_account/metadata.json
index 21992868be5..4ceeb5b0e03 100644
--- a/assets/queries/terraform/azure/public_storage_account/metadata.json
+++ b/assets/queries/terraform/azure/public_storage_account/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "88948514",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json
index 69c44d182c2..0252512fd73 100644
--- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json
+++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "21b8be3f",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 5155693adf4..ba2903e69ce 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b7160c8c",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json b/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json
index 5f618229908..636705e8a47 100644
--- a/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json
+++ b/assets/queries/terraform/azure/redis_entirely_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d18de348",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json b/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json
index 98ac374347c..b7e4bc1f8b3 100644
--- a/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json
+++ b/assets/queries/terraform/azure/redis_not_updated_regularly/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a9726898",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json b/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json
index b12c30931cf..b663403ad2f 100644
--- a/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/azure/redis_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "0017c1c6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json
index eb5e9b7ed77..b06192e5bd5 100644
--- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json
+++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a827491d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json b/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json
index 6345ddf45c3..d0b1642cd43 100644
--- a/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json
+++ b/assets/queries/terraform/azure/role_assignment_of_guest_users/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fa055646",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
index 6d1bbb970d9..1c6a47807c3 100644
--- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
+++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a96dc1b9",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json b/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json
index db7ddd01567..03c282123af 100644
--- a/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json
+++ b/assets/queries/terraform/azure/secret_expiration_not_set/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "172cf4e6",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json
index ec46a1323ea..f8b638853fe 100644
--- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json
+++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6a9ab071",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/security_contact_email/metadata.json b/assets/queries/terraform/azure/security_contact_email/metadata.json
index 02aaf6f0063..2aab9453dbe 100644
--- a/assets/queries/terraform/azure/security_contact_email/metadata.json
+++ b/assets/queries/terraform/azure/security_contact_email/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8632da7c",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json b/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json
index eeeb5ef5703..062a7a6f633 100644
--- a/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json
+++ b/assets/queries/terraform/azure/security_group_is_not_configured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e64d2982",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
index 3d85b107a05..7d6c0284bd4 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "a5d60df9",
 "aggregation": 63,
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json
index 6e8c66ce1bc..eede3069a58 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "c09ca1eb",
 "aggregation": 63,
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json
index 448c27dbbec..d25ecdfe196 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "6b1bfbd5",
 "aggregation": 63,
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json b/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json
index 107fa5514aa..38774d85ff5 100644
--- a/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_activity_log_retention_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "224ff4f9",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json
index 28b06392af7..4a911e4a8ea 100644
--- a/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "02e10365",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json
index 66c856194da..5043121c361 100644
--- a/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json
+++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "96124822",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json
index 0681fd010a1..7923eff90ab 100644
--- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ecd42771",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json
index 90f390588f5..1fa5b36bf05 100644
--- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json
+++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1ec96250",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json b/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json
index a1059ded475..959c39c868f 100644
--- a/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json
+++ b/assets/queries/terraform/azure/sql_database_audit_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8f1137db",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json
index a896b08cbde..82fd125ab7c 100644
--- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4eb880dd",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json b/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json
index f21878ef0a1..33ff1efdbdc 100644
--- a/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "609638cc",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json
index 0ec5f0fc8c3..bc7a8c14ab0 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "eb6d3eca",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
index 4b024f5a2b1..7cf4e3d3b54 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6ed21e26",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json
index f6acba7d1cb..ece29222a3d 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json
+++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d0bed58e",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json
index dabc39de58b..34531d7f7d4 100644
--- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json
+++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f98cf1dc",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json b/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json
index 82785d30add..6a424f78ffd 100644
--- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json
+++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9549423a",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
index 13b0fd14723..7c70e4eb854 100644
--- a/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
+++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ab6688ca",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
index 0235a64675d..247445306b0 100644
--- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a38872a7",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json
index 6a0203c7c01..01fa737b18e 100644
--- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a9e178f3",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json b/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json
index 3a409c0a66b..2498e3db45f 100644
--- a/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json
+++ b/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "33aa1747",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json
index e93918b959e..650f97e574a 100644
--- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json
+++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "01751e5a",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
index 8399bfad275..14c9cc36cc7 100644
--- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2d2af667",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
index d90691e4957..baaab18e8e6 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "837de8dd",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json b/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json
index c5a8575511b..6ac55bb731f 100644
--- a/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json
+++ b/assets/queries/terraform/azure/vault_auditing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "047ab315",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json
index fae764968f9..7c457c563a1 100644
--- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json
+++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c08cb91b",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json b/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json
index 0dadc556319..f9f24110e21 100644
--- a/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json
+++ b/assets/queries/terraform/azure/vm_not_attached_to_network/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9f51f6b1",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
index 8dd9b48d5c3..2ce7c785da0 100644
--- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
+++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "97c222ec",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json
index 3bee4055688..2962df21b11 100644
--- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json
+++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "74140c3d",
 "cloudProvider": "azure",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
index e0873f5ba6d..0057e9cd33c 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "e6eabd3e",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
index 4fac6fe0bb1..6c9e57e3e50 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "b6345aa6",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
index 099c27c3082..1af4ac4d401 100644
--- a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "bb2e4c81",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
index 80f214aa8f0..d85f0b3b045 100644
--- a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
+++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "c1fe1954",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/databricks_permissions/metadata.json b/assets/queries/terraform/databricks/databricks_permissions/metadata.json
index e9c50d65eaa..d91b54be3e5 100755
--- a/assets/queries/terraform/databricks/databricks_permissions/metadata.json
+++ b/assets/queries/terraform/databricks/databricks_permissions/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "66b9bc6e",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
index a4295e0e76c..d28cbe41fb6 100644
--- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
+++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "4bb78f12",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
index a0304a2bbdf..1ba33ac3287 100644
--- a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "df3aa7ed",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
index f01449e13bd..aabe4250cc7 100644
--- a/assets/queries/terraform/databricks/indefinitely_token/metadata.json
+++ b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "79759163",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
index bfc358751cc..9416ea6c042 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
+++ b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "9670a9f6",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
index d13bbcafab7..f9781e0d163 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "fdaa059f",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
index ee1ad1ec901..6aa1123d6c0 100644
--- a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
+++ b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
@@ -9,5 +9,5 @@
 "descriptionID": "fcfdfbd3",
 "cloudProvider": "common",
 "experimental": "true",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json b/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json
index d0cd8396e25..aa1f5542832 100644
--- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json
+++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "cb5081a0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
index 56368287eb2..4d12b352459 100755
--- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5598ed06",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
index e659873e0e1..f4cc5ff92d5 100644
--- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "fd990360",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
index 1285e24d1be..9e6305fc3ae 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7a54f7e2",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index 095d76d0800..a517b0da3a9 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9e9984aa",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index c826ad2ccf3..f69f4887e20 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9fda4554",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json b/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json
index 8c50d97c5c4..956ade4a98e 100644
--- a/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/cluster_labels_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "947385a5",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json b/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
index 12a926e131b..bfad9b47726 100644
--- a/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4bdfef01",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json b/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json
index 77b21cf4f02..ebd624dbbab 100644
--- a/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/disk_encryption_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "33fb7fa7",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json b/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json
index 4679dfe9928..8dc7efd4fdd 100644
--- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json
+++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "07664c32",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json
index 931d2c2cb30..0195eb8405d 100644
--- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a2e814bc",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json b/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json
index 5f91ae009f8..971b14a5274 100644
--- a/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json
+++ b/assets/queries/terraform/gcp/gke_using_default_service_account/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "efe7e7b0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json
index 9329707e9a7..60c217ac913 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "68898cf7",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
index f56632ffa86..5c9b86151d2 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "20fce4e9",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json
index c3f797e0e4f..b464a156978 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "7289eebd",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
index dc94d7b9885..1ceb366c396 100644
--- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "27c7da5e",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json
index 0ee5a985b50..c74a12c9278 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "689ef05b",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
index b32b9aae010..a5dc3cf52ad 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "87e8a4f7",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index 5cd75198987..8e8d3ef22c6 100644
--- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "39487293",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json
index f6d3fe049fd..500ded83a66 100644
--- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9bcdbe82",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json
index c4d5e0f0722..23cbf88c28d 100644
--- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2b311b42",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json
index 03e82a3f3ff..9176a0ac866 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "965c0d1c",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json
index bcbe5a5dab8..030d3d578dc 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "beb4558c",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json
index a8dac4019ed..f7f63354f5d 100644
--- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "6a48f2c6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
index 6dfaba671b0..6132a6cbbc7 100644
--- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
+++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "d43302d0",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json
index ee505ee25d3..c14881fbab0 100644
--- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json
+++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "dd31f3ec",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json
index 2375ca90fae..3071f068ef7 100644
--- a/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e7d9862a",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json b/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json
index 11661e853c4..b17c2abbf74 100644
--- a/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2c1a3242",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json
index 51d5a3a7d23..610954b2fe0 100644
--- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json
+++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "36d82ecd",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json
index 804a9ba0e61..245464cd247 100644
--- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b1146d1f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json
index c7b9bb2b95c..5b6d821e485 100644
--- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "94728b0c",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/network_policy_disabled/metadata.json b/assets/queries/terraform/gcp/network_policy_disabled/metadata.json
index e8ec1d1a598..4168ab15f84 100644
--- a/assets/queries/terraform/gcp/network_policy_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/network_policy_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "afcf7c4b",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json
index 6312be77b09..824cd5b9c82 100644
--- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "46e4c29f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json b/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json
index 5685d352cdf..14d541d42f8 100644
--- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json
+++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "55ff1131",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/os_login_disabled/metadata.json b/assets/queries/terraform/gcp/os_login_disabled/metadata.json
index 4c25386f297..12cf79bb28d 100644
--- a/assets/queries/terraform/gcp/os_login_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/os_login_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3ed07bfa",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json
index 5d8ac06eeac..8c36bea1958 100644
--- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json
+++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a0cc649c",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/outdated_gke_version/metadata.json b/assets/queries/terraform/gcp/outdated_gke_version/metadata.json
index a84ee4f79e9..ed36f1771f5 100644
--- a/assets/queries/terraform/gcp/outdated_gke_version/metadata.json
+++ b/assets/queries/terraform/gcp/outdated_gke_version/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "65a3bf94",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json
index 571ea769f02..93e3c8cabb7 100644
--- a/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "546c4012",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json b/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json
index 4ddde817caf..f643e01d274 100644
--- a/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/private_cluster_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "e9bbb09e",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
index 641649d6f7f..3caef75771c 100644
--- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
+++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4b9307cd",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
index 2d91feaf80e..36bb6b04e88 100644
--- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "f8156d3b",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json
index e595c07dcd3..032378bbbac 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1b2dbbea",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json
index 355b3c98675..d8fdfabfb57 100644
--- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "579a0727",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json b/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json
index 6ff650a91b6..70d0aff1b9e 100644
--- a/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/shielded_vm_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "3a0a17c4",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json
index 266f3632bc1..0ee38eb82b0 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ab1d4131",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json
index 6a677ec2649..2e89413c6f7 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "9beef444",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index b76d8c884e2..617fa638586 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "8983549e",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
index 4f830471416..6f8f62abe92 100644
--- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "c0e4fb6f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json
index 4de7b2af176..576be5c4d97 100644
--- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b292106d",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json
index 8f59dd7b439..7e0c250f711 100644
--- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "97635f79",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/user_with_iam_role/metadata.json b/assets/queries/terraform/gcp/user_with_iam_role/metadata.json
index b39aebd0566..6ef514a9bf5 100644
--- a/assets/queries/terraform/gcp/user_with_iam_role/metadata.json
+++ b/assets/queries/terraform/gcp/user_with_iam_role/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "256939e9",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/using_default_service_account/metadata.json b/assets/queries/terraform/gcp/using_default_service_account/metadata.json
index 622bf883b8b..8cfff030d7b 100644
--- a/assets/queries/terraform/gcp/using_default_service_account/metadata.json
+++ b/assets/queries/terraform/gcp/using_default_service_account/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5c3e219f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
index 999d501a200..0bb0561c45f 100644
--- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
+++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2967cde6",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json b/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json
index 10f6a348e5e..fd1e346bbfc 100644
--- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json
+++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "a0c651be",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/dataflow/metadata.json b/assets/queries/terraform/gcp_bom/dataflow/metadata.json
index e777a363e46..3b678a1ddd1 100644
--- a/assets/queries/terraform/gcp_bom/dataflow/metadata.json
+++ b/assets/queries/terraform/gcp_bom/dataflow/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "5d614ad5",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/fi/metadata.json b/assets/queries/terraform/gcp_bom/fi/metadata.json
index 9ac9f71b17d..eb60102fcd3 100644
--- a/assets/queries/terraform/gcp_bom/fi/metadata.json
+++ b/assets/queries/terraform/gcp_bom/fi/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4a45b126",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/pd/metadata.json b/assets/queries/terraform/gcp_bom/pd/metadata.json
index a6f07023251..813703839cb 100644
--- a/assets/queries/terraform/gcp_bom/pd/metadata.json
+++ b/assets/queries/terraform/gcp_bom/pd/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "4b72e52d",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/pst/metadata.json b/assets/queries/terraform/gcp_bom/pst/metadata.json
index fef9c86170e..d7de3424a15 100644
--- a/assets/queries/terraform/gcp_bom/pst/metadata.json
+++ b/assets/queries/terraform/gcp_bom/pst/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "aa371a3b",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/redis/metadata.json b/assets/queries/terraform/gcp_bom/redis/metadata.json
index bff175aeb5f..561c43d10b2 100644
--- a/assets/queries/terraform/gcp_bom/redis/metadata.json
+++ b/assets/queries/terraform/gcp_bom/redis/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "1db9d01f",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp_bom/sb/metadata.json b/assets/queries/terraform/gcp_bom/sb/metadata.json
index 4768d2b93ea..d6b82115bb3 100644
--- a/assets/queries/terraform/gcp_bom/sb/metadata.json
+++ b/assets/queries/terraform/gcp_bom/sb/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "38a18539",
 "cloudProvider": "gcp",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json b/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json
index 8965c7ca5e8..1b38255c66e 100644
--- a/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json
+++ b/assets/queries/terraform/general/generic_git_module_without_revision/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "2ee26fd1",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/general/name_is_not_snake_case/metadata.json b/assets/queries/terraform/general/name_is_not_snake_case/metadata.json
index 5b1d77e5a98..9b685a1c092 100644
--- a/assets/queries/terraform/general/name_is_not_snake_case/metadata.json
+++ b/assets/queries/terraform/general/name_is_not_snake_case/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "ac707cad",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/general/output_without_description/metadata.json b/assets/queries/terraform/general/output_without_description/metadata.json
index 67f35651e35..82499f9bb5e 100644
--- a/assets/queries/terraform/general/output_without_description/metadata.json
+++ b/assets/queries/terraform/general/output_without_description/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "81535d16",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/general/variable_without_description/metadata.json b/assets/queries/terraform/general/variable_without_description/metadata.json
index 62842c6726a..2f808373801 100644
--- a/assets/queries/terraform/general/variable_without_description/metadata.json
+++ b/assets/queries/terraform/general/variable_without_description/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "b44986be",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/general/variable_without_type/metadata.json b/assets/queries/terraform/general/variable_without_type/metadata.json
index b00f286c2dc..daba2d6148a 100644
--- a/assets/queries/terraform/general/variable_without_type/metadata.json
+++ b/assets/queries/terraform/general/variable_without_type/metadata.json
@@ -8,5 +8,5 @@
 "platform": "Terraform",
 "descriptionID": "bba696eb",
 "cloudProvider": "common",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
index 19d1203a330..116bef9c819 100644
--- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
+++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook",
 "platform": "Terraform",
 "descriptionID": "5def6580",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/github/github_repository_set_to_public/metadata.json b/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
index c05cfbbc48c..077addc095b 100644
--- a/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
+++ b/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://www.terraform.io/docs/providers/github/r/repository.html",
 "platform": "Terraform",
 "descriptionID": "4df8b842",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
index 5be0dec32ed..5190e6ebdc5 100644
--- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name",
 "platform": "Terraform",
 "descriptionID": "3cfeabe4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
index 18487b73ea5..3ea2fbb9e25 100644
--- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
+++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls",
 "platform": "Terraform",
 "descriptionID": "21547beb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
index 2bbfcda52b6..60c19102772 100644
--- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid",
 "platform": "Terraform",
 "descriptionID": "74aa164e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
index aab5b551f0c..02394f07af0 100644
--- a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
 "platform": "Terraform",
 "descriptionID": "e2be4ab9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
index 6ca4c8cdee5..ac23c0266ff 100644
--- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
 "platform": "Terraform",
 "descriptionID": "36651cdf",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
index fa6854c52bb..32d09e32170 100644
--- a/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types",
 "platform": "Terraform",
 "descriptionID": "bbb3aa40",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
index 68bee79ab10..f432defb204 100644
--- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
  "platform": "Terraform",
  "descriptionID": "4422c052",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
index c1a08d0cf92..8093e33ea66 100644
--- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
  "platform": "Terraform",
  "descriptionID": "03622ad2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
index 0db0064bbef..35f72ac7b26 100644
--- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
+++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
  "platform": "Terraform",
  "descriptionID": "9dd8e356",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
index 9517dfefd66..58307f196d6 100644
--- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
+++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
  "platform": "Terraform",
  "descriptionID": "957f09a7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
index 9a342a5b9d8..4dbf6ce692c 100644
--- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds",
  "platform": "Terraform",
  "descriptionID": "030edc62",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
index 763f73789ac..4e79b43a424 100644
--- a/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
+++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token",
  "platform": "Terraform",
  "descriptionID": "b0822187",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
index 25bb497adf9..db3c3c63691 100644
--- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity",
  "platform": "Terraform",
  "descriptionID": "4a5ad90d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
index d5365b0da32..5c1333c4137 100644
--- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector",
  "platform": "Terraform",
  "descriptionID": "add58c0c",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
index 882cde53690..33d4bb4f17b 100644
--- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
+++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
  "platform": "Terraform",
  "descriptionID": "836d927e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
index e5facde244f..51da5c45d4a 100644
--- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
+++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric",
  "platform": "Terraform",
  "descriptionID": "f4d95aa4",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
index 15228f00ca9..886b1bb4d8e 100644
--- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy",
  "platform": "Terraform",
  "descriptionID": "d2abf21b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
index 79732753f93..e2f19b906e9 100644
--- a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
  "platform": "Terraform",
  "descriptionID": "fec9b353",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
index fe5fdfda322..df49f85af39 100644
--- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
+++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
  "platform": "Terraform",
  "descriptionID": "02756212",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
index d991aedee6f..97f531dc75c 100644
--- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
+++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http",
  "platform": "Terraform",
  "descriptionID": "88c1dfb2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/invalid_image/metadata.json b/assets/queries/terraform/kubernetes/invalid_image/metadata.json
index 53531e895ec..d011ccd812c 100644
--- a/assets/queries/terraform/kubernetes/invalid_image/metadata.json
+++ b/assets/queries/terraform/kubernetes/invalid_image/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
  "platform": "Terraform",
  "descriptionID": "56713716",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
index a48e80565eb..e43f9dea6c8 100644
--- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
  "platform": "Terraform",
  "descriptionID": "e5105a57",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
index bcf9f3aaba8..629b38f83bd 100644
--- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
  "platform": "Terraform",
  "descriptionID": "c957affa",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
index 6539d2f340a..81c56f79eb4 100644
--- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
  "platform": "Terraform",
  "descriptionID": "a77e5da7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
index 4120de6ff1f..039c91d0526 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels",
  "platform": "Terraform",
  "descriptionID": "5448851e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
index 41c085fb39b..7d3fc2c2ad2 100644
--- a/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
+++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
  "platform": "Terraform",
  "descriptionID": "ba36908b",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
index b33a2837c9c..edd7503f98f 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
  "platform": "Terraform",
  "descriptionID": "631e9c61",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
index 96ec0413f43..4a991139bce 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
  "platform": "Terraform",
  "descriptionID": "548d4eac",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
index 6d0f7653dc4..124741bb186 100644
--- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
+++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels",
  "platform": "Terraform",
  "descriptionID": "1598c368",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
index cef5cb0aa58..5696dc3a01b 100644
--- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
+++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
  "platform": "Terraform",
  "descriptionID": "f547f3d7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
index 020adc57530..d8f6a65eb4e 100644
--- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
+++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
  "platform": "Terraform",
  "descriptionID": "5b17fdb1",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json b/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
index 2ac32b34a36..e7f63903f5f 100644
--- a/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
+++ b/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
  "platform": "Terraform",
  "descriptionID": "c42b1890",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
index 5536c8e9154..4acf0c31a4c 100644
--- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
+++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
  "platform": "Terraform",
  "descriptionID": "cca5f42d",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
index 98912b8138a..6c010e208eb 100644
--- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
+++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context",
  "platform": "Terraform",
  "descriptionID": "a465ab52",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
index ca2b38ec322..b9f95b8eeb4 100644
--- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
+++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation",
  "platform": "Terraform",
  "descriptionID": "e693ddd6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
index 459d91e9139..4d457cd02b5 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network",
  "platform": "Terraform",
  "descriptionID": "531152cf",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
index 756dc0c5480..00579915ef7 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation",
  "platform": "Terraform",
  "descriptionID": "1cdd3f21",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
index cefe701107f..3bf14e54e87 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc",
  "platform": "Terraform",
  "descriptionID": "45566e38",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
index df6fe782fa6..2e325761caa 100644
--- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
  "platform": "Terraform",
  "descriptionID": "5ca96212",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
index c14b9323c68..19fa029a8b8 100644
--- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities",
  "platform": "Terraform",
  "descriptionID": "f3ad2d09",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
index 6884176c976..1dde2d17912 100644
--- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
  "platform": "Terraform",
  "descriptionID": "a4fb7558",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
index 11b2c92066b..553a1b8abda 100644
--- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe",
  "platform": "Terraform",
  "descriptionID": "a333fe96",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
index f28f29a872b..3bf73e0d2d9 100644
--- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
+++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
  "platform": "Terraform",
  "descriptionID": "a90a96ca",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
index c7bbb9aa135..c0a46e7b7de 100644
--- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
+++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem",
  "platform": "Terraform",
  "descriptionID": "b7afed50",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json b/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
index c63e2c46f3c..01c8e9d8799 100644
--- a/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
+++ b/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user",
  "platform": "Terraform",
  "descriptionID": "aa6d70b9",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
index eb5a13cdbec..7011821c31c 100644
--- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
  "platform": "Terraform",
  "descriptionID": "ad5436a1",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
index e7b38fda4ff..e967ab5798b 100644
--- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
+++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref",
  "platform": "Terraform",
  "descriptionID": "f5c43d1e",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
index 7bf86e067ca..5ff98a58938 100644
--- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
  "platform": "Terraform",
  "descriptionID": "93294320",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
index e1516267688..1852195d01b 100644
--- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
  "platform": "Terraform",
  "descriptionID": "ce3648b0",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
index 86d6aaca72f..94c3e21fa1e 100644
--- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token",
  "platform": "Terraform",
  "descriptionID": "9674e7f6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
index 22cd1f396c2..830afb99c8d 100644
--- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type",
  "platform": "Terraform",
  "descriptionID": "50e2c36f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
index c3e555a4abe..903c7d17d15 100644
--- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service",
  "platform": "Terraform",
  "descriptionID": "18a78d03",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
index 20d08c0d960..abda941ecc0 100644
--- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc",
  "platform": "Terraform",
  "descriptionID": "e76243f6",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
index c9775ccb3e7..3a58226d456 100644
--- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network",
  "platform": "Terraform",
  "descriptionID": "bf155ca7",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_service_account/metadata.json b/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
index 9f5511ca0d7..8418038fba3 100644
--- a/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
  "platform": "Terraform",
  "descriptionID": "a13adbaa",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
index 6e1b24ece0e..a077d9aa540 100644
--- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
  "platform": "Terraform",
  "descriptionID": "3a82ccdb",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
index ff6aa8f16be..d77fa2f6c5e 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
@@ -7,5 +7,5 @@
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
  "platform": "Terraform",
  "descriptionID": "efa415db",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
index 99d2736b2bb..0fb339eba89 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
 "platform": "Terraform",
 "descriptionID": "a0d17b18",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
index 6c8c6f868f7..5c9fe316553 100644
--- a/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
+++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
 "platform": "Terraform",
 "descriptionID": "bf1b3f30",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json b/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
index 5d67db853af..b8889939ebf 100644
--- a/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace",
 "platform": "Terraform",
 "descriptionID": "4d26d672",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
index 88c4414f814..b5aa95eb401 100644
--- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount",
 "platform": "Terraform",
 "descriptionID": "48833ef2",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
index 04ead903d00..df28b5f722d 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port",
 "platform": "Terraform",
 "descriptionID": "b7ddd063",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
index 29f2cad9864..312067f2d6f 100644
--- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
+++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
@@ -7,5 +7,5 @@
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
 "platform": "Terraform",
 "descriptionID": "2047253f",
- "CWE": ""
+ "cwe": ""
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
index 32f8a8d5f13..a14f9662e51 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
@@ -9,5 +9,5 @@ "descriptionID": "c5065d3a", "cloudProvider": "nifcloud", "experimental": "true", - "CWE": "" + "cwe": "" } \ No newline at end of file From 21fc8e86323cba6f088f2ace0b32d3e01f96b812 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com> Date: Tue, 19 Dec 2023 15:47:18 +0000 Subject: [PATCH 315/379] Update go-ci-metrics.yaml --- .github/workflows/go-ci-metrics.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci-metrics.yaml b/.github/workflows/go-ci-metrics.yaml index 4cc47e0ac55..4ed671b3d57 100644 --- a/.github/workflows/go-ci-metrics.yaml +++ b/.github/workflows/go-ci-metrics.yaml @@ -26,7 +26,7 @@ jobs: curl -L \ https://img.shields.io/badge/Queries-${{ steps.metrics.outputs.total_queries }}-blue.svg > queries.svg cat queries.svg - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: ${{ runner.os }}-queries-badge-latest path: queries.svg @@ -44,7 +44,7 @@ jobs: git config --global user.name "KICSBot" git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Download Queries Badge SVG - uses: actions/download-artifact@master + uses: actions/download-artifact@v4 with: name: ${{ runner.os }}-queries-badge-latest path: latest-metrics From 8730fafb0b44f48bc92caefccb98932d4ff77b25 Mon Sep 17 00:00:00 2001 
From: pereiramarco011
Date: Tue, 19 Dec 2023 15:49:37 +0000
Subject: [PATCH 316/379] change verification to analyzer and add e2e
---
 e2e/fixtures/E2E_CLI_076_RESULT.json | 26 +
 e2e/testcases/e2e-cli-076_max_file_size.go | 27 +
 internal/console/analyze.go | 6 +-
 pkg/analyzer/analyzer.go | 9 +-
 pkg/scan/utils.go | 1 +
 test/fixtures/max_file_size/sample.tf | 109989 ++++++++++++++++++
 6 files changed, 110053 insertions(+), 5 deletions(-)
 create mode 100644 e2e/fixtures/E2E_CLI_076_RESULT.json
 create mode 100644 e2e/testcases/e2e-cli-076_max_file_size.go
 create mode 100644 test/fixtures/max_file_size/sample.tf
diff --git a/e2e/fixtures/E2E_CLI_076_RESULT.json b/e2e/fixtures/E2E_CLI_076_RESULT.json
new file mode 100644
index 00000000000..3cca4b8bc5d
--- /dev/null
+++ b/e2e/fixtures/E2E_CLI_076_RESULT.json
@@ -0,0 +1,26 @@
+{
+ "kics_version": "development",
+ "files_scanned": 0,
+ "lines_scanned": 0,
+ "files_parsed": 0,
+ "lines_parsed": 0,
+ "lines_ignored": 0,
+ "files_failed_to_scan": 0,
+ "queries_total": 0,
+ "queries_failed_to_execute": 0,
+ "queries_failed_to_compute_similarity_id": 0,
+ "scan_id": "console",
+ "severity_counters": {
+ "HIGH": 0,
+ "INFO": 0,
+ "LOW": 0,
+ "MEDIUM": 0,
+ "TRACE": 0
+ },
+ "total_counter": 0,
+ "total_bom_resources": 0,
+ "start": "2023-12-19T15:48:05.8014232Z",
+ "end": "2023-12-19T15:48:05.9361693Z",
+ "paths": [],
+ "queries": []
+}
diff --git a/e2e/testcases/e2e-cli-076_max_file_size.go b/e2e/testcases/e2e-cli-076_max_file_size.go
new file mode 100644
index 00000000000..8c80e009c09
--- /dev/null
+++ b/e2e/testcases/e2e-cli-076_max_file_size.go
@@ -0,0 +1,27 @@
+package testcases
+
+// E2E-CLI-075 - KICS scan
+// should perform the scan successfully detect ansible and return result 40
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a valid scan and and detect ansible [E2E-CLI-075]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_076_RESULT",
+ "-p", "\"/path/test/fixtures/max_file_size\"",
+ "--max-file-size", "4",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_076_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{00},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/internal/console/analyze.go b/internal/console/analyze.go
index 30ccd9453ce..d0e7150d56d 100644
--- a/internal/console/analyze.go
+++ b/internal/console/analyze.go
@@ -65,8 +65,9 @@ func analyze() error {
 
 func getAnalyzeParameters() *analyzer.Parameters {
 analyzeParams := analyzer.Parameters{
- Path: flags.GetMultiStrFlag(flags.AnalyzePath),
- Results: flags.GetStrFlag(flags.AnalyzeResults),
+ Path: flags.GetMultiStrFlag(flags.AnalyzePath),
+ Results: flags.GetStrFlag(flags.AnalyzeResults),
+ MaxFileSize: flags.GetIntFlag(flags.MaxFileSizeFlag),
 }
 
 return &analyzeParams
@@ -90,6 +91,7 @@ func executeAnalyze(analyzeParams *analyzer.Parameters) error {
 Exc: []string{""},
 ExcludeGitIgnore: false,
 GitIgnoreFileName: "",
+ MaxFileSize: analyzeParams.MaxFileSize,
 }
 
 analyzedPaths, err := analyzer.Analyze(analyzerStruct)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index e983e63435b..774fd49e4f0 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -123,11 +123,13 @@ const (
 dockerfile = "dockerfile"
 crossplane = "crossplane"
 knative = "knative"
+ MB_SIZE = 1048576
 )
 
 type Parameters struct {
- Results string
- Path []string
+ Results string
+ Path []string
+ MaxFileSize int
 }
 
 // regexSlice is a struct to contain a slice of regex
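Review bot: The header comment and the test Name in the new e2e-cli-076_max_file_size.go hunk still say E2E-CLI-075 and "detect ansible", which is the previous case's text, while the result file and fixture belong to the 076 max-file-size scenario; change them to `// E2E-CLI-076 - KICS scan`, `// should perform the scan successfully and ignore files above --max-file-size` and `Name: "should perform a valid scan and ignore files above --max-file-size [E2E-CLI-076]",`. `WantStatus: []int{00}` is an octal literal that happens to equal zero; `[]int{0}` says the same thing without the surprise. The expected result fixture reports files_scanned 0, so the case only shows that the oversized sample is skipped; a small second file under test/fixtures/max_file_size would also confirm that files within the limit are still scanned (the fixture directory beyond sample.tf is not visible here, so this is a suggestion).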
@@ -149,6 +151,7 @@ type Analyzer struct {
 Exc []string
 GitIgnoreFileName string
 ExcludeGitIgnore bool
+ MaxFileSize int
 }
 
 // types is a map that contains the regex by type
@@ -301,7 +304,7 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { ext := utils.GetExtension(path)
- if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) {
+ if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) || (a.MaxFileSize >= 0 && float64(info.Size())/float64(MB_SIZE) > float64(a.MaxFileSize)) {
 ignoreFiles = append(ignoreFiles, path)
 a.Exc = append(a.Exc, path)
 }
diff --git a/pkg/scan/utils.go b/pkg/scan/utils.go
index 866f82d0182..49c81ffc69f 100644
--- a/pkg/scan/utils.go
+++ b/pkg/scan/utils.go
@@ -59,6 +59,7 @@ func (c *Client) prepareAndAnalyzePaths(ctx context.Context) (provider.Extracted
 Exc: c.ScanParams.ExcludePaths,
 GitIgnoreFileName: ".gitignore",
 ExcludeGitIgnore: c.ScanParams.ExcludeGitIgnore,
+ MaxFileSize: c.ScanParams.MaxFileSizeFlag,
 }
 
 pathTypes, errAnalyze := analyzePaths(a)
diff --git a/test/fixtures/max_file_size/sample.tf b/test/fixtures/max_file_size/sample.tf
new file mode 100644
index 00000000000..1545e73634d
--- /dev/null
+++ b/test/fixtures/max_file_size/sample.tf
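Review bot: The size test added to the `if` in Analyze (hunk `@@ -301,7 +304,7 @@`) goes through float64 only to compare megabytes; the integer form `a.MaxFileSize >= 0 && info.Size() > int64(a.MaxFileSize)*MB_SIZE` is exact and reads more directly. With that guard a MaxFileSize of 0 excludes every non-empty file, so the flag's default and the meaning of a negative value deserve a comment on the field added in `@@ -149,6 +151,7 @@`, e.g. `// MaxFileSize is the per-file limit in MB; larger files are excluded from analysis, a negative value disables the check`. If `info` comes from an Lstat-based walk, Size() for a symlink is the link's own length rather than the target's, so an oversized target reached through a symlink would pass the check — worth confirming, since the limit presumably exists to bound parser memory. `MB_SIZE` (declared in the earlier `@@ -123,11 +123,13 @@` hunk) would be `mbSize` under Go naming, and golint/revive flag the underscore form. The enclosing Analyze function starts and ends outside the hunk.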
@@ -0,0 +1,109989 @@ +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report 
a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = 
"cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + 
cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 
6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = 
"cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + 
+resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + 
num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + 
engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + 
engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes 
= 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = 
"memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource 
"aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "3.2.10" + port = 6379 +} + From 78f33dcad2c8fbc0a3eb2d230c5fae1196a7a97c Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Tue, 19 Dec 2023 15:50:40 +0000 Subject: [PATCH 317/379] fix e2e --- e2e/testcases/e2e-cli-076_max_file_size.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/testcases/e2e-cli-076_max_file_size.go b/e2e/testcases/e2e-cli-076_max_file_size.go index 8c80e009c09..20708e26141 100644 --- a/e2e/testcases/e2e-cli-076_max_file_size.go +++ b/e2e/testcases/e2e-cli-076_max_file_size.go @@ -10,7 +10,7 @@ func init() { //nolint []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_076_RESULT", "-p", "\"/path/test/fixtures/max_file_size\"", - "--max-file-size", "4", + "--max-file-size", "3", }, }, ExpectedResult: []ResultsValidation{ 
From bfcc477c5184f7b73cc9244a67ec509fc97191d7 Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Tue, 19 Dec 2023 15:53:52 +0000
Subject: [PATCH 318/379] fix e2e desc
---
 e2e/testcases/e2e-cli-076_max_file_size.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/e2e/testcases/e2e-cli-076_max_file_size.go b/e2e/testcases/e2e-cli-076_max_file_size.go
index 20708e26141..380e7fc8743 100644
--- a/e2e/testcases/e2e-cli-076_max_file_size.go
+++ b/e2e/testcases/e2e-cli-076_max_file_size.go
@@ -1,10 +1,10 @@
 package testcases
 
-// E2E-CLI-075 - KICS scan
-// should perform the scan successfully detect ansible and return result 40
+// E2E-CLI-076 - KICS scan
+// should perform a scan without detecting anything since no files are scanned because of max file size
 func init() { //nolint
 testSample := TestCase{
- Name: "should perform a valid scan and and detect ansible [E2E-CLI-075]",
+ Name: "should perform a scan without detecting anything since no files are scanned because of max file size [E2E-CLI-076]",
 Args: args{
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
From dfbc9a95fba93302a652fb767165b17bc3c5aa3b Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Tue, 19 Dec 2023 17:16:53 +0000
Subject: [PATCH 319/379] fix lint and err
---
 pkg/analyzer/analyzer.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index 774fd49e4f0..bf7497eff92 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -123,7 +123,7 @@ const (
 dockerfile = "dockerfile"
 crossplane = "crossplane"
 knative = "knative"
- MB_SIZE = 1048576
+ sizeMb = 1048576
 )
 
 type Parameters struct {
@@ -304,9 +304,15 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) {
 
 ext := utils.GetExtension(path)
 
- if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) || (a.MaxFileSize >= 0 && float64(info.Size())/float64(MB_SIZE) > float64(a.MaxFileSize)) {
+ exceededFileSize := a.MaxFileSize >= 0 && float64(info.Size())/float64(sizeMb) > float64(a.MaxFileSize)
+
+ if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) || exceededFileSize {
 ignoreFiles = append(ignoreFiles, path)
 a.Exc = append(a.Exc, path)
+
+ if exceededFileSize {
+ log.Err(err).Msgf("file %s exceeds maximum file size of %d Mb", path, a.MaxFileSize)
+ }
 }
 
 if isConfigFile(path, defaultConfigFiles) {
From cc2442a200e684f341a5f207d2b70759774b684a Mon Sep 17 00:00:00 2001
From: pereiramarco011
Date: Tue, 19 Dec 2023 17:20:56 +0000
Subject: [PATCH 320/379] add error
---
 pkg/analyzer/analyzer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index bf7497eff92..d7429d60a29 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -311,7 +311,7 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) {
 a.Exc = append(a.Exc, path)
 
 if exceededFileSize {
- log.Err(err).Msgf("file %s exceeds maximum file size of %d Mb", path, a.MaxFileSize)
+ log.Error().Msgf("file %s exceeds maximum file size of %d Mb", path, a.MaxFileSize)
 }
 }
 
From 1c0a75e3d461a8eb7c4a9cb0c5d49ca61eeea2ba Mon Sep 17 00:00:00 2001
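Review bot: The oversize-file branch in the `-304,9 +304,15` hunk logs a configured, expected exclusion at error level (`log.Err(err).Msgf(...)`, and still error level as `log.Error()` in the following `-311,7 +311,7` hunk of PATCH 320), which makes a deliberate skip read like a scan failure; `log.Warn().Msgf("file %s exceeds maximum file size of %d Mb", path, a.MaxFileSize)` would match its severity. The skip does matter for scan coverage, since a file dropped for size is a silent source of missed findings, so I would also document the sentinel and the unit on the new `exceededFileSize` line: `// MaxFileSize < 0 disables the limit; sizeMb is 1048576, so the "Mb" in the message is really MiB`. `info.Size()` is now evaluated for every visited path before the gitignore check, which is cheap, but if the walk callback does not already return on a non-nil `err` earlier, a nil `info` would panic here; Analyze starts outside the hunk, so I cannot confirm that guard from this view.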
From: asofsilva Date: Tue, 19 Dec 2023 17:26:28 +0000 Subject: [PATCH 321/379] docs(queries): update queries catalog --- docs/queries/all-queries.md | 3178 ++++++++--------- docs/queries/ansible-queries.md | 306 +- docs/queries/azureresourcemanager-queries.md | 30 +- docs/queries/cloudformation-queries.md | 360 +- docs/queries/crossplane-queries.md | 26 +- docs/queries/dockercompose-queries.md | 14 +- docs/queries/dockerfile-queries.md | 42 +- .../googledeploymentmanager-queries.md | 46 +- docs/queries/kubernetes-queries.md | 142 +- docs/queries/openapi-queries.md | 442 +-- docs/queries/pulumi-queries.md | 22 +- docs/queries/serverlessfw-queries.md | 2 +- docs/queries/terraform-queries.md | 914 ++--- 13 files changed, 2762 insertions(+), 2762 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 53eda1b970c..9aec6050726 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -3,1771 +3,1771 @@ This page contains all queries. | Query |Platform|Severity|Category|Description|Help| |-----------------------------|---|---|---|---|---| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|An unknown port, such as port 24 or port 111, is open to the public in the TCP, UDP, or ALL protocol(s) mentioned (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| -|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|Terraform|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| -|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|Terraform|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| -|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Terraform|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| -|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Terraform|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| -|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Terraform|Medium|Best Practices|Spark Version is not a Long-term Support (LTS) version (read more)|Documentation
| -|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Terraform|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| -|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Terraform|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| -|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Terraform|Medium|Insecure Defaults|Token has an indefinite lifetime (read more)|Documentation
| -|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Terraform|Medium|Insecure Defaults|OBO Token has an indefinite lifetime (read more)|Documentation
| -|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Terraform|Medium|Resource Management|Databricks should have minimum and maximum workers set up for autoscale (read more)|Documentation
| -|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Terraform|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host's /proc command, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime. (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to drop the NET_RAW or ALL capabilities (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list, or watch as verbs (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Checks that the Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack surface (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Checks that Kubernetes Drop Capabilities exist to ensure the containers' security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies whether a Kubernetes workload's host port is specified (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for a guest user (read more)|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage (read more)|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public, in keeping with the principle of least privilege (read more)|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that Geo Redundant Backups are enabled on PostgreSQL (read more)|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, i.e. the rule's range starts at 0.0.0.0 and ends at 255.255.255.255. (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| -|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Terraform|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allows full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go; instead, permissions should be granted gradually as necessary. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value of AWS EBS Volume Snapshot Encryption must be true (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with a public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform; it can be done by adding an MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using the AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please also note that MFA delete cannot be used with lifecycle configurations (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| +|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Terraform|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|Terraform|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| +|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|Terraform|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| +|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Terraform|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| +|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Terraform|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| +|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Terraform|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| +|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Terraform|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| +|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Terraform|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| +|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Terraform|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| +|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Terraform|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| +|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Terraform|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| +|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Terraform|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| |Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| |Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| |Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| |Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| |Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| |IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| |MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| |ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| |User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| |CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| |ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| |Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| |API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| |Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| |Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| |ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| |Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| |Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| |EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| |IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| |EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| |IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| |SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| |RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| |Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| |Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| |Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| |API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| |Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| |ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| |CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| |API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| |GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| |Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| -|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control||Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control||Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control||Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control||Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control||Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control||Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control||Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control||Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations||Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations||Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations||Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations||Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations||Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations||Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations||Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control||Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations||Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices||Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices||Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices||Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices||Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices||Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices||Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices||Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices||Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices||Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices||Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices||Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices||Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices||Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices||Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices||Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices||Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics||Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics||Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics||Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics||Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics||Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics||Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics||Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics||Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics||Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics||Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics||Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics||Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics||Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics||Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics||Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics||Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics||Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| |RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| |Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| |Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| |Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| |Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| |Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| |Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| |Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| |Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| |PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| |Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| |Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| |RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| |Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| |Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| |RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| |Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| |Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| |Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| |Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| |Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| |Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| |Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| |PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| |Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| |Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| |Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| |Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| |Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| |Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| |Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| |CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| |Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| |Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| |Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| |CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| |Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| |Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| |Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| |Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| |Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| |ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| |Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| |Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| |HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| |Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| |Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| |Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| |Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| |Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| |Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| |StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| |Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| |Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
|
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index e32477b7285..60c6dfee4e5 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -1,19 +1,74 @@
 ## Ansible Queries List
 This page contains all queries from Ansible.
-### SHARED (V2/V3)
-Bellow are listed queries related with Ansible SHARED (V2/V3):
+### GCP
+Bellow are listed queries related with Ansible GCP:
 | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
+
+### CONFIG
+Bellow are listed queries related with Ansible CONFIG:
+
+
+
+| Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
|
 ### AZURE
 Bellow are listed queries related with Ansible AZURE:
@@ -22,58 +77,46 @@ Bellow are listed queries related with Ansible AZURE:
 | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
+|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
|
 |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
|
-|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
|
 |Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
|
-|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
|
 |MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
|
+|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
|
 |Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
|
-|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
|
-|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
|
 |VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
|
+|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
|
+|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
|
 |Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
|
-|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
|
 |Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
|
+|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
|
+|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
 |Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
|
-|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
|
 |SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
|
-|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
|
-|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
|
+|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
|
 |Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
|
+|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
|
 |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
|
 |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
|
 |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
|
 |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
|
 |Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
|
 |Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
|
+|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
|
 |Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
|
 |AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
|
-|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
|
 |Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
|
-|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
|
 |Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
|
-|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
-|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
+|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
|
 |PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
|
+|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
+|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
|
+|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
|
+|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
 |PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
|
+|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
 |Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
|
-|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
|
 |AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
|
-|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
|
-|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
-
-### CONFIG
-Bellow are listed queries related with Ansible CONFIG:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
|
-|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
|
-|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
|
-|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| ### HOSTS Bellow are listed queries related with Ansible HOSTS: @@ -91,191 +134,148 @@ Bellow are listed queries related with Ansible AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
|
-|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
-|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
 |S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
|
+|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
+|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
|
+|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
+|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
|
+|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
+|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
|
 |ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
|
+|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
+|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
|
 |IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
|
-|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
|
 |S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
|
-|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
|
-|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
|
+|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
|
 |S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
|
-|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
|
-|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
|
-|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
|
-|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
|
-|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
|
-|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
|
-|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
|
+|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
|
 |ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
|
+|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
 |User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
|
-|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
|
-|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
|
+|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
|
 |S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
|
 |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
|
-|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
-|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
|
 |User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
|
+|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
|
+|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
|
 |Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
|
+|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
|
 |S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
|
-|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
|
-|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
|
-|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
|
+|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
|
 |ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
|
-|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
|
+|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
|
+|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
|
+|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
|
+|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
|
+|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
|
 |Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
|
-|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
|
 |RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
|
-|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
|
+|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
|
 |CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
|
-|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
|
+|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
|
+|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
|
+|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
|
 |Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
|
-|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
|
 |Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
|
+|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
|
+|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
|
+|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
|
 |Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
|
+|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
|
 |Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
|
+|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
|
 |Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
|
-|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
|
-|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
|
-|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
|
-|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
|
 |EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| |RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| |SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| |API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| |IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| |Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| |ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
| |IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| |Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| |Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| |CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| |S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| |CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| |CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -### GCP -Bellow are listed queries related with Ansible GCP: +### SHARED (V2/V3) +Bellow are listed queries related with Ansible SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
|
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
index e279506c87a..0b0db9c7caa 100644
--- a/docs/queries/azureresourcemanager-queries.md
+++ b/docs/queries/azureresourcemanager-queries.md
@@ -4,43 +4,43 @@ This page contains all queries from AzureResourceManager. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| |Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| |Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| |Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| |MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| |Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| |AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| |SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| |AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| |PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| |AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| |PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| |Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| |Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| |Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| |Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| |Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| |Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| |AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| |App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| |Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| |SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index c4f82b36316..40cdffeadf4 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -1,6 +1,26 @@ ## CloudFormation Queries List This page contains all queries from CloudFormation.
+### AWS_BOM Bellow are listed queries related with CloudFormation AWS_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| + ### AWS_SAM Bellow are listed queries related with CloudFormation AWS_SAM:
@@ -10,13 +30,13 @@ Bellow are listed queries related with CloudFormation AWS_SAM: |------------------------------|--------|--------|-----------|----| |Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| |Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| |Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| |Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| |Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| |Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| ### AWS
@@ -26,279 +46,259 @@ Bellow are listed queries related with CloudFormation AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| |IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| |MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| |ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| |User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| |CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| |ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| |Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| |API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| |Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| |Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| |ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| |EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| |Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| |EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| |Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| |Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| |EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| |API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| |IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| |EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| |IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| |IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| |IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| |SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| |RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| |SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| |CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| |Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| |Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| |IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| |Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| |EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| |API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| |Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| |ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| |CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| |API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| |GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| |CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| |Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| |Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| |Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| |Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| |RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| |Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| -|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| |ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| - -### AWS_BOM -Bellow are listed queries related with CloudFormation AWS_BOM: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md index 10a9be6afd9..eca71c9787c 100644 --- a/docs/queries/crossplane-queries.md +++ b/docs/queries/crossplane-queries.md @@ -1,6 +1,16 @@ ## Crossplane Queries List This page contains all queries from Crossplane. +### GCP +Bellow are listed queries related with Crossplane GCP: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| + ### AZURE Bellow are listed queries related with Crossplane AZURE: @@ -18,26 +28,16 @@ Bellow are listed queries related with Crossplane AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| |ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| |EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| |RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| |SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| |CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| |CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| |CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| |DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| - -### GCP -Bellow are listed queries related with Crossplane GCP: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md index fbd83ce66cd..7f2035ffa26 100644 --- a/docs/queries/dockercompose-queries.md +++ b/docs/queries/dockercompose-queries.md @@ -3,24 +3,24 @@ This page contains all queries from DockerCompose. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| |Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| |Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| |No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| |Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| |Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| |Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| |Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| |Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| |Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| |Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| |Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| |Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 14a740794a2..2cdaa6c7b64 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -4,48 +4,48 @@ This page contains all queries from Dockerfile. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| |Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| |Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| |Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| |Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| |Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| |Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| |Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| |RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| |Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| |Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| |Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| |Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| |Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| |Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| |Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| |Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| |Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| |Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| |Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| |Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md index 5f768b5476e..5399229d8ab 100644 --- a/docs/queries/googledeploymentmanager-queries.md +++ b/docs/queries/googledeploymentmanager-queries.md @@ -1,17 +1,6 @@ ## GoogleDeploymentManager Queries List This page contains all queries from GoogleDeploymentManager. -### GCP_BOM -Bellow are listed queries related with GoogleDeploymentManager GCP_BOM: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| - ### GCP Bellow are listed queries related with GoogleDeploymentManager GCP: @@ -19,35 +8,46 @@ Bellow are listed queries related with GoogleDeploymentManager GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| |BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| |GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| |Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| |Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| |Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| |Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| |Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| |Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| |Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| |Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| |COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| |Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| |SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| |Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
+
+### GCP_BOM
+Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
|
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index 875ff2d7f30..4b66afc9aa1 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -3,148 +3,148 @@ This page contains all queries from Kubernetes. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| |RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| |Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| |Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| |Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| |Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| |Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| |Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| |Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| |Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| |PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| |Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| |Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| |RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| |Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| |Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| |RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| |Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| |Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| |Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| |Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| |Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| |Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| |Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| |PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| |Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| |Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| |Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| |Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| |Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| |Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| |Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| |CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| |Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| |Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| |Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| |CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| |Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| |Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| |Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| |Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| |Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| |ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| |Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| |Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| |HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| |Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| |Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| |Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| |Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| |Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| |Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| |Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| |Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| |StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| |Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| |Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
|
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md
index 578cae3e2c1..d20ce63adb4 100644
--- a/docs/queries/openapi-queries.md
+++ b/docs/queries/openapi-queries.md
@@ -1,6 +1,90 @@
 ## OpenAPI Queries List This page contains all queries from OpenAPI. +### 3.0 +Bellow are listed queries related with OpenAPI 3.0: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| + ### 2.0 Bellow are listed queries related with OpenAPI 2.0: @@ -11,50 +95,50 @@ Bellow are listed queries related with OpenAPI 2.0: |Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| |Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| |Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| |Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| |Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| |Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| |Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| |Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| |Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| |Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| |Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| |Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| |Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| |Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| |Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| |Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| |Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| |Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| |Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| |Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| ### SHARED (V2/V3) Bellow are listed queries related with OpenAPI SHARED (V2/V3): @@ -63,235 +147,151 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control||Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control||Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control||Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control||Documentation
| |Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control||Documentation
| |Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control||Documentation
| |Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| |Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| |Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control||Documentation
| |API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control||Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations||Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations||Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations||Documentation
| |JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations||Documentation
| |Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations||Documentation
| |JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations||Documentation
| |Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations||Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall||Documentation
| |Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall||Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| |Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| |Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall||Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall||Documentation
| |Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall||Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall||Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| +|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control||Documentation
| |API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations||Documentation
| |Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices||Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices||Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices||Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices||Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices||Documentation
| |Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices||Documentation
| |Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| |Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| |Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices||Documentation
| |Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices||Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices||Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices||Documentation
| |Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices||Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices||Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices||Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices||Documentation
| |Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices||Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices||Documentation
| |JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics||Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics||Documentation
| |Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics||Documentation
| |Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| |Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| |Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics||Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics||Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics||Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics||Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics||Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics||Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics||Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics||Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics||Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics||Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics||Documentation
| |Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics||Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics||Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics||Documentation
| |Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics||Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
|
+|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics||Documentation
|
 |Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
|
-|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
|
+|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics||Documentation
|
 |Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
|
-|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
|
-|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
|
-|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
|
-|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
|
-|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
|
-|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
|
-|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
|
-|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
|
-|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
|
-|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
|
-|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
|
-|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
|
-|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
|
+|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics||Documentation
|
 |Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
|
-|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
|
-|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
|
-|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
|
-|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
|
-|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
|
-|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
|
-|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
|
+|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
|
+|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
|
+|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics||Documentation
|
+|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
|
+|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics||Documentation
|
 |Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
|
-|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
|
-|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
|
-
-### 3.0
-Bellow are listed queries related with OpenAPI 3.0:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
|
-|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
|
-|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
|
-|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
|
-|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
|
-|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
|
-|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
|
-|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
|
-|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
|
-|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
|
-|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
|
-|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
|
-|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
|
-|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
|
-|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
|
-|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
|
-|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
|
-|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
|
-|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
|
-|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
|
-|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
|
-|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
|
-|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
|
-|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
|
-|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
|
-|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
|
-|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
|
-|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
|
-|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
|
-|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
|
-|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
|
-|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
|
-|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
|
-|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
|
-|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
|
-|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
|
-|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
|
-|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
|
-|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
|
-|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
|
-|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
|
-|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
|
-|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
|
-|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
|
-|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
|
-|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
|
-|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
|
-|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
|
-|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
|
-|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
|
-|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
|
-|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
|
-|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
|
-|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
|
-|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
|
-|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
|
-|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
|
-|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
|
-|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
|
-|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
|
-|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
|
-|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
|
-|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
|
-|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
|
-|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
|
-|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
|
-|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
|
-|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
|
-|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
|
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index 2a388b9bd9e..49a2a23334f 100644
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -1,6 +1,16 @@
 ## Pulumi Queries List
 This page contains all queries from Pulumi.
+### GCP
+Bellow are listed queries related with Pulumi GCP:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
|
+|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
|
+
 ### KUBERNETES
 Bellow are listed queries related with Pulumi KUBERNETES:
@@ -37,19 +47,9 @@ Bellow are listed queries related with Pulumi AWS:
 |IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
|
 |DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
|
 |API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
|
-|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
|
 |API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
|
+|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
|
 |DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Low|Observability|DocDB logging should be enabled (read more)|Documentation
|
 |EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
 |DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
|
 |EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
|
-
-### GCP
-Bellow are listed queries related with Pulumi GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
|
-|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
|
diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md
index 47b140b0098..4faa0e7640e 100644
--- a/docs/queries/serverlessfw-queries.md
+++ b/docs/queries/serverlessfw-queries.md
@@ -6,8 +6,8 @@ This page contains all queries from ServerlessFW.
 |Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
|
 |Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
|
 |Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
|
-|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
|
 |Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
|
+|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
|
 |Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
|
 |Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
|
 |Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index a383e387626..1c096f688dd 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -1,101 +1,77 @@
 ## Terraform Queries List
 This page contains all queries from Terraform.
-### ALICLOUD
-Bellow are listed queries related with Terraform ALICLOUD:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
|
-|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
|
-|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
|
-|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
|
-|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
|
-|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
|
-
-### DATABRICKS
-Bellow are listed queries related with Terraform DATABRICKS:
+### GCP
+Bellow are listed queries related with Terraform GCP:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| -|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| -|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| -|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| -|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| -|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| -|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| -|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| -|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| -|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| -|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
-### SHARED (V2/V3)
-Bellow are listed queries related with Terraform SHARED (V2/V3):
+### GITHUB
+Bellow are listed queries related with Terraform GITHUB:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| ### KUBERNETES
 Bellow are listed queries related with Terraform KUBERNETES:
@@ -105,55 +81,55 @@ Bellow are listed queries related with Terraform KUBERNETES:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| |Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| |Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| |Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| |Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| |Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| |Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| |Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| |Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| |Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| |NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| |Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| |Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| |Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| |NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| |Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| |Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| |Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| |CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| |Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| |Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| |Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| |Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| |Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| |StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| |Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| |No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| |Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| |Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
|
@@ -161,13 +137,32 @@ Bellow are listed queries related with Terraform KUBERNETES:
 |Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| |Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| |Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| |Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
|
+### AWS_BOM
+Bellow are listed queries related with Terraform AWS_BOM:
+
+
+
+| Query |Severity|Category|Description|Help|
+|------------------------------|--------|--------|-----------|----|
+|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
|
+
 ### GCP_BOM
 Bellow are listed queries related with Terraform GCP_BOM:
@@ -175,12 +170,12 @@ Bellow are listed queries related with Terraform GCP_BOM:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| |BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| |BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
|
 ### AZURE
 Bellow are listed queries related with Terraform AZURE:
@@ -189,97 +184,97 @@ Bellow are listed queries related with Terraform AZURE:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| |Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| |Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| |Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| |Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| |Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| |Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| |VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| |Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| |Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| |MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| |RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| |Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| |SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| |Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| |Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| |SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| |Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| |Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| |MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| |PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| |PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| |Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| |Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| |Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| |AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| |Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| |App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| |Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| |App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| @@ -293,6 +288,70 @@ Bellow are listed queries related with Terraform NIFCLOUD: |------------------------------|--------|--------|-----------|----| |Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| +### ALICLOUD +Bellow are listed queries related with Terraform ALICLOUD: + + + +| Query |Severity|Category|Description|Help| +|------------------------------|--------|--------|-----------|----| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| + ### AWS Bellow are listed queries related with Terraform AWS: @@ -300,430 +359,371 @@ Bellow are listed queries related with Terraform AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| |Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| |SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| |MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| |SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| |DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| |Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| |ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| |User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| |Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| |Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| |Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| |User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| |Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| |S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| |RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| |ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| |Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| |RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| |S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| |Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| |DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| |Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| |VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| |Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| |ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| |Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| |Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| |DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| |VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| |CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| |KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| |CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| |CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| |Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| |User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| |Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| |Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| |IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| |IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| |ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| |DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| |AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| |Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| |Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| |Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| |API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| |Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| |IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| |Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| |Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| |API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| |ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| |VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| |SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| |S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| |MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| |Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| |CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| |ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| |IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| |S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| |Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| |CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| |EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| |CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| |CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| |CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| |Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| |DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| |Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| |EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -### AWS_BOM -Bellow are listed queries related with Terraform AWS_BOM: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| - -### GITHUB -Bellow are listed queries related with Terraform GITHUB: +### SHARED (V2/V3) +Bellow are listed queries related with Terraform SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -### GCP -Bellow are listed queries related with Terraform GCP: +### DATABRICKS +Bellow are listed queries related with Terraform DATABRICKS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| +|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| +|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| +|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| +|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| +|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| +|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| +|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| +|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| +|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| +|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| From 0f8885c381a2abeb871e45ceed27a319ec74e5af Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Tue, 19 Dec 2023 17:42:29 +0000 Subject: [PATCH 322/379] fix lint --- pkg/analyzer/analyzer.go | 46 +++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index d7429d60a29..ba66f279943 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -304,16 +304,7 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { ext := utils.GetExtension(path) - exceededFileSize := a.MaxFileSize >= 0 && float64(info.Size())/float64(sizeMb) > float64(a.MaxFileSize) - - if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) || exceededFileSize { - ignoreFiles = append(ignoreFiles, path) - a.Exc = append(a.Exc, path) - - if exceededFileSize { - log.Error().Msgf("file %s exceeds maximum file size of %d Mb", path, a.MaxFileSize) - } - } + ignoreFiles = a.checkIgnore(info.Size(), hasGitIgnoreFile, gitIgnore, path, ignoreFiles) if isConfigFile(path, defaultConfigFiles) { projectConfigFiles = append(projectConfigFiles, path) @@ -333,13 +324,7 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { // unwanted is the channel shared by the workers that contains the unwanted files that the parser will ignore unwanted := make(chan string, len(files)) - for i := range a.Types { - a.Types[i] = strings.ToLower(a.Types[i]) - } - - for i := range a.ExcludeTypes { - a.ExcludeTypes[i] = strings.ToLower(a.ExcludeTypes[i]) - } + a.Types, a.ExcludeTypes = typeLower(a.Types, a.ExcludeTypes) // Start the workers for _, file := range files { 
@@ -734,3 +719,30 @@ func (a *analyzerInfo) isAvailableType(typeName string) bool {
 // no valid behavior detected
 return false
 }
+
+func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, gitIgnore *ignore.GitIgnore, path string, ignoreFiles []string) []string {
+ exceededFileSize := a.MaxFileSize >= 0 && float64(fileSize)/float64(sizeMb) > float64(a.MaxFileSize)
+
+ if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) || exceededFileSize {
+ ignoreFiles = append(ignoreFiles, path)
+ a.Exc = append(a.Exc, path)
+
+ if exceededFileSize {
+ log.Error().Msgf("file %s exceeds maximum file size of %d Mb", path, a.MaxFileSize)
+ }
+ }
+ return ignoreFiles
+}
+
+func typeLower(types, exclTypes []string) ([]string, []string) {
+ for i := range types {
+ types[i] = strings.ToLower(types[i])
+ }
+
+ for i := range exclTypes {
+ exclTypes[i] = strings.ToLower(exclTypes[i])
+ }
+
+ return types, exclTypes
+
+}
From 74ceb9360541480fb207cb3c5922de075ee0d256 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Wed, 20 Dec 2023 09:15:25 +0000 Subject: [PATCH 323/379] fix lint --- pkg/analyzer/analyzer.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index ba66f279943..124e4d95eaf 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -720,7 +720,9 @@ func (a *analyzerInfo) isAvailableType(typeName string) bool {
 return false
 }
-func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, gitIgnore *ignore.GitIgnore, path string, ignoreFiles []string) []string {
+func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool,
+ gitIgnore *ignore.GitIgnore,
+ path string, ignoreFiles []string) []string {
 exceededFileSize := a.MaxFileSize >= 0 && float64(fileSize)/float64(sizeMb) > float64(a.MaxFileSize)
 if (hasGitIgnoreFile && gitIgnore.MatchesPath(path)) || isDeadSymlink(path) || exceededFileSize {
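Review bot: `checkIgnore` has no doc comment, and its contract has two points a caller needs to know: `gitIgnore` is only dereferenced behind `hasGitIgnoreFile`, so a nil pointer is safe only while callers keep that pairing, and a file above the size limit is dropped from the scan (appended to `ignoreFiles` and `a.Exc`) with an error log as the only trace. Suggest, above the function: `// checkIgnore appends path to ignoreFiles and a.Exc when it is gitignored, a dead symlink, or larger than a.MaxFileSize MB; a negative MaxFileSize disables the size check and gitIgnore may be nil only when hasGitIgnoreFile is false.` The size limit is the resource-exhaustion guard for the scanner, so the skipped file is a deliberate coverage gap; stating that in the comment tells whoever reads a scan result why the file is absent. The call site in `Analyze` is in the earlier hunk of this commit, outside this one.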
@@ -734,7 +736,7 @@ func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, gitIgnore return ignoreFiles } -func typeLower(types, exclTypes []string) ([]string, []string) { +func typeLower(types, exclTypes []string) (typesRes []string, exclTypesRes []string) { for i := range types { types[i] = strings.ToLower(types[i]) } @@ -744,5 +746,4 @@ func typeLower(types, exclTypes []string) ([]string, []string) { } return types, exclTypes - } From 15725d783c5457d566c2a6a5ef812bad64ddddf9 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Wed, 20 Dec 2023 09:20:09 +0000 Subject: [PATCH 324/379] fix lint --- pkg/analyzer/analyzer.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 124e4d95eaf..8304f7c8f4b 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -736,7 +736,7 @@ func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, return ignoreFiles } -func typeLower(types, exclTypes []string) (typesRes []string, exclTypesRes []string) { +func typeLower(types, exclTypes []string) (typesRes, exclTypesRes []string) { for i := range types { types[i] = strings.ToLower(types[i]) } From 4db5c6e9d36928b314fc33f57ebb62d5db1f6b55 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Wed, 20 Dec 2023 09:37:33 +0000 Subject: [PATCH 325/379] add unit test --- pkg/analyzer/analyzer_test.go | 41 +++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go index e352b5b57c7..b44a96ae212 100644 --- a/pkg/analyzer/analyzer_test.go +++ b/pkg/analyzer/analyzer_test.go @@ -20,6 +20,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr bool gitIgnoreFileName string excludeGitIgnore bool + MaxFileSize int }{ { name: "analyze_test_dir_single_path", 
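Review bot: The named results `typesRes, exclTypesRes` introduced for `typeLower` in this hunk (and shortened again in the `@@ -736,7 +736,7 @@` hunk of the next commit on this line) are never assigned; the body still ends with `return types, exclTypes`, so the names suggest fresh slices while the function actually lowercases both inputs in place and returns the same backing arrays. If the linter requires named results, at least document the aliasing: `// typeLower lowercases every entry of types and exclTypes in place; the returned slices alias the inputs.` Otherwise callers that keep a reference to the original slices will be surprised to find them mutated.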
@@ -36,6 +37,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_helm_single_path", @@ -48,6 +50,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_multiple_path", @@ -63,6 +66,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_multi_checks_path", @@ -77,6 +81,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_not_openapi", @@ -91,6 +96,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_error_path", @@ -105,6 +111,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: true, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_unwanted_path", @@ -119,6 +126,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_tfplan", @@ -133,6 +141,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_considering_ignore_file", @@ -150,6 +159,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "gitignore", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_not_considering_ignore_file", @@ -164,6 +174,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "gitignore", excludeGitIgnore: true, + MaxFileSize: -1, }, { name: "analyze_test_knative_file", 
@@ -178,6 +189,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_servelessfw_file", @@ -192,6 +204,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_undetected_yaml", @@ -206,6 +219,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_dir_single_path_types_value", @@ -237,6 +251,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_dir_single_path_exclude_type_value", @@ -255,6 +270,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_ignore_pnpm_lock_yaml_file", @@ -272,6 +288,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_ignore_dead_symlink", @@ -289,6 +306,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_ansible_host", @@ -301,6 +319,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_ansible_cfg", @@ -313,6 +332,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_ansible_conf", @@ -325,6 +345,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "analyze_test_cicd_github", 
@@ -337,6 +358,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "ansible_host", @@ -349,6 +371,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "ansible_by_children", @@ -361,6 +384,7 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, }, { name: "ansible_by_host", @@ -373,6 +397,22 @@ func TestAnalyzer_Analyze(t *testing.T) { wantErr: false, gitIgnoreFileName: "", excludeGitIgnore: false, + MaxFileSize: -1, + }, + { + name: "analyze_test_file_size_too_big", + paths: []string{filepath.FromSlash("../../test/fixtures/max_file_size")}, + wantTypes: []string{}, + wantExclude: []string{ + filepath.FromSlash("../../test/fixtures/max_file_size/sample.tf"), + }, + typesFromFlag: []string{""}, + excludeTypesFromFlag: []string{""}, + wantLOC: 0, + wantErr: false, + gitIgnoreFileName: "", + excludeGitIgnore: false, + MaxFileSize: 3, }, } @@ -387,6 +427,7 @@ func TestAnalyzer_Analyze(t *testing.T) { Exc: exc, ExcludeGitIgnore: tt.excludeGitIgnore, GitIgnoreFileName: tt.gitIgnoreFileName, + MaxFileSize: tt.MaxFileSize, } got, err := Analyze(analyzer) From 8f9a0327597aa44dea15d479ff08dffaced63904 Mon Sep 17 00:00:00 2001 From: pereiramarco011 Date: Wed, 20 Dec 2023 09:49:10 +0000 Subject: [PATCH 326/379] fix test --- pkg/scan/utils_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/scan/utils_test.go b/pkg/scan/utils_test.go index 402d4e66d34..4dadefa1977 100644 --- a/pkg/scan/utils_test.go +++ b/pkg/scan/utils_test.go @@ -554,6 +554,7 @@ func Test_AnalyzePaths(t *testing.T) { Exc: []string{}, GitIgnoreFileName: ".gitignore", ExcludeGitIgnore: false, + MaxFileSize: -1, }, expectedError: false, expectedOutput: model.AnalyzedPaths{ From 2d1b38358423e740f7805929479a3ed69471050e Mon Sep 17 00:00:00 2001 
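Review bot: The new case `analyze_test_file_size_too_big` in the `@@ -373,6 +397,22 @@` hunk depends on `../../test/fixtures/max_file_size/sample.tf` being larger than 3 MB, yet this commit's diffstat lists only `analyzer_test.go`, so the fixture must already exist or be added separately; if it is a committed multi-megabyte file it bloats the repository, and generating it in the test (`t.TempDir()` plus a file written to the required size) would keep the threshold explicit and the fixture self-contained. The table field is spelled `MaxFileSize` while every sibling (`wantErr`, `excludeGitIgnore`, `gitIgnoreFileName`) is lowerCamel; `maxFileSize` would match. The `-1` added to every other case is presumably the "no limit" sentinel, which matches the `a.MaxFileSize >= 0` guard in the analyzer, but a one-line comment on the struct field would spare the next reader that lookup.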
From: gabriel-cx Date: Wed, 20 Dec 2023 11:51:52 +0000 Subject: [PATCH 327/379] docs(kicsbot): preparing for release 1.7.12 --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 2aa09029519..1ef7420c86c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -10,7 +10,7 @@


Version 1.7.11

-

2023.11.08

+

2023.12.20

Contribute!

From 4e9e8cf970504c2e922a720d6df459585b45f344 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 20 Dec 2023 11:57:43 +0000 Subject: [PATCH 328/379] update --- docker/Dockerfile.ubi8 | 2 +- docs/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index 96f816056a7..ec0c0573156 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -44,7 +44,7 @@ LABEL name="KICS" \ description="Checkmarx/kics is an opensource project that enable you to find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code find more in https://kics.io" \ maintainer="kics@checkmarx.com" \ vendor="Checkmarx" \ - version="v1.7.11" \ + version="v1.7.12" \ release="1" \ io.k8s.display-name="KICS by Checkmarx" \ io.openshift.tags="kics checkmarx" diff --git a/docs/index.md b/docs/index.md index 1ef7420c86c..b4308bbdaf5 100644 --- a/docs/index.md +++ b/docs/index.md @@ -9,7 +9,7 @@


-

Version 1.7.11

+

Version 1.7.12

2023.12.20

Contribute!

From 3b2a234c28cdf487238199e460683fececbf801e Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Mon, 25 Dec 2023 10:28:45 +0200 Subject: [PATCH 329/379] Move conferences info to community page Remove reference to old community meetings --- README.md | 19 ++----------------- docs/CONTRIBUTING.md | 6 ------ docs/community.md | 12 ++---------- 3 files changed, 4 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index fc036d2b2cc..f946d2dc951 100644 --- a/README.md +++ b/README.md 
@@ -87,23 +87,8 @@ What makes KICS really powerful and popular is its built-in extensibility. This KICS is a true community project. It's built as an open source from day one, and anyone can find his own way to contribute to the project. [Check out how](docs/CONTRIBUTING.md), within just minutes, you can start making a difference, by sharing your expertise with a community of thousands of security experts and software developers. -You're welcome to join our monthly [community meetings](docs/community.md), talk with us on GitHub discussions or contact KICS core team at [kics@checkmarx.com](mailto:kics@checkmarx.com). - -## Meet us at conferences - -- [Blackhat ASIA 2023](https://www.blackhat.com/asia-23/arsenal/schedule/index.html#kics---your-iac-secure-now-31009) (video TBD) -- [AWS re:Invent 2021: AWS On Air](https://youtu.be/9ZKldJeBHl4) ([video](https://youtu.be/9ZKldJeBHl4)) -- [OWASP Bristol & Suffolk Chapter - Meetup](https://www.meetup.com/OWASP-Bristol/events/281869377/) ([video](https://youtu.be/KKZJEJF6I0M)) -- [OWASP Canberra Chapter - Meetup](https://www.meetup.com/OWASP-Canberra-Chapter/events/281946376/) -- [InfoSec City - Singapore 2021](https://www.infosec-city.com/sin21-bizcomm) -- [DevSecOps Singapore 2021](https://devopscon.io/cloud-platforms-serverless/infrastructure-is-the-new-code-is-your-devsecops-ready/) -- [Blackhat Europe 2021](https://www.blackhat.com/eu-21/arsenal/schedule/#kics-keeping-infrastructure-as-code-secure-25111) -- [HashiTalks IL 2021](https://events.hashicorp.com/hashitalksisrael) ([video](https://www.youtube.com/watch?v=DFRiSVH4lu0)) -- [Yalla DevOps 2021](https://yalla-devops.com/) ([video](https://youtu.be/Hs_YbAH9giI)) -- [Geektime Code 2021](https://code.geektime.co.il/) -- [DevSecCon24 2021](https://www.devseccon.com/devseccon24-2021/) ([video](https://www.youtube.com/watch?v=eaD-tGMOKe8)) -- [GISEC Global 
2021](https://www.gisec.ae/gisec-2021-conference/insecure-infrastructure-as-code-leaves-the-door-open-for-hackers-1wez) -- [Blackhat ASIA 2021](https://www.blackhat.com/asia-21/arsenal/schedule/#kics-22475) ([video](https://www.youtube.com/watch?v=56AM1wiIOss)) +You're welcome to join our [community](docs/community.md), talk with us on GitHub discussions or contact KICS core team at [kics@checkmarx.com](mailto:kics@checkmarx.com). + **Keeping Infrastructure as Code Secure!** diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index cf3d6532416..467d7f4d5b4 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -6,10 +6,6 @@ KICS is a true community project. It's built as an open source from day one, and Within just minutes, you can start making a difference, by sharing your expertise with a community of thousands of security experts and software developers. -#### Community Meetings - -You're welcome to join our monthly [community meetings](community.md) - #### Contribution Options Good news! You don't have to contribute code. There are plenty of ways you can contribute to KICS project: @@ -186,5 +182,3 @@ The people listed below had made a huge contribution to KICS. **Thank you all!** - - diff --git a/docs/community.md b/docs/community.md index 08ae6eca9f9..3dbec645753 100644 --- a/docs/community.md +++ b/docs/community.md 
@@ -1,13 +1,4 @@ -## Community Meetings -Our community meetings are held virtually on the first Thursday of every month at 15:00 UTC(+0) by [Zoom](https://tinyurl.com/kics-community). - -Upcoming meetings: -- March 2nd, 2023 -- April 6th, 2023 - -You're welcome to join us. - -If want to see summary of previous meetings, have questions about them or want to add a topic to the agenda, you can join our [community thread](https://github.com/Checkmarx/kics/discussions/5675). +## Community ## Hacktoberfest *"[Hacktoberfest](https://github.com/topics/hacktoberfest) is a month-long celebration of open source projects, their maintainers, and the entire community of contributors. Each October, open source maintainers give new contributors extra attention as they guide developers through their first pull requests on GitHub."*
@@ -22,6 +13,7 @@ KICS is a true community project. It's built as an open source from day one, and ## Meet us at conferences +- [Blackhat ASIA 2023](https://www.blackhat.com/asia-23/arsenal/schedule/index.html#kics---your-iac-secure-now-31009) (video TBD) - [AWS re:Invent 2021: AWS On Air](https://youtu.be/9ZKldJeBHl4) ([video](https://youtu.be/9ZKldJeBHl4)) - [OWASP Bristol & Suffolk Chapter - Meetup](https://www.meetup.com/OWASP-Bristol/events/281869377/) ([video](https://youtu.be/KKZJEJF6I0M)) - [OWASP Canberra Chapter - Meetup](https://www.meetup.com/OWASP-Canberra-Chapter/events/281946376/) From 93b54dd10ffad9d562c07be8c4d5489cad0b999c Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Mon, 25 Dec 2023 12:04:35 +0200 Subject: [PATCH 330/379] Add contributors count badge Align buttons style --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f946d2dc951..b9da3d085b4 100644 --- a/README.md +++ b/README.md 
@@ -2,8 +2,9 @@ [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Queries](https://raw.githubusercontent.com/Checkmarx/kics/gh-pages/queries.svg)](https://docs.kics.io/develop/queries/all-queries/) [![Docker Pulls](https://img.shields.io/docker/pulls/checkmarx/kics)](https://hub.docker.com/r/checkmarx/kics) -[![Documentation](https://img.shields.io/badge/docs-viewdocs-blue.svg?style=flat-square "Viewdocs")](https://docs.kics.io/) -[![GitHub Discussions](https://img.shields.io/badge/chat-discussions-blue.svg?logo=github&style=flat-square)](https://github.com/Checkmarx/kics/discussions) +![GitHub contributors](https://img.shields.io/github/contributors/checkmarx/kics?color=blue&link=https%3A%2F%2Fgithub.com%2FCheckmarx%2Fkics%2Fgraphs%2Fcontributors) +[![Documentation](https://img.shields.io/badge/docs-viewdocs-blue.svg "Viewdocs")](https://docs.kics.io/) +[![GitHub Discussions](https://img.shields.io/badge/chat-discussions-blue.svg?logo=github)](https://github.com/Checkmarx/kics/discussions) [![checkmarx](https://img.shields.io/endpoint?url=https://pgp36n22ol.execute-api.eu-west-1.amazonaws.com/dev/cxflowcache-results?style=plastic&logoWidth=20&logo=)](https://sast.checkmarx.net/cxwebclient/portal#/projectState/702/Summary) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/ceddb5b1b37d4edfa56440842c6248a4)](https://www.codacy.com/gh/Checkmarx/kics/dashboard?utm_source=github.com&utm_medium=referral&utm_content=Checkmarx/kics&utm_campaign=Badge_Grade) From e84718c37d77d9ac6558fec0f054dc5f70c1b1f3 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Wed, 27 Dec 2023 12:47:43 +0000 Subject: [PATCH 331/379] append len --- pkg/parser/json/json_line.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/parser/json/json_line.go b/pkg/parser/json/json_line.go index 4d468e3d48a..a9f7bb1f058 100644 --- a/pkg/parser/json/json_line.go +++ b/pkg/parser/json/json_line.go 
@@ -5,6 +5,7 @@ import ( "encoding/json" "fmt" "sort" + "strconv" "strings" "github.com/Checkmarx/kics/pkg/model" @@ -133,6 +134,7 @@ func (j *jsonLineStruct) delimSetup(v json.Delim) { j.noremoveidx[lenPathArr] = j.tmpParent } else { // the next close delimiter should not remove the last element from the pathArr + j.pathArr = append(j.pathArr, strconv.Itoa(lenPathArr)) j.noremoveidx[lenPathArr] = j.tmpParent } } From eb0f2aa4178c1237beec6195a7954e16c7e397cf Mon Sep 17 00:00:00 2001 From: Joao Reigota Date: Wed, 27 Dec 2023 17:01:11 +0000 Subject: [PATCH 332/379] fix searchLine array bug --- pkg/parser/json/json_line.go | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/pkg/parser/json/json_line.go b/pkg/parser/json/json_line.go index a9f7bb1f058..121d30c94de 100644 --- a/pkg/parser/json/json_line.go +++ b/pkg/parser/json/json_line.go @@ -5,7 +5,6 @@ import ( "encoding/json" "fmt" "sort" - "strconv" "strings" "github.com/Checkmarx/kics/pkg/model" @@ -134,7 +133,6 @@ func (j *jsonLineStruct) delimSetup(v json.Delim) { j.noremoveidx[lenPathArr] = j.tmpParent } else { // the next close delimiter should not remove the last element from the pathArr - j.pathArr = append(j.pathArr, strconv.Itoa(lenPathArr)) j.noremoveidx[lenPathArr] = j.tmpParent } } @@ -194,7 +192,7 @@ func (j *jsonLine) setLine(val map[string]interface{}, def int, father string, p } // iterate through the values of the object - for key, val := range val { + for key, v := range val { // if the key with father path was not found ignore if _, ok2 := j.LineInfo[key][father]; !ok2 { continue 
@@ -212,13 +210,13 @@ func (j *jsonLine) setLine(val map[string]interface{}, def int, father string, p lineNr = line.(*fifo).pop() } - switch v := val.(type) { + switch v := v.(type) { // value is an array and must call func setSeqLines to set element lines case []interface{}: lineArr = j.setSeqLines(v, lineNr, father, key, lineArr) // value is an object and must setLines for each element of the object case map[string]interface{}: - v["_kics_lines"] = j.setLine(v, lineNr, fmt.Sprintf("%s.%s", father, key), false) + v["_kics_lines"] = j.setLine(v, lineNr, fmt.Sprintf("%s.%s", father, key), pop) default: // value as no childs lineMap[fmt.Sprintf("_kics_%s", key)] = &model.LineObject{ @@ -244,12 +242,12 @@ func (j *jsonLine) setSeqLines(v []interface{}, def int, father, key string, // update father path with key fatherKey := father + "." + key - defaultLineArr := j.getMapDefaultLine(v, fatherKey) - if defaultLineArr == -1 { - defaultLineArr = def - } // iterate over each element of the array for _, contentEntry := range v { + defaultLineArr := j.getMapDefaultLine(v, fatherKey) + if defaultLineArr == -1 { + defaultLineArr = def + } switch con := contentEntry.(type) { // case element is a map/object call func setLine case map[string]interface{}: From 71947195fb7b1664a687b140b4156e4c386bb3d9 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 28 Dec 2023 09:59:31 +0000 Subject: [PATCH 333/379] merge master --- pkg/parser/json/parser.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/parser/json/parser.go b/pkg/parser/json/parser.go index 53c1828de5a..5aa9196e186 100644 --- a/pkg/parser/json/parser.go +++ b/pkg/parser/json/parser.go @@ -3,7 +3,6 @@ package json import ( "bytes" "encoding/json" - "github.com/Checkmarx/kics/pkg/model" "github.com/Checkmarx/kics/pkg/resolver/file" "github.com/mailru/easyjson" From 1037ac8d46dcda1ab5e7b9fbc72e1ca845474d2b Mon Sep 17 00:00:00 2001 
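Review bot: In the `@@ -244,12 +242,12 @@` hunk `defaultLineArr := j.getMapDefaultLine(v, fatherKey)` now runs on every iteration with arguments that do not change inside the loop (`v` is the whole array, not `contentEntry`), so the move only fixes something if `getMapDefaultLine` consumes state on each call, such as popping the next recorded line for that path; its body is not in this hunk, so I cannot confirm that. If it does, say so where the call sits: `// getMapDefaultLine consumes the next recorded line for this path, so it must run once per element`; if it is pure, the previous hoisted form was correct and this is a loop-invariant call. The commit message "fix searchLine array bug" does not explain the mechanism, and the `pop` now forwarded to the nested `j.setLine` call in the `@@ -212` hunk looks related. `setSeqLines` continues outside the hunk.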
From: JoaoCxMartins Date: Thu, 28 Dec 2023 11:21:33 +0000 Subject: [PATCH 334/379] unit tests --- pkg/parser/json/json_line_test.go | 973 +++++++++++++++++------------- 1 file changed, 543 insertions(+), 430 deletions(-) diff --git a/pkg/parser/json/json_line_test.go b/pkg/parser/json/json_line_test.go index a02cf3ab516..97c4c21397b 100644 --- a/pkg/parser/json/json_line_test.go +++ b/pkg/parser/json/json_line_test.go 
@@ -21,482 +21,417 @@ var testsinitiateJSONLine = []struct { name: "test array of ints", args: args{ doc: []byte(`{ - "father": { - "son" : [ - 1, - 2, - 3, - 0 - ] + "father": { + "son" : [ + 1, + 2, + 3, + 0 + ] + } } - } - `), + `), }, want: `{ - "LineInfo": { - "0": { - ".father.son": { - "Value": [ - 7 - ] - } - }, - "1": { - ".father.son": { - "Value": [ - 4 - ] - } - }, - "2": { - ".father.son": { - "Value": [ - 5 - ] - } - }, - "3": { - ".father.son": { - "Value": [ - 6 - ] - } - }, - "father": { - "": { - "Value": [ - 2 - ] - } - }, - "son": { - ".father": { - "Value": [ - 3 - ] + "LineInfo": { + "0": { + ".father.son": { + "Value": [ + 7 + ] + } + }, + "1": { + ".father.son": { + "Value": [ + 4 + ] + } + }, + "2": { + ".father.son": { + "Value": [ + 5 + ] + } + }, + "3": { + ".father.son": { + "Value": [ + 6 + ] + } + }, + "father": { + "": { + "Value": [ + 2 + ] + } + }, + "son": { + ".father": { + "Value": [ + 3 + ] + } + } } } - } - } - `, + `, wantKicsLine: `{ - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father": { - "_kics_line": 2 - } - }, - "father": { - "_kics_lines": { - "_kics__default": { - "_kics_line": 2 + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_father": { + "_kics_line": 2 + } }, - "_kics_son": { - "_kics_arr": [ - { - "_kics__default": { - "_kics_line": 4 - } - }, - { - "_kics__default": { - "_kics_line": 5 - } - }, - { - "_kics__default": { - "_kics_line": 6 - } + "father": { + "_kics_lines": { + "_kics__default": { + "_kics_line": 2 }, - { - "_kics__default": { - "_kics_line": 7 - } + "_kics_son": { + "_kics_arr": [ + { + "_kics__default": { + "_kics_line": 4 + } + }, + { + "_kics__default": { + "_kics_line": 5 + } + }, + { + "_kics__default": { + "_kics_line": 6 + } + }, + { + "_kics__default": { + "_kics_line": 7 + } + } + ], + "_kics_line": 3 } - ], - "_kics_line": 3 + }, + "son": [ + 1, + 2, + 3, + 0 + ] } - }, - "son": [ - 1, - 2, - 3, - 0 - ] - } - }`, + }`, }, { name: "test 
array objects line", args: args{ doc: []byte(`{ - "father": [ - { - "key": "value" - } - ] - } - `), + "father": [ + { + "key": "value" + } + ] + } + `), }, wantKicsLine: ` - { - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father": { - "_kics_arr": [ + { + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_father": { + "_kics_arr": [ + { + "_kics__default": { + "_kics_line": 4 + }, + "_kics_key": { + "_kics_line": 4 + } + } + ], + "_kics_line": 2 + } + }, + "father": [ { - "_kics__default": { - "_kics_line": 4 - }, - "_kics_key": { - "_kics_line": 4 - } + "key": "value" } - ], - "_kics_line": 2 - } - }, - "father": [ - { - "key": "value" + ] } - ] - } - `, + `, want: ` - { - "LineInfo": { - "father": { - "": { - "Value": [ - 2 - ] - } - }, - "key": { - ".father": { - "Value": [ - 4 - ] - } - }, - "value": { - ".father": { - "Value": [ - 4 - ] + { + "LineInfo": { + "father": { + "": { + "Value": [ + 2 + ] + } + }, + "key": { + ".father": { + "Value": [ + 4 + ] + } + }, + "value": { + ".father": { + "Value": [ + 4 + ] + } + } } } - } - } - `, + `, }, { name: "test initiate json line", args: args{ doc: []byte(`{ - "parameters": "simple test" - } - `), + "parameters": "simple test" + } + `), }, wantKicsLine: ` - { - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 + { + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_parameters": { + "_kics_line": 2 + } }, - "_kics_parameters": { - "_kics_line": 2 - } - }, - "parameters":"simple test" - }`, + "parameters":"simple test" + }`, want: ` - { - "LineInfo": { - "parameters": { - "": { + { + "LineInfo": { + "parameters": { + "": { + "Value": [ + 2 + ] + } + }, + "simple test": { + "": { "Value": [ - 2 - ] - } - }, - "simple test": { - "": { - "Value": [ - 2 - ] + 2 + ] + } } } } - } - `, + `, }, { name: "test initiate special close json line", args: args{ doc: []byte(`{ - "father": { - "close": [ - "value" - ] + "father": { + "close": [ + "value" + ] 
+ } } - } - `), + `), }, wantKicsLine: ` - { - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father": { - "_kics_line": 2 - } - }, - "father": { - "_kics_lines": { - "_kics__default": { - "_kics_line": 2 + { + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_father": { + "_kics_line": 2 + } }, - "_kics_close": { - "_kics_arr": [ - { - "_kics__default": { - "_kics_line": 4 - } + "father": { + "_kics_lines": { + "_kics__default": { + "_kics_line": 2 + }, + "_kics_close": { + "_kics_arr": [ + { + "_kics__default": { + "_kics_line": 4 + } + } + ], + "_kics_line": 3 } - ], - "_kics_line": 3 - } - }, - "close": [ - "value" - ] - } - } - `, - want: ` - { - "LineInfo": { - "close": { - ".father": { - "Value": [ - 3 - ] - } - }, - "father": { - "": { - "Value": [ - 2 + }, + "close": [ + "value" ] } - }, - "value": { - ".father.close": { - "Value": [ - 4 - ] + } + `, + want: ` + { + "LineInfo": { + "close": { + ".father": { + "Value": [ + 3 + ] + } + }, + "father": { + "": { + "Value": [ + 2 + ] + } + }, + "value": { + ".father.close": { + "Value": [ + 4 + ] + } + } } } - } - } - `, + `, }, { name: "test same key different path json line", args: args{ doc: []byte(`{ - "father1": { - "key": "value" - }, - "father2": { - "key": "value" + "father1": { + "key": "value" + }, + "father2": { + "key": "value" + } } - } - `), + `), }, wantKicsLine: `{ - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father1": { - "_kics_line": 2 - }, - "_kics_father2": { - "_kics_line": 5 - } - }, - "father1": { - "_kics_lines": { - "_kics__default": { - "_kics_line": 2 - }, - "_kics_key": { - "_kics_line": 3 - } - }, - "key": "value" - }, - "father2": { - "_kics_lines": { - "_kics__default": { - "_kics_line": 5 + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_father1": { + "_kics_line": 2 + }, + "_kics_father2": { + "_kics_line": 5 + } }, - "_kics_key": { - "_kics_line": 6 - } - }, - "key": "value" - } - 
}`, - want: ` - { - "LineInfo": { "father1": { - "": { - "Value": [ - 2 - ] + "_kics_lines": { + "_kics__default": { + "_kics_line": 2 + }, + "_kics_key": { + "_kics_line": 3 } + }, + "key": "value" }, "father2": { - "": { - "Value": [ - 5 - ] - } - }, - "key": { - ".father1": { - "Value": [ - 3 - ] + "_kics_lines": { + "_kics__default": { + "_kics_line": 5 }, - ".father2": { - "Value": [ - 6 - ] + "_kics_key": { + "_kics_line": 6 } - }, - "value": { - ".father1": { - "Value": [ - 3 - ] + }, + "key": "value" + } + }`, + want: ` + { + "LineInfo": { + "father1": { + "": { + "Value": [ + 2 + ] + } }, - ".father2": { - "Value": [ - 6 - ] + "father2": { + "": { + "Value": [ + 5 + ] + } + }, + "key": { + ".father1": { + "Value": [ + 3 + ] + }, + ".father2": { + "Value": [ + 6 + ] + } + }, + "value": { + ".father1": { + "Value": [ + 3 + ] + }, + ".father2": { + "Value": [ + 6 + ] + } } } - } - }`, + }`, }, { name: "test with parent json line", args: args{ doc: []byte(`{ - "father": { - "son": "this is a son" + "father": { + "son": "this is a son" + } } - } - `), + `), }, wantKicsLine: ` - { - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father":{ - "_kics_line": 2 - } - }, - "father": { + { "_kics_lines": { "_kics__default": { - "_kics_line": 2 + "_kics_line": 0 }, - "_kics_son": { - "_kics_line": 3 + "_kics_father":{ + "_kics_line": 2 } }, - "son": "this is a son" - } - }`, - want: ` - { - "LineInfo": { - "father": { - "": { - "Value": [ - 2 - ] - } - }, - "son": { - ".father": { - "Value": [ - 3 - ] - } - }, - "this is a son": { - ".father": { - "Value": [ - 3 - ] - } - } - } - } - `}, - { - name: "test with array string json line", - args: args{ - doc: []byte(`{ - "father": [ - "testing1", - "testing2" - ] - } - `), - }, - wantKicsLine: ` - { - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father": { - "_kics_arr": [ - { - "_kics__default": { - "_kics_line": 3 - } + "father": { + "_kics_lines": { + "_kics__default": { 
+ "_kics_line": 2 }, - { - "_kics__default": { - "_kics_line": 4 - } + "_kics_son": { + "_kics_line": 3 } - ], - "_kics_line":2 - } - }, - "father": [ - "testing1", - "testing2" - ] - }`, + }, + "son": "this is a son" + } + }`, want: ` { "LineInfo": { 
@@ -507,83 +442,261 @@ var testsinitiateJSONLine = []struct { ] } }, - "testing1": { + "son": { ".father": { "Value": [ 3 ] } }, - "testing2": { + "this is a son": { ".father": { "Value": [ - 4 + 3 ] } } } } - `, + `}, + { + name: "test with array string json line", + args: args{ + doc: []byte(`{ + "father": [ + "testing1", + "testing2" + ] + } + `), + }, + wantKicsLine: ` + { + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_father": { + "_kics_arr": [ + { + "_kics__default": { + "_kics_line": 3 + } + }, + { + "_kics__default": { + "_kics_line": 4 + } + } + ], + "_kics_line":2 + } + }, + "father": [ + "testing1", + "testing2" + ] + }`, + want: ` + { + "LineInfo": { + "father": { + "": { + "Value": [ + 2 + ] + } + }, + "testing1": { + ".father": { + "Value": [ + 3 + ] + } + }, + "testing2": { + ".father": { + "Value": [ + 4 + ] + } + } + } + } + `, }, { name: "test with equal string json line", args: args{ doc: []byte(`{ - "father": [ + "father": [ + "testing", + "testing" + ] + } + `), + }, + wantKicsLine: ` + { + "_kics_lines": { + "_kics__default": { + "_kics_line": 0 + }, + "_kics_father": { + "_kics_arr":[ + { + "_kics__default": { + "_kics_line": 3 + } + }, + { + "_kics__default": { + "_kics_line": 4 + } + } + ], + "_kics_line": 2 + } + }, + "father":[ "testing", "testing" ] + }`, + want: ` + { + "LineInfo": { + "father": { + "": { + "Value": [ + 2 + ] + } + }, + "testing": { + ".father": { + "Value": [ + 3, + 4 + ] + } + } + } + } + `, + }, + { + name: "my test", + args: args{ + doc: []byte(`{ + "resources": [ + { + "properties": { + "httpsOnly": false + } + }, + { + "properties": { + "httpsOnly": false + } + } + ] } `), }, wantKicsLine: ` - { - "_kics_lines": { - "_kics__default": { - "_kics_line": 0 - }, - "_kics_father": { + { + "_kics_lines":{ + "_kics__default":{ + "_kics_line":0 + }, + "_kics_resources":{ + "_kics_line":2, "_kics_arr":[ { - "_kics__default": { - "_kics_line": 3 + "_kics__default":{ + "_kics_line":4 + }, + 
"_kics_properties":{ + "_kics_line":4 } }, { - "_kics__default": { - "_kics_line": 4 + "_kics__default":{ + "_kics_line":9 + }, + "_kics_properties":{ + "_kics_line":9 } } - ], - "_kics_line": 2 + ] } }, - "father":[ - "testing", - "testing" + "resources":[ + { + "properties":{ + "_kics_lines":{ + "_kics__default":{ + "_kics_line":4 + }, + "_kics_httpsOnly":{ + "_kics_line":5 + } + }, + "httpsOnly":false + } + }, + { + "properties":{ + "_kics_lines":{ + "_kics__default":{ + "_kics_line":9 + }, + "_kics_httpsOnly":{ + "_kics_line":10 + } + }, + "httpsOnly":false + } + } ] }`, want: ` { - "LineInfo": { - "father": { - "": { - "Value": [ - 2 - ] - } - }, - "testing": { - ".father": { - "Value": [ - 3, - 4 - ] + "LineInfo": { + "false": { + ".resources.properties": { + "Value": [ + 5, + 10 + ] + } + }, + "httpsOnly": { + ".resources.properties": { + "Value": [ + 5, + 10 + ] + } + }, + "properties": { + ".resources": { + "Value": [ + 4, + 9 + ] + } + }, + "resources": { + "": { + "Value": [ + 2 + ] + } } } - } - } - `, + }`, }, } From a781cf2ff4c0a662ab7f043c381d2ecc58f90292 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 28 Dec 2023 11:31:28 +0000 Subject: [PATCH 335/379] linter --- pkg/parser/json/parser.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/parser/json/parser.go b/pkg/parser/json/parser.go index 5aa9196e186..53c1828de5a 100644 --- a/pkg/parser/json/parser.go +++ b/pkg/parser/json/parser.go @@ -3,6 +3,7 @@ package json import ( "bytes" "encoding/json" + "github.com/Checkmarx/kics/pkg/model" "github.com/Checkmarx/kics/pkg/resolver/file" "github.com/mailru/easyjson" From 9b3b30fe1fd0e77ae1e432312f55b8169831ae94 Mon Sep 17 00:00:00 2001 
From: JoaoCxMartins Date: Thu, 28 Dec 2023 15:32:30 +0000 Subject: [PATCH 336/379] e2e --- e2e/fixtures/E2E_CLI_077_RESULT.json | 68 +++++++++++++++++++ .../e2e-cli-077_fix_similarity_id.go | 27 ++++++++ .../similarity_id/1_general_deployment.json | 43 ++++++++++++ 3 files changed, 138 insertions(+) create mode 100644 e2e/fixtures/E2E_CLI_077_RESULT.json create mode 100644 e2e/testcases/e2e-cli-077_fix_similarity_id.go create mode 100644 test/fixtures/similarity_id/1_general_deployment.json diff --git a/e2e/fixtures/E2E_CLI_077_RESULT.json b/e2e/fixtures/E2E_CLI_077_RESULT.json new file mode 100644 index 00000000000..72e81a69201 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_077_RESULT.json 
@@ -0,0 +1,68 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 43, + "files_parsed": 1, + "lines_parsed": 43, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 2, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 2, + "total_bom_resources": 0, + "start": "2023-12-27T09:48:54.183217Z", + "end": "2023-12-27T09:48:57.0673037Z", + "paths": [ + "C:\\Users\\joaom\\Downloads\\small-sample\\azure_resource_manager_my" + ], + "queries": [ + { + "query_name": "Website Not Forcing HTTPS", + "query_id": "488847ff-6031-487c-bf42-98fd6ac5c9a0", + "query_url": "https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object", + "severity": "HIGH", + "platform": "AzureResourceManager", + "category": "Insecure Configurations", + "experimental": false, + "description": "'Microsoft.Web/sites' should force the use of HTTPS", + "description_id": "3af52329", + "files": [ + { + "file_name": "path\\test\\fixtures\\similarity_id\\1_general_deployment.json", + "similarity_id": "60db1dec778c035dd27b92ac2a39f06a8e44d5e16fc81140d7a70d86cee4a370", + "line": 34, + "resource_type": "Microsoft.Web/sites", + "resource_name": "[variables('functionApp').microsoft_unbilled_synchronization]", + "issue_type": "IncorrectValue", + "search_key": "resources.name={{[variables('functionApp').microsoft_unbilled_synchronization]}}.properties.httpsOnly", + "search_line": -1, + "search_value": "", + "expected_value": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actual_value": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + }, + { + "file_name": "path\\test\\fixtures\\similarity_id\\1_general_deployment.json", + "similarity_id": 
"ce5fe80b1d6f673cd23c2e92e490cae2fb8616a482058547d9e63b5417a92b25", + "line": 18, + "resource_type": "Microsoft.Web/sites", + "resource_name": "[variables('functionApp').unbilled_usage_process]", + "issue_type": "IncorrectValue", + "search_key": "resources.name={{[variables('functionApp').unbilled_usage_process]}}.properties.httpsOnly", + "search_line": -1, + "search_value": "", + "expected_value": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actual_value": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" + } + ] + } + ] +} diff --git a/e2e/testcases/e2e-cli-077_fix_similarity_id.go b/e2e/testcases/e2e-cli-077_fix_similarity_id.go new file mode 100644 index 00000000000..54998583898 --- /dev/null +++ b/e2e/testcases/e2e-cli-077_fix_similarity_id.go @@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-077 - KICS scan +// should perform a scan, present two results, without the same similarity id +func init() { //nolint + testSample := TestCase{ + Name: "should perform a scan, present two results, without the same similarity id [E2E-CLI-077]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_077_RESULT", + "-p", "\"/path/test/fixtures/similarity_id\"", + "-i", "488847ff-6031-487c-bf42-98fd6ac5c9a0", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_077_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{00}, + } + + Tests = append(Tests, testSample) +} diff --git a/test/fixtures/similarity_id/1_general_deployment.json b/test/fixtures/similarity_id/1_general_deployment.json new file mode 100644 index 00000000000..aa8fd77a5a2 --- /dev/null +++ b/test/fixtures/similarity_id/1_general_deployment.json 
@@ -0,0 +1,43 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2021-03-01", + "name": "[variables('functionApp').unbilled_usage_process]", + "location": "[resourceGroup().location]", + "dependsOn": [ + ], + "tags": { + }, + "kind": "functionapp,linux", + "properties": { + "httpsOnly": false, + "keyVaultReferenceIdentity": "SystemAssigned" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2021-03-01", + "name": "[variables('functionApp').microsoft_unbilled_synchronization]", + "location": "[resourceGroup().location]", + "dependsOn": [], + "tags": { + }, + "kind": "functionapp,linux", + "properties": { + "httpsOnly": false, + "keyVaultReferenceIdentity": "SystemAssigned" + }, + "resources": [ + ] + } + ], + "outputs": { + } +} From c7fe29fba8e0d27510a308467e0a9995a92e1003 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 28 Dec 2023 15:40:45 +0000 Subject: [PATCH 337/379] fix --- e2e/testcases/e2e-cli-077_fix_similarity_id.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/testcases/e2e-cli-077_fix_similarity_id.go b/e2e/testcases/e2e-cli-077_fix_similarity_id.go index 54998583898..9d33799291e 100644 --- a/e2e/testcases/e2e-cli-077_fix_similarity_id.go +++ b/e2e/testcases/e2e-cli-077_fix_similarity_id.go @@ -20,7 +20,7 @@ func init() { //nolint }, }, }, - WantStatus: []int{00}, + WantStatus: []int{50}, } Tests = append(Tests, testSample) From 8378683e300ba4fb85825bab89eb7110381322cb Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 28 Dec 2023 16:21:40 +0000 Subject: [PATCH 338/379] fix --- e2e/fixtures/E2E_CLI_077_RESULT.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_077_RESULT.json b/e2e/fixtures/E2E_CLI_077_RESULT.json index 72e81a69201..5e8fb2144c5 100644 
--- a/e2e/fixtures/E2E_CLI_077_RESULT.json +++ b/e2e/fixtures/E2E_CLI_077_RESULT.json @@ -1,9 +1,9 @@ { "kics_version": "development", "files_scanned": 1, - "lines_scanned": 43, + "lines_scanned": 44, "files_parsed": 1, - "lines_parsed": 43, + "lines_parsed": 44, "lines_ignored": 0, "files_failed_to_scan": 0, "queries_total": 1, @@ -22,7 +22,7 @@ "start": "2023-12-27T09:48:54.183217Z", "end": "2023-12-27T09:48:57.0673037Z", "paths": [ - "C:\\Users\\joaom\\Downloads\\small-sample\\azure_resource_manager_my" + "/path/test/fixtures/similarity_id/" ], "queries": [ { 
@@ -38,26 +38,26 @@ "files": [ { "file_name": "path\\test\\fixtures\\similarity_id\\1_general_deployment.json", - "similarity_id": "60db1dec778c035dd27b92ac2a39f06a8e44d5e16fc81140d7a70d86cee4a370", + "similarity_id": "f649e674f984920f340e4078adb4d472fa857d1a8bcfa3e4e0418743faa946fd", "line": 34, "resource_type": "Microsoft.Web/sites", "resource_name": "[variables('functionApp').microsoft_unbilled_synchronization]", "issue_type": "IncorrectValue", "search_key": "resources.name={{[variables('functionApp').microsoft_unbilled_synchronization]}}.properties.httpsOnly", - "search_line": -1, + "search_line": 34, "search_value": "", "expected_value": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", "actual_value": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" }, { "file_name": "path\\test\\fixtures\\similarity_id\\1_general_deployment.json", - "similarity_id": "ce5fe80b1d6f673cd23c2e92e490cae2fb8616a482058547d9e63b5417a92b25", + "similarity_id": "8e341b61966dfc47b2e78304b28b445c9891be5143fcf6bd09f5ba0679e1b0ca", "line": 18, "resource_type": "Microsoft.Web/sites", "resource_name": "[variables('functionApp').unbilled_usage_process]", "issue_type": "IncorrectValue", "search_key": "resources.name={{[variables('functionApp').unbilled_usage_process]}}.properties.httpsOnly", - "search_line": -1, + "search_line": 18, "search_value": "", "expected_value": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", "actual_value": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true" From f3f8f799e6c875e1e331ef8271ff6154976c70dd Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 28 Dec 2023 17:01:29 +0000 Subject: [PATCH 339/379] fix e2e --- e2e/fixtures/E2E_CLI_077_RESULT.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/e2e/fixtures/E2E_CLI_077_RESULT.json b/e2e/fixtures/E2E_CLI_077_RESULT.json index 5e8fb2144c5..e7288fe1221 100644 --- a/e2e/fixtures/E2E_CLI_077_RESULT.json +++ b/e2e/fixtures/E2E_CLI_077_RESULT.json @@ -22,7 +22,7 @@ "start": "2023-12-27T09:48:54.183217Z", "end": "2023-12-27T09:48:57.0673037Z", "paths": [ - "/path/test/fixtures/similarity_id/" + "/path/test/fixtures/similarity_id" ], "queries": [ { From 2a589ec5219b8c5016263ca520cd567f068a5d49 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Fri, 29 Dec 2023 09:52:39 +0000 Subject: [PATCH 340/379] feat(results): update cyclonedx reports from v1.3 to v1.5 --- pkg/report/model/cyclonedx.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/report/model/cyclonedx.go b/pkg/report/model/cyclonedx.go index 3aa3af32043..176ae333b92 100644 --- a/pkg/report/model/cyclonedx.go +++ b/pkg/report/model/cyclonedx.go @@ -218,9 +218,9 @@ func InitCycloneDxReport() *CycloneDxReport { }, }, } - + //update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time, more changes to come) return &CycloneDxReport{ - XMLNS: "http://cyclonedx.org/schema/bom/1.3", + XMLNS: "http://cyclonedx.org/schema/bom/1.5", XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0", SerialNumber: "urn:uuid:" + uuid.New().String(), Version: 1, @@ -268,5 +268,6 @@ func BuildCycloneDxReport(summary *model.Summary, filePaths map[string]string) * bom.Components.Components = append(bom.Components.Components, component) } + return bom } From e7501b8cfa4b5d25ac33f0a384c0cc479021fc92 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Fri, 29 Dec 2023 10:56:56 +0000 Subject: [PATCH 341/379] feat(update): update cyclonedx reports to support v1.5 --- pkg/report/model/cyclonedx.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/report/model/cyclonedx.go b/pkg/report/model/cyclonedx.go index 176ae333b92..7ec684dc0ab 100644 --- a/pkg/report/model/cyclonedx.go 
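Review bot: Bumping `XMLNS` to the 1.5 BOM namespace while keeping `XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0"` is likely to yield documents that no longer validate: as far as I recall the standalone vulnerability extension was superseded in CycloneDX 1.4 by the core `vulnerabilities` element, so a consumer validating against the 1.5 XSD may reject the `v:` elements this report still emits. The in-code comment itself concedes that only the namespace string changed; before shipping, run the generated XML through the 1.5 schema and add a unit test that does so, because a BOM that downstream tooling rejects silently drops findings from the supply-chain view. If the extension is kept deliberately, the comment should say why and name the consumer that still needs it, e.g. `// NOTE: still emits the deprecated ext/vulnerability/1.0 namespace for <consumer>; migrate to the core <vulnerabilities> element in a follow-up`. The rest of InitCycloneDxReport lies outside the hunk.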
+++ b/pkg/report/model/cyclonedx.go @@ -218,7 +218,8 @@ func InitCycloneDxReport() *CycloneDxReport { }, }, } - //update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time, more changes to come) + // Update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time, + // more changes to come) return &CycloneDxReport{ XMLNS: "http://cyclonedx.org/schema/bom/1.5", XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0", From 79b1631deb787da6469c3255ecafbd51cabd81fe Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Fri, 29 Dec 2023 11:10:00 +0000 Subject: [PATCH 342/379] feat(update): update cyclonedx reports to support v1.5 --- pkg/report/model/cyclonedx_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/report/model/cyclonedx_test.go b/pkg/report/model/cyclonedx_test.go index 6925f17f513..117f54cdf90 100644 --- a/pkg/report/model/cyclonedx_test.go +++ b/pkg/report/model/cyclonedx_test.go @@ -24,8 +24,9 @@ var metadata Metadata = Metadata{ }, } +// Update XMLNS version to 1.5 from 1.3 var initCycloneDxReport CycloneDxReport = CycloneDxReport{ - XMLNS: "http://cyclonedx.org/schema/bom/1.3", + XMLNS: "http://cyclonedx.org/schema/bom/1.5", XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0", SerialNumber: "urn:uuid:", // set to "urn:uuid:" because it will be different for every report Version: 1, From 3787e70ae0efbfaf9180b16b110100cb18bc8cb7 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Mon, 25 Dec 2023 20:11:42 +0200 Subject: [PATCH 343/379] Update community information Add individual contributors images Add KICS contributing companies Start a list of organizations who use KICS --- README.md | 23 +++++++++++++++++++---- docs/community.md | 18 +++++++++++------- 2 files changed, 30 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index b9da3d085b4..17a98f1138b 100644 --- a/README.md +++ b/README.md 
@@ -83,14 +83,29 @@ What makes KICS really powerful and popular is its built-in extensibility. This - Fully customizable and adjustable heuristics rules, called [queries](docs/queries.md). These can be easily edited, extended and added. - Robust but yet simple [architecture](docs/architecture.md), which allows quick addition of support for new Infrastructure as Code solutions. -## Contribution - -KICS is a true community project. It's built as an open source from day one, and anyone can find his own way to contribute to the project. -[Check out how](docs/CONTRIBUTING.md), within just minutes, you can start making a difference, by sharing your expertise with a community of thousands of security experts and software developers. +## Community You're welcome to join our [community](docs/community.md), talk with us on GitHub discussions or contact KICS core team at [kics@checkmarx.com](mailto:kics@checkmarx.com). +### KICS Contributors + +See our individual contributors in the [community](docs/community.md) page. You're welcome to join them by [contributing](docs/CONTRIBUTING.md) to KICS. + +We also like to thank the following organizations for their ongoing contribution: +- [Checkmarx](https://checkmarx.com/) +- [Bedrock Streaming](https://bedrockstreaming.com/) (since v1.4.8) +- [Dynatrace](https://www.dynatrace.com/) (since v1.5.1) +- [Orca Security](https://orca.security/) (since v1.5.10) + +### KICS Users +KICS is used by various companies and organizations, some are listed below. If you would like to be included here please open a PR. 
+- [Checkmarx](https://checkmarx.com/) ([IaC Security](https://checkmarx.com/product/iac-security/)) +- [GitLab](https://gitlab.com/) ([Infrastructure as Code scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/)) +- [Cisco](https://www.panoptica.app/) ([CI/CD Securitry](https://docs.panoptica.app/docs/ci-cd-security)) +- [JIT](https://www.jit.io/) ([SAST for IaC](https://www.jit.io/security-tools/kics)) +- [Redpanda](https://redpanda.com/) +- [Keptn](https://keptn.sh) **Keeping Infrastructure as Code Secure!** diff --git a/docs/community.md b/docs/community.md index 3dbec645753..e9947163454 100644 --- a/docs/community.md +++ b/docs/community.md @@ -1,15 +1,19 @@ -## Community +# Community -## Hacktoberfest -*"[Hacktoberfest](https://github.com/topics/hacktoberfest) is a month-long celebration of open source projects, their maintainers, and the entire community of contributors. Each October, open source maintainers give new contributors extra attention as they guide developers through their first pull requests on GitHub."*
+## Contribution -- [Open Issues for the event](https://github.com/Checkmarx/kics/issues?q=is%3Aissue+is%3Aopen+label%3A%22hacktoberfest%22) +KICS is a true community project. It's built as an open source from day one, and everyone can find their own way to contribute to the project. +[Check out how](CONTRIBUTING.md), within just minutes, you can start making a difference, by sharing your expertise with a community of thousands of security experts and software developers. + + + -## Contribution -KICS is a true community project. It's built as an open source from day one, and anyone can find his own way to contribute to the project. -[Check out how](https://github.com/Checkmarx/kics/blob/master/docs/CONTRIBUTING.md), within just minutes, you can start making a difference, by sharing your expertise with a community of thousands of security experts and software developers. +## Hacktoberfest +*"[Hacktoberfest](https://github.com/topics/hacktoberfest) is a month-long celebration of open source projects, their maintainers, and the entire community of contributors. Each October, open source maintainers give new contributors extra attention as they guide developers through their first pull requests on GitHub."*
+ +- [Open Issues for the event](https://github.com/Checkmarx/kics/issues?q=is%3Aissue+is%3Aopen+label%3A%22hacktoberfest%22) ## Meet us at conferences From 1683acbb938015732d9a0539f9a784451750786a Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Wed, 27 Dec 2023 13:51:52 +0200 Subject: [PATCH 344/379] Add Firefly to users list Based on a request by NaorFirefly --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 17a98f1138b..414105d6e5e 100644 --- a/README.md +++ b/README.md @@ -104,6 +104,7 @@ KICS is used by various companies and organizations, some are listed below. If y - [GitLab](https://gitlab.com/) ([Infrastructure as Code scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/)) - [Cisco](https://www.panoptica.app/) ([CI/CD Securitry](https://docs.panoptica.app/docs/ci-cd-security)) - [JIT](https://www.jit.io/) ([SAST for IaC](https://www.jit.io/security-tools/kics)) +- [Firefly](https://www.firefly.ai/) - [Redpanda](https://redpanda.com/) - [Keptn](https://keptn.sh) From 7f7e5456f2d81d6cf9d68e6b96ec22ffce6d9c8f Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Thu, 28 Dec 2023 11:38:17 +0200 Subject: [PATCH 345/379] Add Orca Security to users list Based on request by Lior Samuni --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 414105d6e5e..8d4729615ca 100644 --- a/README.md +++ b/README.md 
@@ -103,6 +103,7 @@ KICS is used by various companies and organizations, some are listed below. If y - [Checkmarx](https://checkmarx.com/) ([IaC Security](https://checkmarx.com/product/iac-security/)) - [GitLab](https://gitlab.com/) ([Infrastructure as Code scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/)) - [Cisco](https://www.panoptica.app/) ([CI/CD Securitry](https://docs.panoptica.app/docs/ci-cd-security)) +- [Orca Security](https://orca.security/) - [JIT](https://www.jit.io/) ([SAST for IaC](https://www.jit.io/security-tools/kics)) - [Firefly](https://www.firefly.ai/) - [Redpanda](https://redpanda.com/) From c64d953bd430ec556e21a3475f72da295a7e3962 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 2 Jan 2024 16:59:28 +0000 Subject: [PATCH 346/379] update version --- .github/workflows/update_software_versions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update_software_versions.yml b/.github/workflows/update_software_versions.yml index 9664fee5b87..0b861d3c0a6 100644 --- a/.github/workflows/update_software_versions.yml +++ b/.github/workflows/update_software_versions.yml @@ -18,7 +18,7 @@ jobs: pip3 install -r .github/scripts/update_versions/requirements.txt python3 .github/scripts/update_versions/update.py - name: Verify Changed files - uses: tj-actions/verify-changed-files@v13.1 + uses: tj-actions/verify-changed-files@v17 id: verify-changed-files with: files: | From b1a770dca6c527937aa0ef7beadb228b3481095a Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Wed, 3 Jan 2024 16:04:38 +0200 Subject: [PATCH 347/379] Add Bedrock Streaming to users list Based on request by Jean-Yves CAMIER --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8d4729615ca..f4b67776b3c 100644 --- a/README.md +++ b/README.md 
@@ -102,6 +102,7 @@ KICS is used by various companies and organizations, some are listed below. If y - [Checkmarx](https://checkmarx.com/) ([IaC Security](https://checkmarx.com/product/iac-security/)) - [GitLab](https://gitlab.com/) ([Infrastructure as Code scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/)) +- [Bedrock Streaming](https://bedrockstreaming.com/) - [Cisco](https://www.panoptica.app/) ([CI/CD Securitry](https://docs.panoptica.app/docs/ci-cd-security)) - [Orca Security](https://orca.security/) - [JIT](https://www.jit.io/) ([SAST for IaC](https://www.jit.io/security-tools/kics)) From 96fabb4072edd758fc4bc23e02d54d9b637e0294 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Thu, 4 Jan 2024 15:54:04 +0000 Subject: [PATCH 348/379] add a timeout to decode results --- pkg/engine/inspector.go | 89 +++++++++++++++++++++++------------------ pkg/remediation/scan.go | 4 +- 2 files changed, 52 insertions(+), 41 deletions(-) diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index f5cb39c3171..7b4ec331684 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go @@ -212,6 +212,7 @@ func (c *Inspector) Inspect( } queries := c.getQueriesByPlat(platforms) + for i, queryMeta := range queries { currentQuery <- 1 @@ -259,8 +260,8 @@ func (c *Inspector) Inspect( vulnerabilities = append(vulnerabilities, vuls...) c.tracker.TrackQueryExecution(query.Metadata.Aggregation) - } + } return vulnerabilities, nil } 
@@ -343,11 +344,13 @@ func (c *Inspector) doRun(ctx *QueryContext) (vulns []model.Vulnerability, err e Str("scanID", ctx.scanID). Msgf("Inspector executed with result %+v, query=%s", results, ctx.Query.Metadata.Query) - return c.DecodeQueryResults(ctx, results) + timeoutCtxToDecode, cancelDecode := context.WithTimeout(ctx.Ctx, c.queryExecTimeout) + defer cancelDecode() + return c.DecodeQueryResults(ctx, timeoutCtxToDecode, results) } // DecodeQueryResults decodes the results into []model.Vulnerability -func (c *Inspector) DecodeQueryResults(ctx *QueryContext, results rego.ResultSet) ([]model.Vulnerability, error) { +func (c *Inspector) DecodeQueryResults(ctx *QueryContext, ctxTimeout context.Context, results rego.ResultSet) ([]model.Vulnerability, error) { if len(results) == 0 { return nil, ErrNoResult } 
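Review bot: The decode budget is a fresh `c.queryExecTimeout` started after the Rego evaluation may already have consumed up to the same amount, so one query can now hold the scan for roughly twice the configured timeout; if that flag is meant as a per-query ceiling, derive the decode deadline from the remaining time of the evaluation context, or document the doubling where the flag is defined. `DecodeQueryResults` is exported, and inserting a parameter in the middle of its signature breaks any external caller compiled against the old one, which matters given the README in this series lists projects consuming KICS as a library. Go convention (and the usual linters) also expects the `context.Context` to come first; since the signature is changing anyway, `func (c *Inspector) DecodeQueryResults(ctxTimeout context.Context, ctx *QueryContext, results rego.ResultSet)` would read more idiomatically. doRun's body begins before this hunk.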
@@ -367,48 +370,54 @@ func (c *Inspector) DecodeQueryResults(ctx *QueryContext, results rego.ResultSet vulnerabilities := make([]model.Vulnerability, 0, len(queryResultItems)) failedDetectLine := false for _, queryResultItem := range queryResultItems { - vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) - if err != nil && err.Error() == ErrNoResult.Error() { - // Ignoring bad results - continue - } - if err != nil { - sentryReport.ReportSentry(&sentryReport.Report{ - Message: fmt.Sprintf("Inspector can't save vulnerability, query=%s", ctx.Query.Metadata.Query), - Err: err, - Location: "func decodeQueryResults()", - Platform: ctx.Query.Metadata.Platform, - Metadata: ctx.Query.Metadata.Metadata, - Query: ctx.Query.Metadata.Query, - }, true) - - if _, ok := c.failedQueries[ctx.Query.Metadata.Query]; !ok { - c.failedQueries[ctx.Query.Metadata.Query] = err + select { + case <-ctxTimeout.Done(): + log.Err(ctxTimeout.Err()).Msgf("Timeout processing the results of the query: %s %s", ctx.Query.Metadata.Platform, ctx.Query.Metadata.Query) + break + default: + vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) + if err != nil && err.Error() == ErrNoResult.Error() { + // Ignoring bad results + continue + } + if err != nil { + sentryReport.ReportSentry(&sentryReport.Report{ + Message: fmt.Sprintf("Inspector can't save vulnerability, query=%s", ctx.Query.Metadata.Query), + Err: err, + Location: "func decodeQueryResults()", + Platform: ctx.Query.Metadata.Platform, + Metadata: ctx.Query.Metadata.Metadata, + Query: ctx.Query.Metadata.Query, + }, true) + + if _, ok := c.failedQueries[ctx.Query.Metadata.Query]; !ok { + c.failedQueries[ctx.Query.Metadata.Query] = err + } + + continue + } + file := ctx.Files[vulnerability.FileID] + if ShouldSkipVulnerability(file.Commands, vulnerability.QueryID) { + log.Debug().Msgf("Skipping vulnerability in file %s for query '%s':%s", file.FilePath, vulnerability.QueryName, vulnerability.QueryID) + continue 
} - continue - } - file := ctx.Files[vulnerability.FileID] - if ShouldSkipVulnerability(file.Commands, vulnerability.QueryID) { - log.Debug().Msgf("Skipping vulnerability in file %s for query '%s':%s", file.FilePath, vulnerability.QueryName, vulnerability.QueryID) - continue - } + if vulnerability.Line == UndetectedVulnerabilityLine { + failedDetectLine = true + } - if vulnerability.Line == UndetectedVulnerabilityLine { - failedDetectLine = true - } + if _, ok := c.excludeResults[vulnerability.SimilarityID]; ok { + log.Debug(). + Msgf("Excluding result SimilarityID: %s", vulnerability.SimilarityID) + continue + } else if checkComment(vulnerability.Line, file.LinesIgnore) { + log.Debug(). + Msgf("Excluding result Comment: %s", vulnerability.SimilarityID) + continue + } - if _, ok := c.excludeResults[vulnerability.SimilarityID]; ok { - log.Debug(). - Msgf("Excluding result SimilarityID: %s", vulnerability.SimilarityID) - continue - } else if checkComment(vulnerability.Line, file.LinesIgnore) { - log.Debug(). - Msgf("Excluding result Comment: %s", vulnerability.SimilarityID) - continue + vulnerabilities = append(vulnerabilities, *vulnerability) } - - vulnerabilities = append(vulnerabilities, *vulnerability) } if failedDetectLine { diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index afa81532c7d..21506a30cdc 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -174,7 +174,9 @@ func runQuery(r *runQueryInfo) []model.Vulnerability { Files: r.files.ToMap(), } - decoded, err := r.inspector.DecodeQueryResults(queryCtx, results) + timeoutCtxToDecode, cancelDecode := context.WithTimeout(context.Background(), queryExecTimeout) + defer cancelDecode() + decoded, err := r.inspector.DecodeQueryResults(queryCtx, timeoutCtxToDecode, results) if err != nil { log.Err(err) From de34b693d3b072fa742e30ad733349c43748a127 Mon Sep 17 00:00:00 2001 
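Review bot: The `break` in `case <-ctxTimeout.Done():` only leaves the `select`, not the `for` loop, so after the deadline the loop keeps iterating over every remaining result item, re-entering the Done case and logging the timeout once per item. More importantly the truncation is silent: the function still returns `vulnerabilities, nil`, `c.failedQueries` is not touched, and the report ends up with fewer findings than the query produced while the exit status claims a complete scan. Label the loop (`resultsLoop: for _, queryResultItem := range queryResultItems {`), exit with `break resultsLoop`, and record the failure with `c.failedQueries[ctx.Query.Metadata.Query] = ctxTimeout.Err()` so it is counted with the other failed queries; I infer from the e2e fixture in this series that failedQueries feeds `queries_failed_to_execute`, so confirm that is the counter reached. The check also fires only between items, so a single slow `c.vb` call is not interrupted — acceptable, but worth a one-line comment on the select. The enclosing function continues past the hunk.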
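Review bot: The decode deadline here is rooted in `context.Background()` rather than in whatever context the remediation scan runs under, so cancelling the outer operation does not stop result decoding; if a caller context is reachable in runQuery, pass it to `context.WithTimeout` instead. `queryExecTimeout` is not defined in the hunk, so I assume it is a package-level value in pkg/remediation — confirm it tracks the engine's configured timeout rather than being a separate constant that can drift. runQuery starts before this hunk.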
From: JoaoCxMartins Date: Thu, 4 Jan 2024 16:13:38 +0000 Subject: [PATCH 349/379] wip --- pkg/engine/inspector.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index 7b4ec331684..ee48460107c 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go @@ -260,7 +260,6 @@ func (c *Inspector) Inspect( vulnerabilities = append(vulnerabilities, vuls...) c.tracker.TrackQueryExecution(query.Metadata.Aggregation) - } return vulnerabilities, nil } @@ -350,7 +349,10 @@ func (c *Inspector) doRun(ctx *QueryContext) (vulns []model.Vulnerability, err e } // DecodeQueryResults decodes the results into []model.Vulnerability -func (c *Inspector) DecodeQueryResults(ctx *QueryContext, ctxTimeout context.Context, results rego.ResultSet) ([]model.Vulnerability, error) { +func (c *Inspector) DecodeQueryResults( + ctx *QueryContext, + ctxTimeout context.Context, + results rego.ResultSet) ([]model.Vulnerability, error) { if len(results) == 0 { return nil, ErrNoResult } @@ -372,7 +374,10 @@ func (c *Inspector) DecodeQueryResults(ctx *QueryContext, ctxTimeout context.Con for _, queryResultItem := range queryResultItems { select { case <-ctxTimeout.Done(): - log.Err(ctxTimeout.Err()).Msgf("Timeout processing the results of the query: %s %s", ctx.Query.Metadata.Platform, ctx.Query.Metadata.Query) + log.Err(ctxTimeout.Err()).Msgf( + "Timeout processing the results of the query: %s %s", + ctx.Query.Metadata.Platform, + ctx.Query.Metadata.Query) break default: vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) From d887cf7a164c6b20bdf028172464158eb46e5eb4 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Fri, 5 Jan 2024 10:30:55 +0000 Subject: [PATCH 350/379] change name of the test --- pkg/parser/json/json_line_test.go | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) 
diff --git a/pkg/parser/json/json_line_test.go b/pkg/parser/json/json_line_test.go index 97c4c21397b..2f1f7421a40 100644 --- a/pkg/parser/json/json_line_test.go +++ b/pkg/parser/json/json_line_test.go @@ -586,7 +586,7 @@ var testsinitiateJSONLine = []struct { `, }, { - name: "my test", + name: "test arrays with objects", args: args{ doc: []byte(`{ "resources": [ @@ -712,19 +712,20 @@ func Test_initializeJSONLine(t *testing.T) { func compareJSONLine(t *testing.T, test1 interface{}, test2 string) { stringefiedJSON, err := json.Marshal(&test1) require.NoError(t, err) - require.JSONEq(t, test2, string(stringefiedJSON)) + aux := string(stringefiedJSON) + require.JSONEq(t, test2, aux) } func Test_jsonLine_setLineInfo(t *testing.T) { for _, tt := range testsinitiateJSONLine { - t.Run(tt.name, func(t *testing.T) { - unmarshaledJSON := make(map[string]interface{}) - err := json.Unmarshal(tt.args.doc, &unmarshaledJSON) - require.NoError(t, err) - j := initializeJSONLine(tt.args.doc) - got := j.setLineInfo(unmarshaledJSON) - compareJSONLine(t, got, tt.wantKicsLine) - }) + //t.Run(tt.name, func(t *testing.T) { + unmarshaledJSON := make(map[string]interface{}) + err := json.Unmarshal(tt.args.doc, &unmarshaledJSON) + require.NoError(t, err) + j := initializeJSONLine(tt.args.doc) + got := j.setLineInfo(unmarshaledJSON) + compareJSONLine(t, got, tt.wantKicsLine) + //}) } } From 8db83e63a30d04879e9a42bdfde2bb32050e87d2 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 9 Jan 2024 14:39:36 +0000 Subject: [PATCH 351/379] fix(e2e): sort paths related to the e2e --- .../e2e-cli-069_ignore_experimental_query.go | 25 +++++++++++++------ ...e-cli-070_not_ignore_experimental_query.go | 12 ++++++++- 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/e2e/testcases/e2e-cli-069_ignore_experimental_query.go b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go index b930126d359..1b87253290b 100644 --- a/e2e/testcases/e2e-cli-069_ignore_experimental_query.go 
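Review bot: Commenting out the `t.Run` wrapper removes the per-case subtest names, so a failing case in `Test_jsonLine_setLineInfo` now reports only the assertion line inside `compareJSONLine` and can no longer be run on its own with `-run`; if the wrapper had to go for a reason, delete the `//t.Run(` and `//})` lines outright and explain why in a comment, otherwise restore `t.Run(tt.name, func(t *testing.T) {`. The `aux := string(stringefiedJSON)` temporary adds nothing over the original inline conversion. The rename from "my test" to "test arrays with objects" is the useful part of this hunk.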
+++ b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go @@ -1,24 +1,35 @@ package testcases -// E2E-CLI-069 - KICS scan and ignore experimental queries -// should perform the scan successfully and return exit code 40 +import ( + "sort" +) + +// E2E-CLI-070 - KICS scan and not ignore experimental queries +// should perform the scan successfully and return exit code 40 and 50 func init() { //nolint + samplePath := "/path/test/fixtures/experimental_test/sample" + queriesPath := "/path/test/fixtures/experimental_test/queries" + + paths := []string{samplePath, queriesPath} + sort.Strings(paths) + testSample := TestCase{ - Name: "should perform a valid scan and ignore the experimental queries [E2E-CLI-069]", + Name: "should perform a valid scan and not ignore the experimental queries [E2E-CLI-070]", Args: args{ Args: []cmdArgs{ - []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_069_RESULT", - "-p", "\"/path/test/fixtures/experimental_test/sample\"", "-q", "\"/path/test/fixtures/experimental_test/queries\"", + []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_070_RESULT", + "-p", "\"" + paths[0] + "\"", "-q", "\"" + paths[1] + "\"", + "--experimental-queries", }, }, ExpectedResult: []ResultsValidation{ { - ResultsFile: "E2E_CLI_069_RESULT", + ResultsFile: "E2E_CLI_070_RESULT", ResultsFormats: []string{"json"}, }, }, }, - WantStatus: []int{40}, + WantStatus: []int{50}, } Tests = append(Tests, testSample) diff --git a/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go index 1dd2bc64d4a..1b87253290b 100644 --- a/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go +++ b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go 
@@ -1,14 +1,24 @@ package testcases +import ( + "sort" +) + // E2E-CLI-070 - KICS scan and not ignore experimental queries // should perform the scan successfully and return exit code 40 and 50 func init() { //nolint + samplePath := "/path/test/fixtures/experimental_test/sample" + queriesPath := "/path/test/fixtures/experimental_test/queries" + + paths := []string{samplePath, queriesPath} + sort.Strings(paths) + testSample := TestCase{ Name: "should perform a valid scan and not ignore the experimental queries [E2E-CLI-070]", Args: args{ Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_070_RESULT", - "-p", "\"/path/test/fixtures/experimental_test/sample\"", "-q", "\"/path/test/fixtures/experimental_test/queries\"", + "-p", "\"" + paths[0] + "\"", "-q", "\"" + paths[1] + "\"", "--experimental-queries", }, }, From 4abe51d5a0125bc68d53e4a22f5809e8f7a4293b Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 9 Jan 2024 15:27:37 +0000 Subject: [PATCH 352/379] fix sort paths related to the e2e --- .../e2e-cli-069_ignore_experimental_query.go | 15 +++++++-------- .../e2e-cli-070_not_ignore_experimental_query.go | 2 +- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/e2e/testcases/e2e-cli-069_ignore_experimental_query.go b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go index 1b87253290b..908fc6bec38 100644 --- a/e2e/testcases/e2e-cli-069_ignore_experimental_query.go +++ b/e2e/testcases/e2e-cli-069_ignore_experimental_query.go @@ -1,11 +1,11 @@ package testcases +// E2E-CLI-069 - KICS scan and ignore experimental queries +// should perform the scan successfully and return exit code 40 import ( "sort" ) -// E2E-CLI-070 - KICS scan and not ignore experimental queries -// should perform the scan successfully and return exit code 40 and 50 func init() { //nolint samplePath := "/path/test/fixtures/experimental_test/sample" queriesPath := "/path/test/fixtures/experimental_test/queries" 
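Review bot: In the first e2e-cli-069 hunk of the "fix sort paths" patch the restored `// E2E-CLI-069 ...` comment is placed above the `import (` block, separated from `func init()` by the import and a blank line, so it no longer reads as the function's description and sits where a package comment would be expected. Move the two comment lines back to directly above `func init() { //nolint`, which is the layout the e2e-cli-070 file keeps.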
@@ -14,22 +14,21 @@ func init() { //nolint sort.Strings(paths) testSample := TestCase{ - Name: "should perform a valid scan and not ignore the experimental queries [E2E-CLI-070]", + Name: "should perform a valid scan and ignore the experimental queries [E2E-CLI-069]", Args: args{ Args: []cmdArgs{ - []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_070_RESULT", - "-p", "\"" + paths[0] + "\"", "-q", "\"" + paths[1] + "\"", - "--experimental-queries", + []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_069_RESULT", + "-p", "\"" + paths[1] + "\"", "-q", "\"" + paths[0] + "\"", }, }, ExpectedResult: []ResultsValidation{ { - ResultsFile: "E2E_CLI_070_RESULT", + ResultsFile: "E2E_CLI_069_RESULT", ResultsFormats: []string{"json"}, }, }, }, - WantStatus: []int{50}, + WantStatus: []int{40}, } Tests = append(Tests, testSample) diff --git a/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go index 1b87253290b..e12dc88a121 100644 --- a/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go +++ b/e2e/testcases/e2e-cli-070_not_ignore_experimental_query.go @@ -18,7 +18,7 @@ func init() { //nolint Args: args{ Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_070_RESULT", - "-p", "\"" + paths[0] + "\"", "-q", "\"" + paths[1] + "\"", + "-p", "\"" + paths[1] + "\"", "-q", "\"" + paths[0] + "\"", "--experimental-queries", }, }, From 2f669b642d068023ea2383e2c41c2f4936e1594e Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Wed, 10 Jan 2024 11:27:07 +0000 Subject: [PATCH 353/379] update documentation for the new version 1.5 of cyclonedx --- docs/results.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/results.md b/docs/results.md index 61ce60c66cb..f29fc73ded8 100644 --- a/docs/results.md +++ b/docs/results.md 
@@ -621,12 +621,14 @@ PDF reports are sorted by severity (from high to info), the results will have qu ## CycloneDX Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd). +**Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5. + You can export CycloneDX report by using `--report-formats "cyclonedx"`. The generated report file will have a prefix `cyclonedx-` and looks like the following example: ``` - + 2021-12-03T15:39:49Z From 790a9a5dc2a761a2e6ae47bfa44b5cf159176b55 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Fri, 12 Jan 2024 16:21:40 +0000 Subject: [PATCH 354/379] start --- pkg/engine/vulnerability_builder.go | 16 ++- pkg/kics/resolver_sink.go | 4 +- pkg/kics/service.go | 45 +++++- pkg/kics/sink.go | 3 +- pkg/model/model.go | 1 + pkg/parser/parser.go | 4 +- pkg/parser/parser_test.go | 8 +- pkg/remediation/scan.go | 4 +- pkg/scan/scan.go | 4 +- stuck.json | 216 ++++++++++++++++++++++++++++ 10 files changed, 292 insertions(+), 13 deletions(-) create mode 100644 stuck.json diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index 0a64d377ea7..2faf65371c5 100644 --- a/pkg/engine/vulnerability_builder.go +++ b/pkg/engine/vulnerability_builder.go 
@@ -158,8 +158,13 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, } var similarityID *string + //aqui vamos usar o resolved file num map de string to boolean + if checkMinified(ctx, linesVulne.ResolvedFile) { + similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, searchKey, searchValue) + } else { + similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, similarityIDLineInfo, searchValue) + } - similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, similarityIDLineInfo, searchValue) if err != nil { logWithFields.Err(err).Send() tracker.FailedComputeSimilarityID() @@ -200,6 +205,15 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, }, nil } +func checkMinified(ctx *QueryContext, resolvedFile string) bool { + for _, file := range ctx.Files { + if file.FilePath == resolvedFile { + return file.IsMinified + } + } + return false +} + func getCloudProvider(platform, overrideKey string, vObj map[string]interface{}, logWithFields *zerolog.Logger) string { cloudProvider := "" if platform == "Terraform" || platform == "CloudFormation" || platform == "Ansible" { diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index c6da572dff2..bf15d768719 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -29,8 +29,8 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope s.Tracker.TrackFileFound() countLines := bytes.Count(rfile.Content, []byte{'\n'}) + 1 s.Tracker.TrackFileFoundCountLines(countLines) - - documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences) + //burro aqui sff + documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences, false) if err != nil { if documents.Kind == "break" { return []string{}, nil 
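Review bot: Switching the similarity-ID input from `similarityIDLineInfo` to `searchKey` for files that checkMinified flags changes the `similarity_id` emitted for every finding in such files, and that ID is what downstream consumers key suppressions and baselines on, so the branch needs a comment stating why the inputs differ and the change should be called out for users. Suggested comment above the `if`: `// Minified files collapse to line 1, so line info cannot tell findings apart; key the ID on the search key instead. This changes IDs for such files relative to earlier versions.` The enclosing DefaultVulnerabilityBuilder body starts and ends outside the hunk.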
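Review bot: checkMinified walks `ctx.Files` linearly for every vulnerability built, so a scan with F files and V findings does F×V `FilePath` comparisons; the Portuguese comment added in the preceding hunk already describes the intended fix—a map from path to bool—and a `map[string]bool` built once per QueryContext would make this an O(1) lookup. The function also lacks a doc comment; suggested: `// checkMinified reports whether resolvedFile was flagged as minified during parsing; paths not present in ctx.Files yield false.` Whether QueryContext already carries a per-path index is not visible here—confirm before adding a field.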
diff --git a/pkg/kics/service.go b/pkg/kics/service.go index 8570366a167..f2f4bcec3ab 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go @@ -1,10 +1,13 @@ package kics import ( + "bufio" "bytes" "context" "encoding/json" "io" + "regexp" + "strings" "sync" "github.com/Checkmarx/kics/pkg/engine" @@ -128,6 +131,7 @@ func (s *Service) StartScan( type Content struct { Content *[]byte CountLines int + IsMinified bool } /* @@ -161,10 +165,49 @@ func getContent(rc io.Reader, data []byte, maxSizeMB int) (*Content, error) { } c.Content = &content c.CountLines = countLines - + isMinified, err := isMinified(&content) + if err != nil { + return c, err + } + c.IsMinified = isMinified return c, nil } +// heuristic to try to find the minified files +func isMinified(content *[]byte) (bool, error) { + file := bytes.NewReader(*content) + scanner := bufio.NewScanner(file) + lineCount := 0 + nonEmptyLineCount := 0 + + // Define a regular expression to match common patterns in minified files + minifiedPattern := regexp.MustCompile(`[;{}()]`) + + for scanner.Scan() { + lineCount++ + line := scanner.Text() + + // Skip empty lines + if strings.TrimSpace(line) == "" { + continue + } + + nonEmptyLineCount++ + + // Check for common minification patterns + if minifiedPattern.MatchString(line) { + return true, nil + } + } + + // Check if the majority of non-empty lines are short + if nonEmptyLineCount > 0 && float64(len(scanner.Text()))/float64(nonEmptyLineCount) < 30 { + return true, nil + } + + return false, nil +} + // GetVulnerabilities returns a list of scan detected vulnerabilities func (s *Service) GetVulnerabilities(ctx context.Context, scanID string) ([]model.Vulnerability, error) { return s.Storage.GetVulnerabilities(ctx, scanID) diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go index 44eabf318af..ca420e6d12d 100644 --- a/pkg/kics/sink.go +++ b/pkg/kics/sink.go 
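Review bot: isMinified cannot work as written: the post-loop check `float64(len(scanner.Text()))/float64(nonEmptyLineCount) < 30` reads `scanner.Text()` after `Scan` has returned false, when it is empty, so any file that reaches that line with a non-empty line is reported minified, and the in-loop `[;{}()]` pattern returns true on the first line containing a brace or parenthesis, which is the first line of essentially every JSON file. `bufio.Scanner` also stops with `ErrTooLong` on a line longer than its default 64 KiB buffer—exactly the shape of a large one-line JSON—and `scanner.Err()` is never checked, so such a file silently reports false. `lineCount` is incremented but never read. Since the result feeds the similarity-ID selection in the engine, a heuristic this loose will relabel IDs for ordinary pretty-printed files.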
@@ -42,7 +42,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string, if err != nil { return errors.Wrapf(err, "failed to get file content: %s", filename) } - documents, err := s.Parser.Parse(filename, *content, openAPIResolveReferences) + documents, err := s.Parser.Parse(filename, *content, openAPIResolveReferences, c.IsMinified) if err != nil { log.Err(err).Msgf("failed to parse file content: %s", filename) return nil @@ -87,6 +87,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string, LinesIgnore: documents.IgnoreLines, ResolvedFiles: documents.ResolvedFiles, LinesOriginalData: utils.SplitLines(documents.Content), + IsMinified: documents.IsMinified, } s.saveToFile(ctx, &file) diff --git a/pkg/model/model.go b/pkg/model/model.go index 4c37957db29..e85140be58b 100644 --- a/pkg/model/model.go +++ b/pkg/model/model.go @@ -130,6 +130,7 @@ type FileMetadata struct { LinesIgnore []int ResolvedFiles map[string]ResolvedFile LinesOriginalData *[]string + IsMinified bool } // QueryMetadata is a representation of general information about a query diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index a42fcf5ee7e..7be45c0823b 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -82,6 +82,7 @@ type ParsedDocument struct { IgnoreLines []int CountLines int ResolvedFiles map[string]model.ResolvedFile + IsMinified bool } // CommentsCommands gets commands on comments in the file beginning, before the code starts 
@@ -117,7 +118,7 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com // Parse executes a parser on the fileContent and returns the file content as a Document, the file kind and // an error, if an error has occurred -func (c *Parser) Parse(filePath string, fileContent []byte, openAPIResolveReferences bool) (ParsedDocument, error) { +func (c *Parser) Parse(filePath string, fileContent []byte, openAPIResolveReferences, isMinified bool) (ParsedDocument, error) { fileContent = utils.DecryptAnsibleVault(fileContent, os.Getenv("ANSIBLE_VAULT_PASSWORD_FILE")) if c.isValidExtension(filePath) { @@ -143,6 +144,7 @@ func (c *Parser) Parse(filePath string, fileContent []byte, openAPIResolveRefere IgnoreLines: igLines, CountLines: bytes.Count(resolved, []byte{'\n'}) + 1, ResolvedFiles: c.parsers.GetResolvedFiles(), + IsMinified: isMinified, }, nil } return ParsedDocument{ diff --git a/pkg/parser/parser_test.go b/pkg/parser/parser_test.go index a205a87ad5b..f21b0824a7d 100644 --- a/pkg/parser/parser_test.go +++ b/pkg/parser/parser_test.go @@ -25,7 +25,7 @@ func TestParser_Parse(t *testing.T) { "name": "CxBraga" } } -`), true) +`), true, false) require.NoError(t, err) require.Len(t, docs.Docs, 1) require.Contains(t, docs.Docs[0], "martin") @@ -39,7 +39,7 @@ func TestParser_Parse(t *testing.T) { docs, err := parser.Parse("test.yaml", []byte(` martin: name: CxBraga -`), true) +`), true, false) require.NoError(t, err) require.Len(t, docs.Docs, 1) require.Contains(t, docs.Docs[0], "martin") @@ -54,7 +54,7 @@ martin: FROM foo COPY . / RUN echo hello -`), true) +`), true, false) require.NoError(t, err) require.Len(t, docs.Docs, 1) 
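Review bot: The new `isMinified` parameter on Parser.Parse is only copied into the returned ParsedDocument (`IsMinified: isMinified` in the next hunk) and never consulted by the parser, so every caller has to compute and thread a flag whose sole effect is to be echoed back, and the callers in this patch pass inconsistent values (`c.IsMinified` in sink.go, literal `false` in resolver_sink.go and remediation/scan.go). Keeping Parse's signature and letting callers set `IsMinified` on their FileMetadata directly—sink.go already holds the value in `c`—would avoid the signature churn in parser_test.go and the risk of a stale `false`. If the flag stays on Parse, the doc comment above the signature should say so: `// isMinified is recorded on the returned ParsedDocument unchanged; the parser itself does not use it.`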
@@ -70,7 +70,7 @@ func TestParser_Empty(t *testing.T) { t.Errorf("Error building parser: %s", err) } for _, parser := range p { - docs, err := parser.Parse("test.json", nil, true) + docs, err := parser.Parse("test.json", nil, true, false) require.Nil(t, docs.Docs) require.Equal(t, model.FileKind(""), docs.Kind) require.Error(t, err) diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index afa81532c7d..6fdd5439c5c 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -115,8 +115,8 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool) log.Info().Msg("failed to get parser") return model.FileMetadatas{}, errors.New("failed to get parser") } - - documents, er := p[0].Parse(filePath, content, openAPIResolveReferences) + //aqui burro + documents, er := p[0].Parse(filePath, content, openAPIResolveReferences, false) if er != nil { log.Error().Msgf("failed to parse file '%s': %s", filePath, er) diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 168c72361fa..683afc6bcaa 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -54,7 +54,7 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { if len(extractedPaths.Path) == 0 { return nil, nil } - + //aqui querySource := source.NewFilesystemSource( c.ScanParams.QueriesPath, c.ScanParams.Platform, @@ -135,6 +135,8 @@ func (c *Client) executeScan(ctx context.Context) (*Results, error) { return nil, nil } + //ver aqui + //aqui é preenchido o contexto if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, c.ScanParams.OpenAPIResolveReferences, *c.ProBarBuilder, executeScanParameters.services); err != nil { log.Err(err) diff --git a/stuck.json b/stuck.json new file mode 100644 index 00000000000..ccbffe1910d --- /dev/null +++ b/stuck.json 
@@ -0,0 +1,216 @@ +{ + "document": [ + { + "swagger": "2.0", + "file": "C:/CxKics/comunidade/mini/swagger.json", + "id": "17b6ea4e-08cb-447f-8064-5f172f3aa2fc", + "definitions": {}, + "host": "apiapp-dev-lpd.azurewebsites.net", + "info": { + "title": "CCBCC.LAUNCHPAD.WebApi", + "version": "v1" + }, + "paths": { + "/api/BlobFileDownload": { + "get": { + "consumes": [], + "operationId": "BlobFileDownload_GetBlobFileDownload", + "produces": [ + "application/json", + "text/json", + "application/xml", + "text/xml" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "object" + } + } + }, + "tags": [ + "BlobFileDownload" + ] + } + }, + "/api/BlobFileDownload/{id}": { + "get": { + "consumes": [], + "operationId": "BlobFileDownload_Get", + "parameters": [ + { + "format": "int32", + "in": "path", + "name": "id", + "required": true, + "type": "integer" + } + ], + "produces": [ + "application/json", + "text/json", + "application/xml", + "text/xml" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "object" + } + } + }, + "tags": [ + "BlobFileDownload" + ] + } + } + }, + "schemes": [ + "https" + ] + }, + { + "file": "C:/CxKics/comunidade/mini/swagger_1.json", + "id": "e5f3635d-3131-47ab-8715-c671430035df", + "definitions": {}, + "host": "apiapp-cds-qa.azurewebsites.net", + "info": { + "title": "CCBCC.CDS.Server.LaunchPadApi", + "version": "v1" + }, + "paths": { + "/api/Document/GetAllLibraries": { + "get": { + "consumes": [], + "operationId": "Document_GetAllLibraries", + "parameters": [ + { + "in": "query", + "name": "SecretKey", + "required": true, + "type": "string" + }, + { + "in": "query", + "name": "exportCsv", + "required": false, + "type": "boolean" + } + ], + "produces": [ + "application/json", + "text/json", + "application/xml", + "text/xml" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "object" + } + } + }, + "tags": [ + "Document" + ] + } + }, + 
"/api/Document/GetDocumentDownload/{documentId}": { + "get": { + "consumes": [], + "operationId": "Document_GetDocumentDownload", + "parameters": [ + { + "in": "query", + "name": "SecretKey", + "required": true, + "type": "string" + }, + { + "in": "path", + "name": "documentId", + "required": true, + "type": "string" + } + ], + "produces": [ + "application/json", + "text/json", + "application/xml", + "text/xml" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "object" + } + } + }, + "tags": [ + "Document" + ] + } + }, + "/api/Document/GetDocumentsInLibrary": { + "get": { + "consumes": [], + "operationId": "Document_GetDocumentsInLibrary", + "parameters": [ + { + "in": "query", + "name": "SecretKey", + "required": true, + "type": "string" + }, + { + "in": "query", + "name": "libraryUrl", + "required": true, + "type": "string" + }, + { + "format": "int32", + "in": "query", + "name": "modifiedSinceEpoch", + "required": false, + "type": "integer" + }, + { + "format": "date-time", + "in": "query", + "name": "modifiedSince", + "required": false, + "type": "string" + } + ], + "produces": [ + "application/json", + "text/json", + "application/xml", + "text/xml" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "type": "object" + } + } + }, + "tags": [ + "Document" + ] + } + } + }, + "schemes": [ + "https" + ], + "swagger": "2.0" + } + ] +} From fb92690e969ae5b6def3d3ace20fccb2fd7643ac Mon Sep 17 00:00:00 2001 
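Review bot: stuck.json is a 216-line debugging dump committed at the repository root: it is a serialized scanner `document` array carrying a developer's local path (`C:/CxKics/comunidade/mini/swagger.json`) and two third-party `*.azurewebsites.net` hostnames, nothing else in the patch references it, and no later patch visible in this series removes it, so it would ship with the module. Drop it from the commit, or if it is meant as a regression input, move it under `test/fixtures/` with the hostnames, titles and path replaced by neutral placeholders. The same hostnames reappear in the `test/fixtures/minified_files_similarity_id/*.json` fixtures added later in the series and should be sanitized there as well.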
From: JoaoCxMartins Date: Mon, 15 Jan 2024 11:55:41 +0000 Subject: [PATCH 355/379] change logic + e2e --- e2e/fixtures/E2E_CLI_078_RESULT.json | 75 +++++++++++++++++++ ...2e-cli-078_similarity_id_minified_files.go | 27 +++++++ pkg/kics/service.go | 53 +++++-------- pkg/kics/sink.go | 2 +- .../minified_files_similarity_id/swagger.json | 1 + .../swagger_1.json | 1 + 6 files changed, 124 insertions(+), 35 deletions(-) create mode 100644 e2e/fixtures/E2E_CLI_078_RESULT.json create mode 100644 e2e/testcases/e2e-cli-078_similarity_id_minified_files.go create mode 100644 test/fixtures/minified_files_similarity_id/swagger.json create mode 100644 test/fixtures/minified_files_similarity_id/swagger_1.json diff --git a/e2e/fixtures/E2E_CLI_078_RESULT.json b/e2e/fixtures/E2E_CLI_078_RESULT.json new file mode 100644 index 00000000000..b6a0021fcab --- /dev/null +++ b/e2e/fixtures/E2E_CLI_078_RESULT.json 
@@ -0,0 +1,75 @@ +{ + "kics_version": "development", + "files_scanned": 2, + "lines_scanned": 2, + "files_parsed": 2, + "lines_parsed": 2, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 2, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 3, + "TRACE": 0 + }, + "total_counter": 3, + "total_bom_resources": 0, + "start": "2024-01-15T11:47:59.44764Z", + "end": "2024-01-15T11:48:03.7408356Z", + "paths": [ + "/path/test/fixtures/minified_files_similarity_id" + ], + "queries": [ + { + "query_name": "Pattern Undefined (v2)", + "query_id": "afde15cf-9444-4126-8c62-41cd79db1d1d", + "query_url": "https://swagger.io/specification/v2/#schemaObject", + "severity": "MEDIUM", + "platform": "OpenAPI", + "category": "Insecure Configurations", + "experimental": false, + "description": "String schema/parameter/header should have 'pattern' defined.", + "description_id": "16f07413", + "files": [ + { + "file_name": "path\\test\\fixtures\\minified_files_similarity_id\\e2e\\swagger_1.json", + "similarity_id": "8dbfdf18ee8ceaf7ea11cf6384e650dae90568011b1241c8292c062b670b1cec", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "paths.{{/api/Document/GetAllLibraries}}.get.parameters.type", + "search_line": 1, + "search_value": "", + "expected_value": "'pattern' should be defined", + "actual_value": "'pattern' is undefined" + }, + { + "file_name": "path\\test\\fixtures\\minified_files_similarity_id\\e2e\\swagger_1.json", + "similarity_id": "4ab2fd71196c89db11abe72cbc8a5bb461ee708820c01c663c179212609b214c", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "paths.{{/api/Document/GetDocumentDownload/{documentId}}}.get.parameters.type", + "search_line": 1, + "search_value": "", + "expected_value": "'pattern' should be defined", + "actual_value": "'pattern' is undefined" + }, + { + "file_name": 
"path\\test\\fixtures\\minified_files_similarity_id\\e2e\\swagger_1.json", + "similarity_id": "b7513d6ba4ddf6fde4f5fa5818423785826a8eb3b9930c502215aaf272eb9bd8", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "paths.{{/api/Document/GetDocumentsInLibrary}}.get.parameters.type", + "search_line": 1, + "search_value": "", + "expected_value": "'pattern' should be defined", + "actual_value": "'pattern' is undefined" + } + ] + } + ] +} diff --git a/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go b/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go new file mode 100644 index 00000000000..5822eca2fca --- /dev/null +++ b/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go @@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-078 - KICS scan +// should perform a scan and return three different similarity ids on the results +func init() { //nolint + testSample := TestCase{ + Name: "should perform a scan and return three different similarity ids on the results [E2E-CLI-078]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_078_RESULT", + "-p", "\"/path/test/fixtures/max_file_size\"", + "-i", "00b78adf-b83f-419c-8ed8-c6018441dd3a", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_078_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{40}, + } + + Tests = append(Tests, testSample) +} diff --git a/pkg/kics/service.go b/pkg/kics/service.go index f2f4bcec3ab..06277fc7600 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go @@ -1,7 +1,6 @@ package kics import ( - "bufio" "bytes" "context" "encoding/json" 
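Review bot: The E2E-CLI-078 case scans `-p "/path/test/fixtures/max_file_size"`, but the expected-result fixture added in the same patch lists `"paths": ["/path/test/fixtures/minified_files_similarity_id"]` and file names under `minified_files_similarity_id\e2e\swagger_1.json`, while the two swagger fixtures are created at `test/fixtures/minified_files_similarity_id/` with no `e2e` subdirectory; at least one of the three locations is wrong and the case cannot match its fixture as committed. The `-p` value looks copied from another case and should presumably be `"-p", "\"/path/test/fixtures/minified_files_similarity_id\"",`, with the `e2e\\` component dropped from the fixture file names or the fixtures moved, whichever reflects the real layout. The `-i 00b78adf-…` query filter names an ID that is not the one whose findings (`afde15cf-…`) appear in the expected result; confirm the filter's semantics and the ID, and add a line to the header comment explaining why it is there.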
@@ -138,7 +137,7 @@ type Content struct { getContent will read the passed file 1MB at a time to prevent resource exhaustion and return its content */ -func getContent(rc io.Reader, data []byte, maxSizeMB int) (*Content, error) { +func getContent(rc io.Reader, data []byte, maxSizeMB int, filename string) (*Content, error) { var content []byte countLines := 0 
@@ -165,47 +164,33 @@ func getContent(rc io.Reader, data []byte, maxSizeMB int) (*Content, error) { } c.Content = &content c.CountLines = countLines - isMinified, err := isMinified(&content) - if err != nil { - return c, err + + var isMinified bool + if strings.HasSuffix(filename, ".json") { + isMinified = isMinifiedJSON(string(content)) + } else if strings.HasSuffix(filename, ".yaml") || strings.HasSuffix(filename, ".yml") { + isMinified = isMinifiedYAML(string(content)) } c.IsMinified = isMinified return c, nil } -// heuristic to try to find the minified files -func isMinified(content *[]byte) (bool, error) { - file := bytes.NewReader(*content) - scanner := bufio.NewScanner(file) - lineCount := 0 - nonEmptyLineCount := 0 - - // Define a regular expression to match common patterns in minified files - minifiedPattern := regexp.MustCompile(`[;{}()]`) - - for scanner.Scan() { - lineCount++ - line := scanner.Text() - - // Skip empty lines - if strings.TrimSpace(line) == "" { - continue - } +func isMinifiedJSON(content string) bool { + // Define a regular expression to match common minification patterns + minifiedPattern := regexp.MustCompile(`\s+`) - nonEmptyLineCount++ + // Count the number of non-whitespace characters + nonWhitespaceCount := len(minifiedPattern.ReplaceAllString(content, "")) - // Check for common minification patterns - if minifiedPattern.MatchString(line) { - return true, nil - } - } + // 80% of non-whitespace characters + minifiedThreshold := 0.8 - // Check if the majority of non-empty lines are short - if nonEmptyLineCount > 0 && float64(len(scanner.Text()))/float64(nonEmptyLineCount) < 30 { - return true, nil - } + return float64(nonWhitespaceCount)/float64(len(content)) > minifiedThreshold +} - return false, nil +func isMinifiedYAML(content string) bool { + // Check for lack of indentation + return strings.Contains(content, "\n") && !strings.Contains(content, "\n ") } // GetVulnerabilities returns a list of scan detected vulnerabilities 
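Review bot: A false positive from these heuristics silently switches a file to the search-key-based similarity ID, so they need to be conservative, and isMinifiedYAML is not: `strings.Contains(content, "\n") && !strings.Contains(content, "\n ")` flags any flat YAML file—top-level scalars only, or a list written with `- ` at column 0—as minified although nothing was removed from it. isMinifiedJSON's 0.8 non-whitespace ratio is more defensible, but it recompiles `\s+` on every call; hoist it to a package-level `var whitespace = regexp.MustCompile(`\s+`)` (the division by `len(content)` is safe for empty input only because 0/0 yields NaN, which compares false—worth a comment). Consider requiring a minimum line length or file size before the YAML rule fires, and document each threshold at the function with its rationale. The same two functions are moved unchanged into pkg/minified/minified.go in a later patch of this series, so the fix applies there too.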
diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go index ca420e6d12d..b165d399144 100644 --- a/pkg/kics/sink.go +++ b/pkg/kics/sink.go @@ -32,7 +32,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string, s.Tracker.TrackFileFound() log.Debug().Msgf("Starting to process file %s", filename) - c, err := getContent(rc, data, s.MaxFileSize) + c, err := getContent(rc, data, s.MaxFileSize, filename) *c.Content = resolveCRLFFile(*c.Content) content := c.Content diff --git a/test/fixtures/minified_files_similarity_id/swagger.json b/test/fixtures/minified_files_similarity_id/swagger.json new file mode 100644 index 00000000000..fd702150f88 --- /dev/null +++ b/test/fixtures/minified_files_similarity_id/swagger.json @@ -0,0 +1 @@ +{"swagger":"2.0","info":{"version":"v1","title":"CCBCC.LAUNCHPAD.WebApi"},"host":"apiapp-dev-lpd.azurewebsites.net","schemes":["https"],"paths":{"/api/BlobFileDownload":{"get":{"tags":["BlobFileDownload"],"operationId":"BlobFileDownload_GetBlobFileDownload","consumes":[],"produces":["application/json","text/json","application/xml","text/xml"],"responses":{"200":{"description":"OK","schema":{"type":"object"}}}}},"/api/BlobFileDownload/{id}":{"get":{"tags":["BlobFileDownload"],"operationId":"BlobFileDownload_Get","consumes":[],"produces":["application/json","text/json","application/xml","text/xml"],"parameters":[{"name":"id","in":"path","required":true,"type":"integer","format":"int32"}],"responses":{"200":{"description":"OK","schema":{"type":"object"}}}}}},"definitions":{}} \ No newline at end of file diff --git a/test/fixtures/minified_files_similarity_id/swagger_1.json b/test/fixtures/minified_files_similarity_id/swagger_1.json new file mode 100644 index 00000000000..05b37c07aa2 --- /dev/null +++ b/test/fixtures/minified_files_similarity_id/swagger_1.json 
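Review bot: `c, err := getContent(rc, data, s.MaxFileSize, filename)` is followed on the next context line by `*c.Content = resolveCRLFFile(*c.Content)` before `err` is examined; the `if err != nil { return errors.Wrapf(err, "failed to get file content: %s", filename) }` check appears only in the later hunk of this file, after `content := c.Content`. If any error path of getContent returns a nil `*Content` (the one path visible in this series returns a populated `c`, the others are not shown), the dereference panics before the error is reported. Move the error check to immediately after the call; the enclosing sink method starts and ends outside the hunk.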
@@ -0,0 +1 @@ +{"swagger":"2.0","info":{"version":"v1","title":"CCBCC.CDS.Server.LaunchPadApi"},"host":"apiapp-cds-qa.azurewebsites.net","schemes":["https"],"paths":{"/api/Document/GetAllLibraries":{"get":{"tags":["Document"],"operationId":"Document_GetAllLibraries","consumes":[],"produces":["application/json","text/json","application/xml","text/xml"],"parameters":[{"name":"SecretKey","in":"query","required":true,"type":"string"},{"name":"exportCsv","in":"query","required":false,"type":"boolean"}],"responses":{"200":{"description":"OK","schema":{"type":"object"}}}}},"/api/Document/GetDocumentsInLibrary":{"get":{"tags":["Document"],"operationId":"Document_GetDocumentsInLibrary","consumes":[],"produces":["application/json","text/json","application/xml","text/xml"],"parameters":[{"name":"SecretKey","in":"query","required":true,"type":"string"},{"name":"libraryUrl","in":"query","required":true,"type":"string"},{"name":"modifiedSinceEpoch","in":"query","required":false,"type":"integer","format":"int32"},{"name":"modifiedSince","in":"query","required":false,"type":"string","format":"date-time"}],"responses":{"200":{"description":"OK","schema":{"type":"object"}}}}},"/api/Document/GetDocumentDownload/{documentId}":{"get":{"tags":["Document"],"operationId":"Document_GetDocumentDownload","consumes":[],"produces":["application/json","text/json","application/xml","text/xml"],"parameters":[{"name":"SecretKey","in":"query","required":true,"type":"string"},{"name":"documentId","in":"path","required":true,"type":"string"}],"responses":{"200":{"description":"OK","schema":{"type":"object"}}}}}},"definitions":{}} \ No newline at end of file From 165f6e39efaf0a6b0d2338c0a623f1e319a9a870 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 12:00:13 +0000 Subject: [PATCH 356/379] remove comment --- pkg/engine/vulnerability_builder.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index 2faf65371c5..7875efb0411 100644 --- a/pkg/engine/vulnerability_builder.go +++ b/pkg/engine/vulnerability_builder.go @@ -158,7 +158,7 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, } var similarityID *string - //aqui vamos usar o resolved file num map de string to boolean + if checkMinified(ctx, linesVulne.ResolvedFile) { similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, searchKey, searchValue) } else { From 9a5c19bb16a7e93240396d1a925151ada5ae5047 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 12:03:07 +0000 Subject: [PATCH 357/379] remove comments --- pkg/scan/scan.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 683afc6bcaa..168c72361fa 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -54,7 +54,7 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { if len(extractedPaths.Path) == 0 { return nil, nil } - //aqui + querySource := source.NewFilesystemSource( c.ScanParams.QueriesPath, c.ScanParams.Platform, @@ -135,8 +135,6 @@ func (c *Client) executeScan(ctx context.Context) (*Results, error) { return nil, nil } - //ver aqui - //aqui é preenchido o contexto if err = scanner.PrepareAndScan(ctx, c.ScanParams.ScanID, c.ScanParams.OpenAPIResolveReferences, *c.ProBarBuilder, executeScanParameters.services); err != nil { log.Err(err) From 4d0162fd17fcd3ed5d1ac18556c5694ec32af8c3 Mon Sep 17 00:00:00 2001 
From: JoaoCxMartins Date: Mon, 15 Jan 2024 14:48:06 +0000 Subject: [PATCH 358/379] move logic --- pkg/kics/resolver_sink.go | 7 +++++-- pkg/kics/service.go | 29 ++--------------------------- pkg/minified/minified.go | 33 +++++++++++++++++++++++++++++++++ pkg/remediation/scan.go | 7 +++++-- 4 files changed, 45 insertions(+), 31 deletions(-) create mode 100644 pkg/minified/minified.go diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index bf15d768719..9aecd3a60d5 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -5,6 +5,7 @@ import ( "context" "encoding/json" "fmt" + "github.com/Checkmarx/kics/pkg/minified" "sort" sentryReport "github.com/Checkmarx/kics/internal/sentry" @@ -29,8 +30,9 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope s.Tracker.TrackFileFound() countLines := bytes.Count(rfile.Content, []byte{'\n'}) + 1 s.Tracker.TrackFileFoundCountLines(countLines) - //burro aqui sff - documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences, false) + + isMinified := minified.IsMinified(rfile.FileName, rfile.Content) + documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences, isMinified) if err != nil { if documents.Kind == "break" { return []string{}, nil @@ -69,6 +71,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope LinesIgnore: documents.IgnoreLines, ResolvedFiles: documents.ResolvedFiles, LinesOriginalData: utils.SplitLines(string(rfile.OriginalData)), + IsMinified: documents.IsMinified, } s.saveToFile(ctx, &file) } diff --git a/pkg/kics/service.go b/pkg/kics/service.go index 06277fc7600..5bc18e6bfc9 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go 
@@ -5,13 +5,12 @@ import ( "context" "encoding/json" "io" - "regexp" - "strings" "sync" "github.com/Checkmarx/kics/pkg/engine" "github.com/Checkmarx/kics/pkg/engine/provider" "github.com/Checkmarx/kics/pkg/engine/secrets" + "github.com/Checkmarx/kics/pkg/minified" "github.com/Checkmarx/kics/pkg/model" "github.com/Checkmarx/kics/pkg/parser" "github.com/Checkmarx/kics/pkg/resolver" @@ -165,34 +164,10 @@ func getContent(rc io.Reader, data []byte, maxSizeMB int, filename string) (*Con c.Content = &content c.CountLines = countLines - var isMinified bool - if strings.HasSuffix(filename, ".json") { - isMinified = isMinifiedJSON(string(content)) - } else if strings.HasSuffix(filename, ".yaml") || strings.HasSuffix(filename, ".yml") { - isMinified = isMinifiedYAML(string(content)) - } - c.IsMinified = isMinified + c.IsMinified = minified.IsMinified(filename, content) return c, nil } -func isMinifiedJSON(content string) bool { - // Define a regular expression to match common minification patterns - minifiedPattern := regexp.MustCompile(`\s+`) - - // Count the number of non-whitespace characters - nonWhitespaceCount := len(minifiedPattern.ReplaceAllString(content, "")) - - // 80% of non-whitespace characters - minifiedThreshold := 0.8 - - return float64(nonWhitespaceCount)/float64(len(content)) > minifiedThreshold -} - -func isMinifiedYAML(content string) bool { - // Check for lack of indentation - return strings.Contains(content, "\n") && !strings.Contains(content, "\n ") -} - // GetVulnerabilities returns a list of scan detected vulnerabilities func (s *Service) GetVulnerabilities(ctx context.Context, scanID string) ([]model.Vulnerability, error) { return s.Storage.GetVulnerabilities(ctx, scanID) diff --git a/pkg/minified/minified.go b/pkg/minified/minified.go new file mode 100644 index 00000000000..3f0d96a2ba5 --- /dev/null +++ b/pkg/minified/minified.go 
@@ -0,0 +1,33 @@ +package minified + +import ( + "regexp" + "strings" +) + +func IsMinified(filename string, content []byte) bool { + if strings.HasSuffix(filename, ".json") { + return isMinifiedJSON(string(content)) + } else if strings.HasSuffix(filename, ".yaml") || strings.HasSuffix(filename, ".yml") { + return isMinifiedYAML(string(content)) + } + return false +} + +func isMinifiedJSON(content string) bool { + // Define a regular expression to match common minification patterns + minifiedPattern := regexp.MustCompile(`\s+`) + + // Count the number of non-whitespace characters + nonWhitespaceCount := len(minifiedPattern.ReplaceAllString(content, "")) + + // 80% of non-whitespace characters + minifiedThreshold := 0.8 + + return float64(nonWhitespaceCount)/float64(len(content)) > minifiedThreshold +} + +func isMinifiedYAML(content string) bool { + // Check for lack of indentation + return strings.Contains(content, "\n") && !strings.Contains(content, "\n ") +} diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index 6fdd5439c5c..3940a120d2a 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "errors" + "github.com/Checkmarx/kics/pkg/minified" "time" "github.com/Checkmarx/kics/pkg/engine" @@ -115,8 +116,9 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool) log.Info().Msg("failed to get parser") return model.FileMetadatas{}, errors.New("failed to get parser") } - //aqui burro - documents, er := p[0].Parse(filePath, content, openAPIResolveReferences, false) + + isMinified := minified.IsMinified(filePath, content) + documents, er := p[0].Parse(filePath, content, openAPIResolveReferences, isMinified) if er != nil { log.Error().Msgf("failed to parse file '%s': %s", filePath, er) 
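Review bot: `isMinifiedJSON` in the new `minified.go` compiles the `\s+` regexp on every call and then materialises a whitespace-stripped copy of the whole file, on top of the `string(content)` copy `IsMinified` already makes, so each scanned JSON file costs roughly three times its size in transient allocations, and empty content produces a `0/0` NaN ratio that only happens to compare false against the threshold. A byte loop over the same five characters RE2's `\s` matches needs no regexp and no copies, an explicit empty guard makes the degenerate case intentional, and the `regexp` import can then be dropped. The YAML heuristic also treats any multi-line file with no line starting with a space (flat `key: value` documents, for instance) as minified, while a one-line flow-style document with no trailing newline is reported as not minified; since this flag presumably selects how similarity IDs are computed downstream, a misclassification silently changes result identifiers, so the limits deserve a comment such as `// Heuristic: multi-line YAML with no indented line is treated as minified; flat top-level documents are false positives.` Suggested replacement for the JSON path:
```go
// minifiedThreshold is the share of non-whitespace bytes above which a JSON file is treated as minified.
const minifiedThreshold = 0.8

func IsMinified(filename string, content []byte) bool {
	if strings.HasSuffix(filename, ".json") {
		return isMinifiedJSON(content)
	} else if strings.HasSuffix(filename, ".yaml") || strings.HasSuffix(filename, ".yml") {
		return isMinifiedYAML(string(content))
	}
	return false
}

// isMinifiedJSON reports whether more than minifiedThreshold of content is non-whitespace,
// counting the same byte set RE2's \s matches, without allocating a copy of the file.
func isMinifiedJSON(content []byte) bool {
	if len(content) == 0 {
		return false // an empty file is not minified; this also avoids a 0/0 NaN ratio
	}
	nonWhitespace := 0
	for _, b := range content {
		switch b {
		case ' ', '\t', '\n', '\f', '\r':
		default:
			nonWhitespace++
		}
	}
	return float64(nonWhitespace)/float64(len(content)) > minifiedThreshold
}

// … unchanged: isMinifiedYAML …
```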
@@ -138,6 +140,7 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool) Commands: p[0].CommentsCommands(filePath, content), OriginalData: string(content), LinesOriginalData: utils.SplitLines(string(content)), + IsMinified: documents.IsMinified, } files = append(files, file) From 02541a0abcc2de3a553580775d70d8e8e78578c2 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 14:51:16 +0000 Subject: [PATCH 359/379] clean --- pkg/kics/resolver_sink.go | 2 +- pkg/remediation/scan.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index 9aecd3a60d5..d7d24a4c877 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -5,10 +5,10 @@ import ( "context" "encoding/json" "fmt" - "github.com/Checkmarx/kics/pkg/minified" "sort" sentryReport "github.com/Checkmarx/kics/internal/sentry" + "github.com/Checkmarx/kics/pkg/minified" "github.com/Checkmarx/kics/pkg/model" "github.com/Checkmarx/kics/pkg/utils" "github.com/google/uuid" diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index 3940a120d2a..ed83a465a66 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -4,11 +4,11 @@ import ( "context" "encoding/json" "errors" - "github.com/Checkmarx/kics/pkg/minified" "time" "github.com/Checkmarx/kics/pkg/engine" "github.com/Checkmarx/kics/pkg/kics" + "github.com/Checkmarx/kics/pkg/minified" "github.com/Checkmarx/kics/pkg/model" "github.com/Checkmarx/kics/pkg/scan" "github.com/open-policy-agent/opa/topdown" From 6ad3033fb45c2b2ba047154f4cb0c6bbdd526a65 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 14:53:23 +0000 Subject: [PATCH 360/379] clean --- pkg/engine/vulnerability_builder.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index 7875efb0411..543684969cb 100644 --- a/pkg/engine/vulnerability_builder.go 
+++ b/pkg/engine/vulnerability_builder.go @@ -53,8 +53,12 @@ func modifyVulSearchKeyReference(doc interface{}, originalSearchKey string, stri } // DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan -var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, - v interface{}, detector *dec.DetectLine) (*model.Vulnerability, error) { +var DefaultVulnerabilityBuilder = func( + ctx *QueryContext, + tracker Tracker, + v interface{}, + detector *dec.DetectLine, +) (*model.Vulnerability, error) { vObj, ok := v.(map[string]interface{}) if !ok { return &model.Vulnerability{}, ErrInvalidResult From 64e77144ddf855d11f0d0a815195aef23a60b451 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 15:01:04 +0000 Subject: [PATCH 361/379] performance --- pkg/engine/vulnerability_builder.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index 543684969cb..37480328396 100644 --- a/pkg/engine/vulnerability_builder.go +++ b/pkg/engine/vulnerability_builder.go @@ -210,9 +210,9 @@ var DefaultVulnerabilityBuilder = func( } func checkMinified(ctx *QueryContext, resolvedFile string) bool { - for _, file := range ctx.Files { - if file.FilePath == resolvedFile { - return file.IsMinified + for i := range ctx.Files { + if ctx.Files[i].FilePath == resolvedFile { + return ctx.Files[i].IsMinified } } return false From c61be076a17052b13549a210945c9a17cb596dfd Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 15:04:53 +0000 Subject: [PATCH 362/379] clean --- pkg/engine/vulnerability_builder.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index 37480328396..b084e257155 100644 --- a/pkg/engine/vulnerability_builder.go +++ b/pkg/engine/vulnerability_builder.go 
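Review bot: `checkMinified` still performs a linear scan of `ctx.Files` for every vulnerability the builder emits, so switching to an index loop in this hunk saves only a struct copy per iteration while the overall cost stays O(results × files); if `ctx.Files` is populated once per query context, a `map[string]bool` keyed by `FilePath` built alongside it would remove the scan entirely and match the "performance" intent of the commit subject. The function also returns `false` when the path is not found, which silently falls back to the line-based similarity ID for any file the lookup misses; that default is worth recording with a comment such as `// Unknown paths are treated as not minified, so their similarity ID stays line-based.`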
@@ -53,12 +53,7 @@ func modifyVulSearchKeyReference(doc interface{}, originalSearchKey string, stri } // DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan -var DefaultVulnerabilityBuilder = func( - ctx *QueryContext, - tracker Tracker, - v interface{}, - detector *dec.DetectLine, -) (*model.Vulnerability, error) { +var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v interface{}, detector *dec.DetectLine) (*model.Vulnerability, error) { vObj, ok := v.(map[string]interface{}) if !ok { return &model.Vulnerability{}, ErrInvalidResult From e9c6c7f35a2a9e5c2a85c4d85dccf9fceaf157ee Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 16:03:55 +0000 Subject: [PATCH 363/379] wip --- pkg/engine/vulnerability_builder.go | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index b084e257155..4808993da34 100644 --- a/pkg/engine/vulnerability_builder.go +++ b/pkg/engine/vulnerability_builder.go @@ -53,7 +53,10 @@ func modifyVulSearchKeyReference(doc interface{}, originalSearchKey string, stri } // DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan -var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v interface{}, detector *dec.DetectLine) (*model.Vulnerability, error) { +var DefaultVulnerabilityBuilder = func(ctx *QueryContext, + tracker Tracker, + v interface{}, + detector *dec.DetectLine) (*model.Vulnerability, error) { vObj, ok := v.(map[string]interface{}) if !ok { return &model.Vulnerability{}, ErrInvalidResult 
@@ -155,14 +158,7 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v int if v := mustMapKeyToString(vObj, "issueType"); v != nil { issueType = model.IssueType(*v) } - - var similarityID *string - - if checkMinified(ctx, linesVulne.ResolvedFile) { - similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, searchKey, searchValue) - } else { - similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, similarityIDLineInfo, searchValue) - } + similarityID, err := buildSimilarityID(ctx, linesVulne.ResolvedFile, queryID, searchKey, similarityIDLineInfo, searchValue) if err != nil { logWithFields.Err(err).Send() @@ -204,6 +200,20 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v int }, nil } +func buildSimilarityID( + ctx *QueryContext, + resolvedFile, + queryID, + searchKey, + similarityIDLineInfo, + searchValue string) (*string, error) { + if checkMinified(ctx, resolvedFile) { + return similarity.ComputeSimilarityID(ctx.BaseScanPaths, resolvedFile, queryID, searchKey, searchValue) + } else { + return similarity.ComputeSimilarityID(ctx.BaseScanPaths, resolvedFile, queryID, similarityIDLineInfo, searchValue) + } +} + func checkMinified(ctx *QueryContext, resolvedFile string) bool { for i := range ctx.Files { if ctx.Files[i].FilePath == resolvedFile { From 7352b5a2ba229a791422ead2b6c5e7903affab0c Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 16:41:50 +0000 Subject: [PATCH 364/379] fix --- test/main_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/main_test.go b/test/main_test.go index 2037e3c40a6..c748caba8a7 100644 --- a/test/main_test.go +++ b/test/main_test.go 
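Review bot: The `else` after `return` in the new `buildSimilarityID` is redundant and the kind of construct revive-style linters flag (the repo already carries `//nolint` markers elsewhere in this series), and the helper carries no doc comment explaining why minified files switch the similarity-ID input from `similarityIDLineInfo` to `searchKey`. Dropping the `else` and adding a comment along the lines of `// buildSimilarityID derives the ID from searchKey instead of line information for minified files, so it stays stable when a one-line document is reformatted.` would capture the design decision the rest of this series depends on; the apparent tradeoff that two results in the same minified file with identical query, searchKey and searchValue would share an ID is worth stating there as well. `DefaultVulnerabilityBuilder`, whose body the first hunk on this line edits, starts and ends outside that hunk.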
@@ -170,7 +170,7 @@ func getFilesMetadatasWithContent(t testing.TB, filePath string, content []byte) files := make(model.FileMetadatas, 0) for _, parser := range combinedParser { - docs, err := parser.Parse(filePath, content, true) + docs, err := parser.Parse(filePath, content, true, false) for _, document := range docs.Docs { require.NoError(t, err) files = append(files, model.FileMetadata{ From 6318b5e9127e3b62b02a51ed47e725ace5d99b58 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Mon, 15 Jan 2024 18:40:12 +0000 Subject: [PATCH 365/379] Adding a new line on the note in the CycloneDX documentation --- docs/results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/results.md b/docs/results.md index f29fc73ded8..e8f88bfcb57 100644 --- a/docs/results.md +++ b/docs/results.md 
@@ -620,7 +620,7 @@ PDF reports are sorted by severity (from high to info), the results will have qu ## CycloneDX -Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd). +Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd). **Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5. From 3adf3c0bfa62e2270c3b08a59334f1ab3e7ccd99 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 15 Jan 2024 21:56:17 +0000 Subject: [PATCH 366/379] fix --- e2e/testcases/e2e-cli-078_similarity_id_minified_files.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go b/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go index 5822eca2fca..829ad77767c 100644 --- a/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go +++ b/e2e/testcases/e2e-cli-078_similarity_id_minified_files.go 
@@ -9,7 +9,7 @@ func init() { //nolint Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_078_RESULT", - "-p", "\"/path/test/fixtures/max_file_size\"", + "-p", "\"/path/test/fixtures/minified_files_similarity_id\"", "-i", "00b78adf-b83f-419c-8ed8-c6018441dd3a", }, }, From 47eea8011e0dd36a66f50d2a5d614dad6258b0c9 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 16 Jan 2024 10:12:39 +0000 Subject: [PATCH 367/379] unit tests --- pkg/minified/minified_test.go | 59 +++++++++++++++++++ .../fixtures/test_minified/giantminified.json | 1 + 2 files changed, 60 insertions(+) create mode 100644 pkg/minified/minified_test.go create mode 100644 test/fixtures/test_minified/giantminified.json diff --git a/pkg/minified/minified_test.go b/pkg/minified/minified_test.go new file mode 100644 index 00000000000..2713e84cb50 --- /dev/null +++ b/pkg/minified/minified_test.go 
@@ -0,0 +1,59 @@ +package minified + +import ( + "github.com/stretchr/testify/assert" + "os" + "testing" +) + +func Test_IsMinified(t *testing.T) { + giantMinifiedJson, _ := os.ReadFile("../../test/fixtures/test_minified/giantminified.json") + tests := []struct { + name string + nameFile string + args []byte + want bool + }{ + { + name: "Mini minified file json", + nameFile: "test.json", + want: true, + args: []byte("{\"swagger\":\"2.0\",\"info\":{\"version\":\"v1\",\"title\":\"CCBCC.LAUNCHPAD.WebApi\"},\"host\":\"apiapp-dev-lpd.azurewebsites.net\",\"schemes\":[\"https\"],\"paths\":{\"/api/BlobFileDownload\":{\"get\":{\"tags\":[\"BlobFileDownload\"],\"operationId\":\"BlobFileDownload_GetBlobFileDownload\",\"consumes\":[],\"produces\":[\"application/json\",\"text/json\",\"application/xml\",\"text/xml\"],\"responses\":{\"200\":{\"description\":\"OK\",\"schema\":{\"type\":\"object\"}}}}},\"/api/BlobFileDownload/{id}\":{\"get\":{\"tags\":[\"BlobFileDownload\"],\"operationId\":\"BlobFileDownload_Get\",\"consumes\":[],\"produces\":[\"application/json\",\"text/json\",\"application/xml\",\"text/xml\"],\"parameters\":[{\"name\":\"id\",\"in\":\"path\",\"required\":true,\"type\":\"integer\",\"format\":\"int32\"}],\"responses\":{\"200\":{\"description\":\"OK\",\"schema\":{\"type\":\"object\"}}}}}},\"definitions\":{}}"), + }, + { + name: "Huge minified file json", + nameFile: "test.json", + want: true, + args: giantMinifiedJson, + }, + { + name: "File not json not yaml", + nameFile: "test.tf", + want: false, + args: []byte(""), + }, + { + name: "Mini minified file yaml", + nameFile: "test.yml", + want: true, + args: []byte("[{name: my_elb_application, community.aws.elb_application_lb: {name: myelb, security_groups: [sg-12345678, my-sec-group], subnets: [subnet-012345678, subnet-abcdef000], listeners: [{Protocol: HTTP, Port: 80, SslPolicy: ELBSecurityPolicy-2015-05, Certificates: [{CertificateArn: 'arn:aws:iam::12345678987:server-certificate/test.domain.com'}], DefaultActions: 
[{Type: forward, TargetGroupName: targetname}]}], state: present}}, {name: my_elb_application2, community.aws.elb_application_lb: {name: myelb2, security_groups: [sg-12345678, my-sec-group], subnets: [subnet-012345678, subnet-abcdef000], listeners: {Port: 80, SslPolicy: ELBSecurityPolicy-2015-05, Certificates: [{CertificateArn: 'arn:aws:iam::12345678987:server-certificate/test.domain.com'}], DefaultActions: [{Type: forward, TargetGroupName: targetname}]}, state: present}}]"), + }, + { + name: "Not minified file yaml", + nameFile: "test.yml", + want: false, + args: []byte("- name: my_elb_application\n community.aws.elb_application_lb:\n name: myelb\n security_groups:\n - sg-12345678\n - my-sec-group\n subnets:\n - subnet-012345678\n - subnet-abcdef000\n listeners:\n - Protocol: HTTP\n Port: 80\n SslPolicy: ELBSecurityPolicy-2015-05\n Certificates:\n - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com\n DefaultActions:\n - Type: forward\n TargetGroupName: targetname\n state: present\n- name: my_elb_application2\n community.aws.elb_application_lb:\n name: myelb2\n security_groups:\n - sg-12345678\n - my-sec-group\n subnets:\n - subnet-012345678\n - subnet-abcdef000\n listeners:\n Port: 80\n SslPolicy: ELBSecurityPolicy-2015-05\n Certificates:\n - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com\n DefaultActions:\n - Type: forward\n TargetGroupName: targetname\n state: present\n"), + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := IsMinified(tt.nameFile, tt.args) + if tt.want { + assert.True(t, result, tt.name) + } else { + assert.False(t, result, tt.name) + } + }) + } +} diff --git a/test/fixtures/test_minified/giantminified.json b/test/fixtures/test_minified/giantminified.json new file mode 100644 index 00000000000..662ad74ffdc --- /dev/null +++ b/test/fixtures/test_minified/giantminified.json 
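Review bot: The "Mini minified file yaml" case expects `true`, but its input literal contains no `\n` as rendered here, and `isMinifiedYAML` in the `minified.go` introduced earlier in this series requires `strings.Contains(content, "\n")` before reporting a file as minified, so this case should fail unless the heuristic is changed in a later patch or a newline is present that the rendering hides; either append a trailing newline to the fixture or decide that single-line YAML counts as minified and relax the check. Separately, `giantMinifiedJson, _ := os.ReadFile(...)` discards the read error, so a wrong fixture path feeds empty content to the "Huge minified file json" case and the failure would surface as a wrong classification rather than a missing file; use `giantMinifiedJson, err := os.ReadFile("../../test/fixtures/test_minified/giantminified.json")` followed by `require.NoError(t, err)`. The import block also places `github.com/stretchr/testify/assert` ahead of the standard-library imports, the same ordering patch 359 in this series corrects for `resolver_sink.go` and `scan.go`.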
@@ -0,0 +1 @@ +{"openapi":"3.0.1","info":{"title":"Onshape REST API","description":"## Welcome to the Onshape REST API Explorer\n\nTo use this API explorer, sign in to your Onshape account in another tab, then click the **Try it out** button below (it toggles to a **Cancel** button when selected).\n\nSee the **[API Explorer Guide](https://onshape-public.github.io/docs/api-intro/explorer/)** for help navigating this API Explorer, including **[authenticating](https://onshape-public.github.io/docs/api-intro/explorer/#authentication)**.\n\n## See Also\n\n* [Onshape API Guide](https://onshape-public.github.io/docs/): Our full suite of API documentation, to be used as an accompaniment to this API Explorer.\n* [Onshape Developer Portal](https://dev-portal.onshape.com/): The Onshape portal for managing your API keys, OAuth2 credentials, your Onshape applications, and your Onshape App Store entries.\n* [Authentication Guide](https://onshape-public.github.io/docs/auth/): Our guide to using API keys, request signatures, and OAuth2 in your Onshape applications.\n","termsOfService":"https://www.onshape.com/legal/terms-of-use","contact":{"email":"api-support@onshape.zendesk.com"},"license":{"name":"Apache 2.0","url":"http://www.apache.org/licenses/LICENSE-2.0.html"},"version":"","x-logo":{"url":"images/logo-onshape-gray-green.svg","backgroundColor":"#ffffff","altText":"Onshape","href":"images/logo-onshape-gray-green.svg"},"x-indeterministic-schemas":["BTDiffInfo","BTParameterSpecArray-2600","BTSplineDescription-2118","NodeModel","BTPFunctionDeclaration-246","BTPFunctionOrPredicateDeclaration-247","BTPExpression-9","SkinModel"]},"security":[{"BasicAuth":[]}],"tags":[{"name":"APIApplication","description":"Manage application preferences."},{"name":"Account","description":"Manage user purchases, subscriptions, and consumables."},{"name":"Alias","description":"Create and manage enterprise aliases. 
(Enterprise admins only.)"},{"name":"AppAssociativeData","description":"Manage the application-specific metadata that associates application data with Onshape data."},{"name":"AppCache","description":"Caching support for application elements."},{"name":"AppElement","description":"Access and modify application elements."},{"name":"Assembly","description":"Create and manage assemblies."},{"name":"Billing","description":"Get billing plan data for applications."},{"name":"BlobElement","description":"Create, modify, and translate blob elements."},{"name":"Classroom","description":"Modify and access classroom information."},{"name":"Comment","description":"Create, read, update, and delete comments."},{"name":"Company","description":"Access company information."},{"name":"ContentSecurityPolicy","description":"API related to Content Security Policy."},{"name":"Document","description":"Create and manage documents."},{"name":"Drawing","description":"Access, create, and translate drawings."},{"name":"Element","description":"Access and manage Elements."},{"name":"ElementLibrary","description":"Access Element Library."},{"name":"Event","description":"Fire events."},{"name":"ExportRule","description":"Access valid export rules."},{"name":"FeatureStudio","description":"Access and manage Feature Studio Elements."},{"name":"Folder","description":"Access and modify folder sharing permissions."},{"name":"GlobalTreeNode","description":"Manage and retrieve folders."},{"name":"Insertable","description":"Access the list of things that can be inserted into a document."},{"name":"KeyboardShortcut","description":"Access and modify keyboard shortcuts for user"},{"name":"Metadata","description":"Access and modify metadata."},{"name":"MetadataCategory","description":"Access properties associated with metadata categories."},{"name":"NumberingScheme","description":"Manage the set of valid Part numbers."},{"name":"OpenApi","description":"Get the OpenAPI specification for the Onshape 
API."},{"name":"PLMIntegration","description":"Manage PLM Integrations."},{"name":"Part","description":"Export Parts and access Part details."},{"name":"PartNumber","description":"Create valid part numbers."},{"name":"PartStudio","description":"Access and modify Part Studios."},{"name":"PropertiesTableTemplate","description":"Create, access, and delete templates for properties tables."},{"name":"Provisioning","description":"Endpoints for provisioning."},{"name":"Publication","description":"Access publication information."},{"name":"ReleasePackage","description":"Access and update Release Management workflows."},{"name":"Revision","description":"Access, delete, and enumerate revisions."},{"name":"Simulation","description":"Access and manipulate simulations."},{"name":"Sketch","description":"Access sketch information."},{"name":"Team","description":"Access team information."},{"name":"Thumbnail","description":"Access, modify, and delete thumbnails."},{"name":"Translation","description":"Import and export Onshape surfaces, parts, Part Studios, Assemblies, and subassemblies to/from other file formats (STL, PARASOLID, SOLIDWORKS, etc)."},{"name":"User","description":"Access user information."},{"name":"Variables","description":"Create, modify, and access variables."},{"name":"Version","description":"Get all versions of the Onshape REST APIs."},{"name":"Webhook","description":"Create and manage [webhooks](https://onshape-public.github.io/docs/app-dev/webhook/)."},{"name":"Workflow","description":"Access and modify workflows."},{"name":"OAuth2.0","description":"OAuth 2.0 endpoints."}],"paths":{"/accounts/consistency/{uid}":{"get":{"tags":["Account"],"description":"Runs consistency checks for accounts, purchases, purchase users. 
Cleans whatever data that cane","operationId":"checkConsistency","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/paymentHistory":{"get":{"tags":["Account"],"description":"Get all PRO monthly and yearly account payment history information in given startDate and endDate","operationId":"getPaymentHistoryByDateRange","parameters":[{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"endDate","in":"query","schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPaymentHistoryAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/paymentHistory/all":{"get":{"tags":["Account"],"description":"Get all PRO monthly and yearly account payment history information in given startDate and endDate","operationId":"getAllPaymentHistoryByDateRange","parameters":[{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"endDate","in":"query","schema":{"type":"string"}},{"name":"accountsWithAddress","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPaymentHistoryAdminInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/plans/{planId}/purchases":{"get":{"tags":["Account"],"summary":"Get a list of all app purchases made for the 
specified plan.","operationId":"getPlanPurchases","parameters":[{"name":"planId","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/accounts/purchases":{"get":{"tags":["Account"],"summary":"Get a list of all app purchases made by the current user.","description":"This API should be used within the context of an OAuth-enabled application.","operationId":"getPurchases","parameters":[{"name":"all","in":"query","schema":{"type":"boolean","default":false}},{"name":"ownPurchaseOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeGoDEnabledAppPurchases","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Account"],"description":"API for letting users purchase app store items. Users password, plan ID and quantity are required","operationId":"purchase","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/accounts/purchases/{pid}":{"delete":{"tags":["Account"],"description":"Cancel a recurring subscription. 
This API is expected to be used in a context of OAuth-enabled","operationId":"cancelPurchase","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"INTERNAL"}},"/accounts/purchases/{pid}/consume":{"post":{"tags":["Account"],"summary":"Mark a purchase as consumed by the current user.","operationId":"consumePurchase","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseUserParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"PRODUCTION"}},"/accounts/purchases/{pid}/undo":{"delete":{"tags":["Account"],"description":"Undo cancel recurring subscription.","operationId":"undoCancelPurchase","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"INTERNAL"}},"/accounts/purchases/{pid}/users":{"get":{"tags":["Account"],"description":"Get purchase 
members","operationId":"getUsers","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPurchaseUserInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/accounts/purge/{aid}":{"delete":{"tags":["Account"],"description":"Purge (hard delete) the user account. This API is only for ADMIN users.","operationId":"deleteUserAccount","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/users/{uid}":{"get":{"tags":["Account"],"operationId":"getAccountsByUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"isOwner","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTBillingAccountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}":{"get":{"tags":["Account"],"operationId":"getAccount","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingAccountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/allowPromonthly":{"post":{"tags":["Account"],"description":"updates the billing account to 
allow or disallow a user purchase PRO_MONTHLY_125 plan.","operationId":"allowProMonthlyForAccount","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingAccountParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/card":{"get":{"tags":["Account"],"description":"Returns card information for specified account. If account is not found or if current user is not","operationId":"getCard","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCardInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Account"],"description":"Add or update credit card to users account. If the user does not have an account a HTTP 404 will","operationId":"addUpdateCard","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCardParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCardInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Account"],"description":"Delete card associated with the current users account. 
The user should not have active","operationId":"deleteCard","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/paymentHistory":{"get":{"tags":["Account"],"description":"Get the billing history for an account","operationId":"getPaymentHistory","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPaymentHistorySummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/paymentHistory/{cid}":{"get":{"tags":["Account"],"description":"Get an invoice for a subscription payment","operationId":"getInvoice","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPaymentHistoryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/paymentHistory/{cid}/pdf":{"get":{"tags":["Account"],"description":"Get the PDF invoice for a subscription payment from Zuora","operationId":"getInvoiceAsPDF","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/pdf":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/paymentHistory/{pid}":{"delete":{"tags":["Account"],"description":"Delete a selected payment history record from db","operationId":"deletePaymentHistoty","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchasePreview":{"post":{"tags":["Account"],"description":"API for letting users preview the purchase of an upgrade or product. Returned details include sales tax for purchase","operationId":"purchasePreview","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases":{"post":{"tags":["Account"],"description":"API for letting users purchase app store items. 
Users password, plan ID and quantity are","operationId":"purchaseNew","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/admin":{"get":{"tags":["Account"],"operationId":"getPurchasesForAccount","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Account"],"description":"Deletes all duplicate purchases for an account, and an app retaining one purchase. If app id is","operationId":"deleteDuplicatePurchasesForAccount","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"retain","in":"query","required":true,"schema":{"type":"string"}},{"name":"appid","in":"query","schema":{"type":"string"}},{"name":"dryRun","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/users/{uid}":{"get":{"tags":["Account"],"description":"Returns list of application purchases for the passed in user. 
This API is expected to be used","operationId":"getPurchasesForUser","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"all","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeGoDEnabledAppPurchases","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}":{"get":{"tags":["Account"],"description":"Get details about a given purchase.","operationId":"getPurchase","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Account"],"summary":"Cancel a recurring subscription for the specified account ID and purchase ID.","operationId":"cancelPurchaseNew","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cancelImmediately","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"PRODUCTION"}},"/accounts/{aid}/purchases/{pid}/changePlan":{"post":{"tags":["Account"],"description":"Change plan for a 
purchase.","operationId":"changePlan","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/delete":{"delete":{"tags":["Account"],"description":"Delete the Purchase and associated PurchaseUsers.","operationId":"deletePurchaseNew","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"purge","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/expireTrial":{"post":{"tags":["Account"],"description":"Expire Trial plan for a purchase.","operationId":"expireTrialPlan","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/extendTrial":{"post":{"tags":["Account"],"description":"extend trial period of an active trial plan 
account.","operationId":"extendTrial","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExtendTrialParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/paymentType":{"post":{"tags":["Account"],"operationId":"changePaymentType","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPaymentTypeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/purchaseUserCount":{"get":{"tags":["Account"],"description":"Get the number of purchase users","operationId":"getPurchaseUserCount","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"type","in":"query","schema":{"type":"string","default":"all"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserCountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/seats":{"post":{"tags":["Account"],"description":"Change number of seats for a 
purchase.","operationId":"changeSeatsNew","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSeatsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/syncUsers":{"post":{"tags":["Account"],"description":"Sync company users with purchase users","operationId":"syncCompanyUsersWithPurchaseUsers","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/trails":{"get":{"tags":["Account"],"description":"Get the purchase trails for a purchase","operationId":"getPurchaseTrails","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPurchaseTrailInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/undo":{"delete":{"tags":["Account"],"summary":"Cancel a recurring subscription for the 
specified account ID and purchase ID.","description":"Undo cancel recurring subscription.","operationId":"undoCancelPurchaseNew","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/users":{"get":{"tags":["Account"],"description":"Get purchase members","operationId":"getUsersNew","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPurchaseUserInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Account"],"description":"Adds user to purchase","operationId":"addUser","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseUserParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseUserInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{aid}/purchases/{pid}/users/{uid}":{"get":{"tags":["Account"],"description":"Get 
purchase user","operationId":"getPurchaseUser","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPurchaseUserInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Account"],"description":"Remove user from purchase","operationId":"removeUser","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/accounts/{cid}/availableSeats":{"get":{"tags":["Account"],"description":"Gets available seats on a purchase, purchase seats minus company user count","operationId":"getAvailableSeats","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAvailableSeatsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/cache":{"get":{"tags":["Admin"],"description":"Get invitation info for an admin","operationId":"getCaches","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCacheInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Admin"],"description":"Clear application 
cache","operationId":"flush","parameters":[{"name":"name","in":"query","required":true,"schema":{"type":"string"}},{"name":"key","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/cache/operationcounts":{"delete":{"tags":["Admin"],"description":"Clear cache operation counts","operationId":"clearCacheOperationCounts","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/cache/{cacheName}/{cacheKey}":{"get":{"tags":["Admin"],"description":"Gets the value of an item in the cache","operationId":"getCacheItem","parameters":[{"name":"cacheName","in":"path","required":true,"schema":{"type":"string"}},{"name":"cacheKey","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCacheItemInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/cacheflushall":{"delete":{"tags":["Admin"],"summary":"Flush Memcached in all regions.","description":"Use with caution: Flushes Memcached in all regions.","operationId":"cacheFlushAll","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/commandsearch/get":{"get":{"tags":["Admin"],"description":"get command search source information","operationId":"getCommandSearchInfo","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommandSearchInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/commandsearch/save":{"post":{"tags":["Admin"],"description":"Save curated list of Command Search Options","operationId":"saveCommandSearch","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommandSearchInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/config/system":{"get":{"tags":["Admin"],"description":"Get system configuration","operationId":"getConfig","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTSystemConfigInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Admin"],"description":"Save system configuration key/value.","operationId":"setSystemConfig","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/dbviewer/config":{"get":{"tags":["Admin"],"description":"Get db viewer configuration","operationId":"getDBViewerConfig","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerConfigInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Admin"],"description":"Update db viewer 
configuration.","operationId":"updateDBViewerConfig","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerConfig"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerConfigInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/dbviewer/indices":{"post":{"tags":["Admin"],"description":"List the indices for mongo collection.","operationId":"listIndices","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerQueryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerQueryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/dbviewer/query":{"post":{"tags":["Admin"],"description":"Return mongo documents in a collection matching the search query.","operationId":"queryDBViewer","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerQueryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerQueryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/dbviewer/queryCount":{"post":{"tags":["Admin"],"description":"Returns the count of mongo documents that would match the query.","operationId":"queryCountDBViewer","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerQueryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDBViewerQueryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/bulkUpdate":{"post":{"tags":["Admin"],"description":"Edit property of multiple documents","operationId":"bulkDocumentUpdate","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBulkDocumentUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTBulkDocumentUpdateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/debugInfo":{"get":{"tags":["Admin"],"description":"Get all document debug information","operationId":"getDocumentDebugInfo","parameters":[{"name":"documentId","in":"query","required":true,"schema":{"type":"string"}},{"name":"includeDetails","in":"query","schema":{"type":"boolean","default":false}},{"name":"modServer","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/resetAll":{"post":{"tags":["Admin"],"description":"Edits a property of multiple documents","operationId":"resetAll","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTResetSkipUpgradeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/blocklist/{val}":{"post":{"tags":["Admin"],"description":"Set whether or not to skip an upgrade for a document","operationId":"blocklist","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"val","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/clearComputedPropertyCache":{"post":{"tags":["Admin"],"description":"Clear computed part and assembly property cache","operationId":"clearComputedPropertyCache","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"modServer","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/clearMicroversionCache":{"post":{"tags":["Admin"],"description":"Evict a document's microversions from memcached","operationId":"clearMicroversionCache","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"modServer","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/clearsectiondata":{"delete":{"tags":["Admin"],"operationId":"clearSectionData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/documentOptions":{"post":{"tags":["Admin"],"description":"Change the document debug options","operationId":"updateDocumentOptions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentOptionsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentOptions"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/kill":{"post":{"tags":["Admin"],"description":"Kill a document","operationId":"kill","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"modServer","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/mvgraph":{"get":{"tags":["Admin"],"description":"Get an ASCII graph (forest) of how several microversions fit together","operationId":"microversionGraph","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"ids","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"limit","in":"query","schema":{"type":"integer","format":"int32","default":50}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/resetSkipUpgradeVersion":{"post":{"tags":["Admin"],"description":"Reset decision to skip upgrade on a document","operationId":"resetSkipUpgradeVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/restoreDeleted":{"post":{"tags":["Admin"],"description":"Restore a deleted 
document","operationId":"restoreDeleted","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/setSkipCapture/{val}":{"post":{"tags":["Admin"],"description":"Set whether or not to skip an upgrade for a document","operationId":"setSkipCapture","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"val","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/setSkipUpgrade/{val}":{"post":{"tags":["Admin"],"description":"Set whether or not to skip an upgrade for a document","operationId":"setSkipUpgrade","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"val","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/setUpgradeMode/{val}":{"post":{"tags":["Admin"],"description":"Set upgrade mode for the document","operationId":"setUpgradeMode","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"val","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"boolean"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/v/{vid}/e/{eid}/clearBtPartData":{"delete":{"tags":["Admin"],"description":"Clear BTPartMetadata for an element, or a given 
part id","operationId":"clearBtPartData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/versions":{"get":{"tags":["Admin"],"description":"List versions in document","operationId":"getVersions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/workspaces":{"get":{"tags":["Admin"],"description":"List workspaces in document","operationId":"getWorkspaces","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/{wid}/unlockWorkspace":{"post":{"tags":["Admin"],"description":"Forces the release of the zookeeper locks for the workspace in the document","operationId":"unlockWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/document/{did}/{wvm}/{wvmid}/elements":{"get":{"tags":["Admin"],"description":"Get a list of elements in the workspace, version, or microversion of the document.","operationId":"getElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/invitations":{"get":{"tags":["Admin"],"description":"Get invitation info for an admin","operationId":"getInvitations","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTInvitationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/invitations/users/{uid}":{"get":{"tags":["Admin"],"description":"Get invitation for a given user","operationId":"getInvitationByUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInvitationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/learningCenter/{userId}":{"post":{"tags":["Admin"],"description":"Activate Learning Center 
User","operationId":"activateLearningCenterUser","parameters":[{"name":"userId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/LearningCenterActionResponse"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/mongostats":{"get":{"tags":["Admin"],"description":"Get Mongo statistics","operationId":"getMongoStats","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMongoStatsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Admin"],"description":"Clear Mongo statistics","operationId":"clearMongoStats","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/parsedstd/{vn}/clear":{"delete":{"tags":["Admin"],"description":"Clear parsed std state on S3 for given parsed std version","operationId":"clearParsedStdVersion","parameters":[{"name":"vn","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/server/debugInfo":{"get":{"tags":["Admin"],"description":"Get server debug information, esp. 
loaded documents","operationId":"getServerDebugInfo","parameters":[{"name":"modServer","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/tasks/available":{"get":{"tags":["Admin"],"description":"Get available upgrade tasks","operationId":"getUpgradeTasks","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAdminTaskInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/tasks/execute":{"post":{"tags":["Admin"],"description":"Execute an upgrade task","operationId":"executeTask","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminTaskParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminTaskInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/admin/tasks/executeMultiple":{"post":{"tags":["Admin"],"description":"Execute an upgrade tasks","operationId":"executeTasks","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminTaskParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminTaskResultInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/tasks/runs":{"get":{"tags":["Admin"],"description":"Get all tasks run by 
admins","operationId":"getTasks","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAdminTaskInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/user/{uid}/deviceLogin":{"get":{"tags":["Admin"],"description":"Get user device info during a specific period of time","operationId":"getLoginInfoAdmin","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"startDate","in":"query","required":true,"schema":{"type":"string"}},{"name":"endDate","in":"query","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTUserLifecycleMetricsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admin/user/{uid}/recalculateStorage":{"post":{"tags":["Admin"],"description":"Recalculate private, public and total document storage for user","operationId":"recalculateStorage","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/admin/users/documents/{uid}/acl":{"post":{"tags":["Admin"],"description":"Update user documents 
access","operationId":"updateUserDocumentsAccess","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserDocumentAclParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminauditevent/discounts/{uid}":{"get":{"tags":["AdminAuditEvent"],"description":"Admin endpoint to get all user discount events","operationId":"getDiscountEventsForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminAuditEventInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminauditevent/types":{"get":{"tags":["AdminAuditEvent"],"description":"Admin endpoint to get list of all audit event types","operationId":"getAdminAuditEventTypes","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTBaseInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminauditevent/{type}":{"get":{"tags":["AdminAuditEvent"],"description":"Admin endpoint to get paged list of events by 
type","operationId":"getAdminAuditEventsByType","parameters":[{"name":"type","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminAuditEventInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admingroups/current":{"get":{"tags":["AdminGroup"],"description":"Admin endpoint to get the set of logged in users groups","operationId":"getLoggedInUserAdminGroups","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTAdminGroup"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admingroups/users":{"get":{"tags":["AdminGroup"],"description":"Admin endpoint to get list of all onshape users","operationId":"getOnshapeUsersAndGroups","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminUserGroupInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/admingroups/{uid}":{"post":{"tags":["AdminGroup"],"description":"Admin endpoint to update user groups","operationId":"updateUserGroups","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminGroupParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminUserGroupInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole":{"get":{"tags":["AdminRole"],"description":"Get a list of existing admin roles to display on the roleList page","operationId":"getAdminRoles","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAdminRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["AdminRole"],"description":"Create a new admin role with name and description","operationId":"createAdminRole","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminRoleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/components":{"get":{"tags":["AdminRole"],"description":"Get a list of all admin role components to display on the Admin Roles list page","operationId":"getAdminRoleComponents","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminRoleComponent"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/console/{uid}/access":{"get":{"tags":["AdminRole"],"description":"Get user admin console access","operationId":"getUserAdminConsoleAccess","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"boolean"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/consoleAccess":{"get":{"tags":["AdminRole"],"description":"Check whether Onshape Admin or has Admin Console 
role","operationId":"hasAdminConsoleAccess","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOnshapeAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/menus":{"get":{"tags":["AdminRole"],"description":"Get a list of all admin role menus to display in the Admin Console.","operationId":"getAdminRoleMenus","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminRoleMenu"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/users":{"get":{"tags":["AdminRole"],"description":"Get admin user infos along with their role infos","operationId":"getAdminUsers","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAdminUserRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/users/onshape":{"get":{"tags":["AdminRole"],"description":"Get list of onshape users","operationId":"getOnshapeUsers","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyUserSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/{rid}":{"get":{"tags":["AdminRole"],"description":"returns detailed info of one admin role for editing purposes on the front end","operationId":"getAdminRole","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["AdminRole"],"description":"edit an admin role's description or 
permission set","operationId":"editRole","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminRoleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["AdminRole"],"description":"Delete a role permanently","operationId":"deleteAdminRole","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/{uid}/permissions":{"get":{"tags":["AdminRole"],"description":"Get user permissions","operationId":"getUserPermissions","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAdminRolePermissionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/adminrole/{uid}/roles":{"get":{"tags":["AdminRole"],"description":"Get user admin roles","operationId":"getUserRoles","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminUserRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["AdminRole"],"description":"Set user roles","operationId":"setUserRoles","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminUserRoleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminUserRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["AdminRole"],"description":"Delete user roles","operationId":"deleteUserRoles","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAdminUserRoleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/planeulatypes":{"get":{"tags":["Agreement"],"description":"List all plan eula types in the system","operationId":"getPlanEulaTypes","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPlanEulaInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Agreement"],"description":"Create or update plan eula type.","operationId":"savePlanEulaType","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPlanEulaParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/users/{uid}/{atype}":{"delete":{"tags":["Agreement"],"description":"Delete all accepted agreements for a 
user","operationId":"deleteAcceptedAgreement","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"atype","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/users/{uid}/{atype}/latest":{"get":{"tags":["Agreement"],"description":"Get latest agreement and whether agreement has been accepted by user","operationId":"getLatestAgreementForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"atype","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTLatestAgreementInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/users/{uid}/{atype}/{aid}":{"post":{"tags":["Agreement"],"description":"Accept agreement for a user","operationId":"acceptAgreement","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"atype","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAcceptedAgreementInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/{atype}":{"get":{"tags":["Agreement"],"description":"List all agreements in the system of the specified type (eula, dev, 
partner)","operationId":"getAgreements","parameters":[{"name":"atype","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAgreementInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Agreement"],"description":"Upload a new agreement to the server of the specified type (eula, dev, partner)","operationId":"createAgreement","parameters":[{"name":"atype","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAgreementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAgreementInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/{atype}/latest":{"get":{"tags":["Agreement"],"description":"Get the latest agreement","operationId":"getLatestAgreement","parameters":[{"name":"atype","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAgreementInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/agreements/{atype}/{aid}":{"get":{"tags":["Agreement"],"description":"Get an agreement by ID","operationId":"getAgreement","parameters":[{"name":"atype","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAgreementInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Agreement"],"description":"Delete an agreement","operationId":"deleteAgreement","parameters":[{"name":"atype","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/aliases":{"get":{"tags":["Alias"],"summary":"Get a list of all aliases that exist for your enterprise.","operationId":"getAliasesInCompany","parameters":[{"name":"prefix","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"name"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAliasInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Alias"],"summary":"Create an alias in your enterprise.","description":"`Manage users and teams` global permission is required to call this API.","operationId":"createAlias","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAliasParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAliasInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/aliases/{aid}":{"get":{"tags":["Alias"],"summary":"Get an alias by ID.","description":"Get the information for an alias ID.","operationId":"getAlias","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAliasInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Alias"],"summary":"Add, remove, replace, or rename entries in an alias list.","description":"`Manage users and teams` global permission is required to call this API. \n* Add new users in the `additions` array. \n* Remove existing users in the `removals` array. Attempts to remove a user that does not exist in the Alias list will have no effect.\n* Replace the entire Alias list with the `entries` array. \n* You can also update the alias' `name` and `description`. 
\nFor example, given an Alias with members userA and userB: \n* `additions: [userC]` results in [userA, userB, userC] \n* `removals: [userB]` results in [userA] \n* `entries: [userC, user D]` results in [userC, userD]","operationId":"updateAlias","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAliasParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAliasInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Alias"],"summary":"Delete an alias from your enterprise.","description":"`Manage users and teams` global permission is required to call this API.","operationId":"deleteAlias","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/aliases/{aid}/members":{"get":{"tags":["Alias"],"summary":"Get all users and teams assigned to an alias.","description":"This is a search-like endpoint that returns a subset of the member list. 
Use `getAlias` to return all members every time it's called.","operationId":"getAliasMembers","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"prefix","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"name"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAliasEntryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appcaches/c/{cache}/d/{did}/e/{eid}/k/{key}":{"get":{"tags":["AppCache"],"summary":"Get a cache entry for a document","operationId":"getEntry","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"eid","in":"path","description":"Application elementId that is storing the cache","required":true,"schema":{"type":"string"}},{"name":"cache","in":"path","description":"Cache name for the application","required":true,"schema":{"type":"string"},"example":"cam, pcb, ren or drw"},{"name":"key","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"put":{"tags":["AppCache"],"summary":"Create new cache entry under a key for a document","operationId":"createEntry","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"eid","in":"path","description":"Application elementId that is storing the cache","required":true,"schema":{"type":"string"}},{"name":"cache","in":"path","description":"Cache name for the application","required":true,"schema":{"type":"string"},"example":"cam, pcb, ren or drw"},{"name":"key","in":"path","description":"cacke key under which the content stream will be stored","required":true,"schema":{"type":"string"}}],"responses":{"201":{"description":"Cache entry created"}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appcaches/c/{cache}/d/{did}/e/{eid}/keys":{"get":{"tags":["AppCache"],"summary":"Get current saved cache keys for a document","operationId":"getCacheKeys","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"eid","in":"path","description":"Application elementId that is storing the cache","required":true,"schema":{"type":"string"}},{"name":"cache","in":"path","description":"Cache name for the application","required":true,"schema":{"type":"string"},"example":"cam, pcb, ren or drw"}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appcaches/d/{did}/clear":{"post":{"tags":["AppCache"],"description":"Admin API to clear all or specified caches for a document","operationId":"clearDocumentCaches","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClearCacheParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appcaches/d/{did}/keys":{"get":{"tags":["AppCache"],"summary":"Admin API to get all cache entries for a document","operationId":"getAllCacheKeysForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTCacheEntriesInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appcaches/schemas":{"get":{"tags":["AppCache"],"summary":"Get all cache 
schemas","operationId":"getSchemas","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTCacheSchemaInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/w/{wid}":{"post":{"tags":["AppElement"],"summary":"Create a new application element.","operationId":"createElement","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/w/{wid}/bulkcreate":{"post":{"tags":["AppElement"],"summary":"Create multiple empty application elements at once.","description":"Call this faster API instead of creating multiple app elements one at a time or in parallel.","operationId":"bulkCreateElement","parameters":[{"name":"did","in":"path","description":"The id of the document in 
which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementBulkCreateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementBulkCreateInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/w/{wid}/e/{eid}/blob/{bid}":{"get":{"tags":["AppElement"],"summary":"Download the blob element (i.e., a file) stored in an app element in a document's workspace.","description":"The downloaded file can be used to retrieve stored subelements.","operationId":"downloadBlobSubelementWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"bid","in":"path","required":true,"schema":{"type":"string"}},{"name":"contentDisposition","in":"query","schema":{"type":"string"}},{"name":"If-None-Match","in":"header","schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"File 
download.","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"binary"}},"application/octet-stream":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["AppElement"],"summary":"Create a new blob subelement from an uploaded file.","description":"Request body parameters are multipart fields, so you must use `\"Content-Type\":\"multipart/form-data\"` in the request header.","operationId":"uploadBlobSubelement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"bid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"transactionId":{"type":"string"},"parentChangeId":{"type":"string"},"description":{"type":"string"},"file":{"type":"object","description":"File to upload.","format":"binary"},"fileContentLength":{"type":"integer","format":"int64","default":-1}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["AppElement"],"summary":"Delete a blob subelement from an app 
element.","operationId":"deleteBlobSubelement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"bid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/w/{wid}/e/{eid}/copyassociativedata":{"post":{"tags":["AppAssociativeData"],"summary":"Copy associative data from one view to another.","description":"Can only be copied between tabs in the same document. You can manage associativity with [translateIds](https://cad.onshape.com/glassworks/explorer/#/PartStudio/translateIds).","operationId":"copyAssociativeData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementParamsArrayBTCopyViewAssociativeDataParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppAssociativeDataArrayInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/w/{wid}/e/{eid}/message":{"post":{"tags":["AppElement"],"operationId":"sendMessage","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/w/{wid}/e/{eid}/transactions":{"get":{"tags":["AppElement"],"summary":"Get a list of all transactions performed on an element.","operationId":"getElementTransactions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementTransactionsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["AppElement"],"summary":"Start a transaction","description":"Creates a microbranch (i.e., a branch for a new 
microversion).","operationId":"startTransaction","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementStartTransactionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/w/{wid}/e/{eid}/transactions/{tid}":{"post":{"tags":["AppElement"],"description":"Commits a transaction (merges a microbranch). Now that bulk transactions are supported, use the","operationId":"commitTransaction","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementCommitTransactionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["AppElement"],"summary":"Abort a transaction.","description":"Deletes a microbranch (i.e., the branch with the microversion for the transaction).","operationId":"abortTransaction","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"returnError","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/w/{wid}/e/{eid}/views/debug/updateangle":{"get":{"tags":["AppDrawingView"],"description":"Update Drawing View's Projection 
Angle","operationId":"updateViewProjectionAngle","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"viewId","in":"query","schema":{"type":"string","default":""}},{"name":"angle","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/w/{wid}/transactions":{"post":{"tags":["AppElement"],"summary":"Merge multiple transactions into one microversion.","description":"If successful, all transactions will be committed to a single microversion. If the call raises an error, nothing will be committed.","operationId":"commitTransactions","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementCommitTransactionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{vm}/{vmid}/e/{eid}/blob/{bid}":{"get":{"tags":["AppElement"],"summary":"Download a blob subelement from the specified app element.","description":"Download a blob subelement as a file.","operationId":"downloadBlobSubelement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vm","in":"path","required":true,"schema":{"type":"string"}},{"name":"vmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"bid","in":"path","required":true,"schema":{"type":"string"}},{"name":"contentDisposition","in":"query","schema":{"type":"string"}},{"name":"If-None-Match","in":"header","schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"File download.","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"string","format":"binary"}},"application/octet-stream":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/associativedata":{"get":{"tags":["AppAssociativeData"],"summary":"Get the associative data for the specified app element.","description":"You can manage associativity with [translateIds](https://cad.onshape.com/glassworks/explorer/#/PartStudio/translateIds).","operationId":"getAssociativeData","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the 
operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"associativeDataId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"viewId","in":"query","schema":{"type":"string","default":""}},{"name":"microversionId","in":"query","schema":{"type":"string","default":""}},{"name":"documentMicroversion","in":"query","schema":{"type":"string","default":""}},{"name":"deterministicId","in":"query","schema":{"type":"string","default":""}},{"name":"featureId","in":"query","schema":{"type":"string","default":""}},{"name":"entityId","in":"query","schema":{"type":"string","default":""}},{"name":"occurrenceId","in":"query","schema":{"type":"string","default":""}},{"name":"returnIdTags","in":"query","schema":{"type":"boolean","default":false}},{"name":"referenceId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppAssociativeDataArrayInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["AppAssociativeData"],"summary":"Set the associative data for the specified app element.","description":"You can manage associativity with 
[translateIds](https://cad.onshape.com/glassworks/explorer/#/PartStudio/translateIds).","operationId":"postAssociativeData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppAssociativeDataArrayInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["AppAssociativeData"],"summary":"Delete the associative data from the specified app element.","description":"You can manage associativity with 
[translateIds](https://cad.onshape.com/glassworks/explorer/#/PartStudio/translateIds).","operationId":"deleteAssociativeData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"parentChangeId","in":"query","schema":{"type":"string","default":""}},{"name":"associativeDataId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"viewId","in":"query","schema":{"type":"string","default":""}},{"name":"microversionId","in":"query","schema":{"type":"string","default":""}},{"name":"documentMicroversion","in":"query","schema":{"type":"string","default":""}},{"name":"deterministicId","in":"query","schema":{"type":"string","default":""}},{"name":"featureId","in":"query","schema":{"type":"string","default":""}},{"name":"entityId","in":"query","schema":{"type":"string","default":""}},{"name":"occurrenceId","in":"query","schema":{"type":"string","default":""}},{"name":"referenceId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementBasicInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/blob":{"get":{"tags":["AppElement"],"summary":"Get a list of all blob subelement IDs for the specified workspace, version, or 
microversion.","operationId":"getBlobSubelementIds","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementIdsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/compare":{"get":{"tags":["AppElement"],"summary":"Compare app element JSON trees between workspaces/versions/microversions in a document.","description":"Specify the source workspace/version/microversion in the URL and specify the target workspace/version/microversion in the query parameters.","operationId":"compareAppElementJson","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string"}},{"name":"microversionId","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"jsonDifferenceFormat","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDiffJsonResponse-2725"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content":{"get":{"tags":["AppElement"],"summary":"Get a list of all subelement IDs in a specified workspace/version/microversion.","operationId":"getSubElementContent","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}},{"name":"baseChangeId","in":"query","schema":{"type":"string"}},{"name":"subelementId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementContentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["AppElement"],"summary":"Update the content for the specified app element.","operationId":"updateAppElement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementUpdateParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content/history":{"get":{"tags":["AppElement"],"summary":"Get the history of the specified all element.","operationId":"getAppElementHistory","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementHistoryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content/ids":{"get":{"tags":["AppElement"],"summary":"Get a list of all subelement IDs in a 
specified workspace/version/microversion.","operationId":"getSubelementIds","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementIdsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content/json":{"get":{"tags":["AppElement"],"summary":"Get the full JSON tree for the specified workspace/version/microversion.","operationId":"getJson","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","description":"The id of the transaction in which this operation should take place. Transaction ids can be generated through the AppElement startTransaction API.","schema":{"type":"string"}},{"name":"changeId","in":"query","description":"The id of the last change made to this application element. This can be retrieved from the response for any app element modification endpoint.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGetJsonResponse-2137"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content/jsonpaths":{"post":{"tags":["AppElement"],"summary":"Get the JSON at specified paths for an element.","description":"Use this endpoint to return the JSON at the specified path instead of returning the entire JSON for the element. 
This POST endpoint does not write any information.","operationId":"getJsonPaths","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGetJsonPaths-1697"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGetJsonPathsResponse-1544"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content/subelements":{"delete":{"tags":["AppElement"],"summary":"Delete multiple subelements array by document ID, workspace or version or microversion ID, tab ID, and subelement 
IDs.","operationId":"deleteAppElementContentBatch","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"subelementIds","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"description","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/content/subelements/{sid}":{"delete":{"tags":["AppElement"],"summary":"Deletes the content from the specified app element.","operationId":"deleteAppElementContent","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"description","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/debug/history":{"get":{"tags":["AppElement"],"operationId":"getDebugHistory","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"w","in":"query","schema":{"type":"string"}},{"name":"h","in":"query","schema":{"type":"string"}},{"name":"d","in":"query","schema":{"type":"string"}},{"name":"from","in":"query","schema":{"type":"string"}},{"name":"to","in":"query","schema":{"type":"string"}},{"name":"u","in":"query","schema":{"type":"string"}},{"name":"details","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementHistoryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/forceIndexing":{"post":{"tags":["AppElement"],"operationId":"forceIndexing","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/references":{"get":{"tags":["AppElement"],"description":"list all app element references","operationId":"listReferences","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAppElementReferenceResolveInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["AppElement"],"summary":"Creates a reference to an app 
element.","operationId":"createReference","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write","OAuth2Read"],"BasicAuth":["OAuth2Write","OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/references/{rid}":{"get":{"tags":["AppElement"],"summary":"Resolves a single reference to an app element.","description":"For single operations only. 
Use `resolveReferences` for bulk operations.","operationId":"resolveReference","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"includeInternal","in":"query","schema":{"type":"boolean","default":false}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceResolveInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["AppElement"],"summary":"Update an app element reference.","operationId":"updateReference","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write","OAuth2Read"],"BasicAuth":["OAuth2Write","OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["AppElement"],"summary":"Delete an app element reference.","operationId":"deleteReference","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"description","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/resolvereferences":{"get":{"tags":["AppElement"],"summary":"Resolves bulk app element references.","description":"For bulk operations only. Use `resolveReference` for a single operation.","operationId":"resolveReferences","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"includeInternal","in":"query","schema":{"type":"boolean","default":false}},{"name":"referenceIds","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferencesResolveInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views":{"get":{"tags":["AppDrawingView"],"description":"Get details of all drawing views","operationId":"getDrawingViews","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppArrayInfoBTAppDrawingViewInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["AppDrawingView"],"description":"Create a drawing view","operationId":"createDrawingView","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppViewParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewids}/preview":{"get":{"tags":["AppDrawingView"],"description":"Get rasterized previews of multiple views","operationId":"getViewPreview","parameters":[{"name":"viewids","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"maxWidthPixels","in":"query","schema":{"type":"integer","format":"int32","default":400}},{"name":"maxHeightPixels","in":"query","schema":{"type":"integer","format":"int32","default":400}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}":{"get":{"tags":["AppDrawingView"],"description":"Get details of one drawing 
view","operationId":"getDrawingView","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["AppDrawingView"],"description":"Update a drawing view","operationId":"updateDrawingView","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppViewParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["AppDrawingView"],"description":"Delete a drawing 
view","operationId":"deleteView","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"parentChangeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/associativity/changeid":{"get":{"tags":["AppDrawingView"],"description":"Get the associativity change id for a drawing view","operationId":"getViewAssociativityChangeId","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/clearcache":{"post":{"tags":["AppDrawingView"],"description":"Clear a drawing view's 
cache","operationId":"clearViewCache","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"clearModelCache","in":"query","schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/debug/updateviewversion":{"get":{"tags":["AppDrawingView"],"description":"Update Drawing View's Version","operationId":"updateViewVersion","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/geometry":{"get":{"tags":["AppDrawingView"],"description":"Get view geometry of a drawing 
view","operationId":"getDrawingViewGeometry","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"proxy","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/dwg":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/holes":{"get":{"tags":["AppDrawingView"],"description":"Get hole information for a drawing 
view","operationId":"getDrawingViewHoles","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/instancetime":{"get":{"tags":["AppDrawingView"],"description":"Get time of processing each instance in 
BSServer","operationId":"getDrawingViewInstanceTime","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"action","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/jsongeometry":{"get":{"tags":["AppDrawingView"],"description":"Get view geometry of a drawing view in JSON format","operationId":"getDrawingViewJsonGeometry","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"debug","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/shadedviews":{"get":{"tags":["AppDrawingView"],"description":"Get a shaded image rendering of the view's 
reference","operationId":"getDrawingShadedViews","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the 
operation.","required":true,"schema":{"type":"string"}},{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"viewMatrix","in":"query","schema":{"type":"string","default":"front"}},{"name":"outputHeight","in":"query","schema":{"type":"integer","format":"int32","default":500}},{"name":"outputWidth","in":"query","schema":{"type":"integer","format":"int32","default":500}},{"name":"pixelSize","in":"query","schema":{"type":"number","format":"double","default":0.003}},{"name":"edges","in":"query","schema":{"type":"string","default":"show"}},{"name":"showAllParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"useAntiAliasing","in":"query","schema":{"type":"boolean","default":false}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/translateAugDetIds":{"post":{"tags":["AppDrawingView"],"description":"Parses the augmentedDeterministicIds passed and returns a map of augDetId to a list of","operationId":"translateAugDetIds","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartIdParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wv}/{wvid}/e/{eid}/debug/repairCreatedAt":{"get":{"tags":["AppElement"],"operationId":"repairAppElementCreatedAt","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementCreatedAtFieldRepairInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wv}/{wvid}/e/{eid}/inspectiontable":{"get":{"tags":["AppElement"],"operationId":"getInspectionTable","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"templateId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInspectionTableInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appelements/d/{did}/{wv}/{wvid}/e/{eid}/revisiontable":{"get":{"tags":["AppElement"],"operationId":"getRevisionTable","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; 
only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"templateId","in":"query","schema":{"type":"string"}},{"name":"additionalProperties","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionTableInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appelements/{did}/w/{wid}/e/{eid}/associativedata":{"get":{"tags":["AppAssociativeData"],"description":"Get associative data for an app 
element","operationId":"getAssociativeDataDEPRECATED","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"associativeDataId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"viewId","in":"query","schema":{"type":"string","default":""}},{"name":"microversionId","in":"query","schema":{"type":"string","default":""}},{"name":"documentMicroversion","in":"query","schema":{"type":"string","default":""}},{"name":"deterministicId","in":"query","schema":{"type":"string","default":""}},{"name":"featureId","in":"query","schema":{"type":"string","default":""}},{"name":"entityId","in":"query","schema":{"type":"string","default":""}},{"name":"occurrenceId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppAssociativeDataArrayInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"},"post":{"tags":["AppAssociativeData"],"description":"Deprecated. 
Use /appelements/d/{did}/wvm/{wvmid}/e/{eid}/associativedata POST endpoint instead.","operationId":"postAssociativeDataOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppAssociativeDataArrayInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["AppAssociativeData"],"description":"Deprecated. Use /appelements/d/{did}/wvm/{wvmid}/e/{eid}/associativedata DELETE endpoint instead.","operationId":"deleteAssociativeDataOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"parentChangeId","in":"query","schema":{"type":"string","default":""}},{"name":"associativeDataId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"viewId","in":"query","schema":{"type":"string","default":""}},{"name":"microversionId","in":"query","schema":{"type":"string","default":""}},{"name":"documentMicroversion","in":"query","schema":{"type":"string","default":""}},{"name":"deterministicId","in":"query","schema":{"type":"string","default":""}},{"name":"featureId","in":"query","schema":{"type":"string","default":""}},{"name":"entityId","in":"query","schema":{"type":"string","default":""}},{"name":"occurrenceId","in":"query","schema":{"type":"string","default":""}}],"responses":{"defau
lt":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementBasicInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/appelements/{did}/{wvm}/{wvmid}/e/{eid}/views":{"get":{"tags":["AppDrawingView"],"description":"Get details of all drawing views","operationId":"getDrawingViewsOld","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppArrayInfoBTAppDrawingViewInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"},"post":{"tags":["AppDrawingView"],"description":"Create a drawing 
view","operationId":"createDrawingViewOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppViewParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/appelements/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewids}/preview":{"get":{"tags":["AppDrawingView"],"description":"Get rasterized previews of multiple views","operationId":"getViewPreviewOld","parameters":[{"name":"viewids","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"maxWidthPixels","in":"query","schema":{"type":"integer","format":"int32","default":400}},{"name":"maxHeightPixels","in":"query","schema":{"type":"integer","format":"int32","default":400}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/appelements/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}":{"get":{"tags":["AppDrawingView"],"description":"Get details of one drawing 
view","operationId":"getDrawingViewOld","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"},"post":{"tags":["AppDrawingView"],"description":"Update a drawing view","operationId":"updateDrawingViewOld","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppViewParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["AppDrawingView"],"description":"Delete a drawing 
view","operationId":"deleteViewOld","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"parentChangeId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/appelements/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/geometry":{"get":{"tags":["AppDrawingView"],"description":"Get view geometry of a drawing view","operationId":"getDrawingViewGeometryOld","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"proxy","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/dwg":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/appelements/{did}/{wvm}/{wvmid}/e/{eid}/views/{viewid}/jsongeometry":{"get":{"tags":["AppDrawingView"],"description":"Get view geometry of a drawing view in JSON 
format","operationId":"getDrawingViewJsonGeometryOld","parameters":[{"name":"viewid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string","default":""}},{"name":"changeId","in":"query","schema":{"type":"string","default":""}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"debug","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/dwg":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/applications":{"get":{"tags":["APIApplication"],"description":"Return a paginated list of API applications","operationId":"getApplications","parameters":[{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"team","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIApplication"],"description":"Create an API application","operationId":"createApplication","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/applicationGrants/users/{uid}":{"get":{"tags":["APIApplication"],"description":"Get list of applications the user has granted/accepted terms for, that were not granted for any","operationId":"getApplicationGrantsForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/clients/{cid}/settings/companies/{cpid}":{"get":{"tags":["APIApplication"],"summary":"Get company-level preference settings for an application.","description":"This API is only usable with an OAuth token and only by the current user or admin.","operationId":"getCompanyAppSettings","parameters":[{"name":"cpid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","description":"A document owned by the company. 
Read access to this document allows read access to its owning company's settings.","schema":{"type":"string"}},{"name":"key","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserAppSettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["APIApplication"],"summary":"Update company preference settings for an application.","description":"This API is only usable with an OAuth token and only by the current user or admin.","operationId":"updateAppCompanySettings","parameters":[{"name":"cpid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserAppSettingsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["APIApplication"],"summary":"Delete a company's application preference settings.","description":"This API is only usable with an OAuth token and only by the current user or admin.","operationId":"deleteCompanyAppSettings","parameters":[{"name":"cpid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"key","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/applications/clients/{cid}/settings/users/{uid}":{"get":{"tags":["APIApplication"],"summary":"Get user-level preference settings for an 
application.","description":"This API is only usable with an OAuth token and only by the current user or admin.","operationId":"getUserAppSettings","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"key","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserAppSettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["APIApplication"],"summary":"Update a user's application preference settings.","description":"This API is only usable with an OAuth token and only by the current user or admin.","operationId":"updateAppSettings","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserAppSettingsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["APIApplication"],"summary":"Delete a user's application preference settings.","description":"This API is only usable with an OAuth token and only by the current user or admin.","operationId":"deleteAppSettings","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"key","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"200":{"description":"Success!"}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/applications/consistency/{uid}":{"get":{"tags":["APIApplication"],"description":"Runs 
consistency checks for application uses for user purchased application.","operationId":"checkApplicationConsistency","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApplicationDataConsistencyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/extensionlocations":{"get":{"tags":["APIApplication"],"description":"Get valid extension types supported by onshape.","operationId":"getAllValidExtensionTypes","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTApplicationExtensionTypesInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/extensions/user/{uid}/client/{cid}":{"get":{"tags":["APIApplication"],"summary":"Get a list of the client extensions the specified user has granted/accepted terms for.","operationId":"getApplicableExtensionsForClient","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"validPurchases","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIApplicationExtensionInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2ReadPII"],"BasicAuth":["OAuth2ReadPII"]}],"x-BTVisibility":"PRODUCTION"}},"/applications/extensions/users/{uid}":{"get":{"tags":["APIApplication"],"description":"Get list of extensions the user has granted/accepted terms 
for","operationId":"getApplicationExtensions","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"validPurchases","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIApplicationExtensionInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/extensions/{eid}/action":{"post":{"tags":["APIApplication"],"description":"Invokes the action defined for the extension.","operationId":"invokeExtension","parameters":[{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtensionActionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/grants/users/{uid}":{"get":{"tags":["APIApplication"],"description":"Get list of grants the user has granted/accepted terms for, that were not granted for any","operationId":"getGrantsForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationGrantInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/grants/users/{uid}/companies/{coid}":{"get":{"tags":["APIApplication"],"description":"Get list of grants the user has granted/accepted terms, for a 
particular company","operationId":"getGrantsForUserAndCompany","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"coid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationGrantInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/scopes":{"get":{"tags":["APIApplication"],"description":"Return all API application scopes","operationId":"getScopes","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"customScopes","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationScopeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/scopes/{sid}":{"get":{"tags":["APIApplication"],"description":"Return an application scope","operationId":"getScope","parameters":[{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationScopeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/standard":{"get":{"tags":["APIApplication"],"description":"Return a paginated list of all Onshape Standard 
Applications","operationId":"getStandardApplications","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"filterByAllowedPlan","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/sync/applicationtype/{appid}":{"post":{"tags":["APIApplication"],"description":"Sync API application and store entry","operationId":"syncApplicationType","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/users/{uid}":{"get":{"tags":["APIApplication"],"description":"Get list of applications for user","operationId":"getApplicationsForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"validPurchases","in":"query","schema":{"type":"boolean","default":false}},{"name":"calculateGrants","in":"query","schema":{"type":"boolean","default":true}},{"name":"calculateScopes","in":"query","schema":{"type":"boolean","default":true}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/users/{uid}/apps":{"get":{"tags":["APIApplication"],"description":"Get list of applications for user","operationId":"getUserApplications","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"validPurchases","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIApplicationUserInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/uses/users/{uid}":{"get":{"tags":["APIApplication"],"description":"Get list of applications the user has registered for use","operationId":"getApplicationUses","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"validPurchases","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/applications/{aid}/grants/users/{uid}":{"post":{"tags":["APIApplication"],"description":"Grant a user access to an application","operationId":"grantApplicationAccess","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationGrantInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Revoke a user's access to an application","operationId":"revokeApplicationAccess","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/applications/{aid}/grants/users/{uid}/companies/{coid}":{"post":{"tags":["APIApplication"],"description":"Grant a user access to an application, for a given company","operationId":"grantApplicationAccessPerCompany","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Revoke a user's access to an application per company","operationId":"revokeApplicationAccessPerCompany","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appId}":{"get":{"tags":["APIApplication"],"description":"Return a particular API application","operationId":"getApplication","parameters":[{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appId}/apiUse":{"get":{"tags":["APIApplication"],"description":"Get a summary of all API calls made by the application","operationId":"getApplicationAPIUse","parameters":[{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}},{"name":"numDays","in":"query","schema":{"maximum":365,"minimum":1,"type":"integer","format":"int32","default":7}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTApiMetricSummaryInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appId}/uses/users/{uid}":{"post":{"tags":["APIApplication"],"description":"Register user for use of an application","operationId":"registerApplicationUse","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationUseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Remove use of an application by a user","operationId":"removeApplicationUse","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appId}/xauth":{"post":{"tags":["APIApplication"],"description":"Add external OAuth definition for application denoted by application id or client id.","operationId":"addExternalAuth","parameters":[{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtAuthParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExternalAuthInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appId}/xauth/{authid}":{"post":{"tags":["APIApplication"],"description":"Add external OAuth definition for application denoted by application id or client id.","operationId":"updateExternalAuth","parameters":[{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}},{"name":"authid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtAuthParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExternalAuthInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Deletes external OAuth definition for the given application id and external auth id or client id.","operationId":"deleteExternalAuth","parameters":[{"name":"appId","in":"path","description":"Either the app id or the client id of the app.","required":true,"schema":{"type":"string"}},{"name":"authid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}":{"post":{"tags":["APIApplication"],"description":"Update an existing API application","operationId":"updateApplication","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Delete an API application","operationId":"deleteApplication","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/deprecate":{"post":{"tags":["APIApplication"],"description":"Deprecate a particular API application","operationId":"deprecateApplication","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationDeprecateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/extensions":{"post":{"tags":["APIApplication"],"description":"Create an API application extension","operationId":"createApplicationExtension","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtensionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtensionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/extensions/{extensionid}":{"post":{"tags":["APIApplication"],"description":"Update an existing API application extension","operationId":"updateApplicationExtension","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtensionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExtensionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Delete an API application extension","operationId":"deleteExtension","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/extensions/{extensionid}/icon":{"get":{"tags":["APIApplication"],"description":"Get current active icon for an application extension","operationId":"getExtensionIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"image/svg+xml; qs=0.1":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIApplication"],"description":"Upload a new icon for an application extension","operationId":"uploadExtensionIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Deactivate current active extension icon for an 
application","operationId":"deactivateExtensionIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/extensions/{extensionid}/icon/approve":{"get":{"tags":["APIApplication"],"description":"Get current pending icon for an application extension","operationId":"getPendingExtensionIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"image/svg+xml; qs=0.1":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIApplication"],"description":"Approve the pending icon for an application extension","operationId":"approveExtensionIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Reject (or cancel) current pending icon for an application extension","operationId":"rejectExtensionIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/extensions/{extensionid}/icon/cleanup":{"delete":{"tags":["APIApplication"],"description":"Delete inactive extension icons.","operationId":"cleanUpExtensionIcons","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extensionid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/productType":{"post":{"tags":["APIApplication"],"description":"Update product type for this app id. This would be used for products like Vuforia and Creo","operationId":"updateProductQueueName","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/replaceClientId":{"post":{"tags":["APIApplication"],"description":"Replace the generated client id with the value specified. 
Required for first party apps using JWT","operationId":"replaceClientId","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"clientid","in":"query","required":true,"schema":{"pattern":"[A-Z2-7=]{40}|[\\p{XDigit}]{8}-[\\p{XDigit}]{4}-[\\p{XDigit}]{4}-[\\p{XDigit}]{4}-[\\p{XDigit}]{12}|[a-zA-Z0-9]{32}","type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/resetSecret":{"post":{"tags":["APIApplication"],"description":"Reset an application's secret key","operationId":"resetSecret","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/scopes":{"get":{"tags":["APIApplication"],"description":"Return all scopes for a particular application","operationId":"getAllScopesForApplication","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIApplicationScopeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/state":{"post":{"tags":["APIApplication"],"description":"Enable or disable an API application","operationId":"enableOrDisableState","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/storeEntryIsPublic":{"post":{"tags":["APIApplication"],"description":"Update whether or not the store entry for this application is public. This is a reflection of the","operationId":"updateStoreEntryIsPublic","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/tabicon":{"get":{"tags":["APIApplication"],"description":"Get current active tab icon for an application","operationId":"getTabIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"image/svg+xml; qs=0.1":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIApplication"],"description":"Upload a new tab icon for an application","operationId":"uploadTabIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Deactivate current active tab icon for an 
application","operationId":"deactivateTabIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/tabicon/approve":{"get":{"tags":["APIApplication"],"description":"Get current pending tab icon for an application","operationId":"getPendingTabIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"image/svg+xml; qs=0.1":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIApplication"],"description":"Approve the pending tab icon for an application","operationId":"approveTabIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIApplication"],"description":"Reject (or cancel) current pending tab icon for an application","operationId":"rejectTabIcon","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/tabicon/cleanup":{"delete":{"tags":["APIApplication"],"description":"Delete inactive tab icons.","operationId":"cleanUpTabIcons","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/users":{"get":{"tags":["APIApplication"],"description":"Return a list of users associated with an application","operationId":"getApplicationUsers","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTUserSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/users/{userid}/companies/{companyId}/xauth-token":{"delete":{"tags":["APIApplication"],"description":"Revokes external auth tokens for the provided application, user and company","operationId":"revokeAuthAccessForUserAndCompany","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"userid","in":"path","required":true,"schema":{"type":"string"}},{"name":"companyId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/users/{userid}/xauth-token":{"delete":{"tags":["APIApplication"],"description":"Revokes external auth tokens for the provided application and user","operationId":"revokeAuthAccessForUser","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"userid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/xauth-token":{"delete":{"tags":["APIApplication"],"description":"Revokes external auth tokens for the provided application for all users.","operationId":"revokeAuthAccess","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{appid}/xauth/{authid}":{"get":{"tags":["APIApplication"],"description":"Gets external OAuth definition for the given application denoted by application id and external","operationId":"getExternalAuth","parameters":[{"name":"appid","in":"path","required":true,"schema":{"type":"string"}},{"name":"authid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIApplicationExternalAuthInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/applications/{cid}/grants/users/{uid}":{"get":{"tags":["APIApplication"],"description":"Get the grant details for the combination of app id and user. 
There may be multiple, if the user","operationId":"getApplicationGrantsForUserAndId","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIApplicationGrantInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/approval":{"get":{"tags":["OAuth2.0"],"operationId":"approval","responses":{"default":{"description":"default response","content":{"*/*":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/appstore/purchaseRedirect":{"get":{"tags":["Appstore"],"description":"Redirect caller to verified post-purchase redirect URL","operationId":"purchaseRedirect","parameters":[{"name":"redirectURI","in":"query","schema":{"type":"string","format":"uri"}},{"name":"redirectUri","in":"query","schema":{"type":"string","format":"uri"}},{"name":"clientId","in":"query","required":true,"schema":{"type":"string"}},{"name":"sku","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"*/*":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/e/{eid}/namedViews":{"get":{"tags":["Assembly"],"summary":"Get the view data for all named views for the specified element.","operationId":"getNamedViews","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"skipPerspective","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeSectionCutViews","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNamedViewsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}":{"post":{"tags":["Assembly"],"summary":"Create a new assembly tab in the document.","operationId":"createAssembly","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/bomelement":{"post":{"tags":["Assembly"],"summary":"Gets the Bill Of Materials (BOM) for the specified assembly, or creates a BOM if none exist.","operationId":"getOrCreateBillOfMaterialsElement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/features/featureid/{fid}":{"post":{"tags":["Assembly"],"summary":"Update an existing feature for an Assembly.","operationId":"updateFeature","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionCall-1406"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionResponse-1617"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Assembly"],"summary":"Delete a feature from an assembly.","operationId":"deleteFeature","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureApiBase-1430"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/instance/nodeid/{nid}":{"delete":{"tags":["Assembly"],"summary":"Delete an instance of an 
assembly.","operationId":"deleteInstance","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/instances":{"post":{"tags":["Assembly"],"summary":"Insert an instance of a part, sketch, assembly, or Part Studio into an assembly.","description":"Part Studio instances may include multiple parts.","operationId":"createInstance","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyInstanceDefinitionParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/modify":{"post":{"tags":["Assembly"],"summary":"Modify an assembly.","description":"This endpoint can include multiple modifications to an assembly with one change. For example, it can delete/suppress/unsuppress/transform multiple instances. 
It creates one history entry in the document history list.","operationId":"modify","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyModificationParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/occurrencetransforms":{"post":{"tags":["Assembly"],"summary":"Transform a list of assembly occurrences.","operationId":"transformOccurrences","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyTransformDefinitionParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/transformedinstances":{"post":{"tags":["Assembly"],"summary":"Create new instances with transformation.","operationId":"insertTransformedInstances","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyTransformedInstancesDefinitionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyInsertTransformedInstancesResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/w/{wid}/e/{eid}/translationformats":{"get":{"tags":["Assembly"],"description":"Returns a list of the available formats to which this Assembly can be translated.","operationId":"getTranslatorFormats","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"checkContent","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}":{"get":{"tags":["Assembly"],"summary":"Get definition 
information for the specified assembly.","description":"All coordinates and translation matrix components are in meters (m).","operationId":"getAssemblyDefinition","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}},{"name":"includeMateFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeNonSolids","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeMateConnectors","in":"query","schema":{"type":"boolean","default":false}},{"name":"excludeSuppressed","in":"query","description":"Whether or not to exclude suppressed instances/mate features in response","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyDefinitionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/assemblystructure":{"get":{"tags":["Assembly"],"summary":"Get the detailed structure of an assembly for internal metadata operations","operationId":"getAssemblyStructure","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyStructureInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/bom":{"get":{"tags":["Assembly"],"summary":"Get the Bill Of Materials (BOM) 
content for the specified assembly.","description":"Returns the BOM in JSON in the Onshape BOM Standard format.","operationId":"getBillOfMaterials","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"bomColumnIds","in":"query","description":"Ids of the columns to include, or all columns if empty. BOM column ids correspond to metadata property ids.","schema":{"type":"array","items":{"type":"string"}}},{"name":"indented","in":"query","description":"Return the Structured BOM table with all rows collapsed, otherwise returns the Flattened BOM.","schema":{"type":"boolean","default":true}},{"name":"multiLevel","in":"query","description":"Return the Structured BOM table with all rows expanded. 
Ignored if indented is false.","schema":{"type":"boolean","default":false}},{"name":"generateIfAbsent","in":"query","description":"Return the BOM table data even if the BOM does not exist. If this is false and the BOM does not exist, a 404 status code will be returned. This option is highly recommended.","schema":{"type":"boolean","default":false}},{"name":"templateId","in":"query","description":"The id of the BOM table template to use when generating the table.","schema":{"type":"string"}},{"name":"includeExcluded","in":"query","description":"Include items that have been excluded from the BOM table.","schema":{"type":"boolean"}},{"name":"onlyVisibleColumns","in":"query","description":"Only return data for visible columns, instead of all possible columns.","schema":{"type":"boolean"}},{"name":"ignoreSubassemblyBomBehavior","in":"query","description":"Ignore the 'Subassembly BOM behavior' property when constructing the BOM table.","schema":{"type":"boolean"}},{"name":"includeItemMicroversions","in":"query","description":"Include element microversions and version metadata microversions in the JSON.","schema":{"type":"boolean","default":false}},{"name":"includeTopLevelAssemblyRow","in":"query","description":"Include top-level assembly row when constructing the BOM table.","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","description":"Return thumbnail info","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillOfMaterialsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/boundingboxes":{"get":{"tags":["Assembly"],"summary":"Get bounding box information for the specified 
assembly.","operationId":"getAssemblyBoundingBoxes","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}},{"name":"includeHidden","in":"query","schema":{"type":"boolean"}},{"name":"displayStateId","in":"query","schema":{"type":"string"}},{"name":"namedPositionId","in":"query","schema":{"type":"string"}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBoundingBoxInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/debug/sizeanalysis":{"get":{"tags":["Assembly"],"description":"Get the bytes used by each 
class in a BTAssembly","operationId":"getDebugSizeAnalysis","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"text/csv":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/displaystates":{"get":{"tags":["Assembly"],"operationId":"getDisplayStates","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDisplayStateInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/explodedviews":{"get":{"tags":["Assembly"],"summary":"Get a list of exploded views for the specified assembly.","operationId":"getExplodedViews","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTViewFeatureBaseInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/explodematrices":{"get":{"tags":["Assembly"],"summary":"Returns explosion transformation for given explode view ID.","operationId":"getExplosionMatrices","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBulkExplodeTransformInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/features":{"get":{"tags":["Assembly"],"summary":"Get the definitions of the specified features in an assembly.","operationId":"getFeatures","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}},{"name":"featureId","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyFeatureListResponse-1174"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Assembly"],"summary":"Add a feature to the assembly feature list.","operationId":"addFeature","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionCall-1406"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionResponse-1617"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/featurespecs":{"get":{"tags":["Assembly"],"summary":"Get the feature spec definitions for an assembly.","operationId":"getFeatureSpecs","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureSpecsResponse-664"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/gltf":{"get":{"tags":["Assembly"],"operationId":"exportAssemblyGltf","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}},{"name":"outputSeparateFaceNodes","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"200":{"description":"Success!","content":{"model/gltf+json;charset=UTF-8;qs=0.08":{"schema":{"$ref":"#/components/schemas/GlTF"}},"model/gltf-binary;qs=0.08":{"schema":{"type":"string","description":"Binary representation of glTF data","format":"binary","example":"data"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/massproperties":{"get":{"tags":["Assembly"],"summary":"Get the mass properties for the assembly.","operationId":"getAssemblyMassProperties","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMassPropertiesInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/matevalues":{"get":{"tags":["Assembly"],"operationId":"getMateValues","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyMateValuesInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Assembly"],"operationId":"updateMateValues","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyMateValuesInfo"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssemblyMateValuesInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/namedpositions":{"get":{"tags":["Assembly"],"summary":"Get a list of all named positions for the assembly.","operationId":"getNamedPositions","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTViewFeatureBaseInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wvm}/{wvmid}/e/{eid}/shadedviews":{"get":{"tags":["Assembly"],"summary":"Get an array of shaded view images for the document.","operationId":"getAssemblyShadedViews","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}},{"name":"viewMatrix","in":"query","schema":{"type":"string","default":"front"}},{"name":"outputHeight","in":"query","schema":{"type":"integer","format":"int32","default":500}},{"name":"outputWidth","in":"query","schema":{"type":"integer","format":"int32","default":500}},{"name":"pixelSize","in":"query","schema":{"type":"number","format":"double","default":0.003}},{"name":"edges","in":"query","schema":{"type":"string","default":"show"}},{"name":"showAllParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":true}},{"name":"useAntiAliasing","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeWires","in":"query","schema":{"type":"boolean","default":false}},{"name":"displayStateId","in":"query","schema":{"type":"string"}},{"name":"namedPositionId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShadedViewsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/assemblies/d/{did}/{wv}/{wvid}/e/{eid}/translations":{"post":{"tags":["Assembly"],"summary":"Export the assembly to another format.","description":"* Use `formatName` in the JSON request body to specify the export file type. Use [Translations/getAllTranslatorFormats](https://cad.onshape.com/glassworks/explorer/#/Translation/getAllTranslatorFormats) to get a list of valid export file formats. Confirm that `couldBeAssembly=true.`\n* Set `storeInDocument` to `true` to export to a data file. Set to `false` to export to a blob element in the same document. \n* See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"translateFormat","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/authorize":{"get":{"tags":["OAuth2.0"],"operationId":"authorize","responses":{"default":{"description":"default response","content":{"*/*":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/discount/{oid}":{"get":{"tags":["Billing"],"description":"Get a 
discount","operationId":"getDiscount","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDiscountInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Billing"],"description":"Create a discount for an owner","operationId":"createDiscount","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDiscountParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Billing"],"description":"Delete a discount for an owner","operationId":"deleteDiscount","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/plans":{"get":{"tags":["Billing"],"description":"List supported Onshape billing plans","operationId":"getPlans","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Billing"],"description":"Create new billing plan.","operationId":"createPlan","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/plans/allowed/{oid}":{"get":{"tags":["Billing"],"description":"Get allowed list of upgrade and downgrade Onshape plans based on current user's plan. This list","operationId":"getAllowedUpgradeDowngradePlans","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingAllowedPlansInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/plans/application/{aid}":{"get":{"tags":["Billing"],"description":"Returns billing plans for specified application.","operationId":"getApplicationPlans","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/plans/batch":{"post":{"tags":["Billing"],"description":"Update existing billing plans as a batch operation.","operationId":"updatePlans","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanBatchParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/plans/client/{cid}":{"get":{"tags":["Billing"],"summary":"Get all billing plans and their 
information for an application by client ID.","description":"This API should be used within the context of an OAuth-enabled application.","operationId":"getClientPlans","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!"}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/billing/plans/onshape":{"get":{"tags":["Billing"],"description":"List supported all Onshape billing plans with optional plan group filter.","operationId":"getAllOnshapePlans","parameters":[{"name":"group","in":"query","schema":{"type":"string","default":""}},{"name":"showDeprecated","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/billing/plans/stripe":{"post":{"tags":["Billing"],"description":"Loads the provided plan id from DB and creates stripe plan based","operationId":"createStripePlan","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/Plan"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/billing/plans/{pid}":{"get":{"tags":["Billing"],"description":"Plan information","operationId":"getPlan","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Billing"],"description":"Update existing billing 
plan.","operationId":"updatePlan","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillingPlanInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Billing"],"description":"Delete billing plan.","operationId":"deletePlan","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2ReadPII"],"BasicAuth":["OAuth2ReadPII"]}],"x-BTVisibility":"INTERNAL"}},"/billing/publishKey":{"get":{"tags":["Billing"],"description":"Get publishable billing key","operationId":"getPublishableKey","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/blobelements/d/{did}/w/{wid}":{"post":{"tags":["BlobElement"],"summary":"Upload a file and create a blob element from it.","description":"Request body parameters are multipart fields, so you must use `\"Content-Type\":\"multipart/form-data\"` in the request header.","operationId":"uploadFileCreateElement","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"allowFaultyParts":{"type":"boolean","description":"If true, and a part doesn't pass Onshape validation, it will be imported with faults."},"createComposite":{"type":"boolean"},"createDrawingIfPossible":{"type":"boolean"},"encodedFilename":{"type":"string","description":"If the filename contains non-ASCII characters. Use this field to store the filename."},"extractAssemblyHierarchy":{"type":"boolean"},"flattenAssemblies":{"type":"boolean","description":"If the file is an assembly, or contains an assembly, setting this to True will import it as a Part Studio. In this case the assembly will be flattened to a set of parts in a Part Studio. There will be duplicate parts created whenever a part is instanced more than once. 
If False, it will be imported as an Assembly."},"formatName":{"type":"string"},"joinAdjacentSurfaces":{"type":"boolean"},"locationElementId":{"type":"string"},"locationGroupId":{"type":"string"},"locationPosition":{"type":"integer","format":"int32","default":-1},"notifyUser":{"type":"boolean","default":true},"ownerId":{"type":"string"},"parentId":{"type":"string"},"projectId":{"type":"string"},"public":{"type":"boolean"},"onePartPerDoc":{"type":"boolean","default":false},"splitAssembliesIntoMultipleDocuments":{"type":"boolean","default":false},"storeInDocument":{"type":"boolean","default":true},"translate":{"type":"boolean","default":true},"unit":{"type":"string","default":""},"uploadId":{"type":"string"},"versionString":{"type":"string"},"importAppearances":{"type":"boolean","description":"Face appearances defined on models will be imported.","default":true},"yAxisIsUp":{"type":"boolean","description":"If the file was created in a system that orients with Y Axis Up, the models would by default be brought into Onshape (a Z Axis Up system) with a flipped coordinate system. 
Toggle this value to reorient the axis system to match Onshape and display the model with the coordinates you expect."},"importWithinDocument":{"type":"boolean"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementProcessingInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/blobelements/d/{did}/w/{wid}/e/{eid}":{"get":{"tags":["BlobElement"],"summary":"Download a file from a blob element for the specified workspace/version/microversion.","description":"See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"downloadFileWorkspace","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"contentDisposition","in":"query","description":"If \"attachment\", includes a Content-Disposition return header with the filename.","schema":{"type":"string"}},{"name":"If-None-Match","in":"header","description":"Entity tag; an md5 checksum of the data in double quotes. 
If the data to download has the same checksum as this entity tag, a 304 'Not Modified' status will be returned. The entity tag is returned in the response headers as ETag.","schema":{"type":"string"}}],"responses":{"default":{"description":"File download.","content":{"application/octet-stream":{"schema":{"type":"string","format":"binary"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["BlobElement"],"summary":"Update a blob element by uploading a file.","description":"Request body parameters are multipart fields, so you must use `\"Content-Type\":\"multipart/form-data\"` in the request header.","operationId":"uploadFileUpdateElement","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"parentChangeId","in":"query","description":"The id of the last change made to this application element. 
This can be retrieved from the response for any app element modification endpoint.","schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"allowFaultyParts":{"type":"boolean","description":"If true, and a part doesn't pass Onshape validation, it will be imported with faults."},"createComposite":{"type":"boolean"},"createDrawingIfPossible":{"type":"boolean"},"encodedFilename":{"type":"string","description":"If the filename contains non-ASCII characters. Use this field to store the filename."},"extractAssemblyHierarchy":{"type":"boolean"},"flattenAssemblies":{"type":"boolean","description":"If the file is an assembly, or contains an assembly, setting this to True will import it as a Part Studio. In this case the assembly will be flattened to a set of parts in a Part Studio. There will be duplicate parts created whenever a part is instanced more than once. If False, it will be imported as an Assembly."},"formatName":{"type":"string"},"joinAdjacentSurfaces":{"type":"boolean"},"locationElementId":{"type":"string"},"locationGroupId":{"type":"string"},"locationPosition":{"type":"integer","format":"int32","default":-1},"notifyUser":{"type":"boolean","default":true},"ownerId":{"type":"string"},"parentId":{"type":"string"},"projectId":{"type":"string"},"public":{"type":"boolean"},"onePartPerDoc":{"type":"boolean","default":false},"splitAssembliesIntoMultipleDocuments":{"type":"boolean","default":false},"storeInDocument":{"type":"boolean","default":true},"translate":{"type":"boolean","default":true},"unit":{"type":"string","default":""},"uploadId":{"type":"string"},"versionString":{"type":"string"},"importAppearances":{"type":"boolean","description":"Face appearances defined on models will be imported.","default":true},"yAxisIsUp":{"type":"boolean","description":"If the file was created in a system that orients with Y Axis Up, the models would by 
default be brought into Onshape (a Z Axis Up system) with a flipped coordinate system. Toggle this value to reorient the axis system to match Onshape and display the model with the coordinates you expect."},"importWithinDocument":{"type":"boolean"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementProcessingInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/blobelements/d/{did}/w/{wid}/e/{eid}/em/{emid}":{"get":{"tags":["BlobElement"],"summary":"Retrieve a blob element (icons or images) by document ID, element ID, and element microversion ID.","operationId":"downloadFileAtElementMicroversion","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"emid","in":"path","description":"The id of the element microversion in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"contentDisposition","in":"query","description":"If \"attachment\", includes a Content-Disposition return header with the filename.","schema":{"type":"string"}},{"name":"If-None-Match","in":"header","description":"Entity tag; an md5 checksum of the data in double quotes. If the data to download has the same checksum as this entity tag, a 304 'Not Modified' status will be returned. The entity tag is returned in the response headers as ETag.","schema":{"type":"string"}}],"responses":{"default":{"description":"File download.","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"binary"}},"application/octet-stream":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/blobelements/d/{did}/w/{wid}/e/{eid}/translationformats":{"get":{"tags":["BlobElement"],"description":"Returns a list of the available formats to which this Blob element can be translated. 
If the","operationId":"getBlobTranslatorFormats","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"}},"/blobelements/d/{did}/w/{wid}/e/{eid}/units":{"post":{"tags":["BlobElement"],"summary":"Change the measurement units for the blob element.","operationId":"updateUnits","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateMeshUnitsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementProcessingInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/blobelements/d/{did}/{vm}/{vmid}/e/{eid}":{"get":{"tags":["BlobElement"],"summary":"Retrieve a file from blob element by document ID, version or microversion ID, and tab ID.","operationId":"downloadFile","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"vm","in":"path","description":"Indicates which of the version (v) or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["v","m"]}},{"name":"vmid","in":"path","description":"The id of the version or microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"contentDisposition","in":"query","description":"If \"attachment\", includes a Content-Disposition return header with the filename.","schema":{"type":"string"}},{"name":"If-None-Match","in":"header","description":"Entity tag; an md5 checksum of the data in double quotes. If the data to download has the same checksum as this entity tag, a 304 'Not Modified' status will be returned. 
The entity tag is returned in the response headers as ETag.","schema":{"type":"string"}}],"responses":{"default":{"description":"File download.","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"binary"}},"application/octet-stream":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}]}},"/blobelements/d/{did}/{wvm}/{wvmid}/e/{eid}/direct":{"get":{"tags":["BlobElement"],"summary":"Retrieve blob element directly from storage by document ID, workspace or version or microversion ID, and tab ID.","operationId":"downloadFileDirect","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"307":{"description":"A 
Redirect!"}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/blobelements/d/{did}/{wv}/{wvid}/e/{eid}/translations":{"post":{"tags":["BlobElement"],"summary":"Export a blob element to another format.","description":"* Use `formatName` in the JSON request body to specify the export file type. Use [Translations/getAllTranslatorFormats](https://cad.onshape.com/glassworks/explorer/#/Translation/getAllTranslatorFormats) to get a list of valid export file formats. \n* Set `storeInDocument` to `true` to export to a data file. Set to `false` to export to a blob element in the same document. \n* See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"createBlobTranslation","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/build":{"get":{"tags":["Build"],"description":"Get build number to display on landing page","operationId":"getBuild","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/build/details":{"get":{"tags":["Build"],"description":"Get details about the current Onshape build","operationId":"getDetails","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"object"}}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/build/production":{"get":{"tags":["Build"],"description":"Get whether or not you're on a production 
stack","operationId":"getProduction","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"object"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/capabilities":{"get":{"tags":["Capability"],"description":"Returns a paginated list of capabilities","operationId":"getCapabilities","parameters":[{"name":"query","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"name"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCapabilitySummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/capabilities/all":{"get":{"tags":["Capability"],"description":"Returns a list of all capabilities","operationId":"getAllCapabilities","parameters":[{"name":"query","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"name"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTBaseInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/capabilities/allcurrent":{"get":{"tags":["Capability"],"description":"Evaluate the groovy script for each capability. 
Return all current active ones (not deleted)","operationId":"checkAllCapabilities","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/capabilities/check":{"get":{"tags":["Capability"],"description":"Evaluate the groovy script for each capability from the input list","operationId":"checkBulkCapabilities","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"capabilities","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Capability"],"description":"Evaluate the groovy script for each capability from the input list","operationId":"checkCapabilities","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityCheckParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/capabilities/check/{service}/{feature}":{"get":{"tags":["Capability"],"description":"Evaluate the groovy script of a capability with specified service type/feature name","operationId":"capable","parameters":[{"name":"service","in":"path","required":true,"schema":{"type":"string"}},{"name":"feature","in":"path","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapableInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/capabilities/{cid}":{"get":{"tags":["Capability"],"description":"Returns information about one capability","operationId":"getCapability","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Capability"],"description":"Update a capability with new rules","operationId":"updateCapabilitiesById","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/capabilities/{service}/{capability}":{"get":{"tags":["Capability"],"description":"Returns information about one capability","operationId":"getCapabilityByName","parameters":[{"name":"service","in":"path","required":true,"schema":{"type":"string"}},{"name":"capability","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Capability"],"description":"Update a capability with new rule by 
name","operationId":"updateByName","parameters":[{"name":"service","in":"path","required":true,"schema":{"type":"string"}},{"name":"capability","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/changes/changeorders":{"get":{"tags":["Change"],"description":"Returns all the change orders within the session's enterprise company","operationId":"getChangeOrders","parameters":[{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":50}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"modifiedAt"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"searchText","in":"query","schema":{"type":"string","default":""}},{"name":"isOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"status","in":"query","schema":{"type":"string","default":"open"}},{"name":"createdWithinDays","in":"query","schema":{"maximum":90,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Create a new change order within the session's enterprise company","operationId":"createChangeOrder","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}":{"get":{"tags":["Change"],"description":"Returns the change order given the change order id","operationId":"getChangeOrder","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Update change order","operationId":"updateChangeOrder","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Change"],"description":"Delete a change order","operationId":"deleteChangeOrder","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/affected":{"get":{"tags":["Change"],"description":"Returns the affected items of the specified change order","operationId":"getChangeOrderAffectedItems","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"number"}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}},{"name":"withReleaseItems","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeOrderAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Create a new affected item for this change order","operationId":"createChangeOrderAffectedItems","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTChangeOrderAffectedItemParams"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeOrderAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/affected/{afid}":{"delete":{"tags":["Change"],"description":"Delete an affected item from change 
order","operationId":"deleteChangeOrderAffectedItem","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}},{"name":"afid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/affected/{aiid}":{"post":{"tags":["Change"],"description":"Update an affected item for this change order","operationId":"updateChangeOrderAffectedItem","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aiid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderAffectedItemUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/relationships":{"get":{"tags":["Change"],"description":"Returns the relationships of the specified change order","operationId":"getChangeOrderRelationships","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeResourceRelationshipInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Create a new relationship for this change 
order","operationId":"createChangeOrderRelationship","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceRelationshipParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceRelationshipInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/relationships/{rid}":{"delete":{"tags":["Change"],"description":"Delete a change order relationship","operationId":"deleteChangeOrderRelationship","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/subscription":{"post":{"tags":["Change"],"description":"Update subscription for change order","operationId":"updateChangeOrderSubscription","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/tasks":{"get":{"tags":["Change"],"description":"Returns all the change tasks for a given change 
order","operationId":"getChangeTasks","parameters":[{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":50}},{"name":"direction","in":"query","schema":{"type":"string","default":"asc"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"number"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"searchText","in":"query","schema":{"type":"string","default":""}},{"name":"isOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"coid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changeorders/{coid}/transition/{transition}":{"post":{"tags":["Change"],"description":"Transition change order","operationId":"transitionChangeOrder","parameters":[{"name":"coid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeOrderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests":{"get":{"tags":["Change"],"description":"Returns all the change requests within the session's enterprise 
company","operationId":"getChangeRequests","parameters":[{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":50}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"modifiedAt"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"searchText","in":"query","schema":{"type":"string","default":""}},{"name":"isOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"status","in":"query","schema":{"type":"string","default":"open"}},{"name":"createdWithinDays","in":"query","schema":{"maximum":90,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Create a new change request within the session's enterprise company","operationId":"createChangeRequest","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}":{"get":{"tags":["Change"],"description":"Returns the change request given the change request id","operationId":"getChangeRequest","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Update change request","operationId":"updateChangeRequest","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Change"],"description":"Delete a change request","operationId":"deleteChangeRequest","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/affected":{"get":{"tags":["Change"],"description":"Returns the affected items of the specified change request","operationId":"getChangeRequestAffectedItems","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"number"}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeRequestAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Create a new affected item for this change request","operationId":"createChangeRequestAffectedItems","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTChangeRequestAffectedItemParams"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeRequestAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/affected/{afid}":{"delete":{"tags":["Change"],"description":"Delete an affected item from change request","operationId":"deleteChangeRequestAffectedItem","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}},{"name":"afid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/affected/{aiid}":{"post":{"tags":["Change"],"description":"Update an affected item for this change request","operationId":"updateChangeRequestAffectedItem","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aiid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangePropertyUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/relationships":{"get":{"tags":["Change"],"description":"Returns the relationships of the specified change request","operationId":"getChangeRequestRelationships","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeResourceRelationshipInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Create a new relationship for this change request","operationId":"createChangeRequestRelationship","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceRelationshipParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceRelationshipInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/relationships/{rid}":{"delete":{"tags":["Change"],"description":"Delete a change request 
relationship","operationId":"deleteChangeRequestRelationship","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/subscription":{"post":{"tags":["Change"],"description":"Update subscription for change request","operationId":"updateChangeRequestSubscription","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changerequests/{crid}/transition/{transition}":{"post":{"tags":["Change"],"description":"Transition change request","operationId":"transitionChangeRequest","parameters":[{"name":"crid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks":{"post":{"tags":["Change"],"description":"Create a new change task","operationId":"createChangeTask","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}":{"get":{"tags":["Change"],"description":"Returns the change task given the change task id","operationId":"getChangeTask","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Change"],"description":"Update change task","operationId":"updateChangeTask","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeResourceUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Change"],"description":"Delete a change task","operationId":"deleteChangeTask","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/affected":{"get":{"tags":["Change"],"description":"Returns the affected items of the specified change 
task","operationId":"getChangeTaskAffectedItems","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"number"}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}},{"name":"withReleaseItems","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeOrderAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/affected/fillpartnumbers":{"post":{"tags":["Change"],"description":"Fill missing part numbers for change task affected items","operationId":"fillChangeTaskAffectedItemPartNumbers","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"number"}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAffectedReleaseItemParams"}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeOrderAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/refreshaffected":{"get":{"tags":["Change"],"description":"Returns the refreshed affected items of the specified change 
task","operationId":"refreshChangeTaskAffectedItems","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortBy","in":"query","schema":{"type":"string","default":"number"}},{"name":"direction","in":"query","schema":{"type":"string","default":"desc"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangeOrderAffectedItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/reopen":{"post":{"tags":["Change"],"description":"Reopens the change task","operationId":"reopenChangeTask","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/start":{"post":{"tags":["Change"],"description":"Starts the change task","operationId":"startChangeTask","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/subscription":{"post":{"tags":["Change"],"description":"Update subscription for change task","operationId":"updateChangeTaskSubscription","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/changes/changetasks/{ctid}/transition/{transition}":{"post":{"tags":["Change"],"description":"Transition change task","operationId":"transitionChangeTask","parameters":[{"name":"ctid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms":{"post":{"tags":["Classroom"],"description":"Create a new classroom","operationId":"createClassroom","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/access":{"get":{"tags":["Classroom"],"description":"Get classroom access. 
It will tell if current user has access to create classroom.","operationId":"getClassroomAccess","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/ClassroomAccessInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/document/{did}/submissions":{"get":{"tags":["Classroom"],"description":"Get submissions by document id","operationId":"getStudentSubmissionsForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}":{"get":{"tags":["Classroom"],"description":"Get classroom info. 
Caller must be admin, or member of the classroom.","operationId":"getClassroom","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Update info for a classroom","operationId":"updateClassroom","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Classroom"],"description":"Delete a classroom; this does not remove any users from Onshape","operationId":"deleteClassroom","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/all/documents":{"get":{"tags":["Classroom"],"description":"List documents in a 
classroom","operationId":"getAllDocumentsInClassroom","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments":{"get":{"tags":["Classroom"],"description":"Get assignments associated with class","operationId":"getAssignments","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTClassAssignmentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Create assignment for 
class.","operationId":"createAssignment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssignmentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassAssignmentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}":{"get":{"tags":["Classroom"],"description":"Get assignments by provided assignment id","operationId":"getAssignment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassAssignmentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Update assignment for class.","operationId":"updateAssignment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAssignmentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassAssignmentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Classroom"],"description":"Delete assignments by assignment 
id","operationId":"deleteAssignment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/documents":{"get":{"tags":["Classroom"],"description":"List documents of an assignment","operationId":"getAssignmentDocuments","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Add new document to an assignment","operationId":"addAssignmentDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/documents/{adid}":{"delete":{"tags":["Classroom"],"description":"Remove a document from an 
assignment","operationId":"removeAssignmentDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"adid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/state":{"post":{"tags":["Classroom"],"summary":"Transition assignment from one state to another but do not perform any actions configured in assignment workflow. All state changes must be done by an Onshape admin or an EDU enterprise admin/classroom educator.","operationId":"updateAssignmentState","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomObjectStateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/submissions":{"get":{"tags":["Classroom"],"description":"Get all submissions for assignment and 
classroom","operationId":"getAssignmentSubmissions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"q","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Create a new submission","operationId":"createSubmission","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStudentSubmissionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/submissions/{sid}":{"delete":{"tags":["Classroom"],"description":"Delete submission by submission 
id","operationId":"deleteSubmission","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/submissions/{sid}/documents":{"get":{"tags":["Classroom"],"description":"List documents of a student submission","operationId":"getStudentSubmissionDocuments","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Add new document to a student submission","operationId":"addStudentSubmissionDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/submissions/{sid}/documents/{sdid}":{"delete":{"tags":["Classroom"],"description":"Remove a document from student submission","operationId":"removeStudentSubmissionDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sdid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/submissions/{sid}/{transition}":{"post":{"tags":["Classroom"],"description":"Transition the student submission for given transition name","operationId":"transitionStudentSubmission","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/assignments/{aid}/{transition}":{"post":{"tags":["Classroom"],"description":"Transition the assignment for given transition name","operationId":"transitionAssignmment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassAssignmentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/copy":{"post":{"tags":["Classroom"],"description":"Copy classroom","operationId":"copyClassroom","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/count":{"get":{"tags":["Classroom"],"description":"Get count of educator and student in classroom. 
Caller must be admin, or member of the classroom.","operationId":"getEducatorAndStudentCount","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberCountInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/documents":{"get":{"tags":["Classroom"],"description":"List documents of a classroom; max 20 per page","operationId":"getClassroomDocuments","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Add new document to a classroom","operationId":"addClassroomDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/documents/{cdid}":{"post":{"tags":["Classroom"],"description":"Update classroom document 
metadata","operationId":"updateClassroomDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cdid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Classroom"],"description":"Remove a document from a classroom","operationId":"removeClassroomDocument","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cdid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/members":{"get":{"tags":["Classroom"],"description":"List members of a classroom; max 20 per page","operationId":"getClassroomMembers","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"q","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTClassroomMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Add new member to a classroom; sends them an invitation","operationId":"addClassroomMember","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/members/bulk":{"post":{"tags":["Classroom"],"description":"Add new members to a classroom; sends them an invitation","operationId":"addClassroomMembers","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberListParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberListInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/members/csv":{"post":{"tags":["Classroom"],"description":"Add new member to a classroom by csv; sends them an invitation","operationId":"addClassroomMembersByCsv","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to 
upload."}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTManageMembersByCSVInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/members/{memberType}/{mid}/submissions":{"get":{"tags":["Classroom"],"description":"Get all submissions for member","operationId":"getSubmissionsForMember","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"memberType","in":"path","required":true,"schema":{"type":"string"}},{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/members/{membertype}/{mid}":{"get":{"tags":["Classroom"],"description":"Get classroom member information","operationId":"getClassroomMember","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"membertype","in":"path","required":true,"schema":{"type":"string"}},{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Classroom"],"description":"Update classroom member 
info","operationId":"updateClassroomMember","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"membertype","in":"path","required":true,"schema":{"type":"string"}},{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Classroom"],"description":"Remove a member from a classroom","operationId":"removeClassroomMember","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"membertype","in":"path","required":true,"schema":{"type":"string"}},{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/members/{membertype}/{mid}/assignments/{aid}/submissions":{"get":{"tags":["Classroom"],"description":"Get submissions for assignment and member.","operationId":"getAssignmentSubmissionsForMember","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"membertype","in":"path","required":true,"schema":{"type":"string"}},{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/state":{"post":{"tags":["Classroom"],"summary":"Transition classroom from one state to another. All state changes must be done by an Onshape admin or an EDU enterprise admin/classroom educator.","operationId":"updateClassroomState","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClassroomObjectStateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/classrooms/{cid}/submissions/{sid}":{"get":{"tags":["Classroom"],"description":"Get submission by id","operationId":"getStudentSubmission","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStudentSubmissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/clientinfo/drift":{"get":{"tags":["ClientInfo"],"description":"Get the load identifier (Drift 'key').","operationId":"getDriftLoadId","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/clientinfo/recaptcha/invite":{"get":{"tags":["ClientInfo"],"description":"Returns the Google Recaptcha site key for the current deployment for 
the signup page.","operationId":"getRecaptchaSiteKeyForInvite","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/clientinfo/recaptcha/login":{"get":{"tags":["ClientInfo"],"description":"Returns the Google Recaptcha site key for the current deployment for the login page. The recaptcha site key returned will be either the recaptchaV2 site key or the recaptchaV3 site key depending on the capabilities enabled.","operationId":"getRecaptchaSiteKeyForLogin","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/clientinfo/thirdPartyKeys":{"get":{"tags":["ClientInfo"],"description":"Return third party API keys used in the Onshape client","operationId":"getGoogleAnalyticsKeys","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClientThirdPartyKeyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/clientinfo/xsrf":{"get":{"tags":["ClientInfo"],"description":"Returns information about the rule with the provided ID","operationId":"getXSRFInfo","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTXSRFInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cloudstorageaccount":{"get":{"tags":["CloudStorageAccount"],"description":"Get all Cloud storage accounts for a 
user.","operationId":"getCloudStorageAccounts","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageAccountListInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cloudstorageaccount/providers":{"get":{"tags":["CloudStorageAccount"],"description":"Get all integration providers (We need to find a better home for this API. Currently all","operationId":"getIntegrationProviders","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTIntegrationProviderInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cloudstorageaccount/{csaid}":{"get":{"tags":["CloudStorageAccount"],"description":"Get Cloud storage account by Id","operationId":"getCloudStorageAccountById","parameters":[{"name":"csaid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageAccountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["CloudStorageAccount"],"description":"Update Cloud storage import/export folder Id account by Id","operationId":"updateImportExportFolderId","parameters":[{"name":"csaid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageAccountParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageAccountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["CloudStorageAccount"],"description":"Delete Cloud storage account by Id","operationId":"deleteCloudStorageAccountById","parameters":[{"name":"csaid","in":"path","required":true,"schema":{"type":"string"}},{"name":"purge","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cms/contactus":{"get":{"tags":["Content"],"description":"Get contact us URL for mobile clients","operationId":"getContactUsLink","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHelpLinkInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cms/feedback":{"get":{"tags":["Content"],"description":"Get list of feedback URLs for mobile clients","operationId":"getFeedbackLinks","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHelpLinkInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cms/help":{"get":{"tags":["Content"],"description":"Gets list of Help links to be used in mobile clients","operationId":"getHelpLinks","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHelpLinkInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cms/onboarding/docUrl":{"get":{"tags":["Content"],"description":"Get anonymous document URL for on-boarding help. 
This document will be used to train user on","operationId":"getOnboardingDocUrl","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHelpLinkInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cms/onboarding/zerostatedoc":{"get":{"tags":["Content"],"description":"Get document information for for zero state document. If no document id is passed, uses template id from configuration.","operationId":"getZeroStateDoc","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZerostateDocInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Content"],"description":"This API records the copied document information for zero state document in user metrics for avoiding future copies.","operationId":"setZeroStateDocUrl","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZeroStateDocumentParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZerostateDocInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/cms/welcome":{"get":{"tags":["Content"],"description":"Get welcome URL for mobile clients","operationId":"getWelcomeLink","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHelpLinkInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/comments":{"get":{"tags":["Comment"],"summary":"Get a list of comments in a 
document.","operationId":"getComments","parameters":[{"name":"did","in":"query","schema":{"type":"string","default":""}},{"name":"objectType","in":"query","schema":{"type":"integer","format":"int32","default":6}},{"name":"pid","in":"query","schema":{"type":"string","default":""}},{"name":"eid","in":"query","schema":{"type":"string","default":""}},{"name":"filter","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"resolved","in":"query","schema":{"type":"boolean","default":true}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Comment"],"summary":"Update a document with a new comment.","operationId":"createComment","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/comments/subscription":{"post":{"tags":["Comment"],"description":"Update user's subscription to comments","operationId":"updateSubscription","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentSubscriptionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentSubscriptionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/comments/subscription/{did}":{"get":{"tags":["Comment"],"description":"Check if user is subscribed to comment notifications","operationId":"getSubscription","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentSubscriptionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/comments/{cid}":{"get":{"tags":["Comment"],"summary":"Get details for a comment.","operationId":"getComment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Comment"],"summary":"Update the content of an existing comment.","operationId":"updateComment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Comment"],"summary":"Delete a comment from a document.","operationId":"deleteComment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/comments/{cid}/attachment":{"post":{"tags":["Comment"],"summary":"Add an attachment to a comment.","operationId":"addAttachment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"required":["file"],"type":"object","properties":{"file":{"type":"object","description":"The file to upload."}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Comment"],"summary":"Delete all attachments from a comment.","operationId":"deleteAttachments","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/comments/{cid}/attachment/{fdid}.{ext}":{"get":{"tags":["Comment"],"summary":"Get the attachment with the specified file extension that is associated with the specified comment.","description":"Returns only a single 
attachment.","operationId":"getAttachment","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"fdid","in":"path","required":true,"schema":{"type":"string"}},{"name":"ext","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/comments/{cid}/reopen":{"post":{"tags":["Comment"],"summary":"Reopen a resolved comment.","operationId":"reopen","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/comments/{cid}/resolve":{"post":{"tags":["Comment"],"summary":"Resolve a comment.","operationId":"resolve","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/comments/{did}/summary":{"get":{"tags":["Comment"],"summary":"Get the count of open and unresolved tasks assigned to user in specified document","operationId":"getSummary","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"query","schema":{"type":"string","default":""}},{"name":"vid","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCommentSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies":{"get":{"tags":["Company"],"summary":"Get all companies to which the specified user belongs.","description":"If no user is specified, will return all companies associated with the current user.","operationId":"findCompany","parameters":[{"name":"uid","in":"query","schema":{"type":"string"}},{"name":"activeOnly","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeAll","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Company"],"description":"Create a new company","operationId":"createCompany","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanySummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/admin/onshape":{"get":{"tags":["Company"],"description":"Return whether or not user is Onshape admin","operationId":"isOnshapeAdmin","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOnshapeAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/admin/{cid}":{"get":{"tags":["Company"],"description":"Get company info; 
admin-only","operationId":"getCompanyForAdmin","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"activeOnly","in":"query","schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/admin/{cid}/identitymanagement":{"get":{"tags":["Company"],"description":"Return all enterprise company identity management configurations. At most one is active.","operationId":"getAllCompanyIdentityManagementForAdmin","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTIdentityManagementBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/all":{"get":{"tags":["Company"],"description":"Admin endpoint to get paginated list of all companies","operationId":"getAllCompanies","parameters":[{"name":"query","in":"query","schema":{"type":"string","default":""}},{"name":"enterpriseOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"state","in":"query","schema":{"type":"integer","format":"int32","default":-1}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/domain/{dpx}":{"get":{"tags":["Company"],"description":"Checks whether or not domain prefix is taken or is available.","operationId":"isDomainPrefixAvailable","parameters":[{"name":"dpx","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/edu":{"get":{"tags":["Company"],"description":"Endpoint to get companies with owner on EDU_YEARLY plan.","operationId":"getCompaniesWithOwnerPlanEdu","parameters":[{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"endDate","in":"query","schema":{"type":"string"}},{"name":"limit","in":"query","schema":{"maximum":500,"minimum":1,"type":"integer","format":"int32","default":100}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyOwnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Company"],"description":"Endpoint delete companies with owner on EDU_YEARLY plan","operationId":"deleteCompaniesWithOwnerPlanEdu","parameters":[{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"endDate","in":"query","schema":{"type":"string"}},{"name":"limit","in":"query","schema":{"maximum":500,"minimum":1,"type":"integer","format":"int32","default":100}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyOwnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/enterprise/loginInfo":{"get":{"tags":["Company"],"description":"Provides 
the enterprise login information based on the domain prefix. Be aware that this is an","operationId":"getEnterpriseLoginInfo","parameters":[{"name":"RelayState","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseLoginInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/enterprises":{"get":{"tags":["Company"],"description":"Endpoint to get list of all enterprise companies the user belongs too","operationId":"getEnterprises","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanySummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2ReadPII"],"BasicAuth":["OAuth2ReadPII"]}],"x-BTVisibility":"INTERNAL"}},"/companies/globalpermission":{"get":{"tags":["Company"],"description":"Get static definitions of all global permissions","operationId":"getGlobalPermissionDefinitions","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalPermissionDefinitionsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies/globalpermissions/companies":{"post":{"tags":["Company"],"description":"Endpoint to get a list of global permissions for the users in each company asked for","operationId":"getUsersCompaniesPermissionsByCompanyIds","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":1000,"minimum":1,"type":"integer","format":"int32","default":20}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyPermissionsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies/globalpermissions/users":{"post":{"tags":["Company"],"description":"Endpoint to get map of users to a list of the companies each user has access to, the user type","operationId":"getUsersCompaniesPermissions","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTCompanyPermissionsInfo"}}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement":{"get":{"tags":["Company"],"description":"Return all enterprise company identity management configurations. 
At most one is active.","operationId":"getAllCompanyIdentityManagement","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTIdentityManagementBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/google":{"post":{"tags":["Company"],"description":"Configure enterprise company identity management for google","operationId":"setCompanyIdentityManagementGoogle","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/login":{"get":{"tags":["Company"],"description":"Indicates whether enterprise identity management is configured for the company. 
Since this is","operationId":"getCompanyIdentityManagementLogin","parameters":[{"name":"RelayState","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementLoginInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/saml2/metadata":{"post":{"tags":["Company"],"description":"Configure enterprise company identity management, though a static XML metadata file","operationId":"setCompanyIdentityManagementXML","parameters":[{"name":"enable","in":"query","schema":{"type":"string","default":"true"}},{"name":"disablePasswordSignIn","in":"query","schema":{"type":"string","default":"false"}},{"name":"name","in":"query","schema":{"type":"string"}},{"name":"providerType","in":"query","schema":{"type":"integer","format":"int32"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"uploadId":{"type":"string"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/validate/{invid}":{"post":{"tags":["Company"],"description":"Update auto-provisioning invitation","operationId":"updateAutoProvisioningInvitation","parameters":[{"name":"invid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/{eimid}":{"get":{"tags":["Company"],"description":"Return enterprise company identity management 
configuration.","operationId":"getCompanyIdentityManagement","parameters":[{"name":"eimid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Company"],"description":"'Hard' delete of an enterprise identity management configuration. This may result in users being","operationId":"deleteCompanyIdentityManagement","parameters":[{"name":"eimid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/{eimid}/google":{"post":{"tags":["Company"],"description":"Updates the company identity management for Google SSO","operationId":"updateCompanyIdentityManagementGoogle","parameters":[{"name":"eimid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/{eimid}/saml2":{"post":{"tags":["Company"],"description":"Updates the company identity management saml2.","operationId":"updateCompanyIdentityManagementSaml2","parameters":[{"name":"eimid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdentityManagementParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/identitymanagement/{eimid}/state":{"post":{"tags":["Company"],"description":"Enables the enterprise identity management configuration. This disables any currently enabled","operationId":"enableCompanyIdentityManagement","parameters":[{"name":"eimid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Company"],"description":"'Soft' delete (disables) of an enterprise identity management configuration. This may result in","operationId":"disableCompanyIdentityManagement","parameters":[{"name":"eimid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/onshape":{"get":{"tags":["Company"],"description":"Admin endpoint to get Onshape company details for standard content etc","operationId":"getOnshapeCompany","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/syncusers":{"post":{"tags":["Company"],"description":"Activate inactive companyusers if user and company are active","operationId":"syncUsers","parameters":[{"name":"dryrun","in":"query","schema":{"type":"boolean","default":true}},{"name":"cid","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/user/domains":{"get":{"tags":["Company"],"description":"Endpoint to get info of all the domains the user has access to","operationId":"getUserDomains","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTDomainInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/user/totppolicy":{"get":{"tags":["Company"],"description":"returns true if any one of users companies has totp required policy is set to true, otherwise","operationId":"getUserTotpPolicy","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/users/{uid}/globalpermissions":{"get":{"tags":["Company"],"description":"Endpoint to get list of the companies the user has access to, the user type (light vs. 
full) and","operationId":"getUserCompaniesPermissions","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyPermissionsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}":{"get":{"tags":["Company"],"summary":"Get company information by company ID.","operationId":"getCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Company"],"description":"Update company information, including address","operationId":"updateCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Company"],"summary":"Delete a company","description":"Admin action to delete company. 
This will not delete all the user accounts from onshape, but removes the association between company and user.","operationId":"deleteCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["enterprise.delete"],"BasicAuth":["enterprise.delete"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/activate":{"post":{"tags":["Company"],"description":"Activate company request. Changes the company state from requested to active.","operationId":"activate","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyActivateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/addCreatorAcl":{"post":{"tags":["Company"],"description":"Admin endpoint to add FULL permission ACL entry for document creators where required.","operationId":"addAclEntryForCreator","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/appPurchases":{"get":{"tags":["Company"],"operationId":"getCompanyAppPurchases","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/appPurchases/oneTime":{"get":{"tags":["Company"],"operationId":"getCompanyOneTimeAppPurchases","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPurchaseInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/captureContentReferences":{"post":{"tags":["Company"],"description":"Capture content references for all of a company's documents. If forceClean parameter is passed","operationId":"captureCompanyContentReferences","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeAllVersions","in":"query","schema":{"type":"boolean","default":true}},{"name":"force","in":"query","schema":{"type":"boolean","default":true}},{"name":"ignoreExistingRunState","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeMetadata","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeAppElements","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":true}},{"name":"includePreviousFailures","in":"query","schema":{"type":"boolean","default":true}},{"name":"workspaceMode","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"futureTimeout","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"maxUpgradeModeToProcess","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"maxDocuments","in":"query","schema":{"type":"integer","format":"int3
2","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/changeDomainPrefix":{"post":{"tags":["Company"],"description":"Changes the current domain prefix, adds the current domain prefix to secondary domain prefixes","operationId":"changeDomainPrefix","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/documentsbyname":{"get":{"tags":["Company"],"summary":"Get document by exact document name.","description":"This API can only be called by company admins. 
Use the `name` field for the exact document name string.","operationId":"getDocumentsByName","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentSummaryInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/companies/{cid}/events":{"get":{"tags":["Company"],"description":"Return company-related activities","operationId":"getCompanyEvents","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"startTime","in":"query","schema":{"type":"string","format":"date-time"}},{"name":"endTime","in":"query","schema":{"type":"string","format":"date-time"}},{"name":"user","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"document","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"allowEarlyTermination","in":"query","schema":{"type":"boolean"}},{"name":"maxMetricsScanBackSecs","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"maxMetricsScanIterations","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"project","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"maxEvents","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"collapse","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseEventsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/globalpermission":{"get":{"tags":["Company"],"description":"Get info about assignments of users 
to all global permissions","operationId":"getGlobalPermissions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"permission","in":"query","schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalPermissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Company"],"description":"Add to one or more users' global permissions","operationId":"addGlobalPermissions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"overwrite","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalPermissionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalPermissionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/globalpermission/{type}/{id}":{"delete":{"tags":["Company"],"description":"Clear all or some of a user's global permissions","operationId":"clearGlobalPermissions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"type","in":"path","required":true,"schema":{"type":"integer","format":"int32"}},{"name":"id","in":"path","required":true,"schema":{"type":"string"}},{"name":"permission","in":"query","schema":{"type":"array","items":{"type":"integer","format":"int32"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/guests":{"get":{"tags":["Company"],"description":"Get list of guest user ids for the supplied company","operationId":"getAllGuestUsers","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/lightusers":{"get":{"tags":["Company"],"description":"Get list of light user ids for the supplied company","operationId":"getAllLightUsers","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/logo":{"post":{"tags":["Company"],"description":"Upload a company logo","operationId":"saveLogo","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"xOffsetPx","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"yOffsetPx","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"sizePx","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"ySizePx","in":"query","schema":{"type":"integer","format":"int32","default":0}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"uploadId":{"type":"string"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanySummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Company"],"description":"Delete a company's logo","operationId":"deleteLogo","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/lui":{"get":{"tags":["Company"],"description":"Get whether the company has enabled/disabled light ui. Enterprise companies are the only","operationId":"getLui","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/nopublicdocuments":{"post":{"tags":["Company"],"description":"Update noPublicDocuments policy for a company. 
This option will block creation of public document","operationId":"updateNoPublicDocuments","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyNoPublicDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/policies":{"get":{"tags":["Company"],"description":"Returns the company-level policies for the specified company.","operationId":"getCompanyPolicies","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyPoliciesInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Company"],"description":"Sets the company-level policies for the specified company.","operationId":"setCompanyPolicies","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyPoliciesParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyPoliciesInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/populatePredefinedTeams":{"post":{"tags":["Company"],"description":"Admin end point to populate predefined teams for 
enterprises","operationId":"populatePredefinedTeams","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"dryrun","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPredefinedTeamSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/resetguestusers":{"post":{"tags":["Company"],"description":"Set guest users to member users for BUSINESS_EDU plan company","operationId":"resetGuestUsers","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserCountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/secondaryDomainPrefix/{dpx}":{"delete":{"tags":["Company"],"description":"Removes the supplied domain prefix from secondary domain prefixes list.","operationId":"deleteSecondaryDomainPrefix","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"dpx","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/state":{"post":{"tags":["Company"],"description":"Transition company from one state to other. 
All state changes should be done by Onshape admin.","operationId":"updateCompanyState","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/transfer":{"post":{"tags":["Company"],"description":"Transfer billing ownership for a PO based company. This will not work for credit card based","operationId":"transferOwnership","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyTransferParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/usercount":{"get":{"tags":["Company"],"description":"Get the number of company members","operationId":"getUserCount","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"type","in":"query","schema":{"type":"string","default":"all"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserCountInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/users":{"get":{"tags":["Company"],"description":"Get company 
members","operationId":"getCompanyUsers","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"includeGlobalPermissions","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCompanyUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Company"],"summary":"Add a user to a company.","description":"Returns the company user info.","operationId":"addUserToCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyUserParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/companies/{cid}/users/exportCSV":{"get":{"tags":["Company"],"description":"Export company user list to csv file.","operationId":"exportUserToCsv","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/users/importCSV":{"post":{"tags":["Company"],"description":"Import user by uploading CSV file. The CSV file should have header row with Email, Role, Team,","operationId":"importUsersByCsv","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"required":["file"],"type":"object","properties":{"sendEmail":{"type":"boolean","default":true},"file":{"type":"object"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTManageMembersByCSVInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/users/removeCSV":{"post":{"tags":["Company"],"description":"Remove user(s) by uploading CSV file. The CSV file should have an Email header row. 
Only the","operationId":"removeUsersByCsv","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"required":["file"],"type":"object","properties":{"sendEmail":{"type":"boolean","default":true},"file":{"type":"object"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTManageMembersByCSVInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{cid}/users/{uid}":{"get":{"tags":["Company"],"summary":"Get user in a company","description":"Get the user information for a user in company.","operationId":"getCompanyUser","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeGlobalPermissions","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Company"],"summary":"Update the company's information for a user.","description":"Returns updated company user info. 
Global permissions can only be updated by the company admin.","operationId":"updateCompanyUser","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyUserParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Company"],"summary":"Remove a user from a company, company teams, and all the direct shares.","operationId":"removeUserFromCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"removeFromTeams","in":"query","schema":{"type":"boolean","default":true}},{"name":"removeDirectShares","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/companies/{cid}/webhookconfig":{"get":{"tags":["Company"],"description":"Returns the company-level webhook configurations for the specified company.","operationId":"getCompanyWebhookConfiguration","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookConfigurationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Company"],"description":"Sets the company-level webhook configurations for the specified company.","operationId":"setCompanyWebhookConfiguration","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookConfigurationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/companies/{scid}/merge/{tcid}":{"post":{"tags":["Company"],"description":"Merge company request. Merge source company to target and delete the source.","operationId":"merge","parameters":[{"name":"scid","in":"path","required":true,"schema":{"type":"string"}},{"name":"tcid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/compliance/c/{cid}/nonCompliantDocs":{"get":{"tags":["CompanyRegionCompliance"],"description":"Get non-compliant docs for a company","operationId":"getNonCompliantDocs","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/compliance/c/{cid}/regions":{"get":{"tags":["CompanyRegionCompliance"],"description":"Get currently blessed 
regions for company","operationId":"getBlessedRegions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["CompanyRegionCompliance"],"description":"Set blessed regions for company","operationId":"setBlessedRegions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/compliance/regions":{"get":{"tags":["CompanyRegionCompliance"],"description":"Get valid region options","operationId":"getRegions","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/configurations/shorten":{"post":{"tags":["Configurations"],"description":"Shorten a configuration and return result","operationId":"shorten","requestBody":{"content":{"*/*":{"schema":{"pattern":"^.+=.+$","type":"string"}}}},"responses":{"default":{"description":"default response","content":{"*/*":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/confirm_access":{"get":{"tags":["OAuth2.0"],"operationId":"confirm_access","responses":{"default":{"description":"default response","content":{"*/*":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/csp":{"post":{"tags":["ContentSecurityPolicy"],"description":"Browser will invoke this method when reporting a CSP 
violation","operationId":"reportCSPViolation","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/JsonNode"}},"application/csp-report":{"schema":{"$ref":"#/components/schemas/JsonNode"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/d/{did}/modelingtimers":{"get":{"tags":["Debug"],"description":"Get document-specific Modeling timers","operationId":"getModelingTimersForDoc","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"after","in":"query","schema":{"type":"string","default":""}},{"name":"before","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/d/{did}/stopwatchlog":{"post":{"tags":["Debug"],"description":"Add new stop watch records. 
This endpoint is intended primarily for the Onshape UI, NOT for","operationId":"stopwatchlog","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/ClientLogEntry"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/d/{did}/timerflag":{"get":{"tags":["Debug"],"description":"Get document-specific debug flag","operationId":"getTimerFlagForDoc","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDebugStateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Debug"],"description":"Enable performance timers for a specific document","operationId":"enablePerformanceMetricsForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Debug"],"description":"Disable performance timers for a specific document","operationId":"disablePerformanceMetricsForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/log":{"post":{"tags":["Debug"],"operationId":"logWithoutDocumentId","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"type":"object","properties":{"logger":{"type":"string","default":""},"message":{"type":"string","default":""},"level":{"type":"string","default":""},"data":{"type":"string","default":""}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/state":{"get":{"tags":["Debug"],"description":"Get debug state","operationId":"getState","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDebugStateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/timerflag":{"get":{"tags":["Debug"],"description":"Get list of documents with debug timers enabled","operationId":"getDocumentsWithPerformanceMetricsTrackingEnabled","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/trace":{"get":{"tags":["Debug"],"description":"Get currently traced users and docs","operationId":"getTracingState","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTraceStateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/trace/c/{cid}":{"post":{"tags":["Debug"],"description":"Enable perf tracing for company","operationId":"enableTracingForCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTraceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Debug"],"description":"Disable perf tracing for company","operationId":"disableTracingForCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/trace/d/{did}":{"post":{"tags":["Debug"],"description":"Enable perf tracing for document","operationId":"enableTracingForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTraceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Debug"],"description":"Disable perf tracing for document","operationId":"disableTracingForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/trace/samplingrate":{"get":{"tags":["Debug"],"description":"Get the global operation tracing sample rate","operationId":"getSamplingRate","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTraceSamplingRateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"put":{"tags":["Debug"],"operationId":"setSamplingRate","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTraceSamplingRateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{}}}},"deprecated":false}},"/debug/trace/status":{"get":{"tags":["Debug"],"description":"Get trace status of user and company.","operationId":"getTraceStatus","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/trace/status/d/{did}":{"get":{"tags":["Debug"],"description":"Get trace status of user, company, and document.","operationId":"getTraceStatusWithDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/trace/u/{uid}":{"post":{"tags":["Debug"],"description":"Enable perf tracing for user","operationId":"enableTracingForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTraceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Debug"],"description":"Disable perf tracing for 
user","operationId":"disableTracingForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/{did}/fixStartVersionMetadata":{"post":{"tags":["Debug"],"description":"Fix part metadata for document's start version (BEL-54787)","operationId":"fixDocumentStartVersionMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/{did}/testLoadedDocument":{"get":{"tags":["Debug"],"description":"Test a document","operationId":"testLoadedDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/debug/{modelId}/log":{"post":{"tags":["Debug"],"operationId":"log","parameters":[{"name":"modelId","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"type":"object","properties":{"logger":{"type":"string","default":""},"message":{"type":"string","default":""},"level":{"type":"string","default":""},"data":{"type":"string","default":""}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/deploymentinfo/appstore":{"get":{"tags":["DeploymentInfo"],"description":"Get app store info, like URL","operationId":"getAppStoreInfo","responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/developers":{"get":{"tags":["APIDeveloper"],"description":"Returns a paginated list of API developers","operationId":"getDevelopers","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIDeveloperInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIDeveloper"],"description":"Create an API developer","operationId":"createDeveloper","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIDeveloperParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIDeveloperInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/developers/{devid}":{"get":{"tags":["APIDeveloper"],"description":"Returns a particular API developer","operationId":"getDeveloper","parameters":[{"name":"devid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIDeveloperInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIDeveloper"],"description":"Update an existing API developer","operationId":"updateDeveloper","parameters":[{"name":"devid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIDeveloperParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIDeveloperInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIDeveloper"],"description":"Deletes an API developer","operationId":"deleteAPIDeveloper","parameters":[{"name":"devid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents":{"get":{"tags":["Document"],"summary":"Retrieve a document.","operationId":"getDocuments","parameters":[{"name":"q","in":"query","description":"Search for documents that contain the given string in the name. Search is not case-sensitive.","schema":{"type":"string","default":""}},{"name":"filter","in":"query","description":"Filter ID. Options are 0 (my documents), 1 (created), 2 (shared), 3 (trash), 4 (public), 5 (recent), 6 (by owner), 7 (by company), or 9 (by team).","schema":{"type":"integer","format":"int32"}},{"name":"owner","in":"query","description":"Document owner's ID (if the filter is 6 or 7), or Team Id (if the filter is 9) ","schema":{"type":"string","default":""}},{"name":"ownerType","in":"query","description":"Type of owner. Options are 0 (user), 1 (company), 2 (onshape). If the owner is a teamId, leave this unspecified.","schema":{"type":"integer","format":"int32","default":1}},{"name":"sortColumn","in":"query","description":"Column by which to sort search results. Options are name, modifiedAt, createdAt (Default), email, modifiedBy, and promotedAt.","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","description":"Sort order. 
Options are desc (descending, the default), or asc (ascending).","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","description":"Offset. Determines where search results begin. Default value is 0.","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","description":"Maximum number of results to return per page. Default value is 20 (also the maximum). Number of results returned can be less than this value. Use the `next` URL in the response to fetch the next page.","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"label","in":"query","description":"Label","schema":{"type":"string"}},{"name":"project","in":"query","description":"Project","schema":{"type":"string"}},{"name":"parentId","in":"query","description":"Parent Id","schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"summary":"Create and upload a document.","operationId":"createDocument","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/autoVersion":{"post":{"tags":["Document"],"description":"Automatically creates a document version for specified workspace. 
If workspace is not specified,","operationId":"autoCreateVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/createWorkspaceForVersionIfNecessary":{"post":{"tags":["Document"],"description":"Create a workspace for a version or get it if one exists","operationId":"createWorkspaceForVersionIfNecessary","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/defaultversiongraphmode":{"post":{"tags":["Document"],"summary":"Set default version graph mode.","description":"Sets the default mode for the version graph","operationId":"setDefaultVersionGraphMode","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionGraphModeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/externaldata/{fid}":{"get":{"tags":["Document"],"summary":"Download external data file(s) associated with the document.","description":"* See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.\n* If downloading an exported file, poll the `requestState` in the translation response and wait for a result of `DONE` before attempting to download the file. \n* Use the `resultExternalDataIds` from the translation response as the foreign id (`{fid}`) in this API.","operationId":"downloadExternalData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","required":true,"schema":{"type":"string"}},{"name":"If-None-Match","in":"header","schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"binary"}},"application/octet-stream":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/externaldata/{fid}/direct":{"get":{"tags":["Document"],"operationId":"downloadExternalDataDirect","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"307":{"description":"A 
Redirect!"}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/extract":{"get":{"tags":["Document"],"operationId":"extractDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeForeign","in":"query","schema":{"type":"boolean","default":true}},{"name":"deepSearchForForeignData","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeLinkedDocuments","in":"query","schema":{"type":"boolean","default":true}},{"name":"linkedDocumentSubSetId","in":"query","schema":{"type":"string"}},{"name":"includeReleaseManagementData","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeCustomPropertiesData","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeComputedPropertyDocuments","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeItemsData","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeComments","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeThumbnails","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeDrawingTemplates","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeContentCaptures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeImmutableContexts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeStd","in":"query","schema":{"type":"boolean","default":true}},{"name":"extractToS3","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/foreigndata/{fid}":{"get":{"tags":["Document"],"description":"Download foreign data as a file","operationId":"downloadForeignFile","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","required":true,"schema":{"type":"string"}},{"name":"If-None-Match","in":"header","schema":{"type":"string"}},{"name":"asAttachment","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}},"application/octet-stream":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/memorystatistics":{"get":{"tags":["Document"],"description":"Get Memory statistics","operationId":"getMemoryStatistics","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string","default":""}},{"name":"versionId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTElementDiagnosticsInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/publishedfs":{"get":{"tags":["Document"],"summary":"Get the version with published custom features and tables.","description":"For a document, get the version at which it has published custom features and tables.","operationId":"getPublishedFS","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which 
the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Document"],"summary":"Publish or unpublish custom features and tables.","description":"Publish or unpublish custom features and tables defined in some documents at some versions.","operationId":"setPublishedFS","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSetPublishedFSParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/u/{uid}/specexternalreferences":{"get":{"tags":["Document"],"description":"Get custom feature external references","operationId":"getCustomSpecExternalReferences","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/u/{uid}/t/{ts}/s/{std}/extractdownload":{"get":{"tags":["Document"],"description":"Download export file with token","operationId":"extractDownload","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"ts","in":"path","required":true,"schema":{"type":"string"}},{"name":"std","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/v/{vid}/parentcomparison":{"get":{"tags":["Document"],"description":"Get the differences across elements of the specified document between the specified version 
and","operationId":"compareVersionWithParent","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionDiffInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/versions":{"get":{"tags":["Document"],"summary":"Retrieve versions by document ID.","operationId":"getDocumentVersions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"summary":"Create version by document ID.","operationId":"createVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/versions/{vid}":{"get":{"tags":["Document"],"summary":"Retrieve version by document ID and version 
ID.","operationId":"getVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"parents","in":"query","schema":{"type":"boolean","default":false}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"description":"Update version information","operationId":"updateVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/w/{wid}/batchreferencedinternalelements":{"post":{"tags":["Document"],"description":"Get Referenced Internal Elements, i.e., what used for a set of elements","operationId":"getBatchReferencedInternalElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementIds","in":"query","required":true,"schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/w/{wid}/changeunits":{"post":{"tags":["Document"],"description":"Change the workspace's units","operationId":"changeWorkspaceUnits","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTChangeUnitsParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/w/{wid}/e/{eid}/latestdocumentreferences":{"post":{"tags":["Document"],"summary":"Update external references to latest by document ID, workspace ID, and tab ID.","operationId":"updateExternalReferencesToLatestDocuments","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTLinkToLatestDocumentParams"}}}},"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTLinkToLatestDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/w/{wid}/e/{eid}/partedoutexternalelements":{"get":{"tags":["Document"],"description":"Get referenced external elements that have been parted 
out","operationId":"getPartedOutExternalElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartedOutElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/w/{wid}/e/{eid}/querychangetorevisions":{"post":{"tags":["Document"],"description":"Change Revisions Query","operationId":"queryChangeToRevisions","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTQueryRevisionParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionChangeRevisionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/w/{wid}/moveelement":{"post":{"tags":["Document"],"summary":"Move tab by document ID and workspace ID.","operationId":"moveElementsToDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMoveElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMoveElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/w/{wid}/revertunchangedtorevisions":{"post":{"tags":["Document"],"operationId":"revertUnchangedToRevisions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevertUnchangedParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTUnchangedElementInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/w/{wid}/syncAppElements":{"post":{"tags":["Document"],"operationId":"syncApplicationElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSyncAppElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/w/{wid}/syncApplicationElements":{"post":{"tags":["Document"],"description":"Sync application elements to the latest microversions","operationId":"syncApplicationElementsOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"applicationElementIds","in":"query","required":true,"schema":{"type":"array","items":{"type":"string"}}},{"name":"description","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/workspaces":{"get":{"tags":["Document"],"summary":"Retrieve workspaces by document 
ID.","operationId":"getDocumentWorkspaces","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"summary":"Create workspace by document ID.","operationId":"createWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/workspaces/{wid}":{"get":{"tags":["Document"],"description":"Get information for a workspace","operationId":"getWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"parents","in":"query","schema":{"type":"boolean","default":false}},{"name":"readonly","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"description":"Update workspace 
information","operationId":"updateWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Document"],"summary":"Delete workspace by document ID and workspace ID.","operationId":"deleteWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/workspaces/{wid}/createIfNecessary":{"post":{"tags":["Document"],"description":"Get information for a workspace, or create one if necessary","operationId":"getOrCreateWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"parents","in":"query","schema":{"type":"boolean","default":false}},{"name":"readonly","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wm}/{wmid}/documenthistory":{"get":{"tags":["Document"],"summary":"Retrieve document 
history by document ID and workspace or microversion ID.","operationId":"getDocumentHistory","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentHistoryInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/{wm}/{wmid}/history":{"get":{"tags":["Document"],"description":"Get a document's history","operationId":"getHistory","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHistoryInfo"}}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/batchreferencedbyelements":{"post":{"tags":["Document"],"description":"Get Referenced By Elements, i.e., where used (for a list of elements, rather than just one)","operationId":"getBatchReferencedByElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementIds","in":"query","required":true,"schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/e/{eid}/referencedbyelements":{"get":{"tags":["Document"],"description":"Get Referenced By Elements, i.e., where used","operationId":"getReferencedByElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartedOutElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/e/{eid}/referencedinternalelements":{"get":{"tags":["Document"],"description":"Get Referenced Internal Elements","operationId":"getReferencedInternalElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/elements":{"get":{"tags":["Document"],"summary":"Retrieve tabs by document ID and workspace or version or microversion ID.","operationId":"getElementsInDocument","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the 
operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"elementType","in":"query","schema":{"type":"string","default":""}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"withThumbnails","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/{wvm}/{wvmid}/externalreferences":{"get":{"tags":["Document"],"description":"Get External references","operationId":"getExternalDocumentReferences","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/outofdatedelements":{"get":{"tags":["Document"],"description":"Get Out of Dated Elements","operationId":"getOutOfDatedElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"microversionId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/publishchecklist":{"get":{"tags":["Document"],"summary":"Get a checklist of requirements for publishing custom features.","description":"Returns a list of items that must be true or empty for custom features or tables to be publishable at this version. The document must be public and any custom features or tables it defines must be adequately documented.","operationId":"getPublishChecklist","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublishChecklist"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/recursiveexternalreferences":{"get":{"tags":["Document"],"description":"Get External references","operationId":"getRecursiveExternalReferences","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"topLevelOnly","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wvm}/{wvmid}/unitinfo":{"get":{"tags":["Document"],"summary":"Get the selected units and precision by document ID and workspace or version or microversion ID.","operationId":"getUnitInfo","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id 
of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUnitInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/{wv}/{wvid}/currentmicroversion":{"get":{"tags":["Document"],"summary":"Retrieve current microversion by document ID and workspace or version ID.","operationId":"getCurrentMicroversion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMicroversionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/{wv}/{wvid}/e/{eid}/export":{"get":{"tags":["Document"],"description":"Export the given element in STL or Parasolid (PS) formats; returns a 307 redirect.","operationId":"export","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the 
operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"format","in":"query","required":true,"schema":{"type":"string"}},{"name":"storeInDocument","in":"query","schema":{"type":"boolean","default":false}},{"name":"triggerAutoDownload","in":"query","schema":{"type":"boolean","default":true}},{"name":"grouping","in":"query","schema":{"type":"string","default":""}},{"name":"mode","in":"query","schema":{"type":"string"}},{"name":"destinationName","in":"query","schema":{"type":"string","default":""}},{"name":"partIds","in":"query","schema":{"type":"string","default":""}},{"name":"featureIds","in":"query","schema":{"type":"string","default":""}},{"name":"elementIds","in":"query","schema":{"type":"string","default":""}},{"name":"partQuery","in":"query","schema":{"type":"string","default":""}},{"name":"resolution","in":"query","schema":{"type":"string","default":""}},{"name":"units","in":"query","schema":{"type":"string"}},{"name":"version","in":"query","schema":{"type":"string","default":""}},{"name":"includeExportIds","in":"query","schema":{"type":"boolean","default":false}},{"name":"view","in":"query","
schema":{"type":"string","default":""}},{"name":"zipSingleFileOutput","in":"query","schema":{"type":"boolean","default":false}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"minFacetWidth","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"userId","in":"query","schema":{"type":"string"}},{"name":"cloudObjectId","in":"query","schema":{"type":"string","default":""}},{"name":"cloudStorageAccountId","in":"query","schema":{"type":"string","default":""}},{"name":"emailLink","in":"query","schema":{"type":"boolean","default":false}},{"name":"emailTo","in":"query","schema":{"type":"string","default":""}},{"name":"emailSubject","in":"query","schema":{"type":"string","default":""}},{"name":"emailMessage","in":"query","schema":{"type":"string","default":""}},{"name":"sendCopyToMe","in":"query","schema":{"type":"boolean","default":false}},{"name":"fromUserId","in":"query","schema":{"type":"string","default":""}},{"name":"password","in":"query","schema":{"type":"string","default":""}},{"name":"validForDays","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"passwordRequired","in":"query","schema":{"type":"boolean","default":false}},{"name":"documentId","in":"query","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"microversion","in":"query","schema":{"type":"string","default":""}},{"name":"documentVersionId","in":"query","schema":{"type":"string","default":""}},{"name":"workspaceId","in":"query","schema":{"type":"string","default":""}},{"name":"lin
kDocumentId","in":"query","schema":{"type":"string","default":""}},{"name":"linkDocumentWorkspaceId","in":"query","schema":{"type":"string","default":""}},{"name":"isPartingOut","in":"query","schema":{"type":"boolean","default":false}},{"name":"flatten","in":"query","schema":{"type":"boolean","default":false}},{"name":"sheetMetalFlat","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBendCenterlines","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBendLines","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"batchFlatPatterns","in":"query","schema":{"type":"boolean","default":false}},{"name":"batchAllFlatPatterns","in":"query","schema":{"type":"boolean","default":false}},{"name":"splinesAsPolylines","in":"query","schema":{"type":"boolean","default":false}},{"name":"ignoreExportRulesForContents","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"summary":"Export document by document ID, workspace or version ID, and tab ID.","operationId":"export2Json","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBExportModelParams"}}}},"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/{wv}/{wvid}/insertables":{"get":{"tags":["Document"],"summary":"Retrieve insertables by document ID and workspace or version 
ID.","operationId":"getInsertables","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"excludeNewerFSVersions","in":"query","schema":{"type":"boolean","default":false}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeMeshes","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeWires","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"t
ype":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInsertablesListResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/d/{did}/{wv}/{wvid}/microversion":{"get":{"tags":["Document"],"description":"Get microversion from a version or workspace","operationId":"getMicroversion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wv}/{wvid}/multiexport":{"post":{"tags":["Document"],"description":"Translate multiple elements from document","operationId":"multiElementExportTranslation","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wv}/{wvid}/referencedversions":{"get":{"tags":["Document"],"operationId":"getReferencedVersions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReferencedVersionsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/d/{did}/{wv}/{wvid}/translate":{"post":{"tags":["Document"],"description":"Translate document format","operationId":"createDocumentTranslation","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/drawing/{did}":{"get":{"tags":["Document"],"description":"Retrieve drawing service information to send back to web in a different region","operationId":"getDrawingServiceForDocument","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/DrawingService"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Internal"],"BasicAuth":["OAuth2Internal"]}],"x-BTVisibility":"INTERNAL"}},"/documents/emptyTrash":{"post":{"tags":["Document"],"description":"Empty the documents trash","operationId":"emptyDocumentsTrash","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEmptyTrashInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/exportlinkdata/{eid}":{"get":{"tags":["Document"],"description":"Download export file with token","operationId":"downloadFromExportLinkWithToken","parameters":[{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"token","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Document"],"description":"Generate token for export link.","operationId":"generateTokenForExportLink","parameters":[{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportLinkDataParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/filter/history":{"post":{"tags":["Document"],"operationId":"filterDocumentHistory","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFilteredHistoryParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHistoryInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/find":{"post":{"tags":["Document"],"description":"Get search results","operationId":"findCadData","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCadSearchRequestParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchResponseInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/getImportFormatData":{"get":{"tags":["Document"],"description":"Return a map of supported import formats and if so, can they be assemblies","operationId":"getImportFormatData","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/immutability/markoldversions":{"post":{"tags":["Document"],"summary":"Marks all old part studio versions as immutable for multiple documents.","description":"Marks all old part studio versions as immutable for multiple documents.","operationId":"markOldVersionsImmutable","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMarkVersionsImmutableParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMarkVersionsImmutableInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/insertables":{"get":{"tags":["Document"],"description":"Returns 
documents for insertables","operationId":"getDocumentsForInsertables","parameters":[{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"filter","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"owner","in":"query","schema":{"type":"string","default":""}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"label","in":"query","schema":{"type":"string"}},{"name":"referencedByParameterId","in":"query","schema":{"type":"string"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"que
ry","schema":{"type":"integer","format":"int32","default":0}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/likes/{did}":{"get":{"tags":["DocumentLike"],"description":"Get all likes on a given document","operationId":"getLikes","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTDocumentLikeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["DocumentLike"],"description":"Like selected document","operationId":"like","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["DocumentLike"],"description":"Delete previous like from a given document","operationId":"deleteLike","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/migrate":{"post":{"tags":["Document"],"description":"Migrate document data to a different cluster","operationId":"migrateDocumentData","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentMigrateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/mod/{did}":{"get":{"tags":["Document"],"description":"Retrieve modeling service information to send back to web in a different region to reply to client open WebSocket","operationId":"getModelingServiceForDocument","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"purpose","in":"query","description":"Document Open Purpose. 
A BTDocumentOpenPurpose enum value.","required":true,"schema":{"maxLength":128,"minLength":1,"type":"string"},"example":"MODELING"}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelingServiceInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Internal"],"BasicAuth":["OAuth2Internal"]}],"x-BTVisibility":"INTERNAL"}},"/documents/search":{"post":{"tags":["Document"],"summary":"Search document.","description":"This returns list of documents based on search parameters.","operationId":"search","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentSearchParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/search/cloudstorage/{csid}":{"get":{"tags":["Document"],"description":"Get cloud storage search results","operationId":"searchCloudStorage","parameters":[{"name":"csid","in":"path","required":true,"schema":{"type":"string"}},{"name":"search","in":"query","schema":{"type":"string"}},{"name":"csoid","in":"query","schema":{"type":"string"}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":""}},{"name":"pageToken","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":50}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageObjectListInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/suggestvalues":{"get":{"tags":["Document"],"description":"Experimental api to retrieve a set of distinct values the current user can use when searching on","operationId":"getDistinctFieldValues","parameters":[{"name":"field","in":"query","schema":{"type":"string"}},{"name":"filter","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"filter-value","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTSuggestedIdentityInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/tags":{"get":{"tags":["Document"],"description":"Get paginated list of tags","operationId":"getDocumentTags","parameters":[{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":10}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTTagInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/testmigrate":{"post":{"tags":["Document"],"description":"Migrate document data to a different cluster","operationId":"testmigrateDocumentData","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentMigrateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/trashed/{uid}":{"get":{"tags":["Document"],"description":"End point to get the deleted and trashed documents for a given 
user","operationId":"getUserTrashedDeletedDocuments","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/upload":{"post":{"tags":["Document"],"description":"Upload a file containing a foreign data element or Onshape script","operationId":"uploadFileToDocument","requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"allowFaultyParts":{"type":"boolean","description":"If true, and a part doesn't pass Onshape validation, it will be imported with faults."},"createComposite":{"type":"boolean"},"createDrawingIfPossible":{"type":"boolean"},"encodedFilename":{"type":"string","description":"If the filename contains non-ASCII characters. Use this field to store the filename."},"extractAssemblyHierarchy":{"type":"boolean"},"flattenAssemblies":{"type":"boolean","description":"If the file is an assembly, or contains an assembly, setting this to True will import it as a Part Studio. In this case the assembly will be flattened to a set of parts in a Part Studio. There will be duplicate parts created whenever a part is instanced more than once. 
If False, it will be imported as an Assembly."},"formatName":{"type":"string"},"joinAdjacentSurfaces":{"type":"boolean"},"locationElementId":{"type":"string"},"locationGroupId":{"type":"string"},"locationPosition":{"type":"integer","format":"int32","default":-1},"notifyUser":{"type":"boolean","default":true},"ownerId":{"type":"string"},"parentId":{"type":"string"},"projectId":{"type":"string"},"public":{"type":"boolean"},"onePartPerDoc":{"type":"boolean","default":false},"splitAssembliesIntoMultipleDocuments":{"type":"boolean","default":false},"storeInDocument":{"type":"boolean","default":true},"translate":{"type":"boolean","default":true},"unit":{"type":"string","default":""},"uploadId":{"type":"string"},"versionString":{"type":"string"},"importAppearances":{"type":"boolean","description":"Face appearances defined on models will be imported.","default":true},"yAxisIsUp":{"type":"boolean","description":"If the file was created in a system that orients with Y Axis Up, the models would by default be brought into Onshape (a Z Axis Up system) with a flipped coordinate system. 
Toggle this value to reorient the axis system to match Onshape and display the model with the coordinates you expect."},"importWithinDocument":{"type":"boolean"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentProcessingInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/documents/upload/cloudstorage":{"post":{"tags":["Document"],"description":"Upload a file containing a foreign data element or Onshape script","operationId":"uploadFileFromCloudStorage","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTImportCloudObjectParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentProcessingInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}":{"get":{"tags":["Document"],"summary":"Retrieve document by document ID.","operationId":"getDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"summary":"Update document attributes by document ID.","operationId":"updateDocumentAttributes","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Document"],"summary":"Delete document by document ID.","operationId":"deleteDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"forever","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/acl":{"get":{"tags":["Document"],"summary":"Retrieve access control list by document ID.","operationId":"getDocumentAcl","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/acl/anonymousAccess":{"post":{"tags":["Document"],"description":"Allow or deny anonymous access to a given document","operationId":"updateAnonymousAccess","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/acl/public":{"post":{"tags":["Document"],"description":"Make a document public or 
private","operationId":"updatePublicAccess","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/anonymousAccess":{"get":{"tags":["Document"],"description":"Retrieve a share link info object based on the document id","operationId":"getNewShareLink","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentShareLinkInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Document"],"description":"Allow or deny anonymous access to a given document and create a new link with random id","operationId":"updateAnonymousAccessLink","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentShareLinkInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Document"],"description":"Delete document share link from database based on the document id","operationId":"deleteDocumentShareLink","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/canusereditforceexportrules":{"get":{"tags":["Document"],"description":"Determine if the current user can toggle the Force Export Rule flag on a publication","operationId":"canUserEditForceExportRules","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/canusereditnotrevisionmanaged":{"get":{"tags":["Document"],"description":"Determine if the current user can toggle the Not Revision Managed flag on a document","operationId":"canUserEditNotRevisionManaged","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/checkReaderAccess":{"post":{"tags":["Document"],"description":"Check the reader access for users.","operationId":"checkAccess","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentCheckAccessParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentCheckAccessInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/collaborators":{"get":{"tags":["Document"],"description":"Get all collaborators for the given document. 
Only the users with WRITE permission can check who","operationId":"getCollaborators","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTDocumentCollaboratorInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/{did}/demote":{"post":{"tags":["Document"],"description":"Demote a document","operationId":"demote","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/elements":{"get":{"tags":["Document"],"description":"Get elements in a document","operationId":"getElements_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/export":{"get":{"tags":["Document"],"description":"Export the 
document","operationId":"exportWholeDocumentOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"format","in":"query","required":true,"schema":{"type":"string"}},{"name":"storeInDocument","in":"query","schema":{"type":"boolean","default":false}},{"name":"triggerAutoDownload","in":"query","schema":{"type":"boolean","default":true}},{"name":"grouping","in":"query","schema":{"type":"string","default":""}},{"name":"mode","in":"query","schema":{"type":"string"}},{"name":"destinationName","in":"query","schema":{"type":"string","default":""}},{"name":"partIds","in":"query","schema":{"type":"string","default":""}},{"name":"featureIds","in":"query","schema":{"type":"string","default":""}},{"name":"elementIds","in":"query","schema":{"type":"string","default":""}},{"name":"partQuery","in":"query","schema":{"type":"string","default":""}},{"name":"resolution","in":"query","schema":{"type":"string","default":""}},{"name":"units","in":"query","schema":{"type":"string"}},{"name":"version","in":"query","schema":{"type":"string","default":""}},{"name":"includeExportIds","in":"query","schema":{"type":"boolean","default":false}},{"name":"view","in":"query","schema":{"type":"string","default":""}},{"name":"zipSingleFileOutput","in":"query","schema":{"type":"boolean","default":false}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"minFacetWidth","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"userId","in":"query","schema":{"type":"string"}},{"name":"cloudObjectId","in":"query","schema":{"type":"string","default":""}},{"name":"cloudStorageAccountId","in":"query","schema":{"type":"string","de
fault":""}},{"name":"emailLink","in":"query","schema":{"type":"boolean","default":false}},{"name":"emailTo","in":"query","schema":{"type":"string","default":""}},{"name":"emailSubject","in":"query","schema":{"type":"string","default":""}},{"name":"emailMessage","in":"query","schema":{"type":"string","default":""}},{"name":"sendCopyToMe","in":"query","schema":{"type":"boolean","default":false}},{"name":"fromUserId","in":"query","schema":{"type":"string","default":""}},{"name":"password","in":"query","schema":{"type":"string","default":""}},{"name":"validForDays","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"passwordRequired","in":"query","schema":{"type":"boolean","default":false}},{"name":"documentId","in":"query","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"microversion","in":"query","schema":{"type":"string","default":""}},{"name":"documentVersionId","in":"query","schema":{"type":"string","default":""}},{"name":"workspaceId","in":"query","schema":{"type":"string","default":""}},{"name":"linkDocumentId","in":"query","schema":{"type":"string","default":""}},{"name":"linkDocumentWorkspaceId","in":"query","schema":{"type":"string","default":""}},{"name":"isPartingOut","in":"query","schema":{"type":"boolean","default":false}},{"name":"flatten","in":"query","schema":{"type":"boolean","default":false}},{"name":"sheetMetalFlat","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBendCenterlines","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBendLines","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"batchFlatPatterns","in":"query","schema":{"type":"boolean","default":false}},{"name":"batchAllFlatPatterns","in":"query","schema":{"typ
e":"boolean","default":false}},{"name":"splinesAsPolylines","in":"query","schema":{"type":"boolean","default":false}},{"name":"ignoreExportRulesForContents","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/documents/{did}/export/{eid}":{"get":{"tags":["Document"],"description":"Export the document (current workspace only)","operationId":"exportOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string"}},{"name":"format","in":"query","required":true,"schema":{"type":"string"}},{"name":"storeInDocument","in":"query","schema":{"type":"boolean","default":false}},{"name":"triggerAutoDownload","in":"query","schema":{"type":"boolean","default":true}},{"name":"grouping","in":"query","schema":{"type":"string","default":""}},{"name":"mode","in":"query","schema":{"type":"string"}},{"name":"destinationName","in":"query","schema":{"type":"string","default":""}},{"name":"partIds","in":"query","schema":{"type":"string","default":""}},{"name":"featureIds","in":"query","schema":{"type":"string","default":""}},{"name":"elementIds","in":"query","schema":{"type":"string","default":""}},{"name":"partQuery","in":"query","schema":{"type":"string","default":""}},{"name":"resolution","in":"query","schema":{"type":"string","default":""}},{"name":"units","in":"query","schema":{"type":"string"}},{"name":"version","in":"query","schema":{"type":"string","default":""}},{"name":"includeExportIds","in":"query","schema":{"type":"boolean","default":false}},{"name":"view","in":"query","schema":{"type":"string","default":""}},{"name":"zipSingleFileOutput","in":"query","schema":{"typ
e":"boolean","default":false}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"minFacetWidth","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double","default":-1}},{"name":"scale","in":"query","schema":{"type":"number","format":"double"}},{"name":"userId","in":"query","schema":{"type":"string"}},{"name":"cloudObjectId","in":"query","schema":{"type":"string","default":""}},{"name":"cloudStorageAccountId","in":"query","schema":{"type":"string","default":""}},{"name":"emailLink","in":"query","schema":{"type":"boolean","default":false}},{"name":"emailTo","in":"query","schema":{"type":"string","default":""}},{"name":"emailSubject","in":"query","schema":{"type":"string","default":""}},{"name":"emailMessage","in":"query","schema":{"type":"string","default":""}},{"name":"sendCopyToMe","in":"query","schema":{"type":"boolean","default":false}},{"name":"fromUserId","in":"query","schema":{"type":"string","default":""}},{"name":"password","in":"query","schema":{"type":"string","default":""}},{"name":"validForDays","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"passwordRequired","in":"query","schema":{"type":"boolean","default":false}},{"name":"documentId","in":"query","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"microversion","in":"query","schema":{"type":"string","default":""}},{"name":"documentVersionId","in":"query","schema":{"type":"string","default":""}},{"name":"workspaceId","in":"query","schema":{"type":"string","default":""}},{"name":"linkDocumentId","in":"query","schema":{"type":"string","default":""}},{"name":"linkDocumentWorkspace
Id","in":"query","schema":{"type":"string","default":""}},{"name":"isPartingOut","in":"query","schema":{"type":"boolean","default":false}},{"name":"flatten","in":"query","schema":{"type":"boolean","default":false}},{"name":"sheetMetalFlat","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBendCenterlines","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBendLines","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"batchFlatPatterns","in":"query","schema":{"type":"boolean","default":false}},{"name":"batchAllFlatPatterns","in":"query","schema":{"type":"boolean","default":false}},{"name":"splinesAsPolylines","in":"query","schema":{"type":"boolean","default":false}},{"name":"ignoreExportRulesForContents","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/isloaded":{"get":{"tags":["Document"],"description":"Determine if the document is loaded currently","operationId":"getIsLoaded","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/m/{mvid}/containing":{"get":{"tags":["Document"],"description":"Returns a workspace or version that contains a given 
microversion","operationId":"getVersionOrWorkspaceContainingMicroversion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"mvid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/modelingServiceRequest":{"get":{"tags":["Document"],"description":"Get URL to modeling server to open WebSocket","operationId":"createDocumentModelingServiceRequest","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/newChanges":{"get":{"tags":["Document"],"description":"Returns the workspace or version ids which are recently modified by another user","operationId":"getNewChangesInfo","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"previousOpenTimeInMilliSeconds","in":"query","schema":{"type":"integer","format":"int64","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNewChangesInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/parent":{"post":{"tags":["Document"],"description":"update what parent the document belongs to (if any)","operationId":"updateDocumentParent","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/documents/{did}/permissionset":{"get":{"tags":["Document"],"summary":"Retrieve Document permissions by document ID.","operationId":"getDocumentPermissionSet","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/project":{"post":{"tags":["Document"],"description":"update what parent and project the document belongs to (if any)","operationId":"updateDocumentProject","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/documents/{did}/promote":{"post":{"tags":["Document"],"description":"Promote a document","operationId":"promote","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/recentlyopened":{"delete":{"tags":["Document"],"description":"Delete document from Recently Opened 
Documents","operationId":"removeFromRecentlyOpenedDocuments","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/restore":{"post":{"tags":["Document"],"operationId":"restoreDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentMergeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/revoke":{"delete":{"tags":["Document"],"description":"Revoke a user's access to a document","operationId":"revokeAccess","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/share":{"post":{"tags":["Document"],"summary":"Share document by document ID.","operationId":"shareDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShareParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Share"],"BasicAuth":["OAuth2Read","OAuth2Share"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/share/{eid}":{"delete":{"tags":["Document"],"summary":"Unshare document by document ID and tab 
ID.","operationId":"unShareDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"entryType","in":"query","schema":{"maximum":4,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Share"],"BasicAuth":["OAuth2Read","OAuth2Share"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/shareWithSupport":{"post":{"tags":["Document"],"summary":"Share document by document ID with Onshape support.","operationId":"shareWithSupport","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Document"],"summary":"Unshare document with support.","operationId":"unshareFromSupport","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/shareWithSupport/dev":{"post":{"tags":["Document"],"description":"Share document with Onshape developers for debugging.","operationId":"shareWithSupportDevlopers","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShareWithSupportDevelopersParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTUserSummaryInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/shareWithSupport/dev/{uid}":{"delete":{"tags":["Document"],"description":"Unshare document from support developer","operationId":"unshareFromSupportDeveloper","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/tag":{"post":{"tags":["Document"],"description":"Add a tag to a document","operationId":"addTag","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTagParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/tag/{tag}":{"delete":{"tags":["Document"],"description":"Remove tag from a document","operationId":"removeTag","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"tag","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/translationDebuggingApproval":{"post":{"tags":["Document"],"description":"Approve sharing of failed translation with Onshape 
support.","operationId":"approveTranslationDebugging","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApproveTranslationDebugParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/upgradeLater":{"post":{"tags":["Document"],"description":"Schedule upgrade for the document later.","operationId":"upgradeDocumentLater","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpgradeOnDemandParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"date-time"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/upgradeNow":{"post":{"tags":["Document"],"description":"Schedule upgrade for the document now.","operationId":"upgradeDocumentNow","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpgradeOnDemandParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"date-time"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/versions":{"get":{"tags":["Document"],"description":"Get all document 
versions","operationId":"getVersionsOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"description":"Create a version","operationId":"createVersionOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/versions/{vid}":{"get":{"tags":["Document"],"description":"Get a specific version","operationId":"getVersionOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"parents","in":"query","schema":{"type":"boolean","default":false}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"description":"Update a document version","operationId":"updateVersionOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/w/{wid}/getImportFormatData":{"get":{"tags":["Document"],"description":"Return a map of supported import formats and if so, can they be assemblies","operationId":"getImportFormatDataForWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"boolean"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/w/{wid}/mergePreview":{"get":{"tags":["Document"],"summary":"Merge preview of changes that will occur based on document ID, workspace ID and source workspace/version ID","operationId":"mergePreview","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be 
accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"sourceType","in":"query","required":true,"schema":{"pattern":"w|v","type":"string"}},{"name":"sourceId","in":"query","required":true,"schema":{"pattern":"[a-zA-Z0-9]{24}","type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMergePreviewInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/w/{wid}/restore/{vm}/{vmid}":{"post":{"tags":["Document"],"summary":"Restore version or microversion to workspace by document ID, workspace ID, and version or microversion ID.","operationId":"restoreFromHistory","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"vm","in":"path","required":true,"schema":{"type":"string"}},{"name":"vmid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRestoreFromHistoryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/w/{wid}/upgradeLater":{"post":{"tags":["Document"],"description":"Schedule upgrade for the workspace later.","operationId":"upgradeLater","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpgradeOnDemandParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"date-time"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/w/{wid}/upgradeNow":{"post":{"tags":["Document"],"description":"Schedule upgrade for the workspace now.","operationId":"upgradeNow","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpgradeOnDemandParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"date-time"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/workspaces":{"get":{"tags":["Document"],"description":"Gets all workspaces for a document","operationId":"getWorkspacesOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"description":"Create a new workspace","operationId":"createWorkspaceOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/workspaces/{wid}":{"get":{"tags":["Document"],"description":"Gets a workspace","operationId":"getWorkspaceOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"parents","in":"query","schema":{"type":"boolean","default":false}},{"name":"readonly","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Document"],"description":"Update a workspace","operationId":"updateWorkspaceOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspaceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Document"],"description":"Deletes a workspace","operationId":"deleteWorkspaceOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/workspaces/{wid}/copy":{"post":{"tags":["Document"],"summary":"Copy workspace by document ID and workspace ID.","operationId":"copyWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCopyDocumentParams"}}},"required":true},"responses":{"200":{"description":"Success!","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCopyDocumentInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/workspaces/{wid}/default":{"post":{"tags":["Document"],"description":"Sets the default document workspace","operationId":"setDefaultWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/workspaces/{wid}/history":{"get":{"tags":["Document"],"description":"Get a document's history","operationId":"getHistoryOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"mvId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTHistoryInfo"}}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/documents/{did}/workspaces/{wid}/merge":{"post":{"tags":["Document"],"summary":"Merge into workspace by document ID and workspace ID.","operationId":"mergeIntoWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceMergeInfo"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentMergeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/workspaces/{wid}/restore/{mvid}":{"post":{"tags":["Document"],"description":"Restores document to an old microversion in its history.","operationId":"restoreRenditionOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"mvid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRestoreFromHistoryInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/documents/{did}/workspaces/{wid}/translate":{"post":{"tags":["Document"],"description":"Translate document format","operationId":"translateFormatDEPRECATED","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateInfo"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/drawings/create":{"post":{"tags":["Drawing"],"summary":"Create a new drawing in a document.","operationId":"createDrawingAppElementOld","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDrawingParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/drawings/d/{did}/w/{wid}/create":{"post":{"tags":["Drawing"],"summary":"Create a new drawing in a document.","description":"This endpoint takes a JSON Schema as input. See the schema docs below for details, and see [API Guide: Drawings](https://onshape-public.github.io/docs/api-adv/drawings/) for more information.","operationId":"createDrawingAppElement","parameters":[{"name":"did","in":"path","description":"ID of the document in which to create the drawing.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"ID of the workspace in which to create the drawing.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDrawingParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/drawings/d/{did}/w/{wid}/e/{eid}/modify":{"post":{"tags":["Drawing"],"summary":"Modify a drawing via JSON payload.","operationId":"modifyDrawing","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDrawingModificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppModificationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/drawings/d/{did}/w/{wid}/e/{eid}/translationformats":{"get":{"tags":["Drawing"],"summary":"Get a list of all valid formats the drawing can be translated (exported) to.","operationId":"getDrawingTranslatorFormats","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/drawings/d/{did}/{wvm}/{wvmid}/e/{eid}/references/{rid}/bom":{"get":{"tags":["Drawing"],"description":"Returns the Bom table for the specified reference if the reference is of an assembly","operationId":"getBillOfMaterialsForReference","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the 
operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"templateId","in":"query","schema":{"type":"string"}},{"name":"indented","in":"query","schema":{"type":"boolean","default":true}},{"name":"multiLevel","in":"query","schema":{"type":"boolean","default":false}},{"name":"onlyVisibleColumns","in":"query","schema":{"type":"boolean"}},{"name":"includeTopLevelAssemblyRow","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBillOfMaterialsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/drawings/d/{did}/{wvm}/{wvmid}/e/{eid}/watermark":{"get":{"tags":["Drawing"],"description":"Get drawing 
watermark","operationId":"getDrawingWatermark","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/drawings/d/{did}/{wv}/{wvid}/e/{eid}/translations":{"post":{"tags":["Drawing"],"summary":"Translate (export) a drawing to a different format.","description":"Export a drawing to a different format within a document. 
Use `getDrawingTranslatorFormats` for a list of supported translation (i.e., import/export) formats.","operationId":"createDrawingTranslation","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/drawings/modify/status/{mrid}":{"get":{"tags":["Drawing"],"summary":"Get the status of a drawing modification operation.","operationId":"getModificationStatus","parameters":[{"name":"mrid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppModificationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/drawings/templates":{"get":{"tags":["DrawingTemplate"],"description":"Gets a list of drawing 
templates","operationId":"getDrawingTemplates","parameters":[{"name":"keyword","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"filter","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"owner","in":"query","schema":{"type":"string","default":""}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTDrawingTemplateInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/drawings/templates/documents/company":{"get":{"tags":["DrawingTemplate"],"description":"Gets a list of drawing template documents","operationId":"getDrawingTemplateDocuments","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":200}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTDocumentInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/drift/visible":{"get":{"tags":["Drift"],"description":"Is Drift visible for the user.","operationId":"getDriftVisible","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/company/reindex":{"post":{"tags":["Elasticsearch"],"description":"Reindex the element and part metadata in a all documents belonging to a given 
company","operationId":"reindexCompany","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/company/reindex-projects":{"post":{"tags":["Elasticsearch"],"operationId":"reindexProjectsByEnterprise","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/document/reindex":{"post":{"tags":["Elasticsearch"],"description":"Reindex the element and part metadata in a document","operationId":"reindexDocument","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/projects/reindex":{"post":{"tags":["Elasticsearch"],"operationId":"reindexProjects","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/reindex":{"post":{"tags":["Elasticsearch"],"description":"Reindex all documents, elements, 
parts","operationId":"reindexEverything","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/reindex/run/{rid}":{"get":{"tags":["Elasticsearch"],"description":"Returns specific information about a single elasticsearch index run","operationId":"getSearchIndexRun","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexRunDataInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Elasticsearch"],"description":"Cancel an elasticsearch index run","operationId":"cancelIndexRun","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/reindex/runs":{"get":{"tags":["Elasticsearch"],"description":"Returns a list of runs with info about each run","operationId":"getSearchIndexRuns","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTSearchIndexRunSummaryInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elasticsearch/admin/user/reindex":{"post":{"tags":["Elasticsearch"],"description":"Reindex all user-owned documents, elements, parts","operationId":"reindexUserDocuments","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchIndexParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elementLibrary":{"get":{"tags":["ElementLibrary"],"summary":"Get a list of element library summaries.","description":"Get summary information for system, user, or company-defined element libraries available to the user, including id, owner, and purpose.","operationId":"getElementLibraries","parameters":[{"name":"offset","in":"query","description":"The starting offset index of a page.","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","description":"The size of the page.","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"ownerId","in":"query","description":"If specified, excludes company-owned libraries other than that owner","schema":{"pattern":"[0-9a-fA-F]{24}","type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTElementLibrarySummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/elementLibrary/populate":{"post":{"tags":["ElementLibrary"],"summary":"Get a list of element library summaries.","description":"Get summary information for system, user, or company-defined element libraries available to the user, including id, owner, and purpose.","operationId":"populateLibrary","parameters":[{"name":"sourceFolderId","in":"query","description":"The id of the source folder for the element library.","required":true,"schema":{"type":"string"}},{"name":"ownerType","in":"query","description":"The type of owner of the element library, user, company, or 
Onshape.","schema":{"$ref":"#/components/schemas/BTOwnerType"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTElementLibrarySummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/elementLibrary/{lid}":{"get":{"tags":["ElementLibrary"],"description":"Get data for an element library at its latest version","operationId":"getElementLibrary","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTElementLibraryTreeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["ElementLibrary"],"description":"Delete an element library","operationId":"deleteElementLibrary","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/elements/application/content/history/{did}/{eid}/workspace/{wid}":{"get":{"tags":["ElementApplication"],"description":"Get change history for a workspace","operationId":"getHistoryByWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/content/ids/{did}/{eid}/workspace/{wid}":{"get":{"tags":["ElementApplication"],"description":"Gets a list of all sub-element IDs of a workspace","operationId":"getIdsByWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/content/{did}/{eid}/workspace/{wid}":{"get":{"tags":["ElementApplication"],"description":"Get content of sub-elements in a workspace","operationId":"getContentByWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"changeId","in":"query","schema":{"type":"string"}},{"name":"baseChangeId","in":"query","schema":{"type":"string"}},{"name":"subelementId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["ElementApplication"],"description":"Update an app 
element","operationId":"update","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementUpdateParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementModifyInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["ElementApplication"],"description":"Deletes sub-element of an application element","operationId":"deleteContent","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"subelementId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/references/{did}/{eid}/workspace/{wid}":{"post":{"tags":["ElementApplication"],"description":"Create an app element reference","operationId":"createReference_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/references/{did}/{eid}/workspace/{wid}/{rid}":{"get":{"tags":["ElementApplication"],"description":"Resolve an app element reference","operationId":"resolveReference_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["ElementApplication"],"description":"Update an app element reference","operationId":"updateReference_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementReferenceParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["ElementApplication"],"description":"Delete an app element reference","operationId":"deleteReference_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transactionId","in":"query","schema":{"type":"string"}},{"name":"parentChangeId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/transaction/commit/{did}/{eid}/workspace/{wid}":{"post":{"tags":["ElementApplication"],"description":"Commits a transaction (merges a microbranch)","operationId":"commitTransaction_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementCommitTransactionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/transaction/{did}/{eid}/workspace/{wid}":{"post":{"tags":["ElementApplication"],"description":"Start a transaction (creates a 
microbranch)","operationId":"startTransaction_1","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementStartTransactionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/application/{did}/workspace/{wid}":{"post":{"tags":["ElementApplication"],"description":"Create an app element","operationId":"create","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAppElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/applicationTargetInfo":{"get":{"tags":["Element"],"description":"Get information required for loading an application","operationId":"getApplicationTargetInfo","parameters":[{"name":"browserMediaType","in":"query","schema":{"type":"string"}},{"name":"filename","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApplicationTargetInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/elements/copyelement/{did}/workspace/{wid}":{"post":{"tags":["Element"],"summary":"Copy tab by document ID and workspace ID.","operationId":"copyElementFromSourceDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCopyElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/d/{did}/e/{eid}/configurationencodings":{"post":{"tags":["Element"],"summary":"Encode configuration by documentation ID and tab ID.","operationId":"encodeConfigurationMap","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEncodedConfigurationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/d/{did}/e/{eid}/shadedviews":{"get":{"tags":["ElementShadedViews"],"description":"Get a shaded image 
rendering of an element at","operationId":"getElementImagesAtMicroversions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementMicroversionId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"viewMatrix","in":"query","schema":{"type":"string","default":"front"}},{"name":"outputHeight","in":"query","schema":{"minimum":1,"type":"integer","format":"int32","default":500}},{"name":"outputWidth","in":"query","schema":{"minimum":1,"type":"integer","format":"int32","default":500}},{"name":"pixelSize","in":"query","schema":{"type":"number","format":"double","default":0.003}},{"name":"edges","in":"query","schema":{"type":"string","default":"show"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShadedViewsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/elements/d/{did}/w/{wid}/e/{eid}":{"delete":{"tags":["Element"],"operationId":"deleteElement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/d/{did}/w/{wid}/e/{eid}/isolate":{"delete":{"tags":["Element"],"summary":"Isolate an element.","description":"Delete all other elements in the document that this one doesn't depend on. This is useful for speeding up a document when only one element is needed for debugging purposes. 
This endpoint shouldn't be used on customer documents since it will effect the database.","operationId":"isolateElement","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/elements/d/{did}/w/{wid}/e/{eid}/updatereferences":{"post":{"tags":["Element"],"summary":"Update or replace node references by document ID, workspace ID, and tab ID.","operationId":"updateReferences","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateReferenceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/d/{did}/{wvm}/{wvmid}/e/{eid}/configuration":{"get":{"tags":["Element"],"summary":"Retrieve configuration by document ID, workspace or version or microversion ID, and tab ID.","operationId":"getConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationResponse-2019"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Element"],"summary":"Update configuration by document ID, workspace or microversion ID, and tab ID.","operationId":"updateConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationUpdateCall-2933"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationResponse-2019"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/d/{did}/{wvm}/{wvmid}/e/{eid}/configurationencodings/{cid}":{"get":{"tags":["Element"],"summary":"Decode configuration string by documentation ID, workspace or version or microversion ID, and tab ID.","operationId":"decodeConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"includeDisplay","in":"query","schema":{"type":"boolean","default":false}},{"name":"configurationIsId","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/d/{did}/{wvm}/{wvmid}/e/{eid}/externalreferences":{"get":{"tags":["Element"],"description":"Get External references","operationId":"getExternalReferences","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/RecursiveExternalReferenceInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/elements/d/{did}/{wvm}/{wvmid}/e/{eid}/references":{"get":{"tags":["Element"],"description":"Get all of an element's references","operationId":"getReferences","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTElementReferencesInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elements/download/{did}/{eid}":{"get":{"tags":["Element"],"description":"Download foreign data element as a file","operationId":"downloadFile_1","parameters":[{"name":"contentDisposition","in":"query","schema":{"type":"string"}},{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"workspaceId","in":"query","required":true,"schema":{"type":"string"}},{"name":"versionId","in":"query","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"If-None-Match","in":"header","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}},"application/octet-stream":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elements/info/{did}/{eid}":{"get":{"tags":["Element"],"description":"Get foreign data element information","operationId":"getElementInfo","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"workspaceId","in":"query","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTForeignItemInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/elements/translatorFormats":{"get":{"tags":["Element"],"description":"Get translator formats","operationId":"getTranslatorFormats_1","parameters":[{"name":"objectType","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"onlyImportable","in":"query","schema":{"type":"boolean","default":true}},{"name":"onlyExportable","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"}},"/elements/translatorFormats/{did}/{wid}/{eid}":{"get":{"tags":["Element"],"description":"Get translator formats for an element","operationId":"getElementTranslatorFormats","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"checkContent","in":"query","schema":{"type":"boolean","default":true}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"}},"/elements/translatorFormats/{did}/{wv}/{wvid}/{eid}":{"get":{"tags":["Element"],"operationId":"getElementTranslatorFormatsByVersionOrWorkspace","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"checkContent","in":"query","schema":{"type":"boolean","default":true}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/elements/upload/{did}":{"post":{"tags":["Element"],"description":"Update a foreign data file as a new 
element","operationId":"uploadFile","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"allowFaultyParts":{"type":"boolean","description":"If true, and a part doesn't pass Onshape validation, it will be imported with faults."},"createComposite":{"type":"boolean"},"createDrawingIfPossible":{"type":"boolean"},"encodedFilename":{"type":"string","description":"If the filename contains non-ASCII characters. Use this field to store the filename."},"extractAssemblyHierarchy":{"type":"boolean"},"flattenAssemblies":{"type":"boolean","description":"If the file is an assembly, or contains an assembly, setting this to True will import it as a Part Studio. In this case the assembly will be flattened to a set of parts in a Part Studio. There will be duplicate parts created whenever a part is instanced more than once. 
If False, it will be imported as an Assembly."},"formatName":{"type":"string"},"joinAdjacentSurfaces":{"type":"boolean"},"locationElementId":{"type":"string"},"locationGroupId":{"type":"string"},"locationPosition":{"type":"integer","format":"int32","default":-1},"notifyUser":{"type":"boolean","default":true},"ownerId":{"type":"string"},"parentId":{"type":"string"},"projectId":{"type":"string"},"public":{"type":"boolean"},"onePartPerDoc":{"type":"boolean","default":false},"splitAssembliesIntoMultipleDocuments":{"type":"boolean","default":false},"storeInDocument":{"type":"boolean","default":true},"translate":{"type":"boolean","default":true},"unit":{"type":"string","default":""},"uploadId":{"type":"string"},"versionString":{"type":"string"},"importAppearances":{"type":"boolean","description":"Face appearances defined on models will be imported.","default":true},"yAxisIsUp":{"type":"boolean","description":"If the file was created in a system that orients with Y Axis Up, the models would by default be brought into Onshape (a Z Axis Up system) with a flipped coordinate system. 
Toggle this value to reorient the axis system to match Onshape and display the model with the coordinates you expect."},"importWithinDocument":{"type":"boolean"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementProcessingInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/{did}/version/{vid}":{"get":{"tags":["Element"],"description":"Get all elements from a given document version","operationId":"getElementByVersionDeprecated","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"withThumbnails","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTElementMetadataInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/{did}/workspace/{wid}":{"get":{"tags":["Element"],"description":"Get all elements from a given document workspace","operationId":"getElementByWorkspaceDeprecated","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"withThumbnails","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTElementMetadataInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/elements/{did}/workspace/{wid}/all":{"get":{"tags":["Element"],"description":"Get all elements that have ever existed in a given document Id.","operationId":"getAllEverExistElements","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/events":{"post":{"tags":["Event"],"summary":"Fire an asynchronous event.","operationId":"fireEvent","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEventParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/exportrules":{"post":{"tags":["ExportRule"],"description":"Create a new export rule for user","operationId":"createExportRule","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/exportrules/companies/{cid}":{"get":{"tags":["ExportRule"],"description":"get company-wide export rules","operationId":"getForCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTExportRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/exportrules/d/{did}/{wv}/{wvid}/e/{eid}":{"post":{"tags":["ExportRule"],"description":"Finds (if none provided) an appropriate export rule and applies that rule to an element,","operationId":"findAndApplyExportRuleForElement","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace or version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"elementType","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"ruleId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportOptionsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleApplicationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/exportrules/d/{did}/{wv}/{wvid}/e/{eid}/p/{pid}":{"post":{"tags":["ExportRule"],"description":"Finds (if none provided) an appropriate export rule and applies that rule to a part.","operationId":"findAndApplyExportRuleForPart","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"ruleId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportOptionsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleApplicationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/exportrules/options/{cu}/{cuid}":{"get":{"tags":["ExportRule"],"summary":" Get a list of valid export rule options for the user or company.","description":"Does NOT get the rules themselves; it gets the information used to create 
them.","operationId":"getValidRuleOptions","parameters":[{"name":"cu","in":"path","description":"Indicates which of company (c) or user (u) id is specified below.","required":true,"schema":{"type":"string","enum":["c","u"]}},{"name":"cuid","in":"path","description":"The id of the company or user in which the operation should be performed.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleValidOptionsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/exportrules/users/{uid}":{"get":{"tags":["ExportRule"],"description":"get export rules by user id","operationId":"getByUserId","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"onlyCurrentEnterprise","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTExportRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/exportrules/{rid}":{"get":{"tags":["ExportRule"],"description":"get an export rule by id","operationId":"getExportRule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["ExportRule"],"description":"update export 
rule","operationId":"update_1","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["ExportRule"],"description":"Delete an export rule","operationId":"deleteExportRule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/featurecallout":{"get":{"tags":["FeatureCallout"],"description":"Find all the feature callouts to display for free users","operationId":"findAll","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTFeatureCalloutInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["FeatureCallout"],"description":"Add a feature callout","operationId":"add","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureCalloutParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureCalloutInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/featurecallout/rank":{"post":{"tags":["FeatureCallout"],"description":"Update feature callout 
rank","operationId":"updateRank","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/featurecallout/{fid}":{"get":{"tags":["FeatureCallout"],"description":"Get a feature by feature id","operationId":"getFeatureCallout","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureCalloutInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["FeatureCallout"],"description":"Update feature callout","operationId":"updateFeatureCallout","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureCalloutParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureCalloutInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["FeatureCallout"],"description":"Delete a feature callout","operationId":"deleteFeatureCallout","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/featurestudios/d/{did}/w/{wid}":{"post":{"tags":["FeatureStudio"],"summary":"Create a new Feature Studio tab in a document.","description":"Specify the name for the new tab in the request 
body.","operationId":"createFeatureStudio","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/featurestudios/d/{did}/{wvm}/{wvmid}/e/{eid}":{"get":{"tags":["FeatureStudio"],"summary":"Get the text for a Feature Studio element.","operationId":"getFeatureStudioContents","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureStudioContents-2239"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["FeatureStudio"],"summary":"Update the text for a Feature Studio element.","operationId":"updateFeatureStudioContents","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureStudioContents-2239"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureStudioContents-2239"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/featurestudios/d/{did}/{wvm}/{wvmid}/e/{eid}/featurespecs":{"get":{"tags":["FeatureStudio"],"summary":"Get the feature specs for a Feature Studio element.","operationId":"getFeatureStudioSpecs","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureSpecsResponse-664"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/folders":{"post":{"tags":["Folder"],"description":"Create a new folder","operationId":"createFolder","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/folders/{fid}":{"get":{"tags":["Folder"],"description":"Returns info about a folder","operationId":"getFolder","parameters":[{"name":"fid","in":"path","description":"The folder ID.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Folder"],"description":"update the folder's name / description / etc","operationId":"updateFolder","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Folder"],"description":"Delete a folder","operationId":"deleteFolder","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}},{"name":"forever","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/folders/{fid}/acl":{"get":{"tags":["Folder"],"summary":"Get the Access Control List (ACL) for a folder to view permissions.","description":"Returns the ACL of permission objects. Each object contains: \n* The type of entity \n * 0 (User) \n * 1 (Company) \n * 2 (Team) \n * 3 (Document) \n * 4 (Application) \n * The ID of the entity for the specified type. \n* The permissions for that entity. \n * OWNER (100): All permissions, including those not listed, such as permission to transfer ownership. 
\n * DELETE (90) \n * RESHARE (80) \n * WRITE (70) \n * READ (60) \n * LINK (50) \n * COPY (30): Can copy workspace \n * EXPORT (20): Can export geometry \n * COMMENT (10) \n * ANONYMOUS_ACCESS (5): Special, restricted read access","operationId":"getFolderAcl","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/folders/{fid}/parent":{"post":{"tags":["Folder"],"description":"update the folder's parent","operationId":"updateFolderParent","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/folders/{fid}/project":{"post":{"tags":["Folder"],"description":"update the folder's project","operationId":"updateFolderProject","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFolderInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/folders/{fid}/repair":{"post":{"tags":["Folder"],"description":"Repair folder 
structure by ensuring that child documents and folders are consistent with this folder","operationId":"repair","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/folders/{fid}/share":{"post":{"tags":["Folder"],"summary":"Share folder with an entity.","description":"* Specify the type of entity to share with using `entries.entryType`: \n * 0 (User) \n * 1 (Company) \n * 2 (Team) \n * 3 (Document) \n * 4 (Application) \n* Provide one of the identifiers in the `entries` object in the request body. \n * You can share with non-Onshape users with the `email` field when `entryType=0`. \n * Provide the string for the permission set. Do not include the integer in parentheses: \n * OWNER (100): Object owner. Implies all permissions including those not listed such as permission to transfer ownership. 
\n * DELETE (90) \n * RESHARE (80) \n * WRITE (70) \n * READ (60) \n * LINK (50) \n * COPY (30): Can copy workspace \n * EXPORT (20): Can export geometry \n * COMMENT (10) \n * ANONYMOUS_ACCESS (5): Special, restricted read access","operationId":"share","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShareParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Share"],"BasicAuth":["OAuth2Read","OAuth2Share"]}],"x-BTVisibility":"PRODUCTION"}},"/folders/{fid}/share/{eid}":{"delete":{"tags":["Folder"],"summary":"Remove permissions from the folder for the specified Access Control List (ACL) entry.","description":"* Provide the folder ID for the folder to unshare. \n * Provide the `entryType` query parameter for the type of entity to remove (it defaults to 0, User, so set it explicitly when removing a company, team, document or application entry). 
\n * 0 (User) \n * 1 (Company) \n * 2 (Team) \n * 3 (Document) \n * 4 (Application) \n* Provide the entity ID in the `eid` param.","operationId":"unShare","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"entryType","in":"query","schema":{"maximum":4,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Share"],"BasicAuth":["OAuth2Read","OAuth2Share"]}],"x-BTVisibility":"PRODUCTION"}},"/friends":{"get":{"tags":["Friend"],"description":"Get list of friends","operationId":"getFriends","parameters":[{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"prefix","in":"query","schema":{"type":"string","default":""}},{"name":"companyId","in":"query","schema":{"type":"string","default":""}},{"name":"excludeGuests","in":"query","schema":{"type":"boolean","default":false}},{"name":"excludeLightUsers","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSelf","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTFriendInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/friends/admin/{uid}":{"get":{"tags":["Friend"],"description":"Get list of user's 
friends","operationId":"adminGetFriends","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"prefix","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTFriendInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Friend"],"description":"Add a friend to a user","operationId":"adminAddFriend","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAddFriendParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/friends/admin/{uid}/{fid}":{"delete":{"tags":["Friend"],"description":"Remove a friend from a user's friends list","operationId":"adminForgetFriend","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/friends/fromlist":{"post":{"tags":["Friend"],"description":"Given a list of user ids, return the BTFriendInfos of those that are friends of the current user","operationId":"fromList","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFriendsFromIdsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTFriendInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/friends/{fid}":{"delete":{"tags":["Friend"],"description":"Remove a friend from friends list","operationId":"forgetFriend","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/globaltreenodes":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of the root of the global tree. Will return all the various magic tree nodes","operationId":"getRootChildren","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/cloudstorageaccount/{csaid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a cloud storage account node in the global tree","operationId":"getCloudStorageAccountChildren","parameters":[{"name":"csaid","in":"path","required":true,"schema":{"type":"string"}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":""}},{"name":"pageToken","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"type":"string","default":"0"}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageObjectListInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/cloudstoragefolderobject/{csoid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the cloud storage objects for given folder from Cloud storage account","operationId":"getCloudStorageObjectsByParentIdForCloudStorageAccount","parameters":[{"name":"csoid","in":"path","required":true,"schema":{"type":"string"}},{"name":"csaid","in":"query","schema":{"type":"string"}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":""}},{"name":"pageToken","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageObjectListInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/cloudstorageobject/{csoid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get Cloud storage object from Cloud storage account","operationId":"getCloudStorageObjectFromCloudStorageAccount","parameters":[{"name":"csoid","in":"path","required":true,"schema":{"type":"string"}},{"name":"csaid","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCloudStorageObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/delete":{"post":{"tags":["GlobalTreeNode"],"description":"Permanently delete nodes","operationId":"deleteNode","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["document.delete"],"BasicAuth":["document.delete"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/document/{did}/parentInfo":{"get":{"tags":["GlobalTreeNode"],"description":"Get parent folder for the specified document","operationId":"getDocumentParentInfo","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["GlobalTreeNode"],"operationId":"unparentDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/emptyTrash":{"post":{"tags":["GlobalTreeNode"],"description":"Empty the trash","operationId":"emptyTrash","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEmptyTrashInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/folder/{fid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a folder node in the global tree","operationId":"getFolderChildren","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["GlobalTreeNode"],"description":"Move nodes to the specified folder","operationId":"moveToFolder","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/folder/{fid}/parentInfo":{"get":{"tags":["GlobalTreeNode"],"description":"Get parent folder for the specified 
folder","operationId":"getFolderParentInfo","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["GlobalTreeNode"],"operationId":"unparentFolder","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable":{"get":{"tags":["GlobalTreeNode"],"description":"Identical to non-insertable version; defined for consistency","operationId":"getRootInsertableChildren","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/folder/{fid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a folder node in the global tree; any returned documents are decorated 
with","operationId":"getFolderInsertableChildren","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"
includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/label/{lid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a label node in the global tree; any returned documents are decorated with","operationId":"getLabelInsertableChildren","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{
"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/magic/{mid}":{"get":{"tags":["GlobalTreeNode"],"description":"Identical to non-insertable version; defined for 
consistency","operationId":"getMagicInsertableChildren","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"modifiedAt"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"
name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/project/{pid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a project node in the global tree; any returned documents are decorated with","operationId":"getProjectInsertableChildren","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"quer
y","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/resourcecompanyowner/{cid}":{"get":{"tags":["GlobalTreeNode"],"description":"Similar to non-insertable 'resourcecompanyowner' 
version","operationId":"getCompanyResourcesInsertableChildren","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"modifiedAt"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default"
:0}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/resourceuserowner/{uid}":{"get":{"tags":["GlobalTreeNode"],"description":"Similar to non-insertable 'resourceuserowner' version","operationId":"getUserResourcesInsertableChildren","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"modifiedAt"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type"
:"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/insertable/team/{tid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a team node in the global tree; any returned documents are decorated 
with","operationId":"getTeamInsertableChildren","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"in
cludeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/label/{lid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a label node in the global tree","operationId":"getLabelChildren","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/magic/{mid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a 'magic' node in the global 
tree","operationId":"getMagicChildren","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"name"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["GlobalTreeNode"],"description":"Move nodes to the specified magic node","operationId":"moveToMagic","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/owner":{"post":{"tags":["GlobalTreeNode"],"description":"Change owner of selected node","operationId":"changeOwner","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeOwnerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOwnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/project/{pid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a project node in the global tree","operationId":"getProjectChildren","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["GlobalTreeNode"],"description":"Move nodes to the specified project","operationId":"moveToProject","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/resourcecompanyowner/{cid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the documents that are are not in in the folder and are owned by a 
company for the current user","operationId":"getCompanyResourcesByOwner","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["GlobalTreeNode"],"description":"Move nodes to the resourcecompanyowner node","operationId":"moveToResourceCompanyOwner","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/resourceuserowner/{uid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the documents that are owned by the user and are not in in the 
folder","operationId":"getUserResourcesByOwner","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["GlobalTreeNode"],"description":"Move nodes to the resourceuserowner node","operationId":"moveToResourceUserOwner","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/restore":{"post":{"tags":["GlobalTreeNode"],"description":"Restore items from the trash","operationId":"restoreFromTrash","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeMoveParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/team/{tid}":{"get":{"tags":["GlobalTreeNode"],"description":"Get the children of a team node in the global tree","operationId":"getTeamChildren","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"getPathToRoot","in":"query","schema":{"type":"boolean","default":false}},{"name":"containersOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/globaltreenodes/user/{uid}/public":{"get":{"tags":["GlobalTreeNode"],"description":"Get the public children of a user in the global 
tree","operationId":"getPublicUserDocuments","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":50,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"name"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeWithChildrenInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/inappmessages":{"get":{"tags":["InAppMessage"],"description":"Returns a paginated list of In-App Messages.","operationId":"getInAppMessages","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["InAppMessage"],"description":"Create a new In-App Message","operationId":"createInAppMessage","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/displayOrder":{"post":{"tags":["InAppMessage"],"description":"Update In-App Message 
Display Order","operationId":"updateDisplayOrder","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/user":{"get":{"tags":["InAppMessage"],"description":"Returns information about one In-App Messages for current user.","operationId":"getInAppMessageForUser","parameters":[{"name":"context","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/views/{mid}":{"post":{"tags":["InAppMessage"],"description":"Increase In-App Message view count","operationId":"increaseViewCount","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/{mid}":{"get":{"tags":["InAppMessage"],"description":"Returns information about one In-App Message.","operationId":"getInAppMessage","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["InAppMessage"],"description":"Update In-App Message","operationId":"updateInAppMessage","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["InAppMessage"],"description":"Delete In-App Message","operationId":"deleteInAppMessage","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/{mid}/content":{"post":{"tags":["InAppMessage"],"description":"Create a new In-App Message Content","operationId":"createInAppMessageContent","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/Content"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/{mid}/content/{cidx}":{"post":{"tags":["InAppMessage"],"description":"Update In-App Message Content specified by the content 
index.","operationId":"updateInAppMessageContent","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cidx","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/Content"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["InAppMessage"],"description":"Delete In-App Message Content specified by the content index.","operationId":"deleteInAppMessageContent","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cidx","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/{mid}/content/{cidx}/item":{"post":{"tags":["InAppMessage"],"description":"Create a new In-App Message Content Item.","operationId":"createInAppMessageContentItem","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cidx","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/ContentItem"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/{mid}/content/{cidx}/item/{icidx}":{"post":{"tags":["InAppMessage"],"description":"UpdateIn-App Message Content Item specified by content index and content item 
index.","operationId":"updateInAppMessageContentItem","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cidx","in":"path","required":true,"schema":{"type":"string"}},{"name":"icidx","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/ContentItem"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInAppMessageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["InAppMessage"],"description":"Delete In-App Message Content Item specified by content index and content item index.","operationId":"deleteInAppMessageContentItem","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cidx","in":"path","required":true,"schema":{"type":"string"}},{"name":"icidx","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/inappmessages/{mid}/runLooker":{"post":{"tags":["InAppMessage"],"description":"Run looker query for In-App Message.","operationId":"runLookerForInAppMessage","parameters":[{"name":"mid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/insertables/d/{did}/latest":{"get":{"tags":["Insertable"],"summary":"Get a list of things in this document that can be inserted elsewhere.","description":"* Returns only the latest revision of released insertables. \n* Use the document ID (`did`) parameter to specify the source document, not the insertion target. 
\n* For example, you can insert a custom Feature library into another custom Feature library, insert Parts into an Assembly or a Drawing, etc.","operationId":"getLatestInDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeSketches","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeReferenceFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAssemblies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatureStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeBlobs","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"excludeNewerFSVersions","in":"query","schema":{"type":"boolean","default":false}},{"name":"maxFeatureScriptVersion","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"includePartStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFeatures","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeMeshes","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeWires","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFlattenedBodies","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeApplications","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedApplicationMimeTypes","in":"query","schema":{"type":"string","default":""}},{"name":"includeCompositeParts","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSTables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeFSComputedPartPropertyFunctions","in":"query","schema":{"type":"boolean",
"default":false}},{"name":"includeVariables","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeVariableStudios","in":"query","schema":{"type":"boolean","default":false}},{"name":"allowedBlobExtensions","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTInsertableInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/insertables/d/{did}/v/{vid}/p/{pnum}":{"get":{"tags":["Insertable"],"description":"Return a single insertable matching the given version id and part number, exclusive of drawings","operationId":"getInsertableForPartNumberInVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","required":true,"schema":{"type":"string"}},{"name":"et","in":"query","required":true,"schema":{"type":"string"}},{"name":"flat","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReleasedInsertableInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/insertables/rev/{rid}":{"get":{"tags":["Insertable"],"description":"Return a single insertable matching the given revision id","operationId":"getInsertableForRevision","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"flat","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTReleasedInsertableInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/items":{"get":{"tags":["Item"],"description":"Get items for a company","operationId":"getItems","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string"}},{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"publishStates","in":"query","schema":{"type":"string","default":""}},{"name":"classification","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":30}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTItemInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Item"],"description":"Create a new item","operationId":"createItem","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTItemParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTItemInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/items/find":{"post":{"tags":["Item"],"description":"Get search results","operationId":"findItems","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNonGeometricItemSearchRequestParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTItemInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/items/{cid}/upload":{"post":{"tags":["Item"],"description":"Create items defined by a csv file","operationId":"uploadItems","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUploadItemsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/items/{iid}":{"get":{"tags":["Item"],"description":"Get item by id","operationId":"getItem","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTItemInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Item"],"description":"Update an item","operationId":"updateItem","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTItemParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTItemInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Item"],"description":"Delete an item. 
Items can only be deleted if they are PENDING","operationId":"deleteItem","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/jwtissuers":{"get":{"tags":["JwtIssuer"],"description":"Get JWT issuers.","operationId":"getJwtIssuer","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"query","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTJwtIssuerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["JwtIssuer"],"description":"Create a JWT Issuer","operationId":"create_1","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTJwtIssuerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTJwtIssuerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/jwtissuers/{iid}":{"get":{"tags":["JwtIssuer"],"description":"Get a JWT issuer by ID.","operationId":"getById","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTJwtIssuerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"put":{"tags":["JwtIssuer"],"operationId":"update_2","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTJwtIssuerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTJwtIssuerInfo"}}}}},"deprecated":false},"delete":{"tags":["JwtIssuer"],"description":"Delete a JWT issuer.","operationId":"deleteJwtIssuer","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/keyboardshortcuts":{"get":{"tags":["KeyboardShortcut"],"description":"This API returns Onshape's default keyboard shortcut map. 
It can be called anonymously.","operationId":"getDefaultShortcut","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"string"}}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/keyboardshortcuts/users/{uid}":{"get":{"tags":["KeyboardShortcut"],"description":"Get map of active keyboard shortcuts for user.","operationId":"getUserShortcuts","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"string"}}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["KeyboardShortcut"],"description":"Customize key shortcut for user.","operationId":"updateShortcuts","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyboardShortcutParams"}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["KeyboardShortcut"],"description":"Restore all action shortcuts to their default values for user.","operationId":"restoreAllShortcuts","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/keyboardshortcuts/users/{uid}/actions/{aid}":{"delete":{"tags":["KeyboardShortcut"],"description":"Restore a particular action shortcut, for a user, to its defaults value.","operationId":"restoreShortcut","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/keyboardshortcuts/users/{uid}/category":{"get":{"tags":["KeyboardShortcut"],"description":"Get list of keyboard shortcuts for user by category. This APIs returns map of active shortcuts for user. Active shortcuts comprises list of defaults overridden by user customized shortcuts.","operationId":"getUserShortcutsByCategory","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyboardShortcutInfo"}}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/labels":{"post":{"tags":["DocumentLabel"],"description":"Create a new label","operationId":"createLabel","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/labels/users/{oid}":{"get":{"tags":["DocumentLabel"],"description":"Get all labels owned by a user. Validates if current logged in user is allowed to see these","operationId":"getLabelsForUser","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}},{"name":"all","in":"query","schema":{"type":"boolean","default":false}},{"name":"parentLabelId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTDocumentLabelInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/labels/{lid}":{"post":{"tags":["DocumentLabel"],"description":"rename an existing label","operationId":"renameLabel","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["DocumentLabel"],"description":"Delete a label","operationId":"deleteLabel","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/labels/{lid}/parent":{"post":{"tags":["DocumentLabel"],"description":"Move a label owned by user to under another label or as top level 
label","operationId":"changeParent","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/labels/{lid}/uses/documents":{"post":{"tags":["DocumentLabel"],"description":"Attach a label to a document","operationId":"attachLabelToDocument","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentLabelParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["DocumentLabel"],"description":"Remove a label from a set of document","operationId":"removeLabelFromDocuments","parameters":[{"name":"lid","in":"path","required":true,"schema":{"type":"string"}},{"name":"docids","in":"query","required":true,"schema":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/locales":{"get":{"tags":["Locale"],"description":"Get details of locales","operationId":"getLocales","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTLocaleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/add":{"post":{"tags":["LoggingConfiguration"],"description":"Add logging configuration for the specified onshape service/package name","operationId":"addLoggingConfiguration","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTLoggingConfiguration"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/addAll":{"post":{"tags":["LoggingConfiguration"],"description":"Add logging configurations for the specified package to all services","operationId":"addLoggingConfigurationForAllServices","parameters":[{"name":"packageName","in":"query","required":true,"schema":{"type":"string"}},{"name":"logLevel","in":"query","required":true,"schema":{"type":"string"}},{"name":"notes","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/configurations":{"get":{"tags":["LoggingConfiguration"],"description":"Get list of all logging configurations of each of the specified onshape service stored in mongo","operationId":"getCurrentLoggingConfiguration","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/delete":{"delete":{"tags":["LoggingConfiguration"],"description":"Delete logging configuration for the specified onshape 
service/package","operationId":"deleteLoggingConfiguration","parameters":[{"name":"serviceName","in":"query","required":true,"schema":{"type":"string"}},{"name":"packageName","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/deleteAll":{"delete":{"tags":["LoggingConfiguration"],"description":"Delete all logging configurations","operationId":"deleteAllLoggingConfiguration","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/deleteAll/package":{"delete":{"tags":["LoggingConfiguration"],"description":"Delete all logging configurations for the specified onshape package","operationId":"deleteAllLoggingConfigurationForPackage","parameters":[{"name":"packageName","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/services":{"get":{"tags":["LoggingConfiguration"],"description":"Get list of all service types","operationId":"getServices","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/update":{"post":{"tags":["LoggingConfiguration"],"description":"Update the logging configuration log level for the specified onshape 
service/package","operationId":"updateLoggingConfiguration","parameters":[{"name":"serviceName","in":"query","required":true,"schema":{"type":"string"}},{"name":"packageName","in":"query","required":true,"schema":{"type":"string"}},{"name":"logLevel","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/logging/updateAll":{"post":{"tags":["LoggingConfiguration"],"description":"Update all the logging configurations log level for the specified package","operationId":"updateAllLoggingConfigurationsForPackage","parameters":[{"name":"packageName","in":"query","required":true,"schema":{"type":"string"}},{"name":"logLevel","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/materials/libraries":{"get":{"tags":["Material"],"description":"Searches for material libraries","operationId":"findLibraries","parameters":[{"name":"keyword","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"filter","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"owner","in":"query","schema":{"type":"string","default":""}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"documentId","in":"query","schema":{"type":"string","default":""}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTMaterialLibraryMetadataInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/materials/libraries/d/{did}/e/{eid}":{"get":{"tags":["Material"],"description":"Get material library","operationId":"getRecentVersionLibrary","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/materials/libraries/d/{did}/w/{wid}/e/{eid}/csv":{"post":{"tags":["Material"],"description":"Updates a material library","operationId":"updateLibrary","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/materials/libraries/d/{did}/{wvm}/{wvmid}/e/{eid}":{"get":{"tags":["Material"],"description":"Get material library","operationId":"getLibrary","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/materials/supportedproperties":{"get":{"tags":["Material"],"description":"Get supported property definition","operationId":"getSupportedPropertyDefinitions","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTMaterialPropertyDefinitionInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metadata/bulkGet":{"post":{"tags":["Metadata"],"description":"Get all requested metadata","operationId":"getBulkMetadata","parameters":[{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBulkMetadataResolutionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBulkMetadataResolutionResponse"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metadata/category":{"post":{"tags":["Metadata"],"description":"Get properties specific to the category or categories for each object/item in the jsonBody.","operationId":"getCategoryMetadata","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"configurationId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataItemsCategoryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectListInfoBTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/d/{did}/{subResource}":{"post":{"tags":["Metadata"],"description":"Update metadata","operationId":"updateMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"subResource","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/d/{did}/{wvm}/{wvmid}/e":{"get":{"tags":["Metadata"],"summary":"Get the metadata for all elements in a document.","description":"* You can specify the optional `depth` query parameter to get multiple levels in an assembly. Default `depth` is `1`. \n* `linkDocumentId` can be specified where applicable. Combined with `inferMetadataOwner` (default value is `false`), this is used to infer metadata owner. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. Default value is `false`. \n* You can also choose to include a `thumbnail`. 
Default value is `false`.","operationId":"getWMVEsMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"depth","in":"query","schema":{"type":"string","default":"1"}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectListInfoBTMetadataElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/d/{did}/{wvm}/{wvmid}/e/{eid}":{"get":{"tags":["Metadata"],"summary":"Get the metadata for an element.","description":"* `linkDocumentId` can be specified where applicable and this combined with the query param `inferMetadataOwner` (default value is `false`) will be used to infer metadata owner. \n* `configuration` optional query parameter defaults to default configuration. \n* You can specify an optional `depth` query parameter to get multiple levels in an assembly. Default `depth` is `1`. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. Default value is `false`. \n* You can also choose to include a `thumbnail`. 
Default value is `false`.","operationId":"getWMVEMetadata","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"depth","in":"query","schema":{"type":"string","default":"1"}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Metadata"],"summary":"Update the 
metadata for an element.","description":"* Microversion (`m`) in `wvm` path parameter option is not supported. \n* Specify the property metadata to update in the Request body.","operationId":"updateWVEMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/d/{did}/{wvm}/{wvmid}/e/{eid}/p":{"get":{"tags":["Metadata"],"summary":"Get the metadata for all parts in a document.","description":"* The `configuration` optional query parameter uses the default configuration unless otherwise specified. \n* You can specify an optional `depth` query parameter to get multiple levels in an assembly. Default `depth` is `1`. \n* `linkDocumentId` can be specified where applicable. Combined with `inferMetadataOwner` (default value is `false`), this is used to infer metadata owner. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. Default value is `false`. \n* You can also choose to include a `thumbnail`. 
Default value is `false`.","operationId":"getWMVEPsMetadata","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectListInfoBTMetadataPartInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/d/{did}/{wvm}/{wvmid}/e/{eid}/{iden}/{pid}":{"get":{"tags":["Metadata"],"summary":"Get the metadata for a part.","description":"* Specify the part in the `iden` or `pid` path parameter. \n* The `configuration` optional query parameter uses the default configuration unless otherwise specified. \n* `linkDocumentId` can be specified where applicable. Combined with `inferMetadataOwner` (default value is `false`), this is used to infer metadata owner. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. Default value is `false`. \n* You can also choose to include a `thumbnail`. Default value is `false`.","operationId":"getWMVEPMetadata","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"iden","in":"path","description":"Denotes whether the pid specified is a part id (p) or a part identity (pi).","required":true,"schema":{"type":"string","enum":["p","pi"]}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Metadata"],"summary":"Update the metadata for a part.","description":"* Specify the part in the `iden` or `pid` path parameter. \n* The `configuration` optional query parameter uses the default configuration unless otherwise specified. \n* `linkDocumentId` can be specified where applicable. Combined with `inferMetadataOwner` (default value is `false`), this is used to infer metadata owner. \n* Specify the property metadata to update in the Request body.","operationId":"updateWVEPMetadata","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"iden","in":"path","description":"Denotes whether the pid specified is a part id (p) or a part identity (pi).","required":true,"schema":{"type":"string","enum":["p","pi"]}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/d/{did}/{wv}/{wvid}":{"get":{"tags":["Metadata"],"summary":"Get the metadata for a workspace or version.","description":"* 
`linkDocumentId` can be specified where applicable. Combined with `inferMetadataOwner` (default value is `false`), this is used to infer metadata owner. \n* You can specify an optional `depth` query parameter to get multiple levels in an assembly. Default `depth` is `1`. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. Default value is `false`. \n* You can also choose to include a `thumbnail`. Default value is `false`.","operationId":"getWVMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"depth","in":"query","schema":{"type":"string","default":"1"}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Metadata"],"summary":"Update the metadata for a workspace or version.","description":"Specify the property metadata to update in the Request 
body.","operationId":"updateWVMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/formatvalue":{"post":{"tags":["Metadata"],"description":"Format a user-specified value based on the metadata value type","operationId":"formatValue","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFormatValueParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFormatValueResponse"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metadata/gn/pr/{pid}":{"get":{"tags":["Metadata"],"description":"Get metadata for a project","operationId":"getProjectMetadata","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Metadata"],"description":"Update project metadata","operationId":"updateProjectMetadata","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/it":{"post":{"tags":["Metadata"],"description":"Update items metadata","operationId":"updateItemsMetadata","parameters":[{"name":"companyId","in":"query","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/it/{iid}":{"get":{"tags":["Metadata"],"description":"Get metadata for an item","operationId":"getItemMetadata","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}},{"name":"allowNullItemDefinition","in":"query","schema":{"type":"boolean","default":false}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/searchable":{"get":{"tags":["Metadata"],"description":"Returns the metadata about the searchable metadata (standard and custom property-defined) 
fields","operationId":"getSearchableFields","parameters":[{"name":"companyId","in":"query","schema":{"type":"string"}},{"name":"excludeStandard","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSearchFieldsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/standardcontent/d/{did}":{"post":{"tags":["Metadata"],"summary":"Update the metadata for a standard content part.","description":"* Specify the document ID to update in the `did` path param. \n* Specify the document in which you have inserted the standard content part in the `linkDocumentId` query param. \n* Specify the property metadata to update in the Request body.","operationId":"updateVEOPStandardContentPartMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/standardcontent/d/{did}/v/{vid}/e/{eid}/p/{pid}":{"get":{"tags":["Metadata"],"summary":"Get the metadata for a standard content part.","description":"* Specify the part in the `pid` path parameter. \n* The `configuration` and `linkDocumentId` query parameters are required. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. 
Default value is `false`. \n* You can also choose to include a `thumbnail`. Default value is `false`.","operationId":"getVEOPStandardContentMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/standardcontent/d/{did}/v/{vid}/e/{eid}/{cu}/{cuid}/p/{pid}":{"get":{"tags":["Metadata"],"summary":"Get the metadata for a standard content part.","description":"* Specify the part in the `pid` path parameter. \n* The `configuration` and `linkDocumentId` query parameters are required. \n* `includeComputedProperties` can be used to include or omit computed properties. Default value is `true`. \n* `includeComputedAssemblyProperties` can be used to query computed assembly properties which are generally expensive. Default value is `false`. \n* You can also choose to include a `thumbnail`. 
Default value is `false`.","operationId":"getVEOPStandardContentMetadataOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cu","in":"path","description":"Indicates which of company (c) or user (u) id is specified below.","required":true,"schema":{"type":"string","enum":["c","u"]}},{"name":"cuid","in":"path","description":"The id of the company or user in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeComputedAssemblyProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"thumbnail","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Metadata"],"summary":"Update the metadata for a standard content part.","description":"* Specify the document ID to update in the `did` path param. \n* Specify the document in which you have inserted the standard content part in the `linkDocumentId` query param. 
\n* Specify the property metadata to update in the Request body.","operationId":"updateVEOPStandardContentPartMetadataOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cu","in":"path","description":"Indicates which of company (c) or user (u) id is specified below.","required":true,"schema":{"type":"string","enum":["c","u"]}},{"name":"cuid","in":"path","description":"The id of the company or user in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/metadata/ta":{"post":{"tags":["Metadata"],"description":"Update tasks metadata","operationId":"updateTaskMetadata","parameters":[{"name":"companyId","in":"query","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadata/ta/{tid}":{"get":{"tags":["Metadata"],"description":"Get metadata for a 
task","operationId":"getTaskMetadata","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/metadatacategory":{"get":{"tags":["MetadataCategory"],"operationId":"searchCategories","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"configurationId","in":"query","schema":{"type":"string"}},{"name":"objectType","in":"query","schema":{"type":"array","items":{"type":"integer","format":"int32"}}},{"name":"q","in":"query","schema":{"type":"string"}},{"name":"activeOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeOnshape","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAtlas","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":500,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTMetadataCategoryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["MetadataCategory"],"operationId":"createCategory","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataCategoryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataCategoryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadatacategory/categoryproperties":{"get":{"tags":["MetadataCategory"],"summary":"Get properties associated with the specified metadata categories.","description":"An object's category specifies its type: Part, Assembly, Drawing, etc. 
Available properties depend on the object's category.","operationId":"getCategoryProperties","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"categoryIds","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"objectType","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"strict","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeObjectTypeDefaults","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"includePartPropertiesTableOnlyProperties","in":"query","schema":{"type":"boolean","default":true}},{"name":"onlyActive","in":"query","schema":{"type":"boolean","default":false}},{"name":"onlyObjectTypeDefaults","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCategoryPropertyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadatacategory/properties":{"get":{"tags":["MetadataCategory"],"operationId":"getMetadataProperties","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"objectType","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"activeOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeOnshape","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeAtlas","in":"query","schema":{"type":"boolean","default":false}},{"name":"assignableOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":200}},{"name":"includeComputedProperties","in":"query","schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCategoryPropertyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["MetadataCategory"],"description":"Update metadata properties and associate or disassociate them with categories","operationId":"updateProperties","parameters":[{"name":"companyId","in":"query","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryBulkPropertyUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryPropertyBulkUpdateResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadatacategory/property":{"post":{"tags":["MetadataCategory"],"operationId":"createProperty","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryPropertyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryPropertyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/metadatacategory/property/{pid}":{"get":{"tags":["MetadataCategory"],"operationId":"getCategoryProperty","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryPropertyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["MetadataCategory"],"operationId":"updateProperty","parameters":[{"name":"ownerId","in":"query","required":true,"schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryPropertyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCategoryPropertyInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["MetadataCategory"],"description":"Deletes a metadata category property","operationId":"deleteSchemaProperty","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metadatacategory/{catid}":{"get":{"tags":["MetadataCategory"],"operationId":"getCategory","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"catid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataCategoryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["MetadataCategory"],"operationId":"updateCategory","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"catid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataCategoryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataCategoryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["MetadataCategory"],"operationId":"deleteCategory","parameters":[{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"catid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/metadatacategory/{oid}/flushflatmembershipcache":{"post":{"tags":["MetadataCategory"],"description":"Flush flat membership cache for all categories for the given company. 
This end point is","operationId":"flushFlatMembershipCache","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metadataschema":{"get":{"tags":["MetadataSchema"],"description":"Get metadata schema, or Onshape schema if user/company has no schema for the given object type","operationId":"getMetadataSchema","parameters":[{"name":"ownerId","in":"query","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"objectType","in":"query","required":true,"schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataSchemaInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadataschema/properties":{"get":{"tags":["MetadataSchema"],"description":"Get metadata 
properties","operationId":"getProperties","parameters":[{"name":"schemaId","in":"query","schema":{"type":"string"}},{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"objectType","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"strict","in":"query","schema":{"type":"boolean","default":false}},{"name":"activeOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":200}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTMetadataPropertySummaryInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadataschema/property/{pid}":{"get":{"tags":["MetadataSchema"],"description":"Get metadata property","operationId":"getProperty","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"schemaId","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataPropertyInfoOld"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadataschema/propertyinfo/{pid}":{"get":{"tags":["MetadataSchema"],"description":"Get metadata property 
info","operationId":"getPropertyInfo","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"schemaId","in":"query","schema":{"type":"string"}},{"name":"ownerId","in":"query","schema":{"type":"string"}},{"name":"ownerType","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"objectType","in":"query","schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metadataschema/searchable":{"get":{"tags":["MetadataSchema"],"description":"Returns the custom properties a user can search. Deprecated and scheduled for removal.","operationId":"getSearchableProperties","parameters":[{"name":"companyId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTMetadataSearchablePropertyInfo"}}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}]}},"/metadataschema/{sid}":{"get":{"tags":["MetadataSchema"],"description":"Get metadata schema by ID","operationId":"getSchema","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataSchemaInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/metrics/bandwidth/{uid}":{"get":{"tags":["Metrics"],"description":"Return the bandwidth metrics in JSON format for the specified user","operationId":"getBandwidthMetrics","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"minValue","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"maxValue","in":"query","schema":{"type":"integer","format":"int32","default":6}},{"name":"interval","in":"query","schema":{"maximum":2,"minimum":1,"type":"integer","format":"int32","default":1}},{"name":"durationType","in":"query","schema":{"pattern":"(day|week|month)","type":"string","default":"week"}},{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"ipAddress","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClientPerformanceMetricsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metrics/document/lifecycle":{"post":{"tags":["Metrics"],"description":"Store a document lifecycle metric event","operationId":"storeMetric","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTMetricParams"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/metrics/document/{did}/lifecycle":{"post":{"tags":["Metrics"],"description":"Store a group of document lifecycle metric 
events","operationId":"storeDocumentMetrics","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetricsListParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metrics/latency/{uid}":{"get":{"tags":["Metrics"],"description":"Return the latency metrics in JSON format for the specified user","operationId":"getLatencyMetrics","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"minValue","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"maxValue","in":"query","schema":{"type":"integer","format":"int32","default":600}},{"name":"interval","in":"query","schema":{"maximum":1000,"minimum":10,"type":"integer","format":"int32","default":100}},{"name":"durationType","in":"query","schema":{"pattern":"(day|week|month)","type":"string","default":"week"}},{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"ipAddress","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTClientPerformanceMetricsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metrics/users/{uid}/lifecycle":{"post":{"tags":["Metrics"],"description":"Store a user's current client metric events","operationId":"storeUIMetrics","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetricsListParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/metrics/users/{uid}/surveyResponse":{"post":{"tags":["Metrics"],"description":"Store a user's response to a survey question","operationId":"storeSurveyResponse","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSurveyResponseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/modelingServiceTest":{"get":{"tags":["ClientCheck"],"description":"Get URL to modeling server to open WebSocket","operationId":"createModelingServiceRequest","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/models/assembly/definition/{did}/workspace/{wid}/element/{eid}":{"get":{"tags":["Model"],"description":"Get definition of an assembly element","operationId":"getAssemblyDefinitionDEPRECATED","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeMateFeatures","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/models/bodies/details":{"post":{"tags":["Model"],"description":"Get body details of a model","operationId":"getBodyDetailsDEPRECATED","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelBodyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportModelBodiesResponse-734"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/models/boundingbox":{"post":{"tags":["Model"],"description":"Get bounding box of a model","operationId":"getBoundingBox","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBoundingBoxParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBoundingBoxInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/models/tessellatededges":{"post":{"tags":["Model"],"description":"Get tessellation of a model's edges","operationId":"getTessellatedEdgesDEPRECATED","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelTessellationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportTessellatedEdgesResponse-327"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/models/tessellatedfaces":{"post":{"tags":["Model"],"description":"Get tessellation of a model's faces","operationId":"getFaces","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelTessellationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportTessellatedFacesResponse-898"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/notifications":{"get":{"tags":["Notification"],"description":"Get all notifications for current user","operationId":"getNotifications","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":1000,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"includeDeferred","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationListInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Notification"],"description":"Send a notification","operationId":"sendNotification","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/acknowledgedall":{"post":{"tags":["Notification"],"description":"Set the acknowledged flag for all user notifications","operationId":"acknowledgedAllNotification","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBulkAcknowledgeNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/all":{"delete":{"tags":["Notification"],"description":"Remove all user 
notifications","operationId":"deleteAllNotifications","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/campaign":{"get":{"tags":["Notification"],"description":"Get all campaigns owned by current user","operationId":"listCampaigns","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTCampaignInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Notification"],"description":"Create a message campaign","operationId":"createCampaign","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCampaignParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCampaignInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/campaign/{cid}":{"post":{"tags":["Notification"],"description":"Update a message campaign","operationId":"updateCampaign","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCampaignParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCampaignInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/expandall":{"post":{"tags":["Notification"],"description":"Set 
the expanded flag for all user notifications","operationId":"expandallNotification","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBulkExpandNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/mobile":{"get":{"tags":["Notification"],"description":"Get all mobile notification for current user","operationId":"listMobileNotifications","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"acknowledge","in":"query","schema":{"type":"boolean"}},{"name":"showAll","in":"query","schema":{"type":"boolean"}},{"name":"eventTypes","in":"query","schema":{"type":"array","items":{"type":"integer","format":"int32"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTMobileNotificationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Notification"],"description":"Set the acknowledged flag for given mobile notification","operationId":"setMobileNotificationAcknowledged","parameters":[{"name":"acknowledge","in":"query","schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMobileNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/mobile/bulkdelete":{"post":{"tags":["Notification"],"description":"Delete given mobile 
notification","operationId":"deleteBuilkMobileNotification","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMobileNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/mobile/{nid}":{"delete":{"tags":["Notification"],"description":"Remove given mobile notification","operationId":"deleteMobileNotification","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/summary":{"get":{"tags":["Notification"],"description":"Get summary of notifications for current user","operationId":"getNotificationSummary","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/testCreate":{"post":{"tags":["Notification"],"description":"Create a notification for testing purposes","operationId":"createNotification","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/upload/{nid}/state":{"post":{"tags":["Notification"],"description":"Set the upload state of a 
notification","operationId":"setUploadState","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUploadStateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/uploads":{"post":{"tags":["Notification"],"description":"Create a notification for starting an upload","operationId":"beginUpload","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUploadParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/{nid}":{"get":{"tags":["Notification"],"description":"Get details for one notification","operationId":"getNotification","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Notification"],"description":"Set the acknowledged flag for a notification","operationId":"setNotificationAcknowledged","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Notification"],"description":"Remove a notification","operationId":"deleteNotification","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/{nid}/debugComplete":{"post":{"tags":["Notification"],"description":"Set the completion status for a debug notification","operationId":"setNotificationDebugComplete","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNotificationDebugParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/notifications/{nid}/expanded":{"post":{"tags":["Notification"],"description":"Set the expanded flag for a notification","operationId":"setNotificationExpanded","parameters":[{"name":"nid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNotificationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/numberingscheme/nextnumbers":{"post":{"tags":["NumberingScheme"],"summary":"Send the items to generate numbers for, and return the next valid available part 
numbers.","operationId":"nextNumbers","parameters":[{"name":"cid","in":"query","schema":{"type":"string"}},{"name":"did","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNextPartNumbersParam"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTNextPartNumber"}}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/numberingscheme/{cid}/scheme":{"get":{"tags":["NumberingScheme"],"description":"Returns the part number scheme for the specified company.","operationId":"getNumberingScheme","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNumberingSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["NumberingScheme"],"description":"Sets or updates the numbering scheme for the specified company.","operationId":"setNumberingScheme","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAutoNumberingSchemeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNumberingSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/numberingscheme/{cid}/schemes":{"get":{"tags":["NumberingScheme"],"description":"Returns definition of schemes and not which scheme is associated with what resource. 
Resource specific schemeId selection is saved in companypolicy.","operationId":"findNumberingSchemeDefinitions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTNumberingSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/openapi":{"get":{"tags":["OpenApi"],"summary":"Get the OpenAPI specification for the Onshape REST API.","description":"The Onshape API OpenAPI specification is returned in the JSON format.","operationId":"getOpenApi","parameters":[{"name":"forceReload","in":"query","description":"Force reload the OpenApi definition. Only works when asking for the latest version.","schema":{"type":"boolean"}},{"name":"version","in":"query","description":"Specify a version of Onshape from which the OpenAPI is generated. If '*' is specified in any of the version fields, that indicates any version if acceptable.","schema":{"type":"string"}},{"name":"versionAlias","in":"query","description":"Version aliases based on the currently released version.","schema":{"$ref":"#/components/schemas/VersionAlias"}},{"name":"noFilter","in":"query","description":"Do not filter the specification at all.","schema":{"type":"boolean","default":false}},{"name":"includedTags","in":"query","description":"Return only operations with tags included in includedTags.","schema":{"type":"array","items":{"type":"string"}}},{"name":"excludedTags","in":"query","description":"If an operation contains an excluded tag, it is not returned from this endpoint.","schema":{"type":"array","items":{"type":"string"}}},{"name":"includeDeprecated","in":"query","description":"Include deprecated endpoints.","schema":{"type":"boolean","default":false}},{"name":"onlyDeprecated","in":"query","description":"Only include deprecated 
endpoints.","schema":{"type":"boolean","default":false}},{"name":"documentationStatuses","in":"query","description":"Only return endpoints that have the specified documentation status. Default is to return all the endpoints the user should have access to.","schema":{"type":"array","items":{"$ref":"#/components/schemas/Status"}}},{"name":"restUserRole","in":"query","description":"The REST user role for which this spec is requested.","schema":{"$ref":"#/components/schemas/BTRestUserRole"}},{"name":"operationIds","in":"query","description":"Only return operations with specified ids.","schema":{"type":"array","items":{"type":"string"}}},{"name":"excludedOperationIds","in":"query","description":"Do not return operations with specified ids.","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/OpenAPI"}},"application/yaml;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/OpenAPI"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/openapi/diff":{"get":{"tags":["OpenApi"],"description":"Produce a diff between versions of Onshape.","operationId":"getOpenApiDiff","parameters":[{"name":"from","in":"query","description":"The URL to the OpenAPI Spec to compare from.","schema":{"type":"string","default":"%2Fapi%2Fopenapi%3FversionAlias%3DLAST_MINOR"}},{"name":"to","in":"query","description":"The URL to the OpenAPI Spec to compare to","schema":{"type":"string","default":"%2Fapi%2Fopenapi"}},{"name":"fromAuth","in":"header","description":"Headers needed for authorization to the url in the 'from' address.","schema":{"type":"string"}},{"name":"toAuth","in":"header","description":"Headers needed for authorization to the url in the 'to' address.","schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"text/html":{"schema":{"$ref":"#/components/schemas/BTOpenApiDiff"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOpenApiDiff"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["OpenApi"],"description":"Produce a diff between any two OpenApi definitions.","operationId":"postOpenApiDiff","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOpenApiDiffRequest"}}}},"responses":{"default":{"description":"default response","content":{"text/html":{"schema":{"$ref":"#/components/schemas/BTOpenApiDiff"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOpenApiDiff"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/openapi/openapijson":{"post":{"tags":["OpenApi"],"description":"Force create and save a new openapi.json.","operationId":"runOpenApiJsonCreation","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/openapi/tags":{"get":{"tags":["OpenApi"],"summary":"Get the list of tags in the Onshape OpenAPI specification.","description":"Tags are used to group operations. 
For example, `Document` groups operations on documents.","operationId":"getTags","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/Tag"}}},"application/yaml;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/Tag"}}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/openapi/version":{"post":{"tags":["OpenApi"],"description":"Post a new version of the OpenAPI spec.","operationId":"createOpenApiSpec","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOpenApi"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/openapi/version/{version}":{"delete":{"tags":["OpenApi"],"description":"Delete a saved version of the OpenAPI spec. Must be base64 encoded.","operationId":"deleteOpenApiSpec","parameters":[{"name":"version","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/openapi/versions":{"get":{"tags":["OpenApi"],"description":"Find all available OpenApi versions.","operationId":"getOpenApiVersions","parameters":[{"name":"filter","in":"query","schema":{"type":"string","default":"*.*.*"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTSemanticVersion"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partners":{"get":{"tags":["APIPartner"],"description":"Returns a paginated list of API 
partners","operationId":"getPartners","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTAPIPartnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIPartner"],"description":"Create an API partner","operationId":"createPartner","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIPartnerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIPartnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partners/{partnerid}":{"get":{"tags":["APIPartner"],"description":"Returns a particular API partner","operationId":"getPartner","parameters":[{"name":"partnerid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIPartnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["APIPartner"],"description":"Update an existing API partner","operationId":"updatePartner","parameters":[{"name":"partnerid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIPartnerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIPartnerInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["APIPartner"],"description":"Deletes an API partner","operationId":"deletePartner","parameters":[{"name":"partnerid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partnumber/nextnumbers":{"post":{"tags":["PartNumber"],"summary":"Send the items to generate numbers for, and return the next valid available part numbers.","operationId":"updateNextNumbers","parameters":[{"name":"cid","in":"query","schema":{"type":"string"}},{"name":"did","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNextPartNumbersParam"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTNextPartNumber"}}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partnumber/{cid}/scheme":{"get":{"tags":["PartNumber"],"description":"Returns the part number scheme for the specified company.","operationId":"getPartNumberingScheme","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartNumberingSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["PartNumber"],"description":"Sets or updates the part numbering scheme for the specified 
company.","operationId":"setPartNumberingScheme","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAutoPartNumberingSchemeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartNumberingSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partnumber/{cid}/schemes":{"get":{"tags":["PartNumber"],"description":"Returns the part number schemes for the specified company.","operationId":"findPartNumberingSchemeDefinitions","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPartNumberingSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/parts":{"post":{"tags":["Part"],"summary":"Add Part","operationId":"addPart","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionOrWorkspaceParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/parts/d/{did}/{wvm}/{wvmid}":{"get":{"tags":["Part"],"summary":"Get all parts in a workspace, version, or microversion.","operationId":"getPartsWMV","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"withThumbnails","in":"query","description":"Whether or not to include thumbnails (not supported for microversion)","schema":{"type":"boolean","default":false}},{"name":"includePropertyDefaults","in":"query","description":"If true, include metadata schema property defaults in response","schema":{"type":"boolean","default":false}},{"name":"includeFlatParts","in":"query","schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Part"],"description":"Part metadata batch update","operationId":"updatePartsWMV","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was 
entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"editDescription","in":"query","description":"Description of the update (as appear in document history)","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}":{"get":{"tags":["Part"],"summary":"Get all parts in an element.","operationId":"getPartsWMVE","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"withThumbnails","in":"query","description":"Whether or not to include thumbnails (not supported for microversion)","schema":{"type":"boolean","default":false}},{"name":"includePropertyDefaults","in":"query","description":"If true, include metadata schema property defaults in response","schema":{"type":"boolean","default":false}},{"name":"includeFlatParts","in":"query","schema":{"type":"boolean"}},{"name":"configuration","in":"query","description":"Configuration 
string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/bodydetails":{"get":{"tags":["Part"],"summary":"Get a part's body details.","description":"All coordinates are in meters (m).","operationId":"getBodyDetails","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeGeometricData","in":"query","description":"Whether or not geometric data should be included in the response.","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportModelBodiesResponse-734"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/boundingboxes":{"get":{"tags":["Part"],"summary":"Get a part's bounding box 
details.","operationId":"getBoundingBoxes","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includeHidden","in":"query","schema":{"type":"boolean","default":false}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBoundingBoxInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/exportparasolidfile":{"get":{"tags":["Part"],"summary":"Export a part as a Parasolid file.","description":"Returns a URL from which to download the exported file. 
See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"exportPartParasolidFile","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","description":"Id of the part on which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"version","in":"query","description":"Parasolid version","schema":{"type":"string","default":"0"}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSynchronousExportInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/exportstlfile":{"get":{"tags":["Part"],"summary":"Export a part to STL.","description":"Returns a URL, from which to download the STL file. 
See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"exportPartSTLFile","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","description":"Id of the part on which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"mode","in":"query","description":"Type of file: text, binary","schema":{"type":"string","default":"text"}},{"name":"grouping","in":"query","description":"Whether parts should be exported as a group or individually in a .zip file","schema":{"type":"boolean","default":true}},{"name":"scale","in":"query","description":"Scale for measurements.","schema":{"type":"number","format":"double","default":1}},{"name":"units","in":"query","description":"Units for the element: `METER` | `CENTIMETER` | `MILLIMETER` | `INCH` | `FOOT` | `YARD`","schema":{"type":"string","default":"inch"}},{"name":"angleTolerance","in":"query","description":"Angle tolerance (in radians). This specifies the limit on the sum of the angular deviations of a tessellation chord from the tangent vectors at two chord endpoints. The specified value must be less than PI/2. This parameter currently has a default value chosen based on the complexity of the parts being tessellated.","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","description":"Chord tolerance (in meters). 
This specifies the limit on the maximum deviation of a tessellation chord from the true surface/edge. This parameter currently has a default value chosen based on the size and complexity of the parts being tessellated.","schema":{"type":"number","format":"double"}},{"name":"maxFacetWidth","in":"query","description":"Max facet width. This specifies the limit on the size of any side of a tessellation facet.","schema":{"type":"number","format":"double"}},{"name":"minFacetWidth","in":"query","description":"Min facet width. This specifies the lower limit on the size of any side of a tessellation facet.","schema":{"type":"number","format":"double"}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSynchronousExportInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/gltf":{"get":{"tags":["Part"],"summary":"Export a part as a glTF file.","description":"Returns a 307 redirect from which to download the exported file. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"exportPartGltf","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the 
request.","schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"precomputedLevelOfDetail","in":"query","schema":{"type":"string"}},{"name":"outputSeparateFaceNodes","in":"query","schema":{"type":"boolean","default":false}},{"name":"faceId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"outputFaceAppearances","in":"query","schema":{"type":"boolean","default":false}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double"}}],"responses":{"200":{"description":"Success!","content":{"model/gltf+json;charset=UTF-8;qs=0.08":{"schema":{"$ref":"#/components/schemas/GlTF"}},"model/gltf-binary;qs=0.08":{"schema":{"type":"string","description":"Binary representation of glTF data","format":"binary","example":"data"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/massproperties":{"get":{"tags":["Part"],"summary":"Get a part's mass properties.","description":"Parts must have density. If three mass properties are returned, the first is the calculated mass; the second and third are the minimum and maximum possible values considering tolerance.","operationId":"getMassProperties","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":true}},{"name":"useMassPropertyOverrides","in":"query","description":"If true, use the user mass property overrides when calculated mass properties","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMassPropertiesBulkInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/metadata":{"get":{"tags":["Part"],"description":"Get a part's 
metadata. Deprecated - use [Metadata.getWMVEPMetadata](#/Metadata/getWMVEPMetadata) endpoint instead.","operationId":"getPartMetadata","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. 
A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"inferMetadataOwner","in":"query","schema":{"type":"boolean","default":false}},{"name":"includePropertyDefaults","in":"query","schema":{"type":"boolean","default":false}},{"name":"friendlyUserIds","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Part"],"description":"Update a part's metadata. Deprecated - use [Metadata.updateWVEPMetadata](#/Metadata/updateWVEPMetadata) endpoint instead.","operationId":"updatePartMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspacePartParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/parasolid":{"get":{"tags":["Part"],"summary":"Export a part as a Parasolid file.","description":"Returns a 307 redirect from which to download the exported file. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"exportPS","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"version","in":"query","schema":{"type":"string","default":"0"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"307":{"description":"A Redirect!","content":{"application/octet-stream":{"schema":{"type":"string","format":"binary"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string","format":"binary"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/shadedviews":{"get":{"tags":["Part"],"summary":"Get a part's shaded 
views.","operationId":"getPartShadedViews","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"viewMatrix","in":"query","schema":{"type":"string","default":"front"}},{"name":"outputHeight","in":"query","schema":{"type":"integer","format":"int32","default":500}},{"name":"outputWidth","in":"query","schema":{"type":"integer","format":"int32","default":500}},{"name":"pixelSize","in":"query","schema":{"type":"number","format":"double","default":0.003}},{"name":"edges","in":"query","schema":{"type":"string","default":"show"}},{"name":"useAntiAliasing","in":"query","schema":{"type":"boolean","default":false}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShadedViewsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/sheetmetal/bendtable":{"get":{"tags":["Part"],"summary":"Get a part's sheet metal bend 
table.","operationId":"getBendTable","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTableResponse-1546"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/stl":{"get":{"tags":["Part"],"summary":"Export a part as an STL file.","description":"Returns a 307 redirect from which to download the exported file. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more 
details.","operationId":"exportStl","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"mode","in":"query","schema":{"type":"string","default":"text"}},{"name":"grouping","in":"query","schema":{"type":"boolean","default":true}},{"name":"scale","in":"query","schema":{"type":"number","format":"double","default":1}},{"name":"units","in":"query","schema":{"type":"string","default":"inch"}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double"}},{"name":"minFacetWidth","in":"query","schema":{"type":"number","format":"double"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/tessellatededges":{"get":{"tags":["Part"],"summary":"Get a list of a part's tessellation edges.","description":"Returns the coordinates (in meters) of each edge's endpoints.","operationId":"getEdges","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which 
the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. 
A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"precomputedLevelOfDetail","in":"query","schema":{"type":"string"}},{"name":"edgeId","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportTessellatedEdgesResponse-327"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/d/{did}/{wvm}/{wvmid}/e/{eid}/partid/{partid}/tessellatedfaces":{"get":{"tags":["Part"],"summary":"Get a list of a part's tessellation faces.","description":"Coordinates are in meters (m).","operationId":"getFaces_1","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the 
request.","schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"precomputedLevelOfDetail","in":"query","schema":{"type":"string"}},{"name":"faceId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"outputFaceAppearances","in":"query","schema":{"type":"boolean","default":false}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double"}},{"name":"outputVertexNormals","in":"query","schema":{"type":"boolean","default":false}},{"name":"outputFacetNormals","in":"query","schema":{"type":"boolean","default":true}},{"name":"outputTextureCoordinates","in":"query","schema":{"type":"boolean","default":false}},{"name":"outputIndexTable","in":"query","schema":{"type":"boolean","default":false}},{"name":"outputErrorFaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"combineCompositePartConstituents","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportTessellatedFacesResponse-898"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/standardcontent/d/{did}/v/{vid}/e/{eid}/{cu}/{cuid}/partid/{partid}/metadata":{"get":{"tags":["Part"],"description":"Get metadata for a standard content part in the context of a user or company. 
Deprecated - use [Metadata.getVEOPStandardContentMetadata](#/Metadata/getVEOPStandardContentMetadata) endpoint instead.","operationId":"getStandardContentPartMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cu","in":"path","description":"Indicates which of company (c) or user (u) id is specified below.","required":true,"schema":{"type":"string","enum":["c","u"]}},{"name":"cuid","in":"path","description":"The id of the company or user in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includePropertyDefaults","in":"query","schema":{"type":"boolean","default":false}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Part"],"description":"Update metadata for a standard content part in the context of a company or user. 
Deprecated - use [Metadata.updateVEOPStandardContentPartMetadata](#/Metadata/updateVEOPStandardContentPartMetadata) endpoint instead.","operationId":"updateStandardContentPartMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cu","in":"path","description":"Indicates which of company (c) or user (u) id is specified below.","required":true,"schema":{"type":"string","enum":["c","u"]}},{"name":"cuid","in":"path","description":"The id of the company or user in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"partid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"includePropertyDefaults","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkspacePartParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read","OAuth2Write"],"BasicAuth":["OAuth2Read","OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/{did}/version/{vid}":{"get":{"tags":["Part"],"description":"Get details for parts for a specific version","operationId":"getByVersionOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"withThumbnails","in":"query","schema":{"type":"boolean","default":false}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/parts/{did}/workspace/{wid}":{"get":{"tags":["Part"],"description":"Get details for parts in a workspace","operationId":"getWorkspacePartsOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"withThumbnails","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Part"],"description":"Update part in a given workspace","operationId":"updateWorkspacePart","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/parts/{did}/workspace/{wid}/element/{eid}":{"get":{"tags":["Part"],"description":"Get details for parts in a 
tab","operationId":"getElementPartsOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"withThumbnails","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMetadataInfo"}}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/e/{eid}/debug/immutability":{"get":{"tags":["PartStudio"],"summary":"Return immutability eligibility and contexts for versions of the part studio","description":"Return immutability eligibility and contexts for versions of the part studio","operationId":"getImmutabilityData","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPartStudioImmutabilityData-1627"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partstudios/d/{did}/e/{eid}/mv/{mvid}/immutability":{"delete":{"tags":["PartStudio"],"summary":"Delete all contexts for a microversion","description":"Delete all contexts for a microversion","operationId":"deleteImmutabilityContexts","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"mvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"removeImmutability","in":"query","description":"Whether to remove immutability for the microversion and its 
dependencies","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDeletedImmutableContextInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partstudios/d/{did}/e/{eid}/namedViews":{"get":{"tags":["PartStudio"],"summary":"Get a list of all named views that exist in the Part Studio.","description":"Returns a map from view name to view data for the given element","operationId":"getPartStudioNamedViews","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"skipPerspective","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeSectionCutViews","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNamedViewsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/w/{wid}":{"post":{"tags":["PartStudio"],"summary":"Create a new Part Studio in a document.","operationId":"createPartStudio","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"Workspace 
ID.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/w/{wid}/e/{eid}/debug":{"post":{"tags":["PartStudio"],"operationId":"addTestNodes","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partstudios/d/{did}/w/{wid}/e/{eid}/features/featureid/{fid}":{"post":{"tags":["PartStudio"],"summary":"Update the definition of a Part Studio feature.","operationId":"updatePartStudioFeature","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"Workspace ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","description":"The id of the feature being updated. 
This id should be URL encoded and must match the featureId found in the serialized structure","required":true,"schema":{"type":"string"}}],"requestBody":{"description":"feature The serialized feature definition","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionCall-1406"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionResponse-1617"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["PartStudio"],"summary":"Delete a Part Studio feature.","operationId":"deletePartStudioFeature","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"Workspace ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"fid","in":"path","description":"The id of the feature being updated. 
This id should be URL encoded and must match the featureId found in the serialized structure","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureApiBase-1430"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/w/{wid}/e/{eid}/features/rollback":{"post":{"tags":["PartStudio"],"summary":"Move the Feature List rollback bar in the Part Studio.","description":"Set to -1 to move the rollback bar to the end of the list.","operationId":"updateRollback","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"Workspace ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}}],"requestBody":{"description":"The index at which the rollback index should be placed. Features\n with entry index (0-based) higher than or equal to the value are rolled back. Value of -1 is treated\n as an alias for \"end of feature list\". 
Otherwise the value must be in the range 0 to the number of\n entries in the feature list","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSetFeatureRollbackResponse-1042"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/w/{wid}/e/{eid}/features/updates":{"post":{"tags":["PartStudio"],"summary":"Update existing features' parameters.","description":"You can update multiple features with a single call.","operationId":"updateFeatures","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"Workspace ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}}],"requestBody":{"description":"feature The serialized feature definition","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateFeaturesCall-1748"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateFeaturesResponse-1333"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/w/{wid}/e/{eid}/translationformats":{"get":{"tags":["PartStudio"],"operationId":"getTranslatorFormats_2","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","description":"Workspace ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element 
ID.","required":true,"schema":{"type":"string"}},{"name":"checkContent","in":"query","description":"Whether the current content or lack thereof should be considered when determining the available formats. Empty part studios cannot be translated into any format.","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatInfo"}}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/bodydetails":{"get":{"tags":["PartStudio"],"summary":"Get the body details for a Part Studio.","operationId":"getPartStudioBodyDetails","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partIds","in":"query","description":"If specified, the response will only include body details for the specific parts as indicated here by their corresponding Id","schema":{"type":"array","items":{"type":"string"}}},{"name":"includeSurfaces","in":"query","description":"Whether or not surfaces should be included in the response.","schema":{"type":"boolean","default":false}},{"name":"includeCompositeParts","in":"query","description":"Whether or not composite parts should be included in the response.","schema":{"type":"boolean","default":false}},{"name":"includeGeometricData","in":"query","description":"Whether or not geometric data should be included in the 
response.","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportModelBodiesResponse-734"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/boundingboxes":{"get":{"tags":["PartStudio"],"summary":"Get the bounding boxes for a Part Studio.","operationId":"getPartStudioBoundingBoxes","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"includeHidden","in":"query","description":"Whether or not to include bounding boxes for hidden parts.","schema":{"type":"boolean","default":false}},{"name":"includeWireBodies","in":"query","description":"Whether to include wire bodies in the bounding box.","schema":{"type":"boolean","default":true}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. 
Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBoundingBoxInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/checkregenerationhash":{"get":{"tags":["PartStudio"],"description":"Check a part studio regeneration hash","operationId":"checkRegenerationHash","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. 
A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUiCheckRegenerationHashResponse-2419"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/compare":{"get":{"tags":["PartStudio"],"summary":"Get the differences between two Part Studios in a single document.","operationId":"comparePartStudios","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string"}},{"name":"microversionId","in":"query","schema":{"type":"string"}},{"name":"sourceConfiguration","in":"query","schema":{"type":"string"}},{"name":"targetConfiguration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRootDiffInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/configuration":{"get":{"tags":["PartStudio"],"operationId":"getPartStudioConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Success!"}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["PartStudio"],"operationId":"updatePartStudioConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationUpdateCall-2933"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTConfigurationResponse-2019"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/exportparasolidfile":{"get":{"tags":["PartStudio"],"summary":"Export the Part Studio as a Parasolid file.","description":"Returns the URL from which to download the exported file. 
See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"exportParasolidFile","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"partIds","in":"query","description":"IDs of the parts to retrieve. Use comma-separated IDs for multiple parts (example: partIds=JHK,JHD).","schema":{"type":"string"}},{"name":"version","in":"query","description":"Parasolid version","schema":{"type":"string","default":"0"}},{"name":"includeExportIds","in":"query","description":"Whether topology ids should be exported as parasolid attributes","schema":{"type":"boolean","default":false}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. 
Allowed only with version (v) path parameter.","schema":{"type":"string"}},{"name":"binaryExport","in":"query","description":"Whether to use binary parasolid format instead of text","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSynchronousExportInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/exportstlfile":{"get":{"tags":["PartStudio"],"summary":"Export the Part Studio as an STL file.","description":"Returns the URL from which to download the exported file. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/)","operationId":"exportSTLFile","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"partIds","in":"query","description":"IDs of the parts to retrieve. 
Use comma-separated IDs for multiple parts (example: partIds=JHK,JHD).","schema":{"type":"string"}},{"name":"mode","in":"query","description":"Type of file: text, binary","schema":{"type":"string","default":"text"}},{"name":"grouping","in":"query","description":"Whether parts should be exported as a group or individually in a .zip file","schema":{"type":"boolean","default":true}},{"name":"scale","in":"query","description":"Scale for measurements.","schema":{"type":"number","format":"double","default":1}},{"name":"units","in":"query","description":"Units for the element: `METER` | `CENTIMETER` | `MILLIMETER` | `INCH` | `FOOT` | `YARD`","schema":{"type":"string","default":"inch"}},{"name":"angleTolerance","in":"query","description":"Angle tolerance (in radians). This specifies the limit on the sum of the angular deviations of a tessellation chord from the tangent vectors at two chord endpoints. The specified value must be less than PI/2. This parameter currently has a default value chosen based on the complexity of the parts being tessellated.","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","description":"Chord tolerance (in meters). This specifies the limit on the maximum deviation of a tessellation chord from the true surface/edge. This parameter currently has a default value chosen based on the size and complexity of the parts being tessellated.","schema":{"type":"number","format":"double"}},{"name":"maxFacetWidth","in":"query","description":"Max facet width. This specifies the limit on the size of any side of a tessellation facet.","schema":{"type":"number","format":"double"}},{"name":"minFacetWidth","in":"query","description":"Max facet width. 
This specifies the limit on the size of any side of a tessellation facet.","schema":{"type":"number","format":"double"}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSynchronousExportInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/features":{"get":{"tags":["PartStudio"],"summary":"Retrieve a feature list of parts or a Part Studio by document ID, workspace or version or microversion ID, and tab ID.","operationId":"getPartStudioFeatures","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"includeGeometryIds","in":"query","schema":{"type":"boolean","default":true}},{"name":"featureId","in":"query","description":"ID of a feature; repeat query param to add more than one","schema":{"type":"array","items":{"type":"string"}}},{"name":"noSketchGeometry","in":"query","description":"Whether or not to output simple sketch info without geometry","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureListResponse-2457"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["PartStudio"],"summary":"Add a feature 
to the Part Studio's Feature List.","description":"See Feature List APIs in the [developer documentation](https://onshape-public.github.io/docs/api-adv/featureaccess/) for additional information.","operationId":"addPartStudioFeature","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionCall-1406"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureDefinitionResponse-1617"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/featurescript":{"post":{"tags":["PartStudio"],"summary":"Evaluate the FeatureScript snippet for a Part Studio.","operationId":"evalFeatureScript","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureScriptEvalCall-2377"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureScriptEvalResponse-1859"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/featurescriptrepresentation":{"get":{"tags":["PartStudio"],"summary":"Get the FeatureScript representation of a Part Studio.","operationId":"getFeatureScriptRepresentation","parameters":[{"name":"did","in":"path","description":"The id of the document in which to 
perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. 
A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPModule-234"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/featurespecs":{"get":{"tags":["PartStudio"],"summary":"Get the specs for a Part Studio feature.","operationId":"getPartStudioFeatureSpecs","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTFeatureSpecsResponse-664"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/fstable":{"get":{"tags":["PartStudio"],"summary":"Compute and return a FeatureScript table for a Part 
Studio.","operationId":"getFeatureScriptTable","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"tableNamespace","in":"query","schema":{"type":"string"}},{"name":"tableType","in":"query","required":true,"schema":{"type":"string"}},{"name":"tableParameters","in":"query","schema":{"type":"string"}},{"name":"partId","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApiTableList-1223"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/gltf":{"get":{"tags":["PartStudio"],"summary":"Export the Part Studio as a glTF file.","description":"Returns the glTF representation. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/)","operationId":"exportPartStudioGltf","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the 
request.","schema":{"type":"string"}},{"name":"partId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"precomputedLevelOfDetail","in":"query","schema":{"type":"string"}},{"name":"outputSeparateFaceNodes","in":"query","schema":{"type":"boolean","default":false}},{"name":"faceId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"outputFaceAppearances","in":"query","schema":{"type":"boolean","default":false}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double"}}],"responses":{"200":{"description":"Success!","content":{"model/gltf+json;charset=UTF-8;qs=0.08":{"schema":{"$ref":"#/components/schemas/GlTF"}},"model/gltf-binary;qs=0.08":{"schema":{"type":"string","description":"Binary representation of glTF data","format":"binary","example":"data"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/idtranslations":{"post":{"tags":["PartStudio"],"summary":"Find corresponding deterministic IDs from a source document microversion at the target version.","description":"* Deterministic IDs are only valid for one microversion. 
\n* This maps deterministic IDs between microversions in an attempt to find the corresponding entities in each version.","operationId":"translateIds","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdTranslationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIdTranslationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/massproperties":{"get":{"tags":["PartStudio"],"summary":"Get the mass properties for a Part Studio.","description":"If three mass properties are returned, the first is the calculated mass; the second and third are the minimum and maximum possible values considering tolerance.","operationId":"getPartStudioMassProperties","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"massAsGroup","in":"query","description":"If true, specified parts will be evaluated as a single object instead of individually","schema":{"type":"boolean","default":true}},{"name":"useMassPropertyOverrides","in":"query","description":"If true, use the user mass property overrides when calculated mass properties","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMassPropertiesBulkInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/metadata":{"get":{"tags":["PartStudio"],"operationId":"getMetadata","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partIds","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/parasolid":{"get":{"tags":["PartStudio"],"summary":"Export the Part Studio as a Parasolid file.","description":"Returns a 307 redirect from which to download the exported file. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"exportParasolid","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"partIds","in":"query","description":"IDs of the parts to retrieve. 
Use comma-separated IDs for multiple parts (example: partIds=JHK,JHD).","schema":{"type":"string"}},{"name":"version","in":"query","description":"Parasolid version","schema":{"type":"string","default":"0"}},{"name":"includeExportIds","in":"query","description":"Whether topology ids should be exported as parasolid attributes","schema":{"type":"boolean","default":false}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. Allowed only with version (v) path parameter.","schema":{"type":"string"}},{"name":"binaryExport","in":"query","description":"Whether to use binary parasolid format instead of text","schema":{"type":"boolean","default":false}}],"responses":{"307":{"description":"A Redirect!"}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/shadedviews":{"get":{"tags":["PartStudio"],"summary":"Get a list of shaded views for a Part Studio.","operationId":"getPartStudioShadedViews","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"viewMatrix","in":"query","description":"12-number view matrix (comma-separated), or one of the following named views:\ntop, bottom, front, back, left, right\nThe 12 entries in the view matrix form three rows and four columns, which 
is a linear transformation applied to the model itself.\nThe matrix's first three columns maps the coordinate axes of the model to the coordinate axes of the view, and the fourth column translates the origin (in meters).\nThe view coordinates have x pointing right, y pointing up, and z pointing towards the viewer, while a front view of the model has x pointing right, y pointing away from the viewer, and z pointing up.\nFor example, the identity matrix viewMatrix=1,0,0,0,0,1,0,0,0,0,1,0 corresponds to the top view, and viewMatrix=0.612,0.612,0,0,-0.354,0.354,0.707,0,0.707,-0.707,0.707,0 corresponds (approximately) to the isometric view.\nThe first three columns of the view matrix should be orthonormal and have a positive determinant. If this is not the case, view behavior may be undefined.","schema":{"type":"string","default":"front"}},{"name":"outputHeight","in":"query","description":"Output image height (in pixels)","schema":{"type":"integer","format":"int32","default":500}},{"name":"outputWidth","in":"query","description":"Output image width (in pixels)","schema":{"type":"integer","format":"int32","default":500}},{"name":"pixelSize","in":"query","description":"Height and width represented by each pixel (in meters). If the value is 0, the display will be sized to fit the output image dimensions.","schema":{"type":"number","format":"double","default":0.003}},{"name":"edges","in":"query","description":"The treatment to be applied to edges in the display. Options are show: show visible edges, hide: hide visible edges.","schema":{"type":"string","default":"show"}},{"name":"showAllParts","in":"query","description":"Whether or not all parts should be shown in the element,\nregardless of user setting. If false, the visibility setting made by the user will be reflected in the\nimage. 
If true, all parts will be shown.","schema":{"type":"boolean","default":false}},{"name":"includeSurfaces","in":"query","description":"Whether or not surfaces should be shown in the element.\nIt is applicable only when showAllParts is true. If false, surfaces will be excluded.\nIf true, all surfaces will be shown.","schema":{"type":"boolean","default":false}},{"name":"useAntiAliasing","in":"query","description":"If true, an anti-aliasing factor will be used to smooth\nmodel boundaries in the final image result. If false, the image will be rasterized at the given\nresolution. Setting to true can have negative performance implications with respect to rendering time\nand memory usage. If a high-resolution image is requested and anti-aliasing is turned on, the server\nmay not be able to fulfill the request.","schema":{"type":"boolean","default":false}},{"name":"includeWires","in":"query","schema":{"type":"boolean","default":false}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. 
Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShadedViewsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/sketches":{"get":{"tags":["Sketch"],"summary":"Get information for all sketches in Part Studio.","operationId":"getSketchInfo","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"sketchId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"output3D","in":"query","schema":{"type":"boolean","default":false}},{"name":"curvePoints","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeGeometry","in":"query","schema":{"type":"boolean","default":true}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/sketches/{sid}/boundingboxes":{"get":{"tags":["Sketch"],"summary":"Get all bounding boxes for a 
sketch.","operationId":"getSketchBoundingBoxes","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBoundingBoxInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/sketches/{sid}/tessellatedentities":{"get":{"tags":["Sketch"],"summary":"Get the tessellations of a sketch in a Part Studio.","description":"The accuracy of the tessellation to exact geometry is controlled by the `angleTolerance` and `chordTolerance` parameters. The tessellation points are computed closely enough so that neither the angle tolerance nor the chord tolerance are exceeded. 
For most parts, the angular tolerance is the most restrictive of the two default tolerances.","operationId":"getTessellatedEntities","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"entityId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/stl":{"get":{"tags":["PartStudio"],"summary":"Export the Part Studio as an STL file.","description":"Returns a 307 redirect from which to download the exported file. 
See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/)","operationId":"exportPartStudioStl","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","description":"One of w or v or m corresponding to whether a workspace or version or microversion was entered.","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","description":"Workspace (w), Version (v) or Microversion (m) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"partIds","in":"query","description":"IDs of the parts to retrieve. Use comma-separated IDs for multiple parts (example: partIds=JHK,JHD).","schema":{"type":"string"}},{"name":"mode","in":"query","description":"Type of file: text, binary","schema":{"type":"string","default":"text"}},{"name":"grouping","in":"query","description":"Whether parts should be exported as a group or individually in a .zip file","schema":{"type":"boolean","default":true}},{"name":"scale","in":"query","description":"Scale for measurements.","schema":{"type":"number","format":"double","default":1}},{"name":"units","in":"query","description":"Units for the element: `METER` | `CENTIMETER` | `MILLIMETER` | `INCH` | `FOOT` | `YARD`","schema":{"type":"string","default":"inch"}},{"name":"angleTolerance","in":"query","description":"Angle tolerance (in radians). This specifies the limit on the sum of the angular deviations of a tessellation chord from the tangent vectors at two chord endpoints. The specified value must be less than PI/2. This parameter currently has a default value chosen based on the complexity of the parts being tessellated.","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","description":"Chord tolerance (in meters). 
This specifies the limit on the maximum deviation of a tessellation chord from the true surface/edge. This parameter currently has a default value chosen based on the size and complexity of the parts being tessellated.","schema":{"type":"number","format":"double"}},{"name":"maxFacetWidth","in":"query","description":"Max facet width. This specifies the limit on the size of any side of a tessellation facet.","schema":{"type":"number","format":"double"}},{"name":"minFacetWidth","in":"query","description":"Max facet width. This specifies the limit on the size of any side of a tessellation facet.","schema":{"type":"number","format":"double"}},{"name":"configuration","in":"query","description":"Configuration string.","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"Id of document that links to the document being accessed. This may provide additional access rights to the document. Allowed only with version (v) path parameter.","schema":{"type":"string"}}],"responses":{"307":{"description":"A Redirect!"}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/tessellatededges":{"get":{"tags":["PartStudio"],"summary":"Get a list of all edges in a Part Studio.","description":"Returns the edges as tessellated data and includes display data. \nCoordinates are in meters (m).","operationId":"getPartStudioEdges","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"precomputedLevelOfDetail","in":"query","schema":{"type":"string"}},{"name":"edgeId","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportTessellatedEdgesResponse-327"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wvm}/{wvmid}/e/{eid}/tessellatedfaces":{"get":{"tags":["PartStudio"],"summary":"Get a list of all faces in a Part Studio.","description":"Coordinates are in meters (m).","operationId":"getPartStudioFaces","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"rollbackBarIndex","in":"query","description":"Index specifying the location of the rollback bar when the call is evaluated. 
A -1 indicates that it should be at the end of the featurelist.","schema":{"type":"integer","format":"int32","default":-1}},{"name":"elementMicroversionId","in":"query","description":"A specific element microversion in which to evaluate the request.","schema":{"type":"string"}},{"name":"partId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"angleTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"chordTolerance","in":"query","schema":{"type":"number","format":"double"}},{"name":"precomputedLevelOfDetail","in":"query","schema":{"type":"string"}},{"name":"faceId","in":"query","schema":{"type":"array","items":{"type":"string"}}},{"name":"outputFaceAppearances","in":"query","schema":{"type":"boolean","default":false}},{"name":"maxFacetWidth","in":"query","schema":{"type":"number","format":"double"}},{"name":"outputVertexNormals","in":"query","schema":{"type":"boolean","default":false}},{"name":"outputFacetNormals","in":"query","schema":{"type":"boolean","default":true}},{"name":"outputTextureCoordinates","in":"query","schema":{"type":"boolean","default":false}},{"name":"outputIndexTable","in":"query","schema":{"type":"boolean","default":false}},{"name":"outputErrorFaces","in":"query","schema":{"type":"boolean","default":false}},{"name":"combineCompositePartConstituents","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTExportTessellatedFacesResponse-898"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/d/{did}/{wv}/{wvid}/e/{eid}/translations":{"post":{"tags":["PartStudio"],"summary":"Export a Part Studio to another format.","description":"* Use `formatName` in the JSON request body to specify the export file type. 
Use [Translations/getAllTranslatorFormats](https://cad.onshape.com/glassworks/explorer/#/Translation/getAllTranslatorFormats) to get a list of valid export file formats. `\n* Set `storeInDocument` to `true` to export to a data file. Set to `false` to export to a blob element in the same document. \n* See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"createPartStudioTranslation","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","description":"One of w or v corresponding to whether a workspace or version was specified.","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","description":"Workspace (w) or Version (v) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/partstudios/exportFile":{"get":{"tags":["PartStudio"],"summary":"Retrieve a file from blob element by document ID, version or microversion ID, and tab ID.","operationId":"downloadFile_2","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}},"application/octet-stream":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}]}},"/permissions/d/{did}":{"get":{"tags":["Permissions"],"description":"Get default permissions for document sharing (used 
for user interface sharing dialog)","operationId":"getDocumentPermissions","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPermissionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/permissions/f/{fid}":{"get":{"tags":["Permissions"],"description":"Get default permissions for folder sharing (used for user interface sharing dialog)","operationId":"getFolderPermissions","parameters":[{"name":"fid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTPermissionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/changeorders":{"get":{"tags":["PLMIntegration"],"summary":"Get PLM change orders info","description":"Get PLM change orders information based on search text","operationId":"searchPLMChangeOrders","parameters":[{"name":"cid","in":"path","description":"Company id","required":true,"schema":{"type":"string"}},{"name":"q","in":"query","required":true,"schema":{"type":"string"}},{"name":"includeOpenOnly","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMChangeOrderInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/integrationpartnumber":{"get":{"tags":["PLMIntegration"],"summary":"Get Integration part number info","description":"Get integration part number information, null if does not 
exist.","operationId":"getIntegrationPartNumberInfo","parameters":[{"name":"cid","in":"path","description":"Company id","required":true,"schema":{"type":"string"}},{"name":"pn","in":"query","description":"Part number","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIntegrationPartNumberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/integrationparturls":{"get":{"tags":["PLMIntegration"],"summary":"Get integration part URLs","description":"Get integration part URLs that open the items or items BOM in Arena.","operationId":"getIntegrationPartUrlInfo","parameters":[{"name":"cid","in":"path","description":"Company id","required":true,"schema":{"type":"string"}},{"name":"pn","in":"query","description":"Part number","required":true,"schema":{"type":"string"}},{"name":"rev","in":"query","description":"Revision","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTIntegrationPartUrlInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/mappinginfo":{"get":{"tags":["PLMIntegration"],"description":"Get PLM Integration mapping information","operationId":"getPLMMappingInfo","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"clearCache","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationMappingInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["PLMIntegration"],"description":"Update PLM mapping.","operationId":"updatePLMMapping","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationSettingsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationSettingsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/metrics":{"get":{"tags":["PLMIntegration"],"description":"Get PLM integration metrics","operationId":"getPLMMetrics","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationMetricsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/settings":{"get":{"tags":["PLMIntegration"],"description":"Get PLM integration settings","operationId":"getPLMSettings","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationSettingsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["PLMIntegration"],"description":"Set PLM Integration 
settings.","operationId":"updatePLMSettings","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationSettingsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMIntegrationSettingsInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["PLMIntegration"],"description":"Set PLM Integration settings.","operationId":"deletePLMSettings","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/settings/cache":{"get":{"tags":["PLMIntegration"],"description":"Get PLM Integration settings cache","operationId":"getPLMSettingsCache","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"key","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/sync":{"post":{"tags":["PLMIntegration"],"description":"Create or update PLM items","operationId":"sync","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMSyncItemsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMSyncItemErrorInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/companies/{cid}/syncbom":{"post":{"tags":["PLMIntegration"],"description":"Create or update PLM BOM","operationId":"syncBom","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"recurse","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPLMSyncItemsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMSyncItemErrorInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/plmintegrations/navigation/d/{did}/{wv}/{wvid}/e/{eid}":{"get":{"tags":["PLMIntegration"],"summary":"Get Navigation URL","description":"Get Navigation URL for part number and revision.","operationId":"getNavigationURL","parameters":[{"name":"did","in":"path","description":"Document ID.","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","description":"One of w or v corresponding to whether a workspace or version was specified.","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","description":"Workspace (w) or Version (v) ID.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"Element ID.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","description":"Configuration 
string.","schema":{"type":"string"}},{"name":"itemnumber","in":"query","description":"Part Number","required":true,"schema":{"type":"string"}},{"name":"revision","in":"query","description":"Revision","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capture":{"post":{"tags":["ProductStructure"],"description":"Initiate content reference capture via server","operationId":"capture","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCrcsCaptureParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCrcsCaptureInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capture/company/{cid}":{"get":{"tags":["ProductStructure"],"description":"gets the summary for capture run for a company","operationId":"getCompanyContentCaptureSummary","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCrcsRunInstanceCompanyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capture/run/{rid}":{"get":{"tags":["ProductStructure"],"description":"returns run specific info - companies that are part of run with their current run statistics","operationId":"getContentCaptureRunSummary","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCrcsRunInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capture/runs":{"get":{"tags":["ProductStructure"],"description":"Returns a list of runs with stats info about each run","operationId":"getContentCaptureRunsSummary","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capture/{rid}":{"delete":{"tags":["ProductStructure"],"description":"Cancel a content reference capture server run","operationId":"cancelCapture","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capture/{rid}/{cid}":{"get":{"tags":["ProductStructure"],"description":"Get the status of a content reference capture server run for a company","operationId":"getCompanyCaptureStatus","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceComponentInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capturestats/computeandsave":{"post":{"tags":["ProductStructure"],"description":"Compute And Save Capture Server Stats into db","operationId":"computeAndSaveCaptureStats","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCrcsCommitParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/capturestats/run/{rid}":{"get":{"tags":["ProductStructure"],"description":"Load Capture Server Stats into db","operationId":"loadCaptureStats","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceCompanyStatsInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/admin/commitCapture":{"post":{"tags":["ProductStructure"],"description":"Commit a content reference capture server run","operationId":"commitCapture","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCrcsCommitParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/filterproperties":{"post":{"tags":["ProductStructure"],"description":"Get filtered property values by property id and search keyword","operationId":"getFilteredPropertyValues","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataPropertySearchParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMetadataPropertySearchInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/item/children/{cid}":{"get":{"tags":["ProductStructure"],"operationId":"getItemChildren","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partNumber","in":"query","schema":{"type":"string"}},{"name":"revision","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProductStructureItemInfoList"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/items":{"post":{"tags":["ProductStructure"],"description":"find items in location for given companyId and optional locationId","operationId":"findMyOnshapeItems","requestBody":{"description":"Product Structure searching and sorting parameters","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProductStructureSearchParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProductStructureItemInfoList"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/items/fieldsdescriptors":{"get":{"tags":["ProductStructure"],"description":"Items Fields Descriptors for UI","operationId":"getResultFieldsDescriptors","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTProductStructureResultFieldDescriptor"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/items/{cid}":{"get":{"tags":["ProductStructure"],"description":"getItemsInLocation for given companyId in My Docs 
folder","operationId":"getMyOnshapeItems","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rootsOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"offset","in":"query","schema":{"maximum":100,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProductStructureItemInfoList"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/items/{cid}/{locationType}/{lid}":{"get":{"tags":["ProductStructure"],"description":"getItemsInLocation for companyId and locationId","operationId":"getLocationItems","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"locationType","in":"path","required":true,"schema":{"type":"string"}},{"name":"lid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rootsOnly","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"offset","in":"query","schema":{"maximum":100,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProductStructureItemInfoList"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/productstructure/whereused":{"get":{"tags":["ProductStructure"],"description":"Find where an item is 
used","operationId":"getWhereUsed","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string"}},{"name":"workspaceId","in":"query","schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"partId","in":"query","schema":{"type":"string"}},{"name":"partNumber","in":"query","schema":{"type":"string"}},{"name":"includeProperties","in":"query","schema":{"type":"boolean","default":false}},{"name":"filter","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"includeVersionInfo","in":"query","schema":{"type":"boolean"}},{"name":"companyId","in":"query","schema":{"type":"string"}},{"name":"useLatestVersion","in":"query","schema":{"type":"boolean","default":false}},{"name":"retainUniqueReferencedParts","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/profile/{imageKey}":{"get":{"operationId":"getImage","parameters":[{"name":"imageKey","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false}},"/projects":{"get":{"tags":["Project"],"description":"Returns info about all the projects defined in the session's enterprise company. 
Enterprise only.","operationId":"getProjects","parameters":[{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":100}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTProjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Project"],"description":"Create a new project within the session's enterprise company","operationId":"createProject","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProjectParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/projects/{pid}":{"get":{"tags":["Project"],"description":"Returns info about a project defined in the session's enterprise company","operationId":"getProject","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Project"],"description":"update the project's name / description / permission 
scheme","operationId":"updateProject","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProjectParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Project"],"description":"Delete a project defined in the session's enterprise company","operationId":"deleteProject","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/projects/{pid}/repair":{"post":{"tags":["Project"],"description":"Repair folder structure by ensuring that child documents and folders are consistent with this","operationId":"repairProject","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/provisioning":{"post":{"tags":["Provisioning"],"operationId":"provision","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTProvisioningParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCompanyAdminInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["enterprise.create"],"BasicAuth":["enterprise.create"]}],"x-BTVisibility":"INTERNAL"}},"/publications":{"post":{"tags":["Publication"],"description":"Create a new publication","operationId":"createPublication","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/publications/d/{did}/{wv}/{wvid}/e/{eid}/translate":{"post":{"tags":["Publication"],"description":"Translate publication format","operationId":"createPublicationTranslation","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateFormatParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/publications/{pid}":{"post":{"tags":["Publication"],"description":"Update publications attributes name, description","operationId":"updatePublicationAttributes","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Publication"],"description":"Deletes a publication","operationId":"deletePublication","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"forever","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/publications/{pid}/item":{"post":{"tags":["Publication"],"description":"Create a new publication item","operationId":"addItemToPublication","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationItemParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/publications/{pid}/item/{iid}":{"delete":{"tags":["Publication"],"description":"Removes an item from a publication","operationId":"deletePublicationItem","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/publications/{pid}/items":{"get":{"tags":["Publication"],"summary":"Get all items in a publication.","operationId":"getPublicationItems","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Publication"],"description":"Create new publication items in 
bulk","operationId":"addItemsToPublication","parameters":[{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationBulkItemParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublicationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit":{"get":{"tags":["RateLimit"],"description":"Get lists of users and companies who have non-default rate limit","operationId":"getCurrentDisabledRateLimitIds","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/company/{cid}":{"post":{"tags":["RateLimit"],"description":"set rate limit method for company","operationId":"disableRateLimitingForCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRateLimitParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/company/{cid}/{method}":{"delete":{"tags":["RateLimit"],"description":"enable rate limit for company","operationId":"enableRateLimitingForCompany","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"method","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/dynamic":{"post":{"tags":["RateLimit"],"description":"set rate limit method","operationId":"createRateLimit","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDynamicRateLimitParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["RateLimit"],"operationId":"deleteAllLimits","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/dynamic/{name}":{"get":{"tags":["RateLimit"],"description":"get limit method","operationId":"getDynamicRateLimitValue","parameters":[{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["RateLimit"],"description":"delete limit","operationId":"deleteRateLimit","parameters":[{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/md5/{name}":{"get":{"tags":["RateLimit"],"summary":"return the md5 hash value of a rate limit name","description":"Get the md5 Hash of a specific rate limit name","operationId":"getMd5Hash","parameters":[{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/methods":{"get":{"tags":["RateLimit"],"description":"Get lists of rate limit methods","operationId":"getRateLimitMethods","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/multiplier/specific/{value}/{name}":{"put":{"tags":["RateLimit"],"description":"set specific rate limit multiplier","operationId":"setSpecificRateLimitMultiplier","parameters":[{"name":"value","in":"path","required":true,"schema":{"type":"number","format":"double"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/multiplier/{value}":{"put":{"tags":["RateLimit"],"description":"set default rate limit multiplier","operationId":"setDefaultRateLimitMultiplier","parameters":[{"name":"value","in":"path","required":true,"schema":{"type":"number","format":"double"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/refresh":{"post":{"tags":["RateLimit"],"summary":"refresh the map of rate limits","description":"Refreshes the rate limits on the host web server only","operationId":"refreshMap","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/test/{path}/{httpMethod}/{uid}":{"get":{"tags":["RateLimit"],"summary":"return the state of a rate limit for a specific user","description":"Get state of specific rate limit path for specific 
user","operationId":"getRateLimitState","parameters":[{"name":"path","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"httpMethod","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/user/{uid}":{"post":{"tags":["RateLimit"],"description":"Set rate limit method for user","operationId":"disableRateLimitingForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRateLimitParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/ratelimit/user/{uid}/{method}":{"delete":{"tags":["RateLimit"],"description":"enable rate limit for user","operationId":"enableRateLimitingForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"method","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/permissionschemes":{"get":{"tags":["Rbac"],"description":"Returns info about all the permission schemes defined in the session's enterprise 
company","operationId":"getPermissionSchemes","parameters":[{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeListInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Rbac"],"description":"Create a new permission scheme within the session's enterprise company","operationId":"createPermissionScheme","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/permissionschemes/{psid}":{"get":{"tags":["Rbac"],"description":"Returns info about a permission scheme defined in the session's enterprise company","operationId":"getPermissionScheme","parameters":[{"name":"psid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Rbac"],"description":"update the permission scheme's name / description","operationId":"updatePermissionScheme","parameters":[{"name":"psid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Rbac"],"description":"Deletes a permission scheme defined in the session's enterprise company","operationId":"deletePermissionScheme","parameters":[{"name":"psid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/permissionschemes/{psid}/roles":{"post":{"tags":["Rbac"],"description":"Add an entry to the specified RBAC permission scheme","operationId":"addPermissionSchemeEntry","parameters":[{"name":"psid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeEntryParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacPermissionSchemeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/permissionschemes/{psid}/roles/{rid}":{"delete":{"tags":["Rbac"],"description":"Delete a single entry from the specified RBAC permission scheme","operationId":"deletePermissionSchemeEntry","parameters":[{"name":"psid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/roles":{"get":{"tags":["Rbac"],"description":"Returns info about all the roles defined in the session's enterprise company","operationId":"getRoles","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRbacRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Rbac"],"description":"Create a new role within the session's enterprise company","operationId":"createRole","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacRoleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/roles/{rid}":{"get":{"tags":["Rbac"],"description":"Returns info about a role defined in the session's enterprise company","operationId":"getRole","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Rbac"],"description":"update the role's name / description","operationId":"updateRole","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateRbacRoleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRbacRoleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Rbac"],"description":"Deletes a role defined in the session's enterprise company","operationId":"deleteRole","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rbac/{cid}/initializePredefinedSchemesAndRoles":{"post":{"tags":["Rbac"],"description":"Admin API to populate predefined permission schemes and project roles","operationId":"populatePredefinedSchemesAndRoles","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/companyreleaseworkflow":{"get":{"tags":["ReleasePackage"],"summary":"Get information about the release/obsoletion workflow for a company-owned document.","operationId":"getCompanyReleaseWorkflow","parameters":[{"name":"documentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTActiveWorkflowInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/releasepackages/d/{did}":{"get":{"tags":["ReleasePackage"],"description":"Returns list of release packages for a given document id","operationId":"findByDocumentId","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"noRevisionsCreated","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTReleasePackageSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/releasepackages/d/{did}/v/{vid}":{"get":{"tags":["ReleasePackage"],"description":"Returns list of release packages for a document id and version id","operationId":"findByDocumentIdAndVersionId","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTReleasePackageSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/releasepackages/d/{did}/w/{wid}/drafts":{"get":{"tags":["ReleasePackage"],"description":"Returns release package drafts from a given document workspace that are editable by the session user.","operationId":"getDrafts","parameters":[{"name":"offset","in":"query","description":"Offset. Determines where search results begin. Default value is 0.","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","description":"Number of results to return per page. 
Default value is 20 (also the maximum).","schema":{"maximum":200,"minimum":1,"type":"integer","format":"int32","default":50}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTDraftReleasePackageInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/draft/{rpid}":{"delete":{"tags":["ReleasePackage"],"description":"Discard a draft release package.","operationId":"deleteDraftRelease","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/obsoletion/{wfid}":{"post":{"tags":["ReleasePackage"],"summary":"Create an obsoletion package to make an existing revision obsolete.","operationId":"createObsoletionPackage","parameters":[{"name":"wfid","in":"path","required":true,"schema":{"type":"string"}},{"name":"revisionId","in":"query","required":true,"schema":{"type":"string"}},{"name":"debugMode","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/releasepackages/release/{wfid}":{"post":{"tags":["ReleasePackage"],"summary":"Create a new release package for one or more items.","description":"All revisionable items must be from the same document. 
Once a release package is successfully created, use `updateReleasePackage` to update all desired item/package properties, and transition it to the desired state.","operationId":"createReleasePackage","parameters":[{"name":"wfid","in":"path","required":true,"schema":{"type":"string"}},{"name":"debugMode","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReleasePackageParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/releasepackages/{rpid}":{"get":{"tags":["ReleasePackage"],"summary":"Get details about the specified release package.","operationId":"getReleasePackage","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}},{"name":"detailed","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReleasePackageInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["ReleasePackage"],"summary":"Update the release/obsoletion package/item properties.","description":"Use the `wfaction` query param to also perform a workflow transition.","operationId":"updateReleasePackage","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}},{"name":"action","in":"query","schema":{"type":"string","default":"UPDATE"}},{"name":"wfaction","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateReleasePackageParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReleasePackageInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["ReleasePackage"],"description":"Delete a bad release package that failed to transition correctly. Only onshape admins are allowed","operationId":"deleteReleasePackage","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/approvalrolemembers/{rid}":{"get":{"tags":["ReleasePackage"],"description":"Returns membership in the role for the specified release package","operationId":"getApprovalRoleMembers","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTUserDetailSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/detectunchanged":{"get":{"tags":["ReleasePackage"],"description":"Detect unchanged items in release package.","operationId":"detectUnchanged","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUnchangedReleaseInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/itemconfigurationparameters":{"get":{"tags":["ReleasePackage"],"description":"Returns configuration parameters for all items","operationId":"getItemConfigurationParameters","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"text/plain":{"schema":{"type":"string"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/precheck":{"post":{"tags":["ReleasePackage"],"description":"Check and validate release package for PLM submission","operationId":"precheck","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTReleasePackageItemValidationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/refresh":{"post":{"tags":["ReleasePackage"],"description":"Reload a release package in the setup state to pick up new changes in the workspace.","operationId":"refreshReleasePackage","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRefreshReleaseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReleasePackageInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/revertItemsToRevisions":{"post":{"tags":["ReleasePackage"],"description":"Updates 
unchanged references to revisions, then refreshes the release","operationId":"revertItemsToRevisions","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevertUnchangedReleaseParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTReleasePackageInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/releasepackages/{rpid}/validate":{"post":{"tags":["ReleasePackage"],"description":"Validate proposed changes to items in a release package","operationId":"validateItems","parameters":[{"name":"rpid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateReleasePackageParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTReleasePackageItemValidationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports":{"get":{"tags":["Reports"],"description":"Get all reports for enterprise. 
Admin request without enterprise domain gets all reports.","operationId":"getAllReports","parameters":[{"name":"filterType","in":"query","schema":{"type":"integer","format":"int32","default":5}},{"name":"filterValue","in":"query","schema":{"type":"string"}},{"name":"showDrillDown","in":"query","schema":{"type":"boolean","default":false}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTEnterpriseReportSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Reports"],"description":"Create a report for enterprise.","operationId":"createReport","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/admin/assign/{rid}":{"post":{"tags":["Reports"],"description":"Assign a custom reports to enterprise.","operationId":"assignReportToCompany","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/etllastruninfo":{"get":{"tags":["Reports"],"description":"Get Enterprise ETL last run information.","operationId":"getETLLastRunInfo","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEntepriseETLLastRunInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/looker/usage":{"get":{"tags":["Reports"],"description":"Get Enterprise looker user usage info.","operationId":"getLookerUsageInfo","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTLookerUsageInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/schedule":{"get":{"tags":["Reports"],"description":"Get all schedules created by a user.","operationId":"getReportSchedulesByUser","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleBasicInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}":{"get":{"tags":["Reports"],"description":"Get report by Id.","operationId":"getReport","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"filter","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Reports"],"description":"Update a report by Id for 
enterprise.","operationId":"updateReport","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Reports"],"description":"Update a report by Id for enterprise.","operationId":"deleteReport","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/acl":{"get":{"tags":["Reports"],"description":"get ACL for report","operationId":"acl","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/schedule":{"get":{"tags":["Reports"],"description":"Get a report schedule by Id","operationId":"getReportSchedule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Reports"],"description":"Create a schedule for a 
report","operationId":"createReportSchedule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/schedule/{sid}":{"post":{"tags":["Reports"],"description":"Update a schedule for a report by schedule Id","operationId":"updateReportSchedule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Reports"],"description":"Delete a schedule for a report by schedule Id","operationId":"deleteReportSchedule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/schedule/{sid}/recipients":{"get":{"tags":["Reports"],"description":"Get recipients for a scheduled 
reports","operationId":"getRecipient","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleRecipientInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Reports"],"description":"Add recipient for a scheduled report","operationId":"addRecipient","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportRecipientsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnterpriseReportScheduleRecipientInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/schedule/{sid}/recipients/{rcid}":{"delete":{"tags":["Reports"],"description":"Remove a recipient for a scheduled report","operationId":"removeRecipient","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rcid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/share":{"post":{"tags":["Reports"],"description":"Share report with one or more entities, which may be users, 
teams.","operationId":"shareReport","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTShareReportParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAclInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/reports/{rid}/share/{eid}":{"delete":{"tags":["Reports"],"description":"Remove share permissions from report","operationId":"unShareReport","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"entryType","in":"query","schema":{"maximum":4,"minimum":0,"type":"integer","format":"int32","default":0}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/revisionrules":{"get":{"tags":["RevisionRule"],"description":"List all Onshape system revision rules, optionally including a company's specific rules","operationId":"getAllRules","parameters":[{"name":"companyId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRevisionRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["RevisionRule"],"description":"Create a new revision rule for a company","operationId":"createRule","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionRuleParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/revisionrules/{ruleid}":{"get":{"tags":["RevisionRule"],"description":"Get Revision Rule by id","operationId":"getRuleById","parameters":[{"name":"ruleid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["RevisionRule"],"description":"Update an existing revision rule for a company","operationId":"updateRule","parameters":[{"name":"ruleid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionRuleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionRuleInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/revisionrules/{ruleid}/bulknext":{"post":{"tags":["RevisionRule"],"description":"Get multiple next revision names from different points in the rule. 
Returns a map from each given revision to its next.","operationId":"getBulkNextRevisionNames","parameters":[{"name":"ruleid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTNextRevisionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/revisionrules/{ruleid}/next":{"get":{"tags":["RevisionRule"],"description":"Get next revision names","operationId":"getNextRevisionNames","parameters":[{"name":"ruleid","in":"path","required":true,"schema":{"type":"string"}},{"name":"revisionName","in":"query","schema":{"type":"string","default":""}},{"name":"limit","in":"query","schema":{"maximum":1000,"minimum":1,"type":"integer","format":"int32","default":1}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"type":"string"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/revisions":{"post":{"tags":["Revision"],"description":"Creates and returns a {@link BTRevision} from the given info.","operationId":"createRevision","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/revisions/c/{cid}/partnumber/{pnum}":{"get":{"tags":["Revision"],"summary":"Get a list of revisions by part 
number.","operationId":"getRevisionByPartNumber","parameters":[{"name":"cid","in":"path","description":"Company id","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","description":"Part Number","required":true,"schema":{"type":"string"}},{"name":"revision","in":"query","description":"Revision","schema":{"type":"string"}},{"name":"elementType","in":"query","description":"0: Part Studio, 1: Assembly, 2: Drawing. 4: Blob","schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/companies/{cid}":{"get":{"tags":["Revision"],"summary":"Enumerate all of a company's revisions.","description":"* Returns a slice of all revisions per API call. \n* To get the next set of results, use the `next` URL from the response body. \n* This API can only be called by company admins.","operationId":"enumerateRevisions","parameters":[{"name":"cid","in":"path","description":"The company or enterprise ID that owns the resource.","required":true,"schema":{"type":"string"}},{"name":"elementType","in":"query","description":"0: Part Studio, 1: Assembly, 2: Drawing. 
4: Blob","schema":{"type":"integer","format":"int32"}},{"name":"limit","in":"query","description":"The number of items to return in a single API call","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"latestOnly","in":"query","description":"Whether to limit search to only latest revisions.","schema":{"type":"boolean","default":false}},{"name":"after","in":"query","description":"The earliest creation date of the revision to find.","schema":{"type":"string","format":"date-time","default":"2000-01-01T00:00:00Z"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRevisionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/companies/{cid}/d/{did}/{wv}/{wvid}/e/{eid}":{"get":{"tags":["Revision"],"summary":"Get a list of all revisions for an element in a company-owned document.","operationId":"getRevisionHistoryInCompanyByElementId","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"elementType","in":"query","required":true,"schema":{"type":"string"}},{"name":"fillApprovers","in":"query","schema":{"type":"boolean","default":false}},{"name":"fillExportPermission","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionListResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/companies/{cid}/d/{did}/{wv}/{wvid}/e/{eid}/p/{pid}":{"get":{"tags":["Revision"],"summary":"Get a list of all revisions for a part in a company-owned document by part 
ID.","operationId":"getRevisionHistoryInCompanyByPartId","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wv","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}},{"name":"fillApprovers","in":"query","schema":{"type":"boolean","default":false}},{"name":"fillExportPermission","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionListResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/companies/{cid}/partnumber/{pnum}":{"get":{"tags":["Revision"],"summary":"Get a list of all revisions for a part or element in a company-owned document by part number.","description":"You can also request `elementType` in addition to `partNumber` since companies may or may not allow drawings to share part numbers with their parts/assemblies. 
","operationId":"getRevisionHistoryInCompanyByPartNumber","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementType","in":"query","required":true,"schema":{"type":"string"}},{"name":"fillApprovers","in":"query","schema":{"type":"boolean","default":false}},{"name":"fillExportPermission","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionListResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/companies/{cid}/partnumber/{pnum}/elementType/{et}":{"delete":{"tags":["Revision"],"summary":"Delete all revisions for a part number.","description":"Only company admins can call this API. All documents that contain or use the part number must be deleted first. 
This operation cannot be undone.","operationId":"deleteRevisionHistory","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","required":true,"schema":{"type":"string"}},{"name":"et","in":"path","required":true,"schema":{"type":"string"}},{"name":"ignoreLinkedDocuments","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/companies/{cid}/partnumber/{pnum}/revision/{revision}/obsolete":{"post":{"tags":["Revision"],"summary":"Obsolete revisions by partnumber and revision label in a company","operationId":"obsoleteRevision","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","required":true,"schema":{"type":"string"}},{"name":"revision","in":"path","required":true,"schema":{"type":"string"}},{"name":"makeReleaseable","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/revisions/d/{did}":{"get":{"tags":["Revision"],"summary":"Get all revisions for the specified document.","description":"Retrieve a list of all revisions that exist in a document and are owned by the document's owning company.","operationId":"getAllInDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRevisionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/d/{did}/autoobsoletions":{"get":{"tags":["Revision"],"description":"Get the list of all auto obsoleted revisions for a document.","operationId":"findAllAutoObsoletedInDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRevisionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/revisions/d/{did}/changedreleasedpartids":{"get":{"tags":["Revision"],"description":"Find instances of BEL-155327 in a document (admin only)","operationId":"getChangedReleasedPartIds","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"versionId","in":"query","schema":{"type":"string","default":""}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTChangedReleasedPartIdInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/revisions/d/{did}/v/{vid}":{"get":{"tags":["Revision"],"summary":"Get all revisions for a version.","description":"Retrieve a list of all revisions that exist in a document version and are owned by the document's owning company.","operationId":"getAllInDocumentVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRevisionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/update/{rid}":{"post":{"tags":["Revision"],"description":"Make changes to revisions that ordinarily we do not allow.","operationId":"updateRevision","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateRevisionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/revisions/{cd}/{cdid}/p/{pnum}":{"get":{"tags":["Revision"],"description":"Get a list of all revisions for a part number in a company, ordered newest first. Returns empty","operationId":"getAllInDocumentOrCompany","parameters":[{"name":"cd","in":"path","required":true,"schema":{"type":"string"}},{"name":"cdid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","required":true,"schema":{"type":"string"}},{"name":"et","in":"query","schema":{"type":"string"}},{"name":"rid","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTRevisionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/revisions/{cd}/{cdid}/p/{pnum}/latest":{"get":{"tags":["Revision"],"summary":"Get the latest revision for a part number in a document or company.","description":"Returns 204 if no revisions are 
found.","operationId":"getLatestInDocumentOrCompany","parameters":[{"name":"cd","in":"path","required":true,"schema":{"type":"string"}},{"name":"cdid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pnum","in":"path","required":true,"schema":{"type":"string"}},{"name":"et","in":"query","description":"0: Part Studio, 1: Assembly, 2: Drawing. 4: Blob","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/revisions/{rid}":{"get":{"tags":["Revision"],"description":"Return a single revision matching the given revision id","operationId":"getRevisionById","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRevisionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/rules":{"get":{"tags":["CapabilityRule"],"description":"Get a list of rules","operationId":"getCapabilityRules","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCapabilityRuleSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["CapabilityRule"],"description":"Creates a new capability rule","operationId":"createCapabilityRule","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityRuleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityRuleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rules/full":{"get":{"tags":["CapabilityRule"],"description":"Get a list of rules","operationId":"getFullInfo","parameters":[{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTCapabilityRuleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/rules/{rid}":{"get":{"tags":["CapabilityRule"],"description":"Returns information about the rule with the provided ID","operationId":"getRule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityRuleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["CapabilityRule"],"description":"Update a rule with new script","operationId":"updateById","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityRuleParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCapabilityRuleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["CapabilityRule"],"description":"Delete a capability rule","operationId":"deleteRule","parameters":[{"name":"rid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/sendgrid/webhook":{"post":{"tags":["SendGridWebhook"],"description":"Handle a webhook callback from SendGrid","operationId":"handleSendGridEvent","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/siem/disable/{companyId}":{"post":{"tags":["SiemSolution"],"operationId":"disableCompanySiem","parameters":[{"name":"companyId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/siem/enable/{companyId}":{"post":{"tags":["SiemSolution"],"operationId":"enableSiemForCompany","parameters":[{"name":"companyId","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEnableSiemParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/siem/events":{"get":{"tags":["SiemSolution"],"operationId":"getLogs","parameters":[{"name":"offset","in":"query","schema":{"type":"string","default":"0"}},{"name":"outputtype","in":"query","schema":{"type":"string","default":"cef"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTSiemWebResponseInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read","OAuth2ReadPII"],"BasicAuth":["OAuth2Read","OAuth2ReadPII"]}],"x-BTVisibility":"INTERNAL"}},"/signout":{"get":{"tags":["OAuth2.0"],"operationId":"signout","responses":{"default":{"description":"default response","content":{"*/*":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/activate":{"post":{"tags":["Signup"],"description":"Activate a new user","operationId":"activateUser","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserActivationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/admin/forgotPassword/{userId}":{"post":{"tags":["Signup"],"description":"Creates a reset password URL for admin user to send to product user","operationId":"forgotPasswordAdmin","parameters":[{"name":"userId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPasswordResetInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/forgotPassword":{"post":{"tags":["Signup"],"description":"Creates a reset password URL for users who forget their password; 
returns a 307 redirect.","operationId":"forgotPassword","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/forgotPassword/{prlId}":{"get":{"tags":["Signup"],"description":"Get details about a forgot password request","operationId":"forgotPasswordRequest","parameters":[{"name":"prlId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/forgotPassword/{prlId}/{prlS}":{"get":{"tags":["Signup"],"description":"Handles forgot password redirects","operationId":"forgotPasswordRedirect","parameters":[{"name":"prlId","in":"path","required":true,"schema":{"type":"string"}},{"name":"prlS","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/invite":{"post":{"tags":["Signup"],"description":"Self service request for FREE_2016, EDU and PRO_COMPANY_TRAIL plans. 
All other plans should go","operationId":"requestInvite","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInvitationParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/invite/privacyconsent":{"get":{"tags":["Signup"],"description":"Get privacy consent","operationId":"getPrivacyConsent","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPrivacyConsentTextInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/invite/{iid}":{"get":{"tags":["Signup"],"description":"Get details about approved beta invitation","operationId":"getInvite","parameters":[{"name":"iid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInvitationWithLocaleInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/signup/resetPassword":{"post":{"tags":["Signup"],"description":"Sends a reset password request; activated from forgot password URL","operationId":"resetPassword","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPasswordResetParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/simulations/d/{did}/{wvm}/{wvmid}/e/{eid}":{"get":{"tags":["Simulation"],"summary":"Get a list of simulations present in the given element","operationId":"getSimulationList","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the 
operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTSimulationInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/simulations/d/{did}/{wvm}/{wvmid}/e/{eid}/connections":{"get":{"tags":["Simulation"],"summary":"Get information about connections between parts from a simulation perspective","operationId":"getConnectionsInfo","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the 
document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSimulationConnectionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/simulations/d/{did}/{wvm}/{wvmid}/e/{eid}/generative/definition":{"get":{"tags":["Simulation"],"summary":"Get the generative design definition","description":"Get a serialized representation of the generative definition request","operationId":"getGenerativeDefinition","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"explodedViewId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/simulations/d/{did}/{wvm}/{wvmid}/e/{eid}/s/{sid}":{"get":{"tags":["Simulation"],"summary":"Get the result of running the given simulation","operationId":"getSimulationResult","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTSimulationResultInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/simulations/d/{did}/{wvm}/{wvmid}/e/{eid}/s/{sid}/definition":{"get":{"tags":["Simulation"],"summary":"Get a representation of the simulation definition: a serialized blob of the BTSimulationRequest sent to FGS, which includes full definition","operationId":"getSimulationDefinition","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wvm","in":"path","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v","m"]}},{"name":"wvmid","in":"path","description":"The id of the workspace, version or document microversion in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"array","items":{"type":"string","format":"byte"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/sso/thoughtindustries":{"get":{"operationId":"thoughtIndustriesSSO","parameters":[{"name":"return_to","in":"query","required":true,"schema":{"type":"string","format":"uri"}}],"responses":{"default":{"description":"default response","content":{"text/plain":{"schema":{"type":"object"}}}}},"deprecated":false}},"/sso/vanilla3":{"get":{"operationId":"vanillaSSOV3","responses":{"default":{"description":"default response","content":{"text/html":{"schema":{"type":"object"}}}}},"deprecated":false}},"/sso/zendesk":{"get":{"operationId":"zendeskSSO","parameters":[{"name":"return_to","in":"query","required":true,"schema":{"type":"string","format":"uri"}}],"responses":{"default":{"description":"default 
response","content":{"text/plain":{"schema":{"type":"object"}}}}},"deprecated":false}},"/standardcontent/admin/list":{"get":{"tags":["StandardContent"],"description":"Get active standard content list for admin console user.","operationId":"getStandardContentListForAdmin","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTStandardContentHierarchyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/customparameter/add":{"post":{"tags":["StandardContent"],"description":"Adds a standard content custom parameter","operationId":"addCustomParameter","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentCustomParameterParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentCustomParameterDefinition"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/customparameter/delete":{"post":{"tags":["StandardContent"],"description":"Deletes a standard content custom parameter","operationId":"deleteCustomParameter","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentCustomParameterParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/customparameter/find":{"post":{"tags":["StandardContent"],"description":"Finds standard content custom parameters","operationId":"findCustomParameter","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentCustomParameterParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTStandardContentCustomParameterDefinition"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/customparameter/findall":{"post":{"tags":["StandardContent"],"description":"Finds all the standard content custom parameters for a hierarchy","operationId":"findAllCustomParameter","parameters":[{"name":"includeParents","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentCustomParameterParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTStandardContentCustomParameterDefinition"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/d/{did}":{"get":{"tags":["StandardContent"],"description":"Get standard content related information for specified document. If the document is not marked as","operationId":"getDocumentInfo","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentHierarchyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["StandardContent"],"description":"Mark specified document as standard content. 
Document should be active and owned by Onshape","operationId":"markDocumentAsStandardContent","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentHierarchyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/delete":{"post":{"tags":["StandardContent"],"description":"Deletes a standard content hierarchy","operationId":"deleteStandardContent","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentHierarchyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/hierarchy":{"post":{"tags":["StandardContent"],"description":"Returns hierarchical information for standard content navigation. 
The return object has a list of","operationId":"getHierarchy","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentHierarchyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMatchingStandardContentHierarchyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/rename":{"post":{"tags":["StandardContent"],"description":"Renames a standard content hierarchy","operationId":"renameContent","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentHierarchyRenameParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/usage":{"post":{"tags":["StandardContent"],"description":"Gets usage details of standard content for a fully or partially specified configuration","operationId":"getContentUsageForId","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentFindUsageParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentUsageSummary"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/versions":{"post":{"tags":["StandardContent"],"description":"Sets the run versions and run version states for a standard content document","operationId":"setContentRunVersions","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentSetRunVersionsParams"}}},"required":true},"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/{did}":{"post":{"tags":["StandardContent"],"description":"Create component version within the given document Id with the specified parameter values","operationId":"createContentForId","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentInsertableComponentInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/standardcontent/{did}/custom":{"post":{"tags":["StandardContent"],"description":"Get the standard content component specifications for the given document Id","operationId":"getContentForId","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"setCustomProperties","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTStandardContentComponentInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/stripe/webhook":{"post":{"tags":["StripeWebhook"],"description":"Handle an incoming event from Stripe. Note: no OAuth2/BasicAuth security requirement is declared for this path and its only declared input is an opaque query-string parameter, which presumably acts as a shared secret; confirm that the handler also verifies the Stripe-Signature header of each delivery, because a URL token alone can leak through access logs and referrers.","operationId":"handleStripeEvent","parameters":[{"name":"kgqfqmtu3wdsfpwe","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/systemtags":{"get":{"tags":["SystemTag"],"description":"Get all system tags","operationId":"getSystemTags","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTTagInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["SystemTag"],"description":"Create a new system tag","operationId":"createSystemTag","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTagParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTagInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/systemtags/{tid}":{"delete":{"tags":["SystemTag"],"description":"Delete a system tag; DO NOT USE THIS","operationId":"deleteSystemTag","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/tabletemplates":{"post":{"tags":["PropertiesTableTemplate"],"summary":"Create a new properties table template.","operationId":"createTableTemplate","parameters":[{"name":"templateGroupId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPropertiesTableTemplateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPropertiesTableTemplateInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/tabletemplates/companies/{cid}":{"get":{"tags":["PropertiesTableTemplate"],"summary":"Get all properties table templates available for a company.","operationId":"getByCompanyId","parameters":[{"name":"cid","in":"path","description":"The id of the company in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"templateType","in":"query","description":"Indicates filter for table templates: 0 (BOM) or 1 (Revision Table).","schema":{"$ref":"#/components/schemas/BTPropertiesTableTemplateType"}},{"name":"onlyActive","in":"query","schema":{"type":"boolean","default":false}},{"name":"includeDefaults","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertiesTableTemplateInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/tabletemplates/d/{did}":{"get":{"tags":["PropertiesTableTemplate"],"summary":"Get all table templates that are available to use on the provided document.","operationId":"getByDocumentId","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"templateType","in":"query","description":"Indicates filter for table templates: 0 (BOM) or 1 (Revision Table).","schema":{"$ref":"#/components/schemas/BTPropertiesTableTemplateType"}},{"name":"onlyActive","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeDefaults","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertiesTableTemplateInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/tabletemplates/{tid}":{"get":{"tags":["PropertiesTableTemplate"],"summary":"Get a properties table template by template ID.","operationId":"getTableTemplate","parameters":[{"name":"tid","in":"path","description":"The id of the template in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPropertiesTableTemplateInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["PropertiesTableTemplate"],"summary":"Delete a properties table template.","operationId":"deleteTableTemplate","parameters":[{"name":"tid","in":"path","description":"The id of the template in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"PRODUCTION"}},"/tasks":{"post":{"tags":["Task"],"description":"Create a new task","operationId":"createTask","parameters":[{"name":"companyId","in":"query","required":true,"schema":{"type":"string"}},{"name":"workflowId","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskItemParams"}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/tasks/object/{id}":{"get":{"tags":["Task"],"description":"Lists tasks assigned to the task object","operationId":"getTasksByObjectId","parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string"}},{"name":"status","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"order","in":"query","schema":{"type":"integer","format":"int32","default":1}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/tasks/users":{"get":{"tags":["Task"],"description":"Lists tasks assigned to the current user","operationId":"getMyTasks","parameters":[{"name":"userId","in":"query","schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":50}},{"name":"status","in":"query","schema":{"type":"integer","format":"int32","default":2}},{"name":"role","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"order","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"type","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskListResponse"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/tasks/{tid}":{"get":{"tags":["Task"],"description":"Get task by 
id","operationId":"getTask","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Task"],"description":"Update the task and its base properties","operationId":"updateTask","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Task"],"operationId":"deleteTask","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/tasks/{tid}/close":{"post":{"tags":["Task"],"description":"Close the task. 
This end point is specifically provided for Onshape Admin use in that he/she can","operationId":"closeTask","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"description","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/tasks/{tid}/{transition}":{"post":{"tags":["Task"],"description":"Transition the task for given transition name","operationId":"transitionTask","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTaskInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/teams":{"get":{"tags":["Team"],"summary":"Get a list of all teams the current user belongs to.","operationId":"find","parameters":[{"name":"prefix","in":"query","schema":{"type":"string","default":""}},{"name":"uid","in":"query","schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string"}},{"name":"includeCompanyOwnedTeams","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTTeamInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Team"],"description":"Make a new team","operationId":"createTeam","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/teams/all":{"get":{"tags":["Team"],"description":"Admin endpoint to get paginated list of all teams","operationId":"getAll","parameters":[{"name":"query","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTTeamSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/teams/company/{cid}":{"get":{"tags":["Team"],"description":"Endpoint to get paginated list of teams owned by company","operationId":"getCompanyTeams","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"prefix","in":"query","schema":{"type":"string","default":""}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGlobalTreeNodeListResponseBTTeamSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/teams/teambyname":{"get":{"tags":["Team"],"summary":"Retrieve team information by team name.","description":"Get team information by team name","operationId":"getTeamByName","parameters":[{"name":"teamName","in":"query","schema":{"type":"string","default":""}},{"name":"uid","in":"query","schema":{"type":"string"}},{"name":"companyId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTeamInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/teams/{tid}":{"get":{"tags":["Team"],"summary":"Get team information by team ID.","operationId":"getTeam","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Team"],"description":"Update info for a team","operationId":"updateTeam","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Team"],"description":"Delete a team; this does not remove 
any users from Onshape","operationId":"deleteTeam","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/teams/{tid}/memberdetails":{"get":{"tags":["Team"],"description":"List members of a team when only the basic user facing information is required; max 100 per page","operationId":"getMemberDetails","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"rpid","in":"query","schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":100}},{"name":"q","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTUserDetailSummaryInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/teams/{tid}/members":{"get":{"tags":["Team"],"summary":"Get a list of a team's members.","description":"Returns a maximum of 20 per 
page.","operationId":"getMembers","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sortColumn","in":"query","schema":{"type":"string"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"asc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"q","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTTeamMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Team"],"description":"Add new member to a team; sends them an invitation","operationId":"addMember","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/teams/{tid}/members/bulk":{"post":{"tags":["Team"],"description":"Add new members to a team in bulk; sends each of them an invitation","operationId":"addMembers","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberListParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberListInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/teams/{tid}/members/importCSV":{"post":{"tags":["Team"],"description":"Import member by email and admin/member role by csv file. Make sure to create CSV file with","operationId":"importMembersByCsv","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTManageMembersByCSVInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/teams/{tid}/members/{uid}":{"get":{"tags":["Team"],"description":"Get team member information","operationId":"getMember","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["enterprise.member.read"],"BasicAuth":["enterprise.member.read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Team"],"description":"Update team member info","operationId":"updateMember","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTeamMemberInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["enterprise.edit"],"BasicAuth":["enterprise.edit"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Team"],"description":"Remove a member from a team","operationId":"removeMember","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/testapi/authzscope":{"get":{"tags":["TestAPI"],"description":"Applies BTAuthz and BTHasOAuth2Scopes annotation filters; does nothing but return 200 OK","operationId":"authzScope","responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/testapi/authzsessioncred":{"get":{"tags":["TestAPI"],"description":"Applies BTAuthz and BTSessionCred annotation filters; does nothing but return 200 OK","operationId":"authzSessionCred","responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/testapi/capablescope":{"get":{"tags":["TestAPI"],"description":"Applies BTIsCapable and BTHasOAuth2Scopes annotation filters; does nothing but return 200 OK","operationId":"capableScope","responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Delete"],"BasicAuth":["OAuth2Delete"]}],"x-BTVisibility":"INTERNAL"}},"/testapi/capablesessioncred":{"get":{"tags":["TestAPI"],"description":"Applies BTIsCapable and BTSessionCred annotation filters; does nothing but return 200 OK","operationId":"capableSessionCred","responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/thumbnails/d/{did}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail info for a document in the default workspace.","description":"* By default, returns thumbnail info for the element with the most-recently generated image. If you pinned an element for the document thumbnail, that element will always be used for the document-level thumbnail, if it exists in the workspace.\n* The default workspace may vary by user; the image served depends on the signed-in user.\n* See also: [Tech tip on how to change a document thumbnail in onshape](https://www.onshape.com/en/resource-center/tech-tips/tech-tip-how-to-change-a-document-thumbnail-in-onshape)","operationId":"getThumbnailForDocument","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return thumbnail image for document at specified size. 
This returns the default thumbnail, if the thumbnail was not found.","operationId":"getDefaultDocumentThumbnailWithSize","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/d/{did}/v/{vid}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail info for a version of a document.","description":"* By default, returns thumbnail info for the element with the most-recently generated image. 
If you pinned an element for the document thumbnail, that element will always be used for the document-level thumbnail, if it exists in the workspace.\n* See also: [Tech tip on how to change a document thumbnail in onshape](https://www.onshape.com/en/resource-center/tech-tips/tech-tip-how-to-change-a-document-thumbnail-in-onshape)","operationId":"getThumbnailForDocumentAndVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/v/{vid}/e/{eid}/ac/{cid}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return thumbnail image for an element at specified version in the given configuration","operationId":"getThumbnailImageForElementAndVersionWithApiConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. 
If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}},{"name":"requireConfigMatch","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/d/{did}/v/{vid}/e/{eid}/p/{pid}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return thumbnail image for a part at specified version","operationId":"getThumbnailImageForPartAndVersion","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. 
If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/d/{did}/v/{vid}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return thumbnail image for document at specified version preferably for an element","operationId":"getThumbnailImageForDocumentAndVersionWithElementPreference","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}},{"name":"elementId","in":"query","schema":{"type":"string","default":""}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. 
If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/d/{did}/w/{wid}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail info for a workspace.","description":"* By default, returns thumbnail info for the element with the most-recently generated image. 
If you pinned an element for the document thumbnail, that element will always be used for the document-level thumbnail, if it exists in the workspace.\n* See also: [Tech tip on how to change a document thumbnail in onshape](https://www.onshape.com/en/resource-center/tech-tips/tech-tip-how-to-change-a-document-thumbnail-in-onshape)","operationId":"getDocumentThumbnail","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/w/{wid}/e/{eid}/ac/{cid}/s/{sz}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail image with the given configuration for an element.","description":"Returns the thumbnail image for an element at a specified version, with the given configuration.","operationId":"getElementThumbnailWithApiConfiguration","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. 
If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}},{"name":"rejectEmpty","in":"query","schema":{"type":"boolean","default":false}},{"name":"requireConfigMatch","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/w/{wid}/e/{eid}/c/{cid}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return thumbnail for a configured element, with specified size in pixels","operationId":"getConfiguredElementThumbnailWithSize","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. 
If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}},{"name":"rejectEmpty","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":true,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/w/{wid}/e/{eid}/p/{pid}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return thumbnail image for a part at specified workspace","operationId":"getThumbnailImageForPartAndWorkspace","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. 
If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/d/{did}/w/{wid}/s/{sz}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail image with the given size for a document.","description":"* By default, returns thumbnail image for the element with the most-recently generated image. 
If you pinned an element for the document thumbnail, that element will always be used for the document-level thumbnail, if it exists in the workspace.\n* See also: [Tech tip on how to change a document thumbnail in onshape](https://www.onshape.com/en/resource-center/tech-tips/tech-tip-how-to-change-a-document-thumbnail-in-onshape)","operationId":"getDocumentThumbnailWithSize","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/{wv}/{wvid}/e/{eid}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail info structure for an element.","description":"Returns 
thumbnail info for the given document, workspace or version, and element.","operationId":"getElementThumbnail","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Thumbnail"],"summary":"Set the thumbnail image for an application element.","description":"* Allows 3rd-party applications to set thumbnails for their elements. \n* Application elements can have both primary and secondary thumbnails. A primary thumbnail represents the top-level of the element. A secondary thumbnail can represent sub-components of the element (e.g., a drawing sheet).\n* To update one or more thumbnails, you must set the overwrite query param to `true` and supply the entire set of thumbnails. 
All previous thumbnails will be deleted prior to updating the element with the latest images.","operationId":"setApplicationElementThumbnail","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"overwrite","in":"query","schema":{"type":"boolean","default":false}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApplicationElementThumbnailParamsArray"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Thumbnail"],"summary":"Delete an element's thumbnail.","description":"Deletes an application element's thumbnail and images for the given document, workspace or version, and element 
combination.","operationId":"deleteApplicationThumbnails","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/d/{did}/{wv}/{wvid}/e/{eid}/s/{sz}":{"get":{"tags":["Thumbnail"],"summary":"Get the thumbnail image with the given size for an element.","operationId":"getElementThumbnailWithSize","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}},{"name":"rejectEmpty","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default 
response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/document/{did}":{"get":{"tags":["Thumbnail"],"summary":"This endpoint will be deprecated soon. Use `getThumbnailForDocument` instead.","description":"This API exists for historical reasons. It uses `/document/` in the path, rather than the standard `/d/` to specify the document.","operationId":"getThumbnailForDocumentOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/document/{did}/version/{vid}":{"get":{"tags":["Thumbnail"],"summary":"This endpoint will be deprecated soon. Use `getThumbnailForDocumentAndVersion` instead.","description":"This API exists for historical reasons. 
It uses `/document/` in the path, rather than the standard `/d/` to specify the document.","operationId":"getThumbnailForDocumentAndVersionOld","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/thumbnails/e/{eid}/diff":{"get":{"tags":["Thumbnail"],"description":"Get the differences between two released parts or elements from the specified versions or","operationId":"getVersionToVersionImageDiff","parameters":[{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"partNumber","in":"query","required":true,"schema":{"type":"string"}},{"name":"fromVersionId","in":"query","schema":{"type":"string"}},{"name":"toVersionId","in":"query","schema":{"type":"string"}},{"name":"fromConfiguration","in":"query","schema":{"type":"string"}},{"name":"toConfiguration","in":"query","schema":{"type":"string"}},{"name":"fromRevisionName","in":"query","schema":{"type":"string"}},{"name":"toRevisionName","in":"query","schema":{"type":"string"}},{"name":"fromElementId","in":"query","schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"elementType","in":"query","required":true,"schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVersionDiffInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/em/{emid}/persistent":{"get":{"tags":["Thumbnail"],"description":"Return persistent thumbnail info for an element 
microversion","operationId":"getPersistentElementMicroversionThumbnailInfo","parameters":[{"name":"emid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/em/{emid}/s/{sz}/vo/{vo}/rm/{rm}/persistent":{"get":{"tags":["Thumbnail"],"description":"Return persistent thumbnail image for element microversion","operationId":"getPersistentThumbnailImageForElementMicroversion","parameters":[{"name":"emid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"vo","in":"path","required":true,"schema":{"type":"string"}},{"name":"rm","in":"path","required":true,"schema":{"type":"string"}},{"name":"partNumber","in":"query","schema":{"type":"string","default":""}},{"name":"configurationId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/from/{emid1}/to/{emid2}/comparison":{"get":{"tags":["Thumbnail"],"description":"Return persistent thumbnail info for an element microversion comparison","operationId":"getElementComparisonInfo","parameters":[{"name":"emid1","in":"path","required":true,"schema":{"type":"string"}},{"name":"emid2","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTElementImageCompareInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/from/{emid1}/to/{emid2}/s/{sz}/vo/{vo}/overlay":{"get":{"tags":["Thumbnail"],"description":"Return comparison overlay denoting difference between from and to element microversion id","operationId":"getCompareOverlay","parameters":[{"name":"emid1","in":"path","required":true,"schema":{"type":"string"}},{"name":"emid2","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"vo","in":"path","required":true,"schema":{"type":"string"}},{"name":"comparison","in":"query","schema":{"type":"string","default":"forward"}},{"name":"partNumber","in":"query","schema":{"type":"string","default":""}},{"name":"fromConfigurationId","in":"query","schema":{"type":"string","default":""}},{"name":"toConfigurationId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/{tid}":{"get":{"tags":["Thumbnail"],"description":"Return JSON metadata describing thumbnail size","operationId":"getThumbnail","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/{tid}/s/{sz}":{"get":{"tags":["Thumbnail"],"description":"Return information for thumbnail, with given size","operationId":"getThumbnailWithSize","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}},{"name":"linkDocumentId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/thumbnails/{tid}/u/{uid}/s/{sz}/secondary":{"get":{"tags":["Thumbnail"],"description":"Return information for the secondary thumbnail specified by the unique id, with given 
size","operationId":"getSecondaryThumbnail","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sz","in":"path","description":"the generated thumbnail size in pixels, widthxheigth","required":true,"schema":{"type":"string"},"example":"300x300"},{"name":"t","in":"query","description":"Cache Control key. If specified, the response header returned will tell the client to use cached thumbnails.","schema":{"type":"string"}},{"name":"skipDefaultImage","in":"query","description":"Controls the return of the default image, if thumbnail is not available","schema":{"type":"string","default":""},"examples":{"By default return the default thumbnail, if the thumbnail is not found or generated":{"summary":"Get the default image, if the thumbnail is not found","description":"By default return the default thumbnail, if the thumbnail is not found or generated"},"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found":{"summary":"Skip the default image, if the thumbnail does not exist.","description":"Setting skipDefaultImage=true, returns a 404 if the thumbnail is not found","value":true}}}],"responses":{"default":{"description":"default response","content":{"application/octet-stream":{"schema":{"type":"object"}},"image/*":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/token":{"post":{"tags":["OAuth2.0"],"description":"Several different OAuth flows are supported, all requiring a different set of parameters. 
Note that the SSO-type flow only works when using Basic Authentication with the application client ID and secret as username and password, respectively, AND when the app has `grant on demand` set to `true`.","operationId":"issueToken","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/BTOAuth2TokenRequest"}}}},"responses":{"default":{"description":"Successful token request.","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTOAuth2TokenResponse"}}}}},"deprecated":false,"servers":[{"url":"/oauth","variables":{}}],"x-BTVisibility":"INTERNAL"}},"/toolbar/collections":{"get":{"tags":["Toolbar"],"description":"Gets all tool collections by name","operationId":"getToolCollection","parameters":[{"name":"name","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTToolbarResponseBTToolNodeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/toolbar/toolbars":{"get":{"tags":["Toolbar"],"description":"Gets all toolbars available to a user.","operationId":"getToolbars","parameters":[{"name":"name","in":"query","schema":{"type":"array","items":{"type":"string"}}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTToolbarResponseBTToolNodeInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["Toolbar"],"description":"Batch interface for modifying a user's toolbars. 
(BTToolCollection)s are created if no id is","operationId":"updateToolbar","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTToolTreeUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTToolTreeUpdateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Toolbar"],"description":"Delete a user's toolbar customizations.","operationId":"deleteToolbars","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/toolbar/tools":{"get":{"tags":["Toolbar"],"description":"Gets all tools available to the current user.","operationId":"getTools","parameters":[{"name":"ot","in":"query","schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTToolInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/toolbar/tools/{cu}/{cuid}":{"delete":{"tags":["Toolbar"],"description":"Delete all custom tools belonging to a user or company","operationId":"deleteAllTools","parameters":[{"name":"cu","in":"path","required":true,"schema":{"type":"string"}},{"name":"cuid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/toolbar/tools/{cu}/{cuid}/create":{"post":{"tags":["Toolbar"],"description":"Endpoint to add custom tools for a user or company and create user feature specs if they 
don't","operationId":"createTools","parameters":[{"name":"cu","in":"path","required":true,"schema":{"type":"string"}},{"name":"cuid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTCreateCustomToolsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTToolInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/toolbar/tools/{cu}/{cuid}/delete":{"post":{"tags":["Toolbar"],"description":"Remove custom tools (i.e. those associated with user feature specs) for a user or company","operationId":"deleteTools","parameters":[{"name":"cu","in":"path","required":true,"schema":{"type":"string"}},{"name":"cuid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTToolTreeUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/toolbar/tools/{cu}/{cuid}/update":{"post":{"tags":["Toolbar"],"description":"Update custom tools and corresponding owned feature specs","operationId":"updateSpecs","parameters":[{"name":"cu","in":"path","required":true,"schema":{"type":"string"}},{"name":"cuid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserUpdateSpecsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateSpecsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/translations/d/{did}":{"get":{"tags":["Translation"],"summary":"Get information on an in-progress or completed translation by document ID.","operationId":"getDocumentTranslations","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/translations/d/{did}/w/{wid}":{"post":{"tags":["Translation"],"summary":"Upload a foreign file into Onshape and translate the data into parts, Part Studios, assemblies, and subassemblies.","description":"The API call may complete before the translation is finished. If `requestState = ACTIVE`, the translation can be polled until the state is either `DONE` or `FAILED`. Alternatively, a webhook callback can be registered for notification of translation completion (requires `Write` scope if `storeInDocument` is `true`). 
See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"createTranslation","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"allowFaultyParts":{"type":"boolean","description":"If true, and a part doesn't pass Onshape validation, it will be imported with faults."},"createComposite":{"type":"boolean"},"createDrawingIfPossible":{"type":"boolean"},"encodedFilename":{"type":"string","description":"If the filename contains non-ASCII characters. Use this field to store the filename."},"extractAssemblyHierarchy":{"type":"boolean"},"flattenAssemblies":{"type":"boolean","description":"If the file is an assembly, or contains an assembly, setting this to True will import it as a Part Studio. In this case the assembly will be flattened to a set of parts in a Part Studio. There will be duplicate parts created whenever a part is instanced more than once. 
If False, it will be imported as an Assembly."},"formatName":{"type":"string"},"joinAdjacentSurfaces":{"type":"boolean"},"locationElementId":{"type":"string"},"locationGroupId":{"type":"string"},"locationPosition":{"type":"integer","format":"int32","default":-1},"notifyUser":{"type":"boolean","default":true},"ownerId":{"type":"string"},"parentId":{"type":"string"},"projectId":{"type":"string"},"public":{"type":"boolean"},"onePartPerDoc":{"type":"boolean","default":false},"splitAssembliesIntoMultipleDocuments":{"type":"boolean","default":false},"storeInDocument":{"type":"boolean","default":true},"translate":{"type":"boolean","default":true},"unit":{"type":"string","default":""},"uploadId":{"type":"string"},"versionString":{"type":"string"},"importAppearances":{"type":"boolean","description":"Face appearances defined on models will be imported.","default":true},"yAxisIsUp":{"type":"boolean","description":"If the file was created in a system that orients with Y Axis Up, the models would by default be brought into Onshape (a Z Axis Up system) with a flipped coordinate system. Toggle this value to reorient the axis system to match Onshape and display the model with the coordinates you expect."},"importWithinDocument":{"type":"boolean"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/translations/translationformats":{"get":{"tags":["Translation"],"summary":"Get a list of formats this translation can use.","description":"Note that we don't necessarily support both import and export for any given format. 
See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"getAllTranslatorFormats","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTModelFormatFullInfo"}}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/translations/{tid}":{"get":{"tags":["Translation"],"summary":"Get information on an in-progress or completed translation by translation ID.","description":"When the translation is complete, `requestState` changes from `ACTIVE` to `DONE` or `FAILED`. See [API Guide: Model Translation](https://onshape-public.github.io/docs/api-adv/translation/) for more details.","operationId":"getTranslation","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Translation"],"summary":"Delete a translation request.","operationId":"deleteTranslation","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/triggers":{"get":{"tags":["Trigger"],"description":"Get all triggers for company. 
User has to be enterprise admin.","operationId":"getAllTriggers","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTriggerInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Trigger"],"description":"Create a trigger. User has to be enterprise admin.","operationId":"createTrigger","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/eventtypes":{"get":{"tags":["Trigger"],"description":"Gets event types for which triggers are supported. User has to be enterprise admin.","operationId":"getTriggerEvents","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTTriggerEventInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/steptypes":{"get":{"tags":["Trigger"],"description":"Gets all supported step types that can be added in triggers. 
User has to be enterprise admin.","operationId":"getTriggerStepTypes","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTTriggerStepTypeInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/templates":{"get":{"tags":["Trigger"],"description":"Get all trigger templates. User has to be enterprise admin.","operationId":"getAllTriggerTemplates","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTriggerInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/{tid}":{"get":{"tags":["Trigger"],"description":"Get trigger for specified id. User has to be enterprise admin.","operationId":"getTrigger","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Trigger"],"description":"Updates trigger specified by trigger id.","operationId":"updateTrigger","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Trigger"],"description":"Delete trigger specified by triggerId. User has to be enterprise admin.","operationId":"deleteTrigger","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/{tid}/executions":{"get":{"tags":["Trigger"],"description":"Returns the status of all executions of the trigger job.","operationId":"getJobExections","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTriggerJobExecutionInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/{tid}/executions/{eid}":{"get":{"tags":["Trigger"],"description":"Returns the status of job execution of a provided execution id for the trigger job.","operationId":"getJobExectionById","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerJobExecutionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Trigger"],"description":"Delete job execution with specified trigger id and 
execution id. User has to be enterprise admin.","operationId":"deleteExecution","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/{tid}/steps":{"get":{"tags":["Trigger"],"description":"Gets all the steps for given trigger. User has to be enterprise admin.","operationId":"getAllStepsForTrigger","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTTriggerStepInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Trigger"],"description":"Create a trigger step. User has to be enterprise admin.","operationId":"createStep","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerStepParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerStepInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/triggers/{tid}/steps/{sid}":{"get":{"tags":["Trigger"],"description":"Gets a trigger step definition. 
User has to be enterprise admin.","operationId":"getStep","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerStepInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["Trigger"],"description":"Update a trigger step. User has to be enterprise admin.","operationId":"updateStep","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerStepParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTriggerStepInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["Trigger"],"description":"Delete a trigger step. 
User has to be enterprise admin.","operationId":"deleteStep","parameters":[{"name":"tid","in":"path","required":true,"schema":{"type":"string"}},{"name":"sid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/usernotificationpref":{"get":{"tags":["UserNotificationPref"],"description":"Returns info about all the user's notification settings","operationId":"getNotificationPreferences","parameters":[{"name":"objectId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTUserNotificationPrefInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["UserNotificationPref"],"description":"Create a new role within the session's enterprise company","operationId":"createOrUpdateUserNotificationPref","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationPrefParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationPrefInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/usernotificationpref/levels":{"get":{"tags":["UserNotificationPref"],"description":"Returns info about the level supported. 
Items for Levels Enum class.","operationId":"getUserNotificationPrefLevels","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserNotificationPrefLevelsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users":{"get":{"tags":["User"],"description":"Get list of users; restricted to admin accounts and max of 20 per page","operationId":"get","parameters":[{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"state","in":"query","schema":{"type":"integer","format":"int32","default":1}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"createdAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTUserAdminSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Create a user from the admin console","operationId":"createUser","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["enterprise.member.create"],"BasicAuth":["enterprise.member.create"]}],"x-BTVisibility":"INTERNAL"}},"/users/admin/{uid}":{"get":{"tags":["User"],"description":"Get details of user with given id; 
admin-only","operationId":"getUserForAdmin","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"docCounts","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/apikeys":{"get":{"tags":["ApiKey"],"description":"Gets all API keys for current user","operationId":"getAPIKeys","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTApiKeyInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["ApiKey"],"description":"Creates an API key for a user. The body (scopeNames and company ID) are optional. If not","operationId":"createAPIKey","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAPIKeyParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApiKeyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/apikeys/userid/{uid}":{"get":{"tags":["ApiKey"],"description":"Gets all API keys for specified user (admin only)","operationId":"getAPIKeysForUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTApiKeyInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/apikeys/{ak}":{"get":{"tags":["ApiKey"],"description":"Gets one API 
Key","operationId":"getKey","parameters":[{"name":"ak","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApiKeyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["ApiKey"],"description":"Updates an API key state","operationId":"updateAPIKey","parameters":[{"name":"ak","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApiKeyUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTApiKeyInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["ApiKey"],"description":"Deletes a user's API key","operationId":"deleteAPIKey","parameters":[{"name":"ak","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/checkForumId":{"get":{"tags":["User"],"description":"Check if an ID is currently in use for the forums","operationId":"checkForumId","parameters":[{"name":"forumId","in":"query","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/current":{"get":{"tags":["User"],"description":"Get details of currently logged in user","operationId":"getCurrentUser","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2ReadPII"],"BasicAuth":["OAuth2ReadPII"]}],"x-BTVisibility":"INTERNAL"}},"/users/developer/{userid}":{"delete":{"tags":["User"],"description":"Deletes an API developer","operationId":"deleteDeveloper","parameters":[{"name":"userid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/deviceLogin":{"get":{"tags":["User"],"description":"Get devices user is logged in with","operationId":"getUserDeviceLogins","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTDeviceLoginPublicInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Remove all logins for a user","operationId":"deleteUserDeviceLogins","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/deviceLogin/{did}":{"get":{"tags":["User"],"description":"Get a device login by ID","operationId":"getDeviceLogin","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDeviceLoginPublicInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Delete a device 
login","operationId":"deleteDeviceLogin","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/deviceToken":{"post":{"tags":["User"],"description":"Register user's iOS or Android device for notifications","operationId":"registerDeviceToken","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDeviceTokenParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/disableTotp":{"post":{"tags":["User"],"description":"Disable time-based one-time password for a user","operationId":"disableTotp","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserTotpParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/duplicates":{"get":{"tags":["User"],"description":"Get list of all duplicate users by email; restricted to admin accounts","operationId":"getDuplicates","parameters":[{"name":"timeOutInMinutes","in":"query","schema":{"type":"integer","format":"int64","default":10}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDuplicateUserInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/email":{"get":{"tags":["User"],"description":"Get a user by sending an email query 
param","operationId":"getUserByEmail","parameters":[{"name":"email","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserAdminInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/email/check":{"post":{"tags":["User"],"description":"Get availability of user email","operationId":"checkEmail","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/email/status":{"post":{"tags":["User"],"description":"Get status of user email","operationId":"checkEmailStatus","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailStateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/email/{em}":{"get":{"tags":["User"],"description":"Get availability of user email","operationId":"checkEmailOld","parameters":[{"name":"em","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/users/enableTotp":{"post":{"tags":["User"],"description":"Enable time-based one-time password for a user after token code is provided","operationId":"enableTotp","requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTLoginTotpParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/eula":{"get":{"tags":["User"],"description":"List all EULAs in the system","operationId":"getEulas","parameters":[{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTEulaInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Upload a new EULA to the server","operationId":"createEula","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEulaTypeParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEulaInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/eula/{eid}":{"get":{"tags":["User"],"description":"Get a EULA by ID","operationId":"getEula","parameters":[{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTEulaInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Delete a EULA","operationId":"deleteEula","parameters":[{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/generateTotpSecret":{"post":{"tags":["User"],"description":"Generates a time-based one-time password secret for a user","operationId":"generateTotpSecret","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserTotpParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTotpInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/handle/{handleId}":{"get":{"tags":["User"],"description":"Get user's public profile settings by handle (forum id)","operationId":"getPublicProfileInfo","parameters":[{"name":"handleId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTBaseInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/logininfo":{"post":{"tags":["User"],"description":"Anonymous API to get users's SignIn info for a given email. 
This API takes email address and","operationId":"getLoginInfo","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserLoginInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/mobileappupdateinfo":{"get":{"tags":["User"],"description":"Get mobile app update information; prompts or forces user to upgrade to latest version","operationId":"getMobileAppUpdateInfo","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMobileAppUpdateInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/photo":{"post":{"tags":["User"],"description":"Upload a new user profile picture","operationId":"savePhoto","parameters":[{"name":"xOffsetPx","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"yOffsetPx","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"sizePx","in":"query","schema":{"type":"integer","format":"int32"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"object","description":"The file to upload."},"uploadId":{"type":"string"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Delete current user's photo","operationId":"deletePhoto","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/preferences/web/factory":{"get":{"tags":["User"],"description":"Get Onshape web preference settings","operationId":"getOnshapeWebPreference","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserWebPreferenceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/resetScratchCodes":{"post":{"tags":["User"],"description":"Generate a new set of scratch codes","operationId":"resetScratchCodes","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserTotpParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTotpInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/resetTotp":{"post":{"tags":["User"],"description":"Generate new TOTP secret and scratch codes, for TOTP-enabled enterprise users.","operationId":"resetTotp","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserTotpParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTTotpInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/session":{"get":{"tags":["User"],"description":"Returned information depends on caller's OAuth2ReadPll scope.","operationId":"getUserSession","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"summary":"Authenticate a user's Onshape credentials, and create a session.","description":"Returned 
information depends on caller's `OAuth2ReadPll` scope.","operationId":"session","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTLoginParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["User"],"description":"Delete session and sign user out","operationId":"logout","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/session/jwt":{"get":{"tags":["User"],"description":"Redirect the requestor to the Auth0 signin page","operationId":"initiateSessionJwt","parameters":[{"name":"companyId","in":"query","schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Consume a JWT access token and emit a cookie with a redirect to the /documents page","operationId":"consumeSessionJwt","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"type":"object","properties":{"id_token":{"type":"string"},"state":{"type":"string"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/sessioninfo":{"get":{"tags":["User"],"summary":"Get the session information for an authenticated (signed-in) user.","description":"Returned information depends on caller's `OAuth2ReadPll` scope.","operationId":"sessionInfo","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserOAuth2SummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/users/sessions":{"get":{"tags":["User"],"description":"Return list of authenticated sessions","operationId":"getSessions","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTActiveSessionInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/settings":{"get":{"tags":["User"],"summary":"Get the user settings for the signed-in user (i.e., you) for the current session.","description":"* Non-admins can call this API for their own user ID. \n* Mouse button settings are contained in `reverseScrollWheelZoomDirection` and `viewManipulationMouseKeyMapping`. \n* For each action in `viewManipulationMouseKeyMapping`, an array of modifier key/mouse combos is provided that performs that action. \n* Possible modifier keys include `SHIFT` and `CTRL`. \n* Possible mouse buttons include `MMB` (middle mouse button), `RMB` (right mouse button), and `SCROLLWHEEL`. 
\n* Scrolling forward zooms in, unless `reverseScrollWheelZoomDirection` is set to `true`.","operationId":"getUserSettingsCurrentLoggedInUser","parameters":[{"name":"includematerials","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/users/settings/materiallibraries":{"get":{"tags":["User"],"description":"Get all the material libraries for the session user","operationId":"getMaterialLibraries","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMaterialLibrarySettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Update material libraries for the session user","operationId":"updateMaterialLibrarySettings","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTMaterialLibrarySettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/units":{"get":{"tags":["User"],"description":"Get default units","operationId":"getUnits","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}":{"get":{"tags":["User"],"description":"Get a user's information","operationId":"getUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2ReadPII"],"BasicAuth":["OAuth2ReadPII"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Update a user's information","operationId":"updateUser","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserUpdateParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["enterprise.member.edit"],"BasicAuth":["enterprise.member.edit"]}],"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Mark a user for deletion","operationId":"delete","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/approvetrial":{"post":{"tags":["User"],"description":"Approve the Individual or Company Trial if user is in REQUESTED state.","operationId":"approveTrialRequest","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"INTERNAL"}},"/users/{uid}/emails":{"get":{"tags":["User"],"description":"Get list of all emails a user has","operationId":"getEmails","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTUserEmailInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Add a new email to a user account","operationId":"addEmail","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Remove a non-primary email address from a user account","operationId":"removeEmail","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/emails/makePrimary":{"post":{"tags":["User"],"description":"Change a user's primary email address","operationId":"makeEmailPrimary","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/emails/resendVerifyEmail":{"post":{"tags":["User"],"description":"Resend an email 
verification request to a user","operationId":"resendVerifyEmail","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/emails/verify":{"post":{"tags":["User"],"description":"Admin version of email verification; override for users who don't respond to email","operationId":"adminVerifyEmail","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailVerifyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/emails/verify/{verId}":{"get":{"tags":["User"],"description":"Get information about an email verification request","operationId":"verifyEmailRequest","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"verId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Complete verification request for an email 
address","operationId":"verifyEmail","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"verId","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailVerifyParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserEmailInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/emails/{email}":{"delete":{"tags":["User"],"description":"Remove a non-primary email address from a user account","operationId":"removeEmailDeprecatd","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"email","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/eula":{"delete":{"tags":["User"],"description":"Delete all accepted EULAs for a user","operationId":"deleteAcceptEula","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"limitToLatest","in":"query","schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/eula/{eid}":{"post":{"tags":["User"],"description":"Accept EULA for a user","operationId":"acceptEulaAndCheckOnboard","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTAcceptedEulaInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/extauth":{"get":{"tags":["User"],"description":"Get all external authenticated identities","operationId":"getExternallyLinkedAuthentications","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTExternalAuthInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/extauth/{extid}":{"delete":{"tags":["User"],"description":"Delete a linked externally authenticated identity","operationId":"deleteExternallyLinkedAuthentication","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"extid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/invitation":{"get":{"tags":["User"],"description":"Get user's invitation details","operationId":"getInvitation","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTInvitationSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/metrics":{"get":{"tags":["User"],"description":"Get user metrics","operationId":"getMetrics","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"docCounts","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserMetricsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/migrationinfo":{"get":{"tags":["User"],"summary":"Returns info used to determine if a user is ready to be migrated to a new authentication solution.","operationId":"isUserReadyForMigration","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserMigrationInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/photo":{"post":{"tags":["User"],"description":"Change a user's profile image","operationId":"saveUserPhoto","parameters":[{"name":"xOffsetPx","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"yOffsetPx","in":"query","schema":{"type":"integer","format":"int32","default":0}},{"name":"sizePx","in":"query","schema":{"type":"integer","format":"int32"}},{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"required":["file","file"],"type":"object","properties":{"file":{"$ref":"#/components/schemas/FormDataContentDisposition"}}}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSummaryInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Change a user's profile image","operationId":"deleteUserPhoto","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/preferences/web":{"get":{"tags":["User"],"description":"Get all the preferences for 
user","operationId":"getAllUserWebPreferences","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTUserWebPreferenceInfo"}}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Create user preference for web client","operationId":"updateWebPreference","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserWebPreferencesParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserWebPreferenceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/preferences/web/{pid}":{"get":{"tags":["User"],"description":"Get the user preferences for web client for a given preference profile","operationId":"getUserWebPreference","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserWebPreferenceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"post":{"tags":["User"],"description":"Rename and update user preference for web client","operationId":"updateUserWebPreference","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserWebPreferencesParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserWebPreferenceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"},"delete":{"tags":["User"],"description":"Remove web preference profile for a user","operationId":"deleteWebPreference","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"pid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/rejecttrial":{"delete":{"tags":["User"],"description":"Reject the Individual or Company Trial if user is in REQUESTED state. Downgrades the user and","operationId":"rejectTrialRequest","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Purchase"],"BasicAuth":["OAuth2Purchase"]}],"x-BTVisibility":"INTERNAL"}},"/users/{uid}/removeSpecs":{"post":{"tags":["User"],"description":"Remove feature specs for a user","operationId":"removeUserSpecs","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/settings":{"get":{"tags":["User"],"summary":"Get the user settings for any user in your organization (admins 
only).","description":"* Mouse button settings are contained in `reverseScrollWheelZoomDirection` and `viewManipulationMouseKeyMapping`. \n* For each action in `viewManipulationMouseKeyMapping`, an array of modifier key/mouse combos is provided that performs that action. \n* Possible modifier keys include `SHIFT` and `CTRL`. \n* Possible mouse buttons include `MMB` (middle mouse button), `RMB` (right mouse button), and `SCROLLWHEEL`. \n* Scrolling forward zooms in, unless `reverseScrollWheelZoomDirection` is set to `true`.","operationId":"getUserSettings","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}},{"name":"includematerials","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["User"],"description":"Update a user's settings","operationId":"updateSettings","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSettingsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserSettingsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/specexternalreferences":{"get":{"tags":["User"],"description":"Get External references for the feature specs in the user's toolbar","operationId":"getSpecExternalReferences","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/ElementExternalReferenceInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/specs":{"post":{"tags":["User"],"description":"Add feature specs for a user","operationId":"addUserSpecs","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"string"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/state":{"post":{"tags":["User"],"description":"Transition user account from one state to other. All state changes except MARKED_FOR_DELETION","operationId":"updateState","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/users/{uid}/updateSpecs":{"post":{"tags":["User"],"description":"Update feature specs for a user. 
Noop for specs that don't exist in new versions.","operationId":"updateUserSpecs","parameters":[{"name":"uid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUserUpdateSpecsParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateSpecsInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/variables/d/{did}/w/{wid}/e/{eid}/variables":{"post":{"tags":["Variables"],"summary":"Assign variables to a Variable Studio","operationId":"setVariables","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/BTVariableParams"}}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/variables/d/{did}/w/{wid}/e/{eid}/variablestudioreferences":{"post":{"tags":["Variables"],"summary":"Set the Variable Studio references for an element.","operationId":"setVariableStudioReferences","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVariableStudioReferenceListInfo"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/variables/d/{did}/w/{wid}/e/{eid}/variablestudioscope":{"post":{"tags":["Variables"],"summary":"Set the scope the Variable Studio.","operationId":"setVariableStudioScope","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVariableStudioScopeInfo"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/variables/d/{did}/w/{wid}/variablestudio":{"post":{"tags":["Variables"],"summary":"Create a new Variable Studio in a document and workspace.","operationId":"createVariableStudio","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wid","in":"path","description":"The id of the workspace in which to perform the operation.","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTModelElementParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTDocumentElementInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"PRODUCTION"}},"/variables/d/{did}/{wv}/{wvid}/e/{eid}/variables":{"get":{"tags":["Variables"],"summary":"Get the contents of all variable tables in an element.","operationId":"getVariables","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"configuration","in":"query","schema":{"type":"string","default":""}},{"name":"includeValuesAndReferencedVariables","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVariableTableInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/variables/d/{did}/{wv}/{wvid}/e/{eid}/variablestudioreferences":{"get":{"tags":["Variables"],"summary":"Get the Variable Studio references for an element.","operationId":"getVariableStudioReferences","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVariableStudioReferenceListInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/variables/d/{did}/{wv}/{wvid}/e/{eid}/variablestudioscope":{"get":{"tags":["Variables"],"summary":"Get the scope of a Variable Studio.","operationId":"getVariableStudioScope","parameters":[{"name":"did","in":"path","description":"The id of the document in which to perform the operation.","required":true,"schema":{"type":"string"}},{"name":"linkDocumentId","in":"query","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. 
This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both.","schema":{"type":"string","default":""}},{"name":"wv","in":"path","description":"Indicates which of workspace (w) or version (v) id is specified below.","required":true,"schema":{"type":"string","enum":["w","v"]}},{"name":"wvid","in":"path","description":"The id of the workspace, version in which the operation should be performed.","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","description":"The id of the element in which to perform the operation.","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTVariableStudioScopeInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/versions":{"get":{"tags":["Version"],"summary":"Get all versions of the Onshape REST APIs.","operationId":"getAllVersions","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/Versions"}}}}},"deprecated":false,"x-BTVisibility":"PRODUCTION"}},"/versions/test":{"get":{"tags":["Version"],"summary":"Get all versions of the Onshape REST APIs.","operationId":"testVersionsGet","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Version"],"summary":"Updates an API version 1 or version 2 structure, based on the Accept header passed.","operationId":"testVersionsPost","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":true,"x-BTVisibility":"PRODUCTION"}},"/webServiceTest/region":{"get":{"tags":["ClientCheck"],"description":"Get the Web server region and expected region","operationId":"getWsRegion","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTRegionCheckResponse"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/webhooks":{"get":{"tags":["Webhook"],"summary":"Get a list of all webhooks registered by a user or company.","operationId":"getWebhooks","parameters":[{"name":"company","in":"query","schema":{"type":"string","default":""}},{"name":"user","in":"query","schema":{"type":"string"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTWebhookInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Webhook"],"summary":"Create a new webhook.","operationId":"createWebhook","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookInfo"}}}}},"callbacks":{"onshape.user.lifecycle.updateappsettings":{"{$request.body#/url}":{"get":{"summary":"Occurs when user application settings are 
modified.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTUserAppMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.changed":{"{$request.body#/url}":{"get":{"summary":"Occurs when a change to a model has been made.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.translation.complete":{"{$request.body#/url}":{"get":{"summary":"Occurs when a translation request is completed.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.metadata":{"{$request.body#/url}":{"get":{"summary":"Occurs when part or element metadata is modified.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.createversion":{"{$request.body#/url}":{"get":{"summary":"Occurs when a new version of a document is created.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.createworkspace":{"{$request.body#/url}":{"get":{"summary":"Occurs when a new workspace is created.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWorkspaceMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.deleteworkspace":{"{$request.body#/url}":{"get":{"summary":"Occurs when a workspace is deleted.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWorkspaceMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.mergeworkspace":{"{$request.body#/url}":{"get":{"summary":"Occurs when a version or workspace is 
merged.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWorkspaceMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.restoreworkspace":{"{$request.body#/url}":{"get":{"summary":"Occurs when a workspace is restored to a previous version or microversion.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWorkspaceMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.updateworkspaceunits":{"{$request.body#/url}":{"get":{"summary":"Occurs when workspace units or precisions are changed.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWorkspaceMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.createelement":{"{$request.body#/url}":{"get":{"summary":"Occurs when a new element is created.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.deleteelement":{"{$request.body#/url}":{"get":{"summary":"Occurs when an element is deleted.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.document.lifecycle.statechange":{"{$request.body#/url}":{"get":{"summary":"Occurs when a document changes state.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.changed.externalreferences":{"{$request.body#/url}":{"get":{"summary":"Occurs when an external reference 
changes.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.model.lifecycle.changed.namedviews":{"{$request.body#/url}":{"get":{"summary":"Occurs when the element's named views change.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.document.lifecycle.created":{"{$request.body#/url}":{"get":{"summary":"Occurs when a document is created.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.revision.created":{"{$request.body#/url}":{"get":{"summary":"Occurs when a revision is created.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTRevisionMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.comment.create":{"{$request.body#/url}":{"get":{"summary":"Occurs when a comment is created in a document.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.comment.update":{"{$request.body#/url}":{"get":{"summary":"Occurs when a comment is updated in a document.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.comment.delete":{"{$request.body#/url}":{"get":{"summary":"Occurs when a comment is deleted in a document.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTDocumentMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"onshape.workflow.transition":{"{$request.body#/url}":{"get":{"summary":"Occurs when a revision or release package transitions through workflow 
states.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWorkflowMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"webhook.ping":{"{$request.body#/url}":{"get":{"summary":"Occurs either in response to a request by an application to call a registered webhook, or as a post-registration validation initiated by Onshape.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWebhookLifecycleMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"webhook.register":{"{$request.body#/url}":{"get":{"summary":"Occurs in response to a notification registration API call.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWebhookLifecycleMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}},"webhook.unregister":{"{$request.body#/url}":{"get":{"summary":"Occurs in response to a notification deregistration API call.","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BTWebhookLifecycleMessageBody"}}}},"responses":{"200":{"description":"OK"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/webhooks/events":{"get":{"tags":["Webhook"],"summary":"Get webhook event data list.","description":"Get list of webhook event data. 
Can be filtered by company id, document id and date range.","operationId":"getWebhooksEventData","parameters":[{"name":"companyId","in":"query","schema":{"type":"string"}},{"name":"documentId","in":"query","schema":{"type":"string"}},{"name":"startDate","in":"query","schema":{"type":"string"}},{"name":"endDate","in":"query","schema":{"type":"string"}},{"name":"all","in":"query","schema":{"type":"boolean","default":false}},{"name":"sortColumn","in":"query","schema":{"type":"string","default":"modifiedAt"}},{"name":"sortOrder","in":"query","schema":{"type":"string","default":"desc"}},{"name":"offset","in":"query","schema":{"minimum":0,"type":"integer","format":"int32","default":0}},{"name":"limit","in":"query","schema":{"maximum":20,"minimum":1,"type":"integer","format":"int32","default":20}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTWebhookEventNotifyDataInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/webhooks/{webhookid}":{"get":{"tags":["Webhook"],"summary":"Get webhook info by webhook ID.","operationId":"getWebhook","parameters":[{"name":"webhookid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"post":{"tags":["Webhook"],"summary":"Update a webhook.","description":"Update a webhook","operationId":"updateWebhook","parameters":[{"name":"webhookid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookParams"}}}},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWebhookInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"},"delete":{"tags":["Webhook"],"summary":"Unregister a webhook.","operationId":"unregisterWebhook","parameters":[{"name":"webhookid","in":"path","required":true,"schema":{"type":"string"}},{"name":"blockNotification","in":"query","schema":{"type":"boolean","default":false}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/webhooks/{webhookid}/ping":{"post":{"tags":["Webhook"],"summary":"Ping a webhook.","operationId":"pingWebhook","parameters":[{"name":"webhookid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/workflow/active":{"get":{"tags":["Workflow"],"summary":"Get all active workflows for the currently logged in user's company.","description":"Optionally takes a document ID to return all workflows for that document's owning company.","operationId":"getActiveWorkflows","parameters":[{"name":"documentId","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTActiveWorkflowInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/workflow/available":{"get":{"tags":["Workflow"],"description":"Get all available workflows for the logged-in user's 
company","operationId":"getAllAvailableWorkflows","parameters":[{"name":"full","in":"query","schema":{"type":"boolean"}},{"name":"onlyPickable","in":"query","schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGroupedWorkflowInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/workflow/c/{cid}/id/{wid}/v/{vid}":{"get":{"tags":["Workflow"],"description":"Get a published workflow definition","operationId":"getPublishedWorkflowDef","parameters":[{"name":"cid","in":"path","required":true,"schema":{"type":"string"}},{"name":"wid","in":"path","required":true,"schema":{"type":"string"}},{"name":"vid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkflowDef"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/workflow/c/{companyId}/approvers":{"get":{"tags":["Workflow"],"summary":"Get all identities allowed to be approvers on a workflow object.","description":"* Identities can be users and/or teams. \n* For Enterprise accounts, also includes roles and any aliases that contain allowed users/teams. \n* Not object- or property-specific. 
\n* Used for delegation and company settings.","operationId":"getAllowedApprovers","parameters":[{"name":"companyId","in":"path","required":true,"schema":{"type":"string"}},{"name":"q","in":"query","schema":{"type":"string","default":""}},{"name":"expandTeams","in":"query","schema":{"type":"boolean","default":true}},{"name":"includeSelf","in":"query","schema":{"type":"boolean","default":true}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTWorkflowObserverOptionInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/workflow/companies/{cid}/objects":{"get":{"tags":["Workflow"],"summary":"Enumerate all of a company's workflowable objects.","description":"* For example, you can enumerate RELEASES, TASKS, etc in a company by last modified time. \n* Caller must be a company admin. \n* Specify `modifiedAfter` and use the `next` URI for complete enumeration.","operationId":"enumerateObjectWorkflows","parameters":[{"name":"cid","in":"path","description":"The company or enterprise ID that owns the resource.","required":true,"schema":{"type":"string"}},{"name":"objectTypes","in":"query","description":"Optionally filter for specific workflowable types. 
Defaults to RELEASE and OBSOLETION","schema":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIWorkflowableType"}}},{"name":"states","in":"query","description":"Optionally filter for specific workflow states like PENDING, RELEASED","schema":{"uniqueItems":true,"type":"array","items":{"type":"string"}}},{"name":"limit","in":"query","description":"The number of items to return in a single API call","schema":{"maximum":100,"minimum":1,"type":"integer","format":"int32","default":20}},{"name":"modifiedAfter","in":"query","description":"The earliest modification date of workflowable object to find.","schema":{"type":"string","format":"date-time","default":"2000-01-01T00:00:00Z"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTObjectWorkflowInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/workflow/d/{did}/{wvm}/{wvmid}/e/{eid}/validate":{"get":{"tags":["Workflow"],"description":"Validate a workflow definition from a document element","operationId":"validateFromElement","parameters":[{"name":"did","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvm","in":"path","required":true,"schema":{"type":"string"}},{"name":"wvmid","in":"path","required":true,"schema":{"type":"string"}},{"name":"eid","in":"path","required":true,"schema":{"type":"string"}},{"name":"obsoletion","in":"query","schema":{"type":"boolean","default":false}},{"name":"workflowableType","in":"query","schema":{"type":"integer","format":"int32"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowErrorInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"}},"/workflow/obj/{objectId}/auditlog":{"get":{"tags":["Workflow"],"summary":"Get all audit log entries for a workflowable object.","description":"Get all audit log entries for the workflowable object identified by `objectId`.","operationId":"getAuditLog","parameters":[{"name":"objectId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkflowAuditLogInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"PRODUCTION"}},"/workflow/obj/{objectId}/prop/{propertyId}/allowed":{"get":{"tags":["Workflow"],"description":"Get identities (users and/or teams) allowed to be assigned to a property on a workflow object","operationId":"getAllowedIdentities","parameters":[{"name":"objectId","in":"path","required":true,"schema":{"type":"string"}},{"name":"propertyId","in":"path","required":true,"schema":{"type":"string"}},{"name":"q","in":"query","schema":{"type":"string","default":""}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTListResponseBTWorkflowObserverOptionInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/workflow/publish":{"post":{"tags":["Workflow"],"description":"Publish a workflow definition","operationId":"publish","parameters":[{"name":"wfid","in":"query","schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublishWorkflowParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublishedWorkflowInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/workflow/update":{"post":{"tags":["Workflow"],"description":"update a workflow","operationId":"updateWorkflows","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateWorkflowWrapperParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTGroupedWorkflowInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/workflow/validate":{"post":{"tags":["Workflow"],"description":"Validate a workflow definition from standalone JSON","operationId":"validateFromJson","parameters":[{"name":"companyId","in":"query","required":true,"schema":{"type":"string"}},{"name":"obsoletion","in":"query","schema":{"type":"boolean","default":false}},{"name":"workflowableType","in":"query","schema":{"type":"integer","format":"int32"}}],"requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTValidateWorkflowParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowErrorInfo"}}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/workflow/{wid}/unpublish":{"post":{"tags":["Workflow"],"description":"Unpublish a 
workflow","operationId":"unpublish","parameters":[{"name":"wid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTPublishedWorkflowInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/workflowabletestobject/testobject/{wfid}":{"post":{"tags":["WorkflowableTestObject"],"summary":"Update workflowable test object by workflow ID.","operationId":"createWorkflowableTestObject","parameters":[{"name":"wfid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkflowableTestObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/workflowabletestobject/{oid}":{"get":{"tags":["WorkflowableTestObject"],"summary":"Retrieve workflowable test object by object ID.","operationId":"getWorkflowableTestObject","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkflowableTestObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Read"],"BasicAuth":["OAuth2Read"]}],"x-BTVisibility":"INTERNAL"},"post":{"tags":["WorkflowableTestObject"],"summary":"Update workflowable test object by object ID.","operationId":"updateWorkflowableTestObject","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTUpdateWorkflowableTestObjectParams"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkflowableTestObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/workflowabletestobject/{oid}/{transition}":{"post":{"tags":["WorkflowableTestObject"],"summary":"Update workflowable test object transition by object ID.","operationId":"transitionWorkflowableTestObject","parameters":[{"name":"oid","in":"path","required":true,"schema":{"type":"string"}},{"name":"transition","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTWorkflowableTestObjectInfo"}}}}},"deprecated":false,"security":[{"OAuth2":["OAuth2Write"],"BasicAuth":["OAuth2Write"]}],"x-BTVisibility":"INTERNAL"}},"/zuora/account/{aid}/card/{cid}":{"post":{"tags":["ZuoraWebhook"],"description":"Update default card for the Zuora account ID","operationId":"updateDefaultZuoraCard","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}},{"name":"cid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZuoraCardInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/card/{aid}":{"get":{"tags":["ZuoraWebhook"],"description":"Get default card details for the Zuora account ID","operationId":"getDefaultZuoraCard","parameters":[{"name":"aid","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZuoraCardInfo"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/registerCard":{"get":{"tags":["ZuoraWebhook"],"description":"Handle redirection back to Onshape after a card payment","operationId":"paymentPageRedirect","parameters":[{"name":"refId","in":"query","schema":{"type":"string"}},{"name":"field_passthrough1","in":"query","required":true,"schema":{"type":"string"}},{"name":"field_passthrough2","in":"query","schema":{"type":"string"}},{"name":"field_passthrough3","in":"query","schema":{"type":"string"}},{"name":"field_passthrough4","in":"query","schema":{"type":"string"}},{"name":"errorMessage","in":"query","schema":{"type":"string"}},{"name":"success","in":"query","required":true,"schema":{"type":"boolean"}}],"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/signature":{"get":{"tags":["ZuoraWebhook"],"description":"Get signature from Zuora","operationId":"getPaymentPageSignature","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZuoraSignature"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/webhook/product/removed":{"post":{"tags":["ZuoraWebhook"],"description":"Handle an incoming product removal callout from Zuora","operationId":"handleZuoraProductRemoved","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/webhook/subscription/cancelled":{"post":{"tags":["ZuoraWebhook"],"description":"Handle an incoming subscription cancelled callout from Zuora","operationId":"handleZuoraSubscriptionRenewedCancelled","responses":{"default":{"description":"default 
response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/webhook/subscription/created":{"post":{"tags":["ZuoraWebhook"],"description":"Handle an incoming subscription created callout from Zuora","operationId":"handleZuoraSubscriptionCreatedCallout","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/webhook/subscription/renewed":{"post":{"tags":["ZuoraWebhook"],"description":"Handle an incoming subscription renewed callout from Zuora","operationId":"handleZuoraSubscriptionRenewedCallout","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/webhook/workflow/changeplan":{"post":{"tags":["ZuoraWebhook"],"description":"Handle an incoming workflow callout from Zuora","operationId":"handleZuoraWorkflowChangePlan","requestBody":{"content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"$ref":"#/components/schemas/BTZuoraWorkflowChangePlanOnSubscription"}}},"required":true},"responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}},"/zuora/webhook/workflow/updateproduct":{"post":{"tags":["ZuoraWebhook"],"description":"Handle an incoming workflow callout from Zuora","operationId":"handleZuoraWorkflowUpdateProduct","responses":{"default":{"description":"default response","content":{"application/json;charset=UTF-8; 
qs=0.09":{"schema":{"type":"object"}}}}},"deprecated":false,"x-BTVisibility":"INTERNAL"}}},"components":{"schemas":{"AccessGrantedVia":{"type":"string","enum":["me","team","company"]},"Accessor":{"type":"object","properties":{"bufferView":{"type":"integer","format":"int32"},"byteOffset":{"type":"integer","format":"int32"},"componentType":{"type":"integer","format":"int32"},"count":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"max":{"type":"array","items":{"type":"number"}},"min":{"type":"array","items":{"type":"number"}},"name":{"type":"string"},"normalized":{"type":"boolean"},"sparse":{"$ref":"#/components/schemas/AccessorSparse"},"type":{"type":"string"}}},"AccessorData":{"type":"object","properties":{"numComponentsPerElement":{"type":"integer","format":"int32"},"numElements":{"type":"integer","format":"int32"},"totalNumComponents":{"type":"integer","format":"int32"}}},"AccessorModel":{"type":"object","properties":{"accessorData":{"$ref":"#/components/schemas/AccessorData"},"bufferViewModel":{"$ref":"#/components/schemas/BufferViewModel"},"byteOffset":{"type":"integer","format":"int32"},"byteStride":{"type":"integer","format":"int32"},"componentSizeInBytes":{"type":"integer","format":"int32"},"componentType":{"type":"integer","format":"int32"},"count":{"type":"integer","format":"int32"},"elementSizeInBytes":{"type":"integer","format":"int32"},"elementType":{"$ref":"#/components/schemas/ElementType"},"max":{"type":"array","items":{"type":"number"}},"min":{"type":"array","items":{"type":"number"}},"name":{"type":"string"}}},"AccessorSparse":{"type":"object","properties":{"count":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"indices":{"$ref":"#/components/schemas/AccessorSparseIndices"},"values":{"$ref":"#/components/schemas/AccessorSparseValues"}}},"AccessorSparseIndices":{"type":"object",
"properties":{"bufferView":{"type":"integer","format":"int32"},"byteOffset":{"type":"integer","format":"int32"},"componentType":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"}}},"AccessorSparseValues":{"type":"object","properties":{"bufferView":{"type":"integer","format":"int32"},"byteOffset":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"}}},"Action":{"type":"object","properties":{"name":{"type":"string"},"paths":{"type":"array","items":{"$ref":"#/components/schemas/Path"}},"suggestion":{"type":"string"}}},"AddedOrDeletedElementInfo":{"type":"object","properties":{"elementId":{"type":"string"},"elementName":{"type":"string"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"microversion":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"}}},"Address":{"type":"object","properties":{"city":{"type":"string"},"country":{"type":"string"},"line1":{"type":"string"},"line2":{"type":"string"},"postalCode":{"type":"string"},"state":{"type":"string"}}},"Animation":{"type":"object","properties":{"channels":{"type":"array","items":{"$ref":"#/components/schemas/AnimationChannel"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"samplers":{"type":"array","items":{"$ref":"#/components/schemas/AnimationSampler"}}}},"AnimationChannel":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"sampler":{"type":"integer","format":"int32"},"target":{"$ref":"#/components/schemas/AnimationChannelTarget"}}},"AnimationChannelTarget":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"node":{"type":"integer","format":"int32"},"path":{"type":"string"}}},"An
imationModel":{"type":"object","properties":{"channels":{"type":"array","items":{"$ref":"#/components/schemas/Channel"}},"name":{"type":"string"}}},"AnimationSampler":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"input":{"type":"integer","format":"int32"},"interpolation":{"type":"string"},"output":{"type":"integer","format":"int32"}}},"ApiResponse":{"type":"object","properties":{"content":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get$ref":{"type":"string"},"headers":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"links":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Link"}}}},"ApiResponses":{"type":"object","properties":{"default":{"$ref":"#/components/schemas/ApiResponse"},"empty":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}}},"additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"Asset":{"type":"object","properties":{"copyright":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"generator":{"type":"string"},"minVersion":{"type":"string"},"version":{"type":"string"}}},"BTAPIApplicationDeprecateParams":{"type":"object","properties":{"ownerEmailMessageText":{"type":"string"},"ownerEmailSubjectText":{"type":"string"},"userEmailMessageText":{"type":"string"},"userEmailSubjectText":{"type":"string"}}},"BTAPIApplicationExtAuthParams":{"type":"object","properties":{"accessTokenUrl":{"type":"string"},"authUrl":{"type":"string"},"clientId":{"type":"string"},"clientSecret":{"type":"string"},"extensionId":{"type":"string"},"revokeUrl":{"type":"string"},"scopes":{"type":"string"},"tokenExpiryTimeInSeconds":{"type":"integer","forma
t":"int32"}}},"BTAPIApplicationExtensionActionParams":{"type":"object","properties":{"ab":{"type":"string"},"apj":{"type":"string"},"documentId":{"type":"string"}}},"BTAPIApplicationExtensionInfo":{"type":"object","properties":{"actionBody":{"type":"string"},"actionType":{"type":"integer","format":"int32"},"actionUrl":{"type":"string"},"applicationId":{"type":"string"},"clientId":{"type":"string"},"description":{"type":"string"},"extensionContext":{"type":"integer","format":"int64"},"extensionLocation":{"type":"integer","format":"int64"},"hasIcon":{"type":"boolean"},"hasPendingIcon":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"iconUrl":{"type":"string"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"parentAppPrimaryFormat":{"type":"string"},"showResponse":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIApplicationExtensionParams":{"type":"object","properties":{"actionBody":{"type":"string"},"actionType":{"type":"integer","format":"int32"},"actionUrl":{"type":"string"},"clientId":{"type":"string"},"description":{"type":"string"},"extensionContext":{"type":"integer","format":"int64"},"extensionLocation":{"type":"integer","format":"int64"},"name":{"type":"string"},"showResponse":{"type":"boolean"}}},"BTAPIApplicationExternalAuthInfo":{"type":"object","properties":{"accessTokenUrl":{"type":"string"},"applicationId":{"type":"string"},"authUrl":{"type":"string"},"clientId":{"type":"string"},"clientSecret":{"type":"string"},"extensionId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"revokeUrl":{"type":"string"},"scopes":{"type":"string"},"tokenExpiryTimeInSeconds":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIApplicationGrantInfo":{"type":"object","properties":{"applicationId":{"type":"string"},"companyId":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIApplicationInfo":{"type":"object","properties":{"adminTeamId":{"type":"string"},"applicationScopes":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIApplicationScopeInfo"}},"applicationType":{"type":"integer","format":"int32"},"baseHref":{"type":"string"},"clientId":{"type":"string"},"companyId":{"type":"string"},"description":{"type":"string"},"developerEmail":{"type":"string"},"developerId":{"type":"string"},"emebeddedExternalAuthType":{"type":"integer","format":"int32"},"emebeddedOnshapeAuthType":{"type":"integer","format":"int32"},"extensions":{"type":"array","items":{"$ref":"#/components/schemas/BTAPIApplicationExtensionInfo"}},"externalGrantStatus":{"type":"integer","format":"int32"},"grants":{"type":"array","items":{"$ref":"#/components/schemas/BTGrantStatusInfo"}},"hasExternalGrant":{"type":"boolean"},"hasOnshapeGrant":{"type":"boolean"},"hasPendingTabIcon":{"type":"boolean"},"hasTabIcon":{"type":"boolean"},"hiddenFromPlusMenu":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"internalGrantOnDemand":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"onshapeGrantStatus":{"type":"integer","format":"int32"},"plansSupported":{"type":"array","items":{"type":"string"}},"primaryFormat":{"type":"string"},"redirectEndpoints":{"type":"array","items":{"type":"string"}},"secret":{"type":"string"},"state":{"type":"integer","format":"int32"},"storeEntryIsPublic":{"type":"boolean"},"supportEmail":{"type":"string"},"supportsCollaboration":{"type":"boolean"},"systemApplication":{"type":"boolean"},"uiSpec":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIApplicationParams":{"type":"object","properties":{"adminTeamId":{"type":"string"},"allowUseAsService":{"type":"boolean"},"applicationType":{"type":"integer","format":"int32"},"audience":{"type":"string"},"baseHref":{"type":"string"},"clientId":{"type":"string"},"companyId":{"type":"string"},"description":{"type":"string"},"developerEmail":{"type":"string"},"developerId":{"type":"string"},"emebeddedExternalAuthType":{"type":"integer","format":"int32"},"emebeddedOnshapeAuthType":{"type":"integer","format":"int32"},"hiddenFromPlusMenu":{"type":"boolean"},"internalGrantOnDemand":{"type":"boolean"},"name":{"type":"string"},"plansSupported":{"type":"array","items":{"type":"string"}},"primaryFormat":{"type":"string"},"productType":{"type":"string"},"redirectURLs":{"type":"array","items":{"type":"string"}},"scopeNames":{"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"storeEntryIsPublic":{"type":"boolean"},"supportEmail":{"type":"string"},"supportsCollaboration":{"type":"boolean"},"supportsMerge":{"type":"boolean"},"uiSpec":{"type":"string"}}},"BTAPIApplicationScopeInfo":{"type":"object","properties":{"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"systemScope":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIApplicationSummaryInfo":{"type":"object","properties":{"clientId":{"type":"string"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"state":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIApplicationUseInfo":{"type":"object","properties":{"applicationId":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"userId":{"type":"string"}}},"BTAPIApplicationUserInfo":{"type":"object","properties":{"application":{"$ref":"#/components/schemas/BTAPIApplicationInfo"},"applicationUse":{"$ref":"#/components/schemas/BTAPIApplicationUseInfo"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"purchase":{"$ref":"#/components/schemas/BTPurchaseInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAPIDeveloperInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"description":{"type":"string"},"developerEulaId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"website":{"type":"string"}}},"BTAPIDeveloperParams":{"type":"object","properties":{"companyId":{"type":"string"},"description":{"type":"string"},"name":{"type":"string"},"userId":{"type":"string"},"website":{"type":"string"}}},"BTAPIKeyParams":{"type":"object","properties":{"companyId":{"type":"string"},"scopeNames":{"type":"array","items":{"type":"string"}}}},"BTAPIPartnerInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"website":{"type":"string"}}},"BTAPIPartnerParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"userId":{"type":"string"},"website":{"type":"string"}}},"BTAPIWorkflowableType":{"type":"string","description":"All workflowable types that can be 
enumerated.","enum":["RELEASE","TASK","ASSIGNMENT","OBSOLETION"]},"BTAcceptedAgreementInfo":{"type":"object","properties":{"acceptedAt":{"type":"string","format":"date-time"},"agreementId":{"type":"string"},"agreementVersion":{"type":"integer","format":"int64"}}},"BTAcceptedEulaInfo":{"type":"object","properties":{"acceptedAt":{"type":"string","format":"date-time"},"eulaId":{"type":"string"},"eulaVersion":{"type":"integer","format":"int64"}}},"BTAclEntryInfo":{"type":"object","properties":{"acceptOwnerTransfer":{"type":"boolean"},"companyName":{"type":"string"},"email":{"type":"string"},"enterpriseMember":{"type":"boolean"},"entryId":{"type":"string"},"entryState":{"$ref":"#/components/schemas/BTUserState"},"entryType":{"type":"integer","format":"int32"},"image":{"type":"string"},"name":{"type":"string"},"objectId":{"type":"string"},"pendingOwnerTransfer":{"type":"boolean"},"permission":{"type":"integer","format":"int64"},"permissionSet":{"type":"array","items":{"type":"string"}},"teamName":{"type":"string"}}},"BTAclInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTAclEntryInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"inheritedAcls":{"type":"array","items":{"$ref":"#/components/schemas/BTInheritedAclInfo"}},"name":{"type":"string","description":"Name of the resource."},"objectId":{"type":"string"},"objectType":{"type":"integer","format":"int64"},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"public":{"type":"boolean"},"sharedWithSupport":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"visibility":{"type":"string"}}},"BTAclParams":{"type":"object","properties":{"anonymousAccessAllowed":{"type":"boolean"},"anonymousAllowsExport":{"type":"boolean"},"docStateParams":{"type":"object","additionalProperties":{"type":"string"}},"documentId":{"type":"string"},"elementId":{"type":"string"},"public":{"type":"boolean"},"workspaceId":{"type":"string"}}},"BTActionDef":{"type":"object","properties":{"name":{"type":"string"},"params":{"type":"object","additionalProperties":{"type":"object"}}}},"BTActiveSessionInfo":{"type":"object","properties":{"name":{"type":"string"},"target":{"type":"string","format":"uri"}}},"BTActiveSheetMetalFilter-2944":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isFromActiveSheetMetal":{"type":"boolean"}}}]},"BTActiveWorkflowInfo":{"type":"object","properties":{"allowReleaseItemsFromOtherDocuments":{"type":"boolean"},"canCurrentUserCreateReleases":{"type":"boolean"},"canCurrentUserEditStandardContent":{"type":"boolean"},"canCurrentUserManageWorkflows":{"type":"boolean"},"canCurrentUserSeeArenaItemLink":{"type":"boolean"},"canCurrentUserSyncBomToArena":{"type":"boolean"},"canCurrentUserSyncRevisionsToArena":{"type":"boolean"},"canCurrentUserSyncStandardContentToArena":{"type":"boolean"},"canCurrentUserSyncToArena":{"type":"boolean"},"companyId":{"type":"string"},"documentId":{"type":"string"},"drawingCanDuplicatePartNumber":{"type":"boolean"},"enabledActiveMultipleWorkflows":{"type":"boolean"},"obsoletionWorkflow":{"$ref":"#/components/schemas/BTPublishedWorkflowInfo"},"obsoletionWorkflowId":{"type":"string"},"partNumberingSchemeId":{"type":"string"},"pickableWorkflows":{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowInfo"}},"releaseWorkflow":{"$ref":"#/components/schemas/BTPublishedWorkflowInfo"},"releaseWorkflowId":{"type":"string"},"releaseableApplic
ations":{"type":"array","items":{"type":"string"}},"standardContentNumberingSchemeId":{"type":"string"},"standardContentUsingAutoNumbering":{"type":"boolean"},"standardContentUsingThirdPartyPartNumbering":{"type":"boolean"},"usingAutoPartNumbering":{"type":"boolean"},"usingManagedWorkflow":{"type":"boolean"},"usingThirdPartyPartNumbering":{"type":"boolean"}}},"BTAddClassroomMemberResultInfo":{"type":"object","properties":{"classroomMemberInfo":{"$ref":"#/components/schemas/BTClassroomMemberInfo"},"email":{"type":"string"},"id":{"type":"string"},"message":{"type":"string"},"success":{"type":"boolean"}}},"BTAddFriendParams":{"type":"object","properties":{"email":{"type":"string"}}},"BTAddMemberResultInfo":{"type":"object","properties":{"email":{"type":"string"},"id":{"type":"string"},"message":{"type":"string"},"success":{"type":"boolean"}}},"BTAddTeamMemberResultInfo":{"type":"object","properties":{"email":{"type":"string"},"id":{"type":"string"},"message":{"type":"string"},"success":{"type":"boolean"},"teamMemberInfo":{"$ref":"#/components/schemas/BTTeamMemberInfo"}}},"BTAddressInfo":{"type":"object","properties":{"address":{"type":"string"},"city":{"type":"string"},"country":{"type":"string"},"countryCode":{"type":"string"},"id":{"type":"string"},"state":{"type":"string"},"stateCode":{"type":"string"},"zip":{"type":"string"}}},"BTAdminAuditEvent":{"type":"object","properties":{"adminId":{"type":"string"},"adminName":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"eventType":{"type":"string"},"id":{"type":"string"},"params":{"type":"object","additionalProperties":{"type":"object"}},"statusCode":{"type":"integer","format":"int32"}}},"BTAdminAuditEventInfo":{"type":"object","properties":{"events":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminAuditEvent"}}}},"BTAdminGroup":{"type":"string","enum":["QA","SUPPORT","DEVELOPER","FINANCE","MARKETING","DEVOPS"]},"BTAdminGroupParams":{"type":"object","properties":{"groups":{"uniqueItems":t
rue,"type":"array","items":{"type":"string"}},"userId":{"type":"string"}}},"BTAdminRoleComponent":{"type":"object","properties":{"actions":{"type":"array","items":{"$ref":"#/components/schemas/Action"}},"allowed":{"type":"boolean"},"group":{"type":"integer","format":"int32"},"id":{"type":"string"},"isMenu":{"type":"boolean","writeOnly":true},"method":{"type":"string"},"name":{"type":"string"},"subActions":{"type":"array","items":{"$ref":"#/components/schemas/Action"}},"subactions":{"type":"array","writeOnly":true,"items":{"$ref":"#/components/schemas/Action"}}}},"BTAdminRoleInfo":{"type":"object","properties":{"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"permissions":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminRolePermissionInfo"}},"users":{"type":"array","items":{"$ref":"#/components/schemas/BTUserSummaryInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAdminRoleMenu":{"type":"object","properties":{"group":{"type":"integer","format":"int32"},"id":{"type":"string"},"label":{"type":"string","description":"Label will get displayed in the sidebar menu in admin console"},"paths":{"type":"array","description":"Browser will redirect to this path after user click on menu","items":{"type":"string","description":"Browser will redirect to this path after user click on menu"}},"sref":{"type":"string","description":"ui router state where link will redirect user after click"},"srefAngular":{"type":"boolean","description":"Angular 15 module routing should set this to 
true"},"srefangular":{"type":"boolean","writeOnly":true},"subid":{"type":"string"}}},"BTAdminRoleParams":{"type":"object","properties":{"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"permissions":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminRolePermissionParams"}}}},"BTAdminRolePermissionInfo":{"type":"object","properties":{"allowed":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"method":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"resourceLabel":{"type":"string"},"resourcePath":{"type":"string"},"roleId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAdminRolePermissionParams":{"type":"object","properties":{"allowed":{"type":"boolean"},"method":{"type":"string"},"resourceLabel":{"type":"string"},"resourcePath":{"type":"string"}}},"BTAdminTaskInfo":{"type":"object","properties":{"author":{"type":"string"},"className":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"executedVersion":{"type":"integer","format":"int64"},"failureMessage":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastExecutedAt":{"type":"string","format":"date-time"},"lastExecutedOnHost":{"type":"string"},"lastExecutionTookMs":{"type":"integer","format":"int64"},"message":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"status":{"type":"integer","format":"int64"},"taskVersion":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient 
if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTAdminTaskParams":{"type":"object","properties":{"force":{"type":"boolean"},"message":{"type":"string"},"taskName":{"type":"string"},"taskNames":{"type":"array","items":{"type":"string"}}}},"BTAdminTaskResultInfo":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}},"successTasks":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminTaskInfo"}}}},"BTAdminUserGroupInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"groups":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTAdminGroup"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"user":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAdminUserRoleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"roleInfos":{"type":"array","items":{"$ref":"#/components/schemas/BTAdminRoleInfo"}},"userInfo":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTAdminUserRoleParams":{"type":"object","properties":{"roleIds":{"type":"array","items":{"type":"string"}},"userId":{"type":"string"}}},"BTAffectedReleaseItemParams":{"type":"object","properties":{"affectedItemId":{"type":"string"},"releaseItemId":{"type":"string"}}},"BTAgreementInfo":{"type":"object","properties":{"content":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"options":{"type":"array","items":{"type":"string"}},"reapply":{"type":"boolean"},"type":{"type":"integer","format":"int32"},"version":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAgreementParams":{"type":"object","properties":{"content":{"type":"string"},"name":{"type":"string"},"options":{"type":"array","items":{"type":"string"}},"reapply":{"type":"boolean"},"type":{"type":"integer","format":"int32"},"version":{"type":"integer","format":"int64"}}},"BTAliasEntryInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"identity":{"$ref":"#/components/schemas/BTIdentityInfo"},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTAliasEntryParams":{"type":"object","properties":{"email":{"type":"string"},"teamId":{"type":"string"},"userId":{"type":"string"}}},"BTAliasInfo":{"type":"object","properties":{"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"description":{"type":"string"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTAliasEntryInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"identities":{"type":"array","items":{"$ref":"#/components/schemas/BTIdentityInfo"}},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTAliasParams":{"type":"object","properties":{"additions":{"type":"array","items":{"$ref":"#/components/schemas/BTAliasEntryParams"}},"description":{"type":"string"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTAliasEntryParams"}},"name":{"type":"string"},"removals":{"type":"array","items":{"$ref":"#/components/schemas/BTAliasEntryParams"}}}},"BTAllowEdgePointFilter-2371":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"allowsEdgePoint":{"type":"boolean"},"btType":{"type":"string"}}}]},"BTAllowFlattenedGeometryFilter-2140":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"allowsFlattenedGeometry":{"type":"boolean"},"btType":{"type":"string"}}}]},"BTAllowMeshGeometryFilter-1026":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"allowsMeshGeometry":{"type":"boolean"},"btType":{"type":"string"}}}]},"BTAllowedMateTypeFilter-151
1":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMateFilter-162"},{"type":"object","properties":{"allowedMateTypes":{"type":"array","items":{"$ref":"#/components/schemas/GBTMateType"}},"btType":{"type":"string"}}}]},"BTAndFilter-110":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"operand1":{"$ref":"#/components/schemas/BTQueryFilter-183"},"operand2":{"$ref":"#/components/schemas/BTQueryFilter-183"}}}]},"BTAngularDimensionDisplayData-320":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTArcLengthDimensionDisplayData-1018":"#/components/schemas/BTArcLengthDimensionDisplayData-1018"}},"allOf":[{"$ref":"#/components/schemas/BTDimensionDisplayData-323"},{"type":"object","properties":{"btType":{"type":"string"},"clockwise":{"type":"boolean"},"positionR":{"type":"number","format":"double"},"positionT":{"type":"number","format":"double"},"witnessEndPoint0r":{"type":"number","format":"double"},"witnessEndPoint0t":{"type":"number","format":"double"},"witnessEndPoint1r":{"type":"number","format":"double"},"witnessEndPoint1t":{"type":"number","format":"double"},"witnessMaxPoint0r":{"type":"number","format":"double"},"witnessMaxPoint1r":{"type":"number","format":"double"},"witnessMinPoint0r":{"type":"number","format":"double"},"witnessMinPoint1r":{"type":"number","format":"double"}}}]},"BTApiConfiguration":{"type":"object","properties":{"current":{"type":"boolean"},"default":{"type":"boolean"},"null":{"type":"boolean"},"parameterMap":{"type":"object","additionalProperties":{"type":"string"}},"standardContent":{"type":"boolean"},"standardContentParametersId":{"type":"string"}}},"BTApiKeyInfo":{"type":"object","properties":{"accessKey":{"type":"string"},"companyId":{"type":"string"},"href":{"type":"string","description":"URI to fetch 
complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"scopeNames":{"type":"array","items":{"type":"string"}},"secretKey":{"type":"string"},"state":{"type":"integer","format":"int32"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTApiKeyUpdateParams":{"type":"object","properties":{"accessKey":{"type":"string"},"state":{"type":"integer","format":"int32"}}},"BTApiMetricSummaryInfo":{"type":"object","properties":{"clientId":{"type":"string"},"count":{"type":"integer","format":"int64"},"httpMethod":{"type":"string"},"statusCode":{"type":"integer","format":"int32"},"urlPattern":{"type":"string"}}},"BTApiTable-2300":{"type":"object","properties":{"btType":{"type":"string"},"columns":{"type":"array","items":{"$ref":"#/components/schemas/BTApiTableColumn-3141"}},"entityIds":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"rows":{"type":"array","items":{"$ref":"#/components/schemas/BTApiTableRow-2915"}},"title":{"type":"string"}}},"BTApiTableColumn-3141":{"type":"object","properties":{"btType":{"type":"string"},"header":{"type":"string"},"id":{"type":"string"},"textAlignment":{"$ref":"#/components/schemas/GBTTableTextAlignment"}}},"BTApiTableList-1223":{"type":"object","properties":{"btType":{"type":"string"},"tables":{"type":"array","items":{"$ref":"#/components/schemas/BTApiTable-2300"}}}},"BTApiTableRow-2915":{"type":"object","properties":{"btType":{"type":"string"},"callout":{"type":"string"},"columnIdToValue":{"type":"object","additionalProperties":{"type":"string"}},"entityIds":{"type":"array","items":{"type":"string"}}}},"BTApiVersion":{"type":"string","enum":["UNDEFINED","V1_START","V2_SERIALIZATION_UNIFICATION","V3_NEW_BOM_FORMAT","V4_TRANSACTIONS_NO_NEW","V5_BODY_DETAILS_COMPOSITE_REFERENCE","V6_JSON_EDIT_RESPONSE_BUGFIX"]},
"BTAppArrayInfoBTAppDrawingViewInfo":{"type":"object","properties":{"changeId":{"type":"string"},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTAppDrawingViewInfo"}},"parentChangeId":{"type":"string"}}},"BTAppAssociativeDataArrayInfo":{"type":"object","properties":{"changeId":{"type":"string"},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTAssociativeDataInfo"}},"parentChangeId":{"type":"string"}}},"BTAppDrawingViewInfo":{"type":"object","properties":{"associativityChangeId":{"type":"string"},"bomReferenceId":{"type":"string"},"brokenOutBBoxes":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBoundingBox-1052"}},"brokenOutEndConditions":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBrokenOutEndCondition-1107"}},"brokenOutPointNumbers":{"type":"array","items":{"type":"integer","format":"int32"}},"changeId":{"type":"string"},"computeIntersection":{"type":"boolean"},"cutPoint":{"type":"array","items":{"type":"number","format":"double"}},"depthSectionEndCondition":{"$ref":"#/components/schemas/BTBrokenOutEndCondition-1107"},"displayStateId":{"type":"string"},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A 
human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"explodedViewId":{"type":"string"},"hiddenLines":{"type":"string"},"ignoreFaultyParts":{"type":"boolean"},"includeHiddenInstances":{"type":"boolean"},"includeSurfaces":{"type":"boolean"},"includeWires":{"type":"boolean"},"isAlignedSection":{"type":"boolean"},"isBrokenOutSection":{"type":"boolean"},"isCopiedView":{"type":"boolean"},"isCropView":{"type":"boolean"},"isPartialSection":{"type":"boolean"},"isSectionOfAlignedSection":{"type":"boolean"},"isSectionOfSectionOnBase":{"type":"boolean"},"isSurface":{"type":"boolean"},"modelReferenceId":{"type":"string"},"modificationId":{"type":"string"},"namedPositionId":{"type":"string"},"occurrenceOrQueryToGeometryProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTAppElementViewGeometryProperties-1100"}},"offsetSectionPoints":{"type":"array","items":{"type":"number","format":"double"}},"parentChangeId":{"type":"string"},"parentViewId":{"type":"string"},"perspective":{"type":"boolean"},"projectionAngle":{"type":"string"},"qualityOption":{"type":"integer","format":"int32"},"renderSketches":{"type":"boolean"},"sectionId":{"type":"string"},"showAutoCenterlines":{"type":"boolean"},"showAutoCentermarks":{"type":"boolean"},"showCutGeomOnly":{"type":"boolean"},"showTangentLines":{"type":"boolean"},"showThreads":{"type":"boolean"},"showViewingPlane":{"type":"boolean"},"simplificationOption":{"type":"integer","format":"int32"},"simplificationThreshold":{"type":"number","format":"double"},"useParentViewSectionData":{"type":"boolean"},"viewDirection":{"type":"array","items":{"type":"number","format":"double"}},"viewId":{"type":"string"},"viewMatrix":{"type":"array","items":{"type":"number","format":"double"}},"viewVersion":{"type":"integer","format":"int32"}}},"BTAppElementBasicInfo":{"type":"object","properties":{"changeId":{"type":"string"},"errorCode":{"type":"integer"
,"description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"parentChangeId":{"type":"string"}}},"BTAppElementBulkCreateInfo":{"required":["documentMicroversionId"],"type":"object","properties":{"documentMicroversionId":{"type":"string","description":"The latest document microversion, after the edit was committed."},"elementIds":{"type":"array","description":"The ids of the created elements.","items":{"type":"string","description":"The ids of the created elements."}},"elementMicroversions":{"type":"array","description":"The microversion ids of the created elements, at creation time.","items":{"type":"string","description":"The microversion ids of the created elements, at creation time."}},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"}}},"BTAppElementBulkCreateParams":{"required":["formatId"],"type":"object","properties":{"description":{"type":"string","description":"The label that will appear in the document's edit history for this operation. If blank, a value will be auto-generated."},"formatId":{"type":"string","description":"The data type of the application. This string allows an application to distinguish their elements from elements of another application."},"location":{"$ref":"#/components/schemas/BTElementLocationParams"},"names":{"type":"array","description":"The name of the element being created. If blank, a name will be auto-generated.","items":{"type":"string","description":"The name of the element being created. 
If blank, a name will be auto-generated."}}}},"BTAppElementChangeParams":{"required":["subelementId"],"type":"object","properties":{"baseContent":{"type":"string","description":"This base64-encoded data is treated as a full representation of the sub-element's data and all deltas previously added will no longer be returned.","format":"byte"},"delta":{"type":"string","description":"This base64-encoded data is a delta which the application can apply to the last added baseContent data.","format":"byte"},"subelementId":{"type":"string","description":"The id of the subelement to edit. The value is determined by the application."}}},"BTAppElementCommitTransactionParams":{"type":"object","properties":{"allowMerge":{"type":"boolean"},"description":{"type":"string"},"returnError":{"type":"boolean"},"transactionIds":{"type":"array","items":{"type":"string"}}}},"BTAppElementContentDeltaInfo":{"type":"object","properties":{"delta":{"type":"string"}}},"BTAppElementContentEntryInfo":{"type":"object","properties":{"baseContent":{"type":"string"},"deltas":{"type":"array","items":{"$ref":"#/components/schemas/BTAppElementContentDeltaInfo"}},"subelementId":{"type":"string"}}},"BTAppElementContentInfo":{"type":"object","properties":{"changeId":{"type":"string"},"data":{"type":"array","items":{"$ref":"#/components/schemas/BTAppElementContentEntryInfo"}},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one 
occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"}}},"BTAppElementCreatedAtFieldRepairInfo":{"type":"object","properties":{"newCreatedAt":{"type":"string"},"oldCreatedAt":{"type":"string"},"status":{"type":"string"}}},"BTAppElementErrorCode":{"type":"string","enum":["OK","TRANSACTION_CONFLICT","NOT_FOUND","INCONSISTENT_CHANGES"]},"BTAppElementHistoryEntryInfo":{"type":"object","properties":{"changeId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"description":{"type":"string"}}},"BTAppElementHistoryInfo":{"type":"object","properties":{"changes":{"type":"array","items":{"$ref":"#/components/schemas/BTAppElementHistoryEntryInfo"}},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"}}},"BTAppElementIdsInfo":{"type":"object","properties":{"changeId":{"type":"string"},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"subelementIds":{"type":"array","items":{"type":"string"}}}},"BTAppElementModifyInfo":{"required":["changeId"],"type":"object","properties":{"changeId":{"type":"string","description":"The latest change id for the element, after the edit was committed."},"elementId":{"type":"string","description":"The id of the edited element."},"elementIds":{"type":"array","description":"The ids of the edited elements, if multiple elements were edited.","items":{"type":"string"}},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one 
occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"jsonDifference":{"$ref":"#/components/schemas/BTDiffJsonResponse-2725"},"parentChangeId":{"type":"string","description":"The latest change id for the element, before the edit was made."},"propertyEditsMerged":{"type":"boolean","description":"When committing a transaction, this field indicates if the properties of the application element were changed after the transaction was created."},"transactionId":{"type":"string","description":"The id of the transaction in which the edit was applied."}}},"BTAppElementParams":{"required":["formatId"],"type":"object","properties":{"description":{"type":"string","description":"The label that will appear in the document's edit history for this operation. If blank, a value will be auto-generated."},"formatId":{"type":"string","description":"The data type of the application. This string allows an application to distinguish their elements from elements of another application."},"jsonTree":{"type":"object","description":"Initialization data for the new element's json tree.","example":"{ 'stringKey': 'bar', 'arrayKey': [ 1, 2, 3 ], 'objectKey': { 'subKey': false } }"},"location":{"$ref":"#/components/schemas/BTElementLocationParams"},"name":{"type":"string","description":"The name of the element being created. 
If blank, a name will be auto-generated."},"subelements":{"type":"array","description":"Initialization data for the new element's subelements.","items":{"$ref":"#/components/schemas/BTAppElementChangeParams"}}}},"BTAppElementParamsArrayBTCopyViewAssociativeDataParams":{"type":"object","properties":{"description":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTCopyViewAssociativeDataParams"}},"parentChangeId":{"type":"string"},"transactionId":{"type":"string"}}},"BTAppElementReferenceInfo":{"required":["changeId"],"type":"object","properties":{"changeId":{"type":"string","description":"The latest change id for the element, after the edit was committed."},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"parentChangeId":{"type":"string","description":"The latest change id for the element, before the edit was made."},"referenceId":{"type":"string"},"transactionId":{"type":"string","description":"The id of the transaction in which the edit was 
applied."}}},"BTAppElementReferenceParams":{"type":"object","properties":{"hasDocumentMicroversions":{"type":"boolean"},"idTag":{"type":"string"},"idTagMicroversionId":{"type":"string"},"isLocked":{"type":"boolean"},"isSketchOnly":{"type":"boolean"},"parentChangeId":{"type":"string"},"parentViewId":{"type":"string"},"partNumber":{"type":"string"},"pureSketch":{"type":"boolean"},"referenceType":{"type":"integer","format":"int32"},"returnError":{"type":"boolean"},"revision":{"type":"string"},"sketchIds":{"type":"array","items":{"type":"string"}},"targetConfiguration":{"type":"string"},"targetDocumentId":{"type":"string"},"targetElementId":{"type":"string"},"targetMicroversionId":{"type":"string"},"targetVersionId":{"type":"string"},"trackNewVersions":{"type":"boolean"},"transactionId":{"type":"string"},"updateSketchInfo":{"type":"boolean"}}},"BTAppElementReferenceResolveInfo":{"type":"object","properties":{"changeId":{"type":"string"},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one 
occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"},"idTag":{"type":"string"},"idTagIsValid":{"type":"boolean"},"isConfigurable":{"type":"boolean"},"isFlattenedPart":{"type":"boolean"},"isLocked":{"type":"boolean"},"isSketchOnly":{"type":"boolean"},"isSurface":{"type":"boolean"},"latestElementMicroversionId":{"type":"string"},"partNumber":{"type":"string"},"referenceId":{"type":"string"},"referenceType":{"type":"integer","format":"int32"},"resolvedDocumentMicroversionId":{"type":"string"},"resolvedElementMicroversionId":{"type":"string"},"revision":{"type":"string"},"sketchIds":{"type":"array","items":{"type":"string"}},"targetConfiguration":{"type":"string"},"targetDocumentId":{"type":"string"},"targetDocumentMicroversionId":{"type":"string"},"targetElementId":{"type":"string"},"targetElementMicroversionId":{"type":"string"},"targetVersionId":{"type":"string"},"trackNewVersions":{"type":"boolean"}}},"BTAppElementReferencesResolveInfo":{"type":"object","properties":{"resolvedReferences":{"type":"array","items":{"$ref":"#/components/schemas/BTAppElementReferenceResolveInfo"}},"unresolvedReferenceIds":{"type":"array","items":{"type":"string"}}}},"BTAppElementStartTransactionParams":{"type":"object","properties":{"description":{"type":"string"},"parentChangeId":{"type":"string"},"returnError":{"type":"boolean"}}},"BTAppElementTransactionsInfo":{"type":"object","properties":{"elementTransactions":{"type":"array","items":{"$ref":"#/components/schemas/BTElementTransaction"}},"errorCode":{"type":"integer","description":"The numeric code identifying the error that occurred, if one occurred.","format":"int32"},"errorDescription":{"type":"string","description":"A human-readable value for the error that occurred, if one occurred."},"errorValue":{"$ref":"#/components/schemas/BTAppElementErrorCode"}}},"BTAppElementUpdateParams":{"type":"object","properties":{"changes":{"type":"array","description":"Edits to be applied to the element's subelement 
data.","items":{"$ref":"#/components/schemas/BTAppElementChangeParams"}},"description":{"type":"string","description":"The label that will appear in the document's edit history for this operation. If blank, a value will be auto-generated."},"jsonPatch":{"type":"string","description":"A json patch that will be applied to the application element's json data."},"jsonTreeEdit":{"$ref":"#/components/schemas/BTJEdit-3734"},"parentChangeId":{"type":"string","description":"The id of the last change made to this application element. This can be retrieved from the response for any app element modification endpoint."},"propertyUpdates":{"type":"array","description":"Edits to be applied to the element's metadata.","items":{"$ref":"#/components/schemas/BTMetadataPropertyUpdateParams"}},"returnError":{"type":"boolean","description":"If true, errors in request processing will be returned in a 200 response with a meaningful description. Otherwise, errors will result in a relevant HTTP error response."},"returnJsonDifferenceFormat":{"type":"string","description":"If specified, and jsonTreeEdit is non-empty, the json difference will be returned in this format, otherwise no json difference will be returned.","enum":["default","full_path","json_patch"]},"transactionId":{"type":"string","description":"The id of the transaction in which this operation should take place. 
Transaction ids can be generated through the AppElement startTransaction API."}}},"BTAppElementViewGeometryProperties-1100":{"type":"object","properties":{"btType":{"type":"string"},"propertyToValue":{"type":"object","additionalProperties":{"type":"string"}}}},"BTAppModificationRequestInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"failureReason":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"output":{"type":"string"},"parentDocumentMicroversionId":{"type":"string"},"parentElementMicroversionId":{"type":"string"},"requestState":{"$ref":"#/components/schemas/BTAppModificationRequestState"},"resultDocumentMicroversionId":{"type":"string"},"resultElementMicroversionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTAppModificationRequestState":{"type":"string","enum":["ACTIVE","DONE","FAILED"]},"BTAppViewParams":{"type":"object","properties":{"alignedSection":{"type":"boolean"},"bomReferenceId":{"type":"string"},"brokenOutBBoxes":{"type":"array","items":{"type":"number","format":"double"}},"brokenOutBBoxesMap":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBoundingBox-1052"}},"brokenOutEndConditions":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBrokenOutEndCondition-1107"}},"brokenOutPointNumbers":{"type":"array","items":{"type":"integer","format":"int32"}},"brokenOutSection":{"type":"boolean"},"computeIntersection":{"type":"boolean"},"copiedView":{"type":"boolean"},"cropView":{"type":"boolean"},"cutPoint":{"type":"array","items":{"type":"number","format":"double"}},"depthSectionEndCondition":{"$ref":"#/components/schemas/BTBrokenOutEndCondition-1107"},"displayStateId":{"type":"string"},"explodedViewId":{"type":"string"},"hiddenLines":{"$ref":"#/components/schemas/BTDrawingHiddenLineOption"},"ignoreFaultyParts":{"type":"boolean"},"includeHiddenInstances":{"type":"boolean"},"includeSurfaces":{"type":"boolean"},"includeWires":{"type":"boolean"},"isAlignedSection":{"type":"boolean"},"isBrokenOutSection":{"type":"boolean"},"isCopiedView":{"type":"boolean"},"isCropView":{"type":"boolean"},"isPartialSection":{"type":"boolean"},"isSectionOfSectionOnBase":{"type":"boolean"},"isSurface":{"type":"boolean"},"modelReferenceId":{"type":"string"},"modificationId":{"type":"string"},"namedPositionId":{"type":"string"},"occurrenceOrPartIdToGeometryProperties":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"string"}}},"offsetSectionPoints":{"type":"array","items":{"type":"number","format":"double"}},"parameters":{"type":"array","items":{"type":"number","format":"double"}},"parentChangeId":{"type":"string"},"parentViewId":{"type":"string"}
,"perspective":{"type":"boolean"},"projectionAngle":{"type":"string"},"qualityOption":{"type":"integer","format":"int32"},"qualityOptionType":{"$ref":"#/components/schemas/GBTHLQualityOption"},"renderSketches":{"type":"boolean"},"sectionId":{"type":"string"},"showAutoCenterlines":{"type":"boolean"},"showAutoCentermarks":{"type":"boolean"},"showCutGeomOnly":{"type":"boolean"},"showTangentLines":{"type":"boolean"},"showThreads":{"type":"boolean"},"showViewingPlane":{"type":"boolean"},"simplificationOption":{"type":"integer","format":"int32"},"simplificationOptionType":{"$ref":"#/components/schemas/GBTHLSimplificationOption"},"simplificationThreshold":{"type":"number","format":"double"},"transactionId":{"type":"string"},"useParentViewSectionData":{"type":"boolean"},"viewDirection":{"type":"array","items":{"type":"number","format":"double"}},"viewMatrix":{"type":"array","items":{"type":"number","format":"double"}},"viewScale":{"type":"number","format":"double"},"viewVersion":{"type":"integer","format":"int32"},"viewVersionType":{"$ref":"#/components/schemas/GBTAppElementViewVersionNumber"}}},"BTAppearanceOverride-2517":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"appearanceReset":{"type":"boolean"},"btType":{"type":"string"},"copyWithoutEntities":{"$ref":"#/components/schemas/BTAppearanceOverride-2517"},"entityDeterministicIds":{"type":"array","items":{"type":"string"}},"isDeletion":{"type":"boolean"}}},"BTApplicationContext":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"integer","format":"int64"}}},"BTApplicationDataConsistencyApplicationStatusInfo":{"type":"object","properties":{"appUseExists":{"type":"boolean"},"applicationStatus":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTApplicationDataConsistencyPurchaseInfo"}},"containsElementTabExtension":{"type":"boolean"}}},"BTApplicationDataConsistencyInfo":{"type":"object","properties":{"data":{"type":"object
","additionalProperties":{"$ref":"#/components/schemas/BTApplicationDataConsistencyApplicationStatusInfo"}},"summary":{"type":"array","items":{"type":"string"}}}},"BTApplicationDataConsistencyPurchaseInfo":{"type":"object","properties":{"companyId":{"type":"string"},"purchaseActive":{"type":"boolean"},"purchaseExists":{"type":"boolean"},"purchaseUserExists":{"type":"boolean"},"purchaseValid":{"type":"boolean"}}},"BTApplicationElementThumbnailParams":{"type":"object","properties":{"base64EncodedImage":{"type":"string"},"description":{"type":"string"},"imageHeight":{"type":"integer","format":"int32"},"imageWidth":{"type":"integer","format":"int32"},"isPrimary":{"type":"boolean"},"uniqueId":{"type":"string"}}},"BTApplicationElementThumbnailParamsArray":{"type":"object","properties":{"thumbnails":{"type":"array","items":{"$ref":"#/components/schemas/BTApplicationElementThumbnailParams"}}}},"BTApplicationExtensionTypesInfo":{"type":"object","properties":{"category":{"type":"integer","format":"int32"},"displayName":{"type":"string"},"id":{"type":"integer","format":"int64"},"validContexts":{"type":"array","items":{"$ref":"#/components/schemas/BTApplicationContext"}}}},"BTApplicationSettingsType":{"type":"string","enum":["USER","COMPANY","TEAM"]},"BTApplicationTargetInfo":{"type":"object","properties":{"baseHref":{"type":"string","format":"uri"},"clientId":{"type":"string"},"supportsCollaboration":{"type":"boolean"},"tabIconHref":{"type":"string","format":"uri"}}},"BTApproveTranslationDebugParams":{"type":"object","properties":{"timestamp":{"type":"integer","format":"int64"}}},"BTArcLengthDimensionDisplayData-1018":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTAngularDimensionDisplayData-320"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTAssemblyBallMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"rotationYPrevious":{"type
":"number","format":"double"},"rotationZ":{"type":"number","format":"double"},"rotationZPrevious":{"type":"number","format":"double"}}}]},"BTAssemblyCylindricalMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"rotationZ":{"type":"number","format":"double"},"translationZ":{"type":"number","format":"double"}}}]},"BTAssemblyDefinitionInfo":{"type":"object","properties":{"partStudioFeatures":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyPsFeatureInfo"}},"parts":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyPartInfo"}},"rootAssembly":{"$ref":"#/components/schemas/BTRootAssemblyInfo"},"subAssemblies":{"type":"array","items":{"$ref":"#/components/schemas/BTSubAssemblyInfo"}}}},"BTAssemblyFeatureDataInfo":{"type":"object","properties":{"name":{"type":"string"}}},"BTAssemblyFeatureInfo":{"type":"object","properties":{"featureData":{"$ref":"#/components/schemas/BTAssemblyFeatureDataInfo"},"featureType":{"type":"string"},"id":{"type":"string"},"suppressed":{"type":"boolean"}},"description":"List of Assembly features including those are created by 
replicates."},"BTAssemblyFeatureListResponse-1174":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureApiBase-1430"},{"type":"object","properties":{"btType":{"type":"string"},"featureStates":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFeatureState-1688"}},"features":{"type":"array","items":{"$ref":"#/components/schemas/BTMAssemblyFeature-887"}},"isComplete":{"type":"boolean"}}}]},"BTAssemblyInsertTransformedInstancesResponse":{"type":"object","properties":{"insertInstanceResponses":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyInstanceOccurrenceInfo"}},"insertResponses":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyOccurrenceInfo"}}}},"BTAssemblyInstance-947":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTInstance-642"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTAssemblyInstanceDefinitionParams":{"required":["documentId"],"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"featureId":{"type":"string"},"includePartTypes":{"type":"array","items":{"$ref":"#/components/schemas/GBTInsertableType"}},"isAssembly":{"type":"boolean"},"isHidden":{"type":"boolean"},"isSuppressed":{"type":"boolean"},"isWholePartStudio":{"type":"boolean"},"microversionId":{"type":"string"},"partId":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"versionId":{"type":"string"}}},"BTAssemblyInstanceInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"documentMicroversion":{"type":"string"},"documentVersion":{"type":"string"},"elementId":{"type":"string"},"featureId":{"type":"string"},"fullConfiguration":{"type":"string"},"id":{"type":"string"},"isStandardContent":{"type":"boolean"},"name":{"type":"string"},"partId":{"type":"string"},"partNumber":{"type":"s
tring"},"revision":{"type":"string"},"status":{"$ref":"#/components/schemas/BTAssemblyInstanceStatus"},"suppressed":{"type":"boolean"},"type":{"$ref":"#/components/schemas/BTAssemblyInstanceType"}},"description":"List of instances including those created by patterns and replicates."},"BTAssemblyInstanceOccurrenceInfo":{"type":"object","properties":{"occurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyOccurrenceInfo"}}}},"BTAssemblyInstanceStatus":{"type":"string","enum":["DeletedElement"]},"BTAssemblyInstanceType":{"type":"string","enum":["Assembly","Feature","Part","Unknown"]},"BTAssemblyMateConnectorInfo":{"type":"object","properties":{"featureId":{"type":"string"},"mateConnectorCS":{"$ref":"#/components/schemas/BTMateConnectorCSInfo"}}},"BTAssemblyMateValueInfo":{"required":["jsonType"],"type":"object","properties":{"featureId":{"type":"string"},"jsonType":{"type":"string"},"mateName":{"type":"string"}},"discriminator":{"propertyName":"jsonType"}},"BTAssemblyMateValuesInfo":{"type":"object","properties":{"mateValues":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"}}}},"BTAssemblyModificationParams":{"type":"object","properties":{"deleteInstances":{"type":"array","items":{"type":"string"}},"editDescription":{"type":"string"},"suppressInstances":{"type":"array","items":{"type":"string"}},"transformDefinitions":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyTransformDefinitionParams"}},"unsuppressInstances":{"type":"array","items":{"type":"string"}}}},"BTAssemblyOccurrenceInfo":{"type":"object","properties":{"fixed":{"type":"boolean"},"hidden":{"type":"boolean"},"path":{"type":"array","items":{"type":"string"}},"transform":{"type":"array","items":{"type":"number","format":"double"}}}},"BTAssemblyParallelMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"rotationZ":{"type":"number","format":"double"},"translationX":{"t
ype":"number","format":"double"},"translationY":{"type":"number","format":"double"},"translationZ":{"type":"number","format":"double"}}}]},"BTAssemblyPartBodyType":{"type":"string","enum":["solid","sheet","composite"]},"BTAssemblyPartInfo":{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/BTAssemblyPartBodyType"},"configuration":{"type":"string"},"documentId":{"type":"string"},"documentMicroversion":{"type":"string"},"documentVersion":{"type":"string"},"elementId":{"type":"string"},"fullConfiguration":{"type":"string"},"isStandardContent":{"type":"boolean"},"mateConnectors":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyMateConnectorInfo"}},"partId":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"}}},"BTAssemblyPattern-1974":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParametricInstance-2641"},{"type":"object","properties":{"btType":{"type":"string"},"patternFeature":{"$ref":"#/components/schemas/BTMAssemblyPatternFeature-2241"}}}]},"BTAssemblyPatternInfo":{"type":"object","properties":{"id":{"type":"string","description":"Id of the pattern."},"name":{"type":"string","description":"Name of the pattern."},"seedToPatternInstances":{"type":"object","additionalProperties":{"type":"array","description":"Mapping of seed to pattern instance ids.","items":{"type":"string","description":"Mapping of seed to pattern instance ids."}},"description":"Mapping of seed to pattern instance ids."},"suppressed":{"type":"boolean","description":"If pattern is suppressed."},"type":{"$ref":"#/components/schemas/GBTPatternType"}},"description":"Pattern 
description."},"BTAssemblyPinSlotMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"rotationZ":{"type":"number","format":"double"},"translationX":{"type":"number","format":"double"}}}]},"BTAssemblyPlanarMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"rotationZ":{"type":"number","format":"double"},"translationX":{"type":"number","format":"double"},"translationY":{"type":"number","format":"double"}}}]},"BTAssemblyPsFeatureInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"documentMicroversion":{"type":"string"},"documentVersion":{"type":"string"},"elementId":{"type":"string"},"featureId":{"type":"string"},"featureType":{"type":"string"},"fullConfiguration":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"}}},"BTAssemblyReferencesDisplayData-1562":{"type":"object","properties":{"assemblyReferences":{"type":"array","items":{"$ref":"#/components/schemas/BTSingleReferenceDisplayData-1943"}},"btType":{"type":"string"},"elementId":{"type":"string"},"fromFullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"incremental":{"type":"boolean"},"instanceCount":{"type":"integer","format":"int32"},"keepFromMicroversion":{"type":"boolean"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfigurationInterval":{"$ref":"#/components/schemas/BTMicroversionIdAndConfigurationInterval-2364"},"microversionInterval":{"$ref":"#/components/schemas/BTMicroversionIdInterval-367"},"versionForRasterization":{"$ref":"#/components/schemas/BTElementDisplayData-326"}}},"BTAssemblyReplicate-2774":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParametricInstance-2641"},{"type":"object","properties"
:{"btType":{"type":"string"},"replicateFeature":{"$ref":"#/components/schemas/BTMAssemblyReplicateFeature-1351"}}}]},"BTAssemblyRevoluteMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"rotationZ":{"type":"number","format":"double"}}}]},"BTAssemblyRowIdInfo":{"type":"object","properties":{"apiConfiguration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"itemDefinitionId":{"type":"string"},"microversionId":{"type":"string"},"partId":{"type":"string"},"standardContent":{"type":"boolean"},"versionMetadataWorkspaceId":{"type":"string"},"versionMetadataWorkspaceMicroversionId":{"type":"string"},"wvmId":{"type":"string"},"wvmType":{"type":"string"}}},"BTAssemblyRowInfo":{"type":"object","properties":{"itemId":{"$ref":"#/components/schemas/BTAssemblyRowIdInfo"},"itemQuantity":{"type":"number","format":"double"},"numOccurrences":{"type":"integer","format":"int32"}}},"BTAssemblySimulation-2246":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"modal":{"type":"boolean"},"numberOfModes":{"type":"number","format":"double"},"type":{"$ref":"#/components/schemas/GBTAssemblySimulationType"}}}]},"BTAssemblySimulationData-978":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"contactBehavior":{"$ref":"#/components/schemas/GBTSimulationContactBehavior"},"loads":{"type":"array","items":{"$ref":"#/components/schemas/BTMLoad-3538"}},"loadsByNodeId":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTMLoad-3538"}},"simulations":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblySimulation-2246"}},"structuralLoads":{"type":"array","items":{"$ref":"#/components/schemas/BTMLoad-3538"}}}}]},"BTAssemblyS
imulationStructuralLoadsTable-3867":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTable-1825"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTAssemblySimulationTable-3236":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTable-1825"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTAssemblySliderMateValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTAssemblyMateValueInfo"},{"type":"object","properties":{"translationZ":{"type":"number","format":"double"}}}]},"BTAssemblyStructureInfo":{"type":"object","properties":{"assemblyElementMicroversionId":{"type":"string"},"rowIdToChildren":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"rowIdToRowInfo":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTAssemblyRowInfo"}},"topLevelRowIds":{"type":"array","items":{"type":"string"}}}},"BTAssemblyTransformDefinitionParams":{"type":"object","properties":{"isRelative":{"type":"boolean"},"occurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"transform":{"type":"array","items":{"type":"number","format":"double"}}}},"BTAssemblyTransformedInstancesDefinitionParams":{"type":"object","properties":{"transformGroups":{"type":"array","items":{"$ref":"#/components/schemas/TransformGroup"}}}},"BTAssignmentParams":{"type":"object","properties":{"description":{"type":"string"},"endDate":{"type":"string","format":"date-time"},"name":{"type":"string"},"startDate":{"type":"string","format":"date-time"},"starterDocumentId":{"type":"string"},"submissionOption":{"type":"integer","format":"int32"}}},"BTAssociativeDataInfo":{"type":"object","properties":{"associativeDataId":{"type":"string"},"data":{"type":"array","items":{"$ref":"#/components/schemas/BTNameValuePair"}},"documentId":{"type":"string"},"documentMicroversion":{"type":"string"},"elementId":{"type
":"string"},"error":{"type":"string"},"idTag":{"type":"string"},"microversionId":{"type":"string"},"occurrenceId":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTAppElementAssociativeDataType"},"versionId":{"type":"string"}}},"BTAutoNumberingSchemeParams":{"type":"object","properties":{"assemblyPrefix":{"type":"string"},"drawingPrefix":{"type":"string"},"filePrefix":{"type":"string"},"nextNumber":{"type":"integer","format":"int64"},"nextNumberMinWidth":{"type":"integer","format":"int32"},"partPrefix":{"type":"string"},"prefix":{"type":"string","description":"Based on Scheme resource type, prefix used for Item, Standard content"},"schemeResourceTypeId":{"type":"string","description":"Scheme resource Id(Release object, Item, Standard content)"},"variableStudioPrefix":{"type":"string"}}},"BTAutoPartNumberingSchemeParams":{"type":"object","properties":{"assemblyPrefix":{"type":"string"},"drawingPrefix":{"type":"string"},"filePrefix":{"type":"string"},"nextNumber":{"type":"integer","format":"int64"},"nextNumberMinWidth":{"type":"integer","format":"int32"},"partPrefix":{"type":"string"},"schemeId":{"type":"string"},"variableStudioPrefix":{"type":"string"}}},"BTAvailableSeatsInfo":{"type":"object","properties":{"availableSeats":{"type":"integer","format":"int64"}}},"BTBExportModelParams":{"required":["documentId","format"],"type":"object","properties":{"angleTolerance":{"type":"number","format":"double"},"batchAllFlatPatterns":{"type":"boolean"},"batchFlatPatterns":{"type":"boolean"},"chordTolerance":{"type":"number","format":"double"},"cloudObjectId":{"type":"string"},"cloudStorageAccountId":{"type":"string"},"configuration":{"type":"string"},"destinationName":{"type":"string"},"documentId":{"type":"string"},"documentVersionId":{"type":"string"},"elementId":{"type":"string"},"elementIds":{"type":"string"},"emailLink":{"type":"boolean"},"emailMessage":{"type":"string"},"emailSubject":{"type":"string"},"emailTo":{"type":"string"},"featureIds":{"type":"string"},"fl
atten":{"type":"boolean"},"format":{"type":"string"},"fromUserId":{"type":"string"},"grouping":{"type":"string"},"ignoreExportRulesForContents":{"type":"boolean"},"includeBendCenterlines":{"type":"boolean"},"includeBendLines":{"type":"boolean"},"includeExportIds":{"type":"boolean"},"includeSketches":{"type":"boolean"},"isPartingOut":{"type":"boolean"},"linkDocumentId":{"type":"string"},"linkDocumentWorkspaceId":{"type":"string"},"maxFacetWidth":{"type":"number","format":"double"},"microversion":{"type":"string"},"minFacetWidth":{"type":"number","format":"double"},"mode":{"type":"string"},"partIds":{"type":"string"},"partQuery":{"type":"string"},"password":{"type":"string"},"passwordRequired":{"type":"boolean"},"resolution":{"type":"string"},"scale":{"type":"number","format":"double"},"sendCopyToMe":{"type":"boolean"},"sheetMetalFlat":{"type":"boolean"},"splinesAsPolylines":{"type":"boolean"},"storeInDocument":{"type":"boolean"},"triggerAutoDownload":{"type":"boolean"},"units":{"type":"string"},"userId":{"type":"string"},"validForDays":{"type":"integer","format":"int32"},"version":{"type":"string"},"view":{"type":"string"},"workspaceId":{"type":"string"},"zipSingleFileOutput":{"type":"boolean"}}},"BTBPartStudio":{"required":["documentId","elementId","vm","vmId","wId","wv","wvId","wvm","wvmId"],"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"effectiveDocumentId":{"type":"string"},"effectiveElementId":{"type":"string"},"effectiveWvm":{"type":"string"},"effectiveWvmId":{"type":"string"},"elementId":{"type":"string"},"elementMicroversionId":{"type":"string"},"linkDocumentId":{"type":"string"},"publication":{"type":"boolean"},"rollbackBarIndex":{"type":"integer","format":"int32"},"version":{"$ref":"#/components/schemas/BTDBVersion"},"versionReference":{"type":"boolean"},"vm":{"type":"string"},"vmId":{"type":"string"},"wId":{"type":"string"},"wv":{"type":"string"},"wvId":{"type":"string"},"wvm":{"type":"string"},"wvmId":{"typ
e":"string"}}},"BTBSMatrix-386":{"type":"object","properties":{"btType":{"type":"string"},"fullTransformation":{"type":"array","items":{"type":"number","format":"double"}},"isNormalized":{"type":"boolean"},"m00":{"type":"number","format":"double"},"m01":{"type":"number","format":"double"},"m02":{"type":"number","format":"double"},"m03":{"type":"number","format":"double"},"m10":{"type":"number","format":"double"},"m11":{"type":"number","format":"double"},"m12":{"type":"number","format":"double"},"m13":{"type":"number","format":"double"},"m20":{"type":"number","format":"double"},"m21":{"type":"number","format":"double"},"m22":{"type":"number","format":"double"},"m23":{"type":"number","format":"double"},"rigid":{"type":"boolean"},"rigidWithinTransformTolerance":{"type":"boolean"},"translation":{"$ref":"#/components/schemas/BTVector3d-389"}}},"BTBaseEntityAppearanceEntry-3607":{"type":"object","properties":{"affectedDeterministicIds":{"type":"array","items":{"type":"string"}},"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"btType":{"type":"string"},"source":{"$ref":"#/components/schemas/BTPartMetadataSource-2895"}}},"BTBaseEntityAppearanceSettings-1391":{"type":"object","properties":{"btType":{"type":"string"},"colorIdToBaseEntityAppearanceEntry":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBaseEntityAppearanceEntry-3607"}},"isNoop":{"type":"boolean"}}},"BTBaseEntityData-33":{"type":"object","properties":{"btType":{"type":"string"},"copyWithoutGeometry":{"$ref":"#/components/schemas/BTBaseEntityData-33"},"decompressed":{"$ref":"#/components/schemas/BTBaseEntityData-33"},"deletion":{"type":"boolean"},"featureIds":{"type":"array","items":{"type":"string"}},"fromSketch":{"type":"boolean"},"geometries":{"type":"array","items":{"$ref":"#/components/schemas/BTEntityGeometry-35"}}},"discriminator":{"propertyName":"btType","mapping":{"BTEntityDeletion-24":"#/components/schemas/BTEntityDeletion-24","BTFeatureEntity-34":"#/compon
ents/schemas/BTFeatureEntity-34"}}},"BTBaseInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTBasePartColorCycle-2614":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTSystemPartColorCycle-1580":"#/components/schemas/BTSystemPartColorCycle-1580"}}},"BTBaseSMJointTableRowMetadata-2232":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTSMBendTableRowMetadata-1705":"#/components/schemas/BTSMBendTableRowMetadata-1705","BTSMOtherJointTableRowMetadata-2640":"#/components/schemas/BTSMOtherJointTableRowMetadata-2640"}},"allOf":[{"$ref":"#/components/schemas/BTTableBaseRowMetadata-3181"},{"type":"object","properties":{"btType":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableCrossHighlightData-1753"},"crossHighlightDataIfAny":{"$ref":"#/components/schemas/BTTableCrossHighlightData-1753"}}}]},"BTBillOfMaterialsElementInfo":{"type":"object","properties":{"configuration":{"type":"string"},"headerIdToValue":{"type":"object","additionalProperties":{"type":"object"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTBillOfMaterialsHeaderInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"propertyName":{"type":"string"},"valueType":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"visible":{"type":"boolean"}}},"BTBillOfMaterialsInfo":{"type":"object","properties":{"bomSource":{"$ref":"#/components/schemas/BTBillOfMaterialsSourceInfo"},"createdAt":{"type":"string"},"formatVersion":{"type":"string"},"headers":{"type":"array","items":{"$ref":"#/components/schemas/BTBillOfMaterialsHeaderInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"rows":{"type":"array","items":{"$ref":"#/components/schemas/BTBillOfMaterialsRowInfo"}},"templateId":{"type":"string"},"topLevelAssemblyRow":{"$ref":"#/components/schemas/BTBillOfMaterialsRowInfo"},"type":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTBillOfMaterialsItemSourceInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"fullConfiguration":{"type":"string"},"href":{"type":"string"},"isStandardContent":{"type":"boolean"},"nonGeometricItemId":{"type":"string"},"partId":{"type":"string"},"sourceElementMicroversionId":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"versionMetadataWorkspaceMicroversionId":{"type":"string"},"viewHref":{"type":"string"},"wvmId":{"type":"string"},"wvmType":{"type":"string"}}},"BTBillOfMaterialsObjectWithPropertiesInfo":{"type":"object","properties":{"headerIdToValue":{"type":"object","additionalProperties":{"type":"object"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTBillOfMaterialsRowInfo":{"type":"object","properties":{"headerIdToValue":{"type":"object","additionalProperties":{"type":"object"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"indentLevel":{"type":"integer","format":"int32"},"itemSource":{"$ref":"#/components/schemas/BTBillOfMaterialsItemSourceInfo"},"name":{"type":"string","description":"Name of the resource."},"relatedOccurrences":{"type":"array","items":{"type":"string"}},"rowId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTBillOfMaterialsSourceInfo":{"type":"object","properties":{"document":{"$ref":"#/components/schemas/BTBillOfMaterialsObjectWithPropertiesInfo"},"documentMicroversion":{"$ref":"#/components/schemas/BTBillOfMaterialsObjectWithPropertiesInfo"},"element":{"$ref":"#/components/schemas/BTBillOfMaterialsElementInfo"},"href":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"version":{"$ref":"#/components/schemas/BTBillOfMaterialsObjectWithPropertiesInfo"},"viewHref":{"type":"string"},"workspace":{"$ref":"#/components/schemas/BTBillOfMaterialsObjectWithPropertiesInfo"}}},"BTBillOfMaterialsTable-1073":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTable-1825"},{"type":"object","properties":{"btType":{"type":"string"},"failedMetadataRepresentativeOccurrences":{"type":"array","items":{"type":"string"}},"indented":{"type":"boolean"},"isShowingTopLevelAssemblyRow":{"type":"boolean"},"partNumber":{"type":"string"},"revision":{"type":"string"},"showingExcluded":{"type":"boolean"}}}]},"BTBillOfMaterialsTableRow-1425":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableRow-1054"},{"type":"object","properties":{"btType":{"type":"string"},"excludeIsEditable":{"type":"boolean"},"exclusionStatus":{"$ref":"#/components/schemas/GBTBillOfMaterialsExclusionStatus"},"expansionStatus":{"$ref":"#/components/schemas/GBTBillOfMaterialsExpansionStatus"},"indentLevel":{"type":"integer","format":"int32"},"metadataObjectType":{"type":"integer","format":"int32"},"metadataUpdateHref":{"type":"string"},"relatedOccurrencePaths":{"type":"array","items":{"type":"string"}},"uniqueItemId":{"$ref":"#/components/schemas/BTBillOfMaterialsUniqueItemId-2029"}}}]},"BTBillOfMaterialsTableRowMetadata-1300":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableBaseRowMetadata-3181"},{"type":"object
","properties":{"btType":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableAssemblyCrossHighlightData-2675"},"crossHighlightDataIfAny":{"$ref":"#/components/schemas/BTTableAssemblyCrossHighlightData-2675"}}}]},"BTBillOfMaterialsUniqueItemId-2029":{"type":"object","properties":{"apiConfiguration":{"type":"string"},"btType":{"type":"string"},"isStandardContent":{"type":"boolean"},"itemDefinitionId":{"type":"string"},"metadataObjectType":{"$ref":"#/components/schemas/BTMetadataObjectType"},"partId":{"type":"string"},"sourceElement":{"$ref":"#/components/schemas/BTElementReference-725"},"versionMetadataWorkspaceId":{"type":"string"},"versionMetadataWorkspaceMicroversionId":{"type":"string"}}},"BTBillingAccountInfo":{"type":"object","properties":{"accountBalance":{"type":"integer","format":"int64"},"address":{"$ref":"#/components/schemas/BTAddressInfo"},"card":{"$ref":"#/components/schemas/BTCardInfo"},"company":{"$ref":"#/components/schemas/BTCompanyInfo"},"createdAt":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"owner":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"proMonthlyEnabled":{"type":"boolean"},"state":{"type":"integer","format":"int32"},"stripeId":{"type":"string"},"trashedCompanies":{"type":"object","additionalProperties":{"type":"string"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"zuoraId":{"type":"string"}},"description":"Array of items in the current 
page."},"BTBillingAccountParams":{"type":"object","properties":{"address":{"$ref":"#/components/schemas/BTAddressInfo"},"companyId":{"type":"string"},"companyName":{"type":"string"},"companyPlan":{"type":"boolean"},"domainPrefix":{"type":"string"},"forceCreate":{"type":"boolean"},"password":{"type":"string"},"paymentType":{"type":"integer","format":"int32"},"planId":{"type":"string"},"promonthlyEnabled":{"type":"boolean"},"resellerName":{"type":"string"},"seats":{"type":"integer","format":"int64"},"token":{"type":"string"},"trialPeriodDays":{"type":"integer","format":"int32"},"userId":{"type":"string"}}},"BTBillingAllowedPlansInfo":{"type":"object","properties":{"currentPlan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"downgrades":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"}},"upgrades":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"}}}},"BTBillingPlanBatchParams":{"type":"object","properties":{"plans":{"type":"array","items":{"$ref":"#/components/schemas/BTBillingPlanParams"}}}},"BTBillingPlanInfo":{"type":"object","properties":{"amountCents":{"type":"integer","format":"int32"},"applicationId":{"type":"string"},"clientId":{"type":"string"},"companyPlan":{"type":"boolean"},"consumableQuantity":{"type":"integer","format":"int32"},"deprecated":{"type":"boolean"},"description":{"type":"string"},"discountInfo":{"$ref":"#/components/schemas/BTDiscountInfo"},"group":{"type":"string"},"hidden":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"interval":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"onshapePlan":{"type":"boolean"},"planType":{"type":"integer","format":"int32"},"trialPeriodDays":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTBillingPlanParams":{"type":"object","properties":{"amountCents":{"type":"integer","format":"int32"},"applicationId":{"type":"string"},"clientId":{"type":"string"},"consumableQuantity":{"type":"integer","format":"int32"},"description":{"type":"string"},"group":{"type":"string"},"hidden":{"type":"boolean"},"interval":{"type":"string"},"name":{"type":"string"},"planId":{"type":"string"},"planType":{"type":"integer","format":"int32"},"trialPeriodDays":{"type":"integer","format":"int32"}}},"BTBillingPlanSummaryInfo":{"type":"object","properties":{"amountCents":{"type":"integer","format":"int32"},"applicationId":{"type":"string"},"companyPlan":{"type":"boolean"},"consumableQuantity":{"type":"integer","format":"int32"},"deprecated":{"type":"boolean"},"description":{"type":"string"},"hidden":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"interval":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"onshapePlan":{"type":"boolean"},"planType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTBodyEntity-26":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureEntity-34"},{"type":"object","properties":{"btType":{"type":"string"},"doesNotUseLevelsOfDetail":{"type":"boolean"}}}]},"BTBodyTypeFilter-112":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"btType":{"type":"string"}}}]},"BTBoundingBox-1052":{"type":"object","properties":{"btType":{"type":"string"},"maxCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"minCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"valid":{"type":"boolean"}},"description":"An axis-aligned bounding box indicated by two opposite corners.","discriminator":{"propertyName":"btType","mapping":{"BTNonAlignedBoundingBox-4180":"#/components/schemas/BTNonAlignedBoundingBox-4180"}}},"BTBoundingBoxInfo":{"type":"object","properties":{"highX":{"type":"number","format":"double"},"highY":{"type":"number","format":"double"},"highZ":{"type":"number","format":"double"},"lowX":{"type":"number","format":"double"},"lowY":{"type":"number","format":"double"},"lowZ":{"type":"number","format":"double"}}},"BTBoundingBoxParams":{"type":"object","properties":{"displayStateId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementMicroversionId":{"type":"string"},"explosionId":{"type":"string"},"includeHidden":{"type":"boolean"},"includeWireBodies":{"type":"boolean"},"namedPositionId":{"type":"string"},"partId":{"type":"string"},"partQuery":{"type":"string"},"sketchId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTBrokenOutEndCondition-1107":{"type":"object","properties":{"btType":{"type":"string"},"hasOffset":{"type":"boolean"},"hasUptoPoint":{"type":"boolean"},"offsetDistance":{"type":"number","format":"double"},"offsetOppositeDirection":{"type":"boolean"},"upt
oPoint":{"type":"array","items":{"type":"number","format":"double"}},"uptoPoint3d":{"$ref":"#/components/schemas/BTVector3d-389"}}},"BTBulkAcknowledgeNotificationParams":{"type":"object","properties":{"acknowledged":{"type":"boolean"}}},"BTBulkDocumentUpdateInfo":{"type":"object","properties":{"docId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"status":{"type":"string"},"success":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTBulkDocumentUpdateParams":{"type":"object","properties":{"addMissingExternalReferences":{"type":"boolean"},"documentIds":{"type":"string"},"skipRetrieval":{"type":"boolean"},"skipUpgrade":{"type":"boolean"},"skipUpgradeVersion":{"type":"integer","format":"int32"},"updateProperty":{"type":"string"},"upgradeMode":{"type":"string"},"upgradeVersion":{"type":"integer","format":"int32"}}},"BTBulkExpandNotificationParams":{"type":"object","properties":{"expanded":{"type":"boolean"}}},"BTBulkExplodeTransformInfo":{"type":"object","properties":{"bulkExplodeTransforms":{"type":"array","items":{"$ref":"#/components/schemas/BTExplodeTransformInfo"}}}},"BTBulkMetadataResolutionParams":{"type":"object","properties":{"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"resolvableMetadataParams":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataResolutionParams"}}}},"BTBulkMetadataResolutionResponse":{"type":"object","properties":{"resolvedMetadata":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataResolutionResponse"}}}},"BTCacheDataPath-191":{"type":"object","properties":{"btType":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"im
mutablePathContentsShouldExist":{"type":"boolean"},"isImmutableContextPath":{"type":"boolean"},"key":{"type":"string"},"keyContainsConfiguration":{"type":"boolean"},"useLocalFileCache":{"type":"boolean"}}},"BTCacheEntriesInfo":{"type":"object","properties":{"cacheKeys":{"type":"array","description":"All cache entries that were put under the cache","items":{"type":"string","description":"All cache entries that were put under the cache"}},"cacheVersion":{"type":"integer","description":"Current schema version of cache","format":"int32"},"description":{"type":"string","description":"Detailed description of the purpose of the cache"},"documentId":{"type":"string","description":"Document that owns the cache entries"},"name":{"type":"string","description":"Name of the cache"}},"description":"Cached keys for a document grouped by cache name"},"BTCacheInfo":{"type":"object","properties":{"cacheNames":{"type":"array","items":{"type":"string"}},"cacheStats":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"string"}}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"operationCounts":{"type":"object","additionalProperties":{"type":"integer","format":"int64"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCacheItemInfo":{"type":"object","properties":{"cacheKey":{"type":"string"},"cacheName":{"type":"string"},"cached":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastModifiedAt":{"type":"integer","format":"int64"},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in 
a webclient if applicable.","format":"uri"}}},"BTCacheSchemaInfo":{"type":"object","properties":{"cacheVersion":{"type":"integer","description":"Current schema version of cache","format":"int32"},"description":{"type":"string","description":"Detailed description of the purpose of the cache"},"name":{"type":"string","description":"Name of the cache"}},"description":"Cache schema definition"},"BTCadSearchRequestParams":{"type":"object","properties":{"contentAsFilter":{"type":"boolean"},"documentFilter":{"$ref":"#/components/schemas/Query"},"entityTypes":{"type":"array","items":{"$ref":"#/components/schemas/BTSearchEntityType"}},"excludePublications":{"type":"boolean"},"from":{"type":"integer","format":"int32"},"inRecent":{"type":"boolean"},"inTrash":{"type":"boolean"},"includePublic":{"type":"boolean"},"includeStandardContent":{"type":"boolean"},"includeUserOwned":{"type":"boolean"},"ownerFilters":{"type":"array","items":{"$ref":"#/components/schemas/BTOwner-3114"}},"q":{"type":"string"},"query":{"$ref":"#/components/schemas/Query"},"queryElementJson":{"type":"boolean"},"restrictions":{"$ref":"#/components/schemas/Restrictions"},"shareFilters":{"type":"array","items":{"$ref":"#/components/schemas/ShareFilter"}},"size":{"type":"integer","format":"int32"},"sorts":{"type":"array","items":{"$ref":"#/components/schemas/Sort"}}}},"BTCampaignInfo":{"type":"object","properties":{"campaignId":{"type":"string"},"campaignName":{"type":"string"},"terminated":{"type":"boolean"}}},"BTCampaignParams":{"type":"object","properties":{"campaignName":{"type":"string"},"messages":{"type":"array","items":{"$ref":"#/components/schemas/Message"}},"terminated":{"type":"boolean"}}},"BTCapabilityCheckParams":{"type":"object","properties":{"capabilities":{"type":"array","items":{"type":"string"}}}},"BTCapabilityInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"deleted":{"type":"boolean"},"description":{"type":"string"},"href":{"type":"string","description":
"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"ownerEmail":{"type":"string"},"reason":{"type":"string"},"ruleId":{"type":"string"},"ruleInfo":{"$ref":"#/components/schemas/BTCapabilityRuleInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCapabilityParams":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"reason":{"type":"string"},"ruleId":{"type":"string"},"type":{"type":"string"}}},"BTCapabilityRuleInfo":{"type":"object","properties":{"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"script":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCapabilityRuleParams":{"type":"object","properties":{"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"script":{"type":"string"}}},"BTCapabilityRuleSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTCapabilitySummaryInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"deleted":{"type":"boolean"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"ownerEmail":{"type":"string"},"reason":{"type":"string"},"ruleId":{"type":"string"},"ruleInfo":{"$ref":"#/components/schemas/BTCapabilityRuleInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTCapableInfo":{"type":"object","properties":{"capable":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTCardInfo":{"type":"object","properties":{"billingAddress":{"$ref":"#/components/schemas/BTAddressInfo"},"expMonth":{"type":"integer","format":"int32"},"expYear":{"type":"integer","format":"int32"},"last4":{"type":"string"},"type":{"type":"string"}}},"BTCardParams":{"type":"object","properties":{"address":{"$ref":"#/components/schemas/BTAddressInfo"},"token":{"type":"string"}}},"BTCategoryBulkPropertyUpdateParams":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/BTCategoryPropertyParams"}}}},"BTCategoryParam":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"BTCategoryPropertyBulkUpdateResponse":{"type":"object","properties":{"failed":{"type":"array","items":{"$ref":"#/components/schemas/FailedUpdate"}},"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCategoryPropertyInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"}}},"BTCategoryPropertyConfigInfo":{"type":"object","properties":{"computedAssemblyPropertyAggregatedPropertyId":{"type":"string"},"computedAssemblyPropertyAggregationOperator":{"type":"integer","format":"int32"},"computedAssemblyPropertyConfig":{"$ref":"#/components/schemas/BTComputedAssemblyPropertyConfig"},"computedAssemblyPropertyErrorValuePolicy":{"type":"integer","format":"int32"},"computedAssemblyPropertyFilterInverted":{"type":"boolean"},"computedAssemblyPropertyFilterPropertyId":{"type":"string"},"computedAssemblyPropertyMissingValuePolicy":{"type":"integer","format":"int32"},"computedAssemblyPropertySecondaryPropertyId":{"type":"string"},"computedPartPropertyConfig":{"$ref":"#/components/schemas/BTComputedPartPropertyConfig"},"computedPropertyFunctionName":{"type":"string"},"computedPropertyFunctionNamespace":{"type":"string"},"computedPropertyFunctionURL":{"type":"string"},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataEnumValue"}},"maxCount":{"type":"integer","format":"int32"},"maxDate":{"type":"string","format":"date-time"},"maxLength":{"type":"integer","format":"int32"},"maxValue":{"type":"number","format":"double"},"minCount":{"type":"integer","format":"int32"},"minDate":{"type":"string","format":"date-time"},"minLength":{"type":"integer","format":"int32"},"minValue":{"type":"number","format":"double"},"multiline":{"type":"boolean"},"multivalued":{"type":"boolean"},"pattern":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"quantityType":{"type":"integer","format":"int32"},"required":{"type":"boolean"}}},"BTCategoryPropertyConfigParams":{"type":"object","properties":{"computedAssemblyPropertyAggregatedPropertyId":{"type":"string"},"computedAssemblyPropertyAggregationOperator":{"type":"integer","format":"int32"},"computedAssemblyPropertyErrorValuePolicy":{"type":"integer","format":"int32"},"computedAssemblyPropert
yFilterInverted":{"type":"boolean"},"computedAssemblyPropertyFilterPropertyId":{"type":"string"},"computedAssemblyPropertyMissingValuePolicy":{"type":"integer","format":"int32"},"computedAssemblyPropertySecondaryPropertyId":{"type":"string"},"computedPropertyFunctionName":{"type":"string"},"computedPropertyFunctionNamespace":{"type":"string"},"computedPropertyFunctionReturnType":{"type":"integer","format":"int32"},"computedPropertyFunctionURL":{"type":"string"},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataEnumValue"}},"maxCount":{"type":"integer","format":"int32"},"maxDate":{"type":"string","format":"date-time"},"maxLength":{"type":"integer","format":"int32"},"maxValue":{"type":"number","format":"double"},"minCount":{"type":"integer","format":"int32"},"minDate":{"type":"string","format":"date-time"},"minLength":{"type":"integer","format":"int32"},"minValue":{"type":"number","format":"double"},"multiline":{"type":"boolean"},"multivalued":{"type":"boolean"},"pattern":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"quantityType":{"type":"integer","format":"int32"},"required":{"type":"boolean"}}},"BTCategoryPropertyInfo":{"type":"object","properties":{"array":{"type":"boolean"},"assignable":{"type":"boolean"},"blobMimeType":{"type":"string"},"categoryPropertyConfigInfo":{"$ref":"#/components/schemas/BTCategoryPropertyConfigInfo"},"categorySummaryInfoList":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataCategorySummaryInfo"}},"description":{"type":"string"},"editableInMicroversion":{"type":"boolean"},"editableInVersion":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"objectDefName":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"uiReadonlyInMicroversion":{"type":"boolean"},"uiReadonlyInVersion":{"type":"boolean"},"valueType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCategoryPropertyParams":{"type":"object","properties":{"addToCategoryIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"array":{"type":"boolean"},"blobMimeType":{"type":"string"},"categoryPropertyConfigParams":{"$ref":"#/components/schemas/BTCategoryPropertyConfigParams"},"description":{"type":"string"},"editableInMicroversion":{"type":"boolean"},"editableInVersion":{"type":"boolean"},"id":{"type":"string"},"metadataPropertyParams":{"$ref":"#/components/schemas/BTMetadataPropertyParams"},"name":{"type":"string"},"objectDefName":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"removeFromCategoryIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"uiReadonlyInMicroversion":{"type":"boolean"},"uiReadonlyInVersion":{"type":"boolean"},"valueType":{"type":"integer","format":"int32"}}},"BTCenterlineDimensionDisplayData-1798":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTLinearDimensionDisplayData-330"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTChangeInfo":{"type":"object","properties":{"allowStateChange":{"type":"boolean"},"closedDate":{"type":"string","format":"date-time"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"deletable":{"type":"boolean"},"description":{"type":"string"},"documentId":{"type":"string"},"editable":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"inProgressState":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"number":{"type":"string"},"ownerInfo":{"$ref":"#/components/schemas/BTOwnerInfo"},"pendingResolveState":{"type":"string"},"projectId":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"subscribed":{"type":"boolean"},"subscriptionEnable":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"},"workflowProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}}},"description":"Array of items in the current page."},"BTChangeOrderAffectedItemInfo":{"type":"object","properties":{"affectedItemId":{"type":"string"},"affectedItemType":{"type":"integer","format":"int32"},"affectedName":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"affectedRevision":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"bodyType":{"type":"string"},"changeTask":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"changeTaskState":{"$ref":"#/components/schemas/BTWorkflowStateInfo"},"configurationId":{"type":"string"},"dataType":{"type":"string"},"derived":{"type":"boolean"},"documentId":{"type":"string"},"documentName":{"type":"string"},"editable":{"type":"boolean"},"elementId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"note":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"partId":{"type":"string"},"partNumber":{"type":"string"},"releasePackageId":{"type":"string"},"releasePackageItemInfo":{"$ref":"#/components/schemas/BTReleasePackageItemInfo"},"releasePackageItemInfoEditability":{"type":"boolean","writeOnly":true},"releasePackageRootItemId":{"type":"string"},"state":{"type":"string"},"targetDocumentId":{"type":"string"},"targetDocumentName":{"type":"string"},"targetResourceId":{"$ref":"#/components/schemas/BTResourceId"},"targetRevision":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"targetVersion":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"targetVersionId":{"type":"string"},"targetVersionName":{"type":"string"},"targetWorkspace":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"targetWorkspaceId":{"type":"string"},"targetWorkspaceUrl":{"type":"string","format":"uri"},"type":{"type":"integer","format":"int32"},"url":{"type":"string","format":"uri"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTChangeOrderAffectedItemParams":{"type":"object","properties":{"affectedItemType":{"type":"integer","format":"int32"},"configurationId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"name":{"type":"string"},"notes":{"type":"string"},"partId":{"type":"string"},"systemId":{"type":"string"},"targetRevision":{"type":"string"},"targetState":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"},"uri":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTChangeOrderAffectedItemUpdateParams":{"type":"object","properties":{"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTChangePropertyValueParam"}},"releaseItemId":{"type":"string"},"syncChangeTaskForItemsInSameDocument":{"type":"boolean"}}},"BTChangeOrderInfo":{"type":"object","properties":{"allowStateChange":{"type":"boolean"},"closedDate":{"type":"string","format":"date-time"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"deletable":{"type":"boolean"},"description":{"type":"string"},"documentId":{"type":"string"},"editable":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"inProgressState":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the 
resource."},"number":{"type":"string"},"obsoletionPackageId":{"type":"string"},"ownerInfo":{"$ref":"#/components/schemas/BTOwnerInfo"},"pendingResolveState":{"type":"string"},"projectId":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"releaseFrozen":{"type":"boolean"},"releasePackageId":{"type":"string"},"subscribed":{"type":"boolean"},"subscriptionEnable":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"},"workflowProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}}}},"BTChangeOrderParams":{"type":"object","properties":{"affectedItemParams":{"type":"array","items":{"$ref":"#/components/schemas/BTChangeOrderAffectedItemParams"}},"description":{"type":"string"},"name":{"type":"string"},"workflowId":{"type":"string"}}},"BTChangePropertyUpdateParams":{"type":"object","properties":{"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTChangePropertyValueParam"}}}},"BTChangePropertyValueParam":{"type":"object","properties":{"initialValue":{"type":"object"},"propertyId":{"type":"string"},"value":{"type":"object"}}},"BTChangeRequestAffectedItemInfo":{"type":"object","properties":{"affectedItemType":{"type":"integer","format":"int32"},"affectedName":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"affectedRevision":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"bodyType":{"type":"string"},"configurationId":{"type":"string"},"dataType":{"type":"string"},"documentId":{"type":"string"},"editable":{"type":"boolean"},"elementId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"note":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"},"partId":{"type":"string"},"partNumber":{"type":"string"},"state":{"type":"string"},"type":{"type":"integer","format":"int32"},"url":{"type":"string","format":"uri"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTChangeRequestAffectedItemParams":{"type":"object","properties":{"affectedItemType":{"type":"integer","format":"int32"},"configurationId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"name":{"type":"string"},"notes":{"type":"string"},"partId":{"type":"string"},"systemId":{"type":"string"},"type":{"type":"integer","format":"int32"},"uri":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTChangeRequestInfo":{"type":"object","properties":{"allowStateChange":{"type":"boolean"},"closedDate":{"type":"string","format":"date-time"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"deletable":{"type":"boolean"},"description":{"type":"string"},"documentId":{"type":"string"},"editable":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"inProgressState":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the 
resource."},"number":{"type":"string"},"ownerInfo":{"$ref":"#/components/schemas/BTOwnerInfo"},"pendingResolveState":{"type":"string"},"projectId":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"subscribed":{"type":"boolean"},"subscriptionEnable":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"},"workflowProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}}}},"BTChangeRequestParams":{"type":"object","properties":{"affectedItemParams":{"type":"array","items":{"$ref":"#/components/schemas/BTChangeRequestAffectedItemParams"}},"description":{"type":"string"},"name":{"type":"string"},"workflowId":{"type":"string"}}},"BTChangeResourceInfo":{"type":"object","properties":{"id":{"type":"string"},"type":{"type":"integer","format":"int32"}}},"BTChangeResourceRelationshipInfo":{"type":"object","properties":{"changeResourceInfo":{"$ref":"#/components/schemas/BTChangeResourceInfo"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"number":{"type":"string"},"relationshipType":{"type":"integer","format":"int32"},"resourceInfo":{"$ref":"#/components/schemas/BTResourceInfo"},"state":{"$ref":"#/components/schemas/BTWorkflowStateInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTChangeResourceRelationshipParams":{"type":"object","properties":{"relationshipType":{"type":"integer","format":"int32"},"resourceId":{"$ref":"#/components/schemas/BTResourceIdParams"}}},"BTChangeResourceUpdateParams":{"type":"object","properties":{"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTChangePropertyValueParam"}},"workflowProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTChangePropertyValueParam"}}}},"BTChangeTaskInfo":{"type":"object","properties":{"allowReopen":{"type":"boolean"},"allowStateChange":{"type":"boolean"},"changeOrderId":{"type":"string"},"closedDate":{"type":"string","format":"date-time"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"deletable":{"type":"boolean"},"description":{"type":"string"},"documentId":{"type":"string"},"editable":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"inProgressState":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"needDate":{"type":"string","format":"date-time"},"number":{"type":"string"},"ownerInfo":{"$ref":"#/components/schemas/BTOwnerInfo"},"pendingResolveState":{"type":"string"},"projectId":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"releasePackageId":{"type":"string"},"state":{"type":"string"},"subscribed":{"type":"boolean"},"subscriptionEnable":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"},"workflowProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}}}},"BTChangeTaskParams":{"type":"object","properties":{"affectedItemId":{"type":"string"},"changeOrderId":{"type":"string"},"description":{"type":"string"},"name":{"type":"string"},"syncChangeTaskForItemsInSameDocument":{"type":"boolean"},"workflowId":{"type":"string"}}},"BTChangeUnitsParams":{"type":"object","properties":{"units":{"type":"object","additionalProperties":{"type":"string"}},"unitsDisplayDecimalPlaces":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}},"BTChangedReleasedPartIdInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"newPartId":{"type":"string"},"oldPartId":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"revisionId":{"type":"string"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTCircleDescription-1145":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveDescription-1583"},{"type":"object","properties":{"btType":{"type":"string"},"normal":{"$ref":"#/components/schemas/BTVector3d-389"},"radius":{"type":"number","format":"double"}}}]},"BTClassAssignmentInfo":{"type":"object","properties":{"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"documents":{"type":"array","items":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}},"educator":{"type":"boolean"},"endDate":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"modifiedDate":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the 
resource."},"numberOfStudents":{"type":"integer","format":"int32"},"numberOfSubmissions":{"type":"integer","format":"int32"},"numberOfSubmissionsInProgress":{"type":"integer","format":"int32"},"numberOfSubmissionsNotStarted":{"type":"integer","format":"int32"},"numberOfSubmissionsSubmitted":{"type":"integer","format":"int32"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}},"publishedDate":{"type":"string","format":"date-time"},"startDate":{"type":"string","format":"date-time"},"state":{"type":"integer","format":"int32"},"stateName":{"type":"string"},"studentSubmissionState":{"type":"integer","format":"int32"},"submissionOption":{"type":"integer","format":"int32"},"submissions":{"type":"array","items":{"$ref":"#/components/schemas/BTStudentSubmissionInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"}}},"BTClassroomDocumentInfo":{"type":"object","properties":{"assignmentId":{"type":"string"},"classroomId":{"type":"string"},"documentState":{"type":"integer","format":"int32","writeOnly":true},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string","description":"Name of the resource."},"starterDocument":{"type":"boolean"},"studentSubmissionId":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTClassroomDocumentParams":{"type":"object","properties":{"assignmentId":{"type":"string"},"classroomId":{"type":"string"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"starterDocument":{"type":"boolean"},"studentSubmissionId":{"type":"string"},"type":{"type":"integer","format":"int32"}}},"BTClassroomInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"educator":{"type":"boolean"},"numberOfAssignments":{"type":"integer","format":"int64"},"numberOfMembers":{"type":"integer","format":"int64"},"state":{"type":"integer","format":"int32"},"stateName":{"type":"string"},"title":{"type":"string"}}}]},"BTClassroomMemberCountInfo":{"type":"object","properties":{"educatorCount":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"studentCount":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTClassroomMemberInfo":{"type":"object","properties":{"classroomId":{"type":"string"},"dateAdded":{"type":"string","format":"date-time"},"educator":{"type":"boolean"},"email":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"lastLoginTime":{"type":"string","format":"date-time"},"memberId":{"type":"string"},"memberType":{"type":"integer","format":"int32"},"memberTypeState":{"type":"integer","format":"int32"},"name":{"type":"string","description":"Name of the 
resource."},"role":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"submissionFolderId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTClassroomMemberListInfo":{"type":"object","properties":{"classroomId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"results":{"type":"array","items":{"$ref":"#/components/schemas/BTAddClassroomMemberResultInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTClassroomMemberListParams":{"type":"object","properties":{"classroomId":{"type":"string"},"listOfEmails":{"type":"array","items":{"type":"string"}},"memberType":{"type":"integer","format":"int32"},"role":{"type":"integer","format":"int32"}}},"BTClassroomMemberParams":{"type":"object","properties":{"classroomId":{"type":"string"},"email":{"type":"string"},"memberType":{"type":"integer","format":"int32"},"role":{"type":"integer","format":"int32"}}},"BTClassroomObjectStateParams":{"type":"object","properties":{"state":{"type":"integer","format":"int32"}}},"BTClassroomParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"ownerId":{"type":"string"},"starterDocuments":{"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"title":{"type":"string"}}},"BTClearCacheParams":{"type":"object","properties":{"cacheNames":{"type":"array","description":"Names of caches to clear","items":{"type":"string","description":"Names of caches to clear"}},"clearLinkedDocuments":{"type":"boolean","description":"Whether to clear all linked document 
caches"}}},"BTClientPerformanceMetricsInfo":{"type":"object","properties":{"availableIpAddresses":{"type":"array","items":{"type":"string"}},"ipAddress":{"type":"string"},"rangeLabels":{"type":"array","items":{"type":"string"}},"rangeTitle":{"type":"string"},"valueMap":{"type":"object","additionalProperties":{"type":"array","items":{"type":"integer","format":"int32"}}}}},"BTClientThirdPartyKeyInfo":{"type":"object","properties":{"googleAnalyticsKey":{"type":"string"}}},"BTClonedInstance-2505":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParametricOutputInstance-2288"},{"type":"object","properties":{"btType":{"type":"string"},"seedOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"}}}]},"BTClosedConstituentPartData-2911":{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"btType":{"type":"string"},"isActiveSheetMetal":{"type":"boolean"},"isMesh":{"type":"boolean"},"meshState":{"$ref":"#/components/schemas/GBTMeshState"}}},"BTClosedCurveFilter-1206":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isClosed":{"type":"boolean"}}}]},"BTCloudStorageAccountInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"cloudStorageAccountId":{"type":"string"},"cloudStorageProvider":{"type":"integer","format":"int32"},"enabled":{"type":"boolean"},"exportFolder":{"$ref":"#/components/schemas/BTCloudStorageObjectInfo"},"importFolder":{"$ref":"#/components/schemas/BTCloudStorageObjectInfo"}}}]},"BTCloudStorageAccountListInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTCloudStorageAccountInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}}},"BTCloudStorageAccountParams":{"type":"object","properties":{"exportFolderId":{"type":"string"},"importFolderId":{"type":"string"}}},"BTCloudStorageObjectInfo":{"type":"object","properties":{"canMove":{"type":"boolean"},"cloudStorageAccountId":{"type":"string"},"cloudStorageObjectId":{"type":"string"},"cloudStorageProvider":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"createdById":{"type":"string"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"iconLink":{"type":"string"},"id":{"type":"string","description":"Id of the resource."},"isContainer":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"isMutable":{"type":"boolean"},"mimeType":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"modifiedById":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"parentId":{"type":"string"},"projectId":{"type":"string"},"resourceType":{"type":"string"},"sizeBytes":{"type":"integer","format":"int64"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"treeHref":{"type":"string"},"unparentHref":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"webViewLink":{"type":"string"}}},"BTCloudStorageObjectListInfo":{"type":"object","properties":{"href":{"type":"string","format":"uri"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTCloudStorageObjectInfo"}},"next":{"type":"string","format":"uri"},"pathToRoot":{"type":"array","items":{"$ref":"#/components/schemas/CloudObjectPathSegment"}}}},"BTColorInfo":{"type":"object","properties":{"blue":{"type":"integer","format":"int32"},"green":{"type":"integer","format":"int32"},"red":{"type":"integer","format":"int32"}}},"BTColorParams":{"type":"object","properties":{"blue":{"type":"integer","format":"int32"},"green":{"type":"integer","format":"int32"},"red":{"type":"integer","format":"int32"}}},"BTCommandSearchInfo":{"type":"object","properties":{"descriptions":{"type":"array","items":{"type":"string"}},"failureMessage":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"partStudioUri":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCommentAttachmentInfo":{"type":"object","properties":{"fileName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"mimeType":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"thumbnailFor":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTCommentInfo":{"type":"object","properties":{"assemblyFeatures":{"type":"array","items":{"type":"string"}},"assignedAt":{"type":"string","format":"date-time"},"assignee":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"attachment":{"$ref":"#/components/schemas/BTCommentAttachmentInfo"},"canDelete":{"type":"boolean"},"canResolveOrReopen":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"},"documentId":{"type":"string"},"elementFeature":{"type":"string"},"elementId":{"type":"string"},"elementOccurrences":{"type":"array","items":{"type":"string"}},"elementQuery":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"message":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"objectId":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"parentId":{"type":"string"},"releasePackageId":{"type":"string"},"reopenedAt":{"type":"string","format":"date-time"},"reopenedBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"replyCount":{"type":"integer","format":"int64"},"resolvedAt":{"type":"string","format":"date-time"},"resolvedBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"state":{"type":"integer","format":"int32"},"thumbnail":{"$ref":"#/components/schemas/BTCommentAttachmentInfo"},"topLevel":{"type":"boolean"},"user":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"versionId":{"type":"string"},"viewData":{"$ref":"#/components/schemas/BTViewDataInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTCommentParams":{"type":"object","properties":{"assemblyFeature":{"type":"string"},"assignee":{"type":"string"},"documentId":{"type":"string"},"elementFeature":{"type":"string"},"elementId":{"type":"string"},"elementOccurrence":{"type":"string"},"elementQuery":{"type":"string"},"id":{"type":"string"},"message":{"type":"string"},"objectId":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"parentId":{"type":"string"},"versionId":{"type":"string"},"viewData":{"$ref":"#/components/schemas/BTViewDataParams"},"workspaceId":{"type":"string"}}},"BTCommentSubscriptionInfo":{"type":"object","properties":{"documentId":{"type":"string"},"subscribed":{"type":"boolean"},"userId":{"type":"string"}}},"BTCommentSubscriptionParams":{"type":"object","properties":{"documentId":{"type":"string"},"subscribed":{"type":"boolean"}}},"BTCommentSummaryInfo":{"type":"object","properties":{"documentId":{"type":"string"},"openTasksCount":{"type":"integer","format":"int64"},"userId":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTCommonUnitInfo":{"type":"object","properties":{"abbreviation":{"type":"string"},"unit":{"type":"string"},"unitName":{"type":"string"},"unitType":{"type":"string"},"valueInBaseUnits":{"type":"number","format":"double"}}},"BTCommonUnitsInfo":{"type":"object","properties":{"quantityTypeToBaseUnits":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}},"units":{"type":"array","items":{"$ref":"#/components/schemas/BTCommonUnitInfo"}}}},"BTCompanyActivateParams":{"type":"object","properties":{"paymentType":{"type":"integer","format":"int32"},"planId":{"type":"string"},"seats":{"type":"integer","format":"int64"},"userId":{"type":"string"}}},"BTCompanyAdminInfo":{"type":"object","properties":{"accountId":{"type":"string"},"address":{"$ref":"#/components/schemas/BTAddressInfo"},"admin":{"type":"bool
ean"},"createdAt":{"type":"string","format":"date-time"},"description":{"type":"string"},"domainPrefix":{"type":"string"},"enterpriseBaseUrl":{"type":"string"},"enterpriseSubtype":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"noPublicDocuments":{"type":"boolean"},"owner":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"ownerId":{"type":"string"},"planId":{"type":"string"},"planLightSeats":{"type":"integer","format":"int64"},"planSeats":{"type":"integer","format":"int64"},"planState":{"type":"integer","format":"int32"},"purchase":{"$ref":"#/components/schemas/BTPurchaseInfo"},"secondaryDomainPrefixes":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCompanyInfo":{"type":"object","properties":{"address":{"$ref":"#/components/schemas/BTAddressInfo"},"admin":{"type":"boolean"},"description":{"type":"string"},"domainPrefix":{"type":"string"},"enterpriseBaseUrl":{"type":"string"},"enterpriseSubtype":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"name":{"type":"string","description":"Name of the 
resource."},"noPublicDocuments":{"type":"boolean"},"ownerId":{"type":"string"},"purchase":{"$ref":"#/components/schemas/BTPurchaseInfo"},"secondaryDomainPrefixes":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCompanyNoPublicDocumentParams":{"type":"object","properties":{"noPublicDocuments":{"type":"boolean"}}},"BTCompanyOwnerInfo":{"type":"object","properties":{"companyId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"ownerId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTCompanyParams":{"type":"object","properties":{"address":{"$ref":"#/components/schemas/BTAddressInfo"},"description":{"type":"string"},"domainPrefix":{"type":"string"},"force":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"ownerId":{"type":"string"},"planId":{"type":"string"},"state":{"type":"integer","format":"int32"}}},"BTCompanyPermissionsInfo":{"type":"object","properties":{"companyId":{"type":"string"},"globalPermissionInfo":{"$ref":"#/components/schemas/GlobalPermissionInfo"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isLightUser":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items 
in the current page."},"BTCompanyPoliciesInfo":{"type":"object","properties":{"actionShowDrawingsWatermark":{"type":"boolean"},"addCompanyOwnedLibrariesInUserAccount":{"type":"boolean"},"allowReleaseItemsFromOtherDocuments":{"type":"boolean"},"approvedDrawingTemplatesDocumentId":{"type":"string"},"approverRequiredDuringRelease":{"type":"boolean"},"assemblyDefaultBomTemplateId":{"type":"string"},"automaticallyObsoletePreviousReleasedRevisions":{"type":"boolean"},"changeOrderWorkflowId":{"type":"string"},"changeRequestWorkflowId":{"type":"string"},"changeTaskWorkflowId":{"type":"string"},"defaultInspectionTableTemplateId":{"type":"string"},"defaultRevisionTableTemplateId":{"type":"string"},"drawingCanDuplicatePartNumber":{"type":"boolean"},"drawingDefaultBomTemplateId":{"type":"string"},"enabledActiveMultipleWorkflows":{"type":"boolean"},"enabledChangeManagement":{"type":"boolean"},"enabledChangeOrderMultipleWorkflows":{"type":"boolean"},"enabledChangeOrderUnreleasedDependents":{"type":"boolean"},"enabledChangeRequest":{"type":"boolean"},"enabledChangeRequestMultipleWorkflows":{"type":"boolean"},"errorOnAssemblyRefsOutOfDateDuringRelease":{"type":"boolean"},"errorOnAssemblyTreeErrorsDuringRelease":{"type":"boolean"},"errorOnFeatureListErrorsDuringRelease":{"type":"boolean"},"errorOnObsoleteRefsDuringRelease":{"type":"boolean"},"errorOnPartNumberPendingDuringRelease":{"type":"boolean"},"errorOnPendingContextEditsDuringRelease":{"type":"boolean"},"errorOnPendingDanglingDrawingObjectsDuringRelease":{"type":"boolean"},"errorOnPendingDrawingUpdateDuringRelease":{"type":"boolean"},"errorOnPendingTaskDuringRelease":{"type":"boolean"},"errorOnRollbackBarNotAtEndDuringRelease":{"type":"boolean"},"fillLightSeatFirst":{"type":"boolean"},"hideWatermarkForNotRevManaged":{"type":"boolean"},"integrations":{"$ref":"#/components/schemas/IntegrationsPolicyInfo"},"itemNumberingSchemeId":{"type":"string"},"noteRequiredDuringRelease":{"type":"boolean"},"obsoletionDescriptionOverride":{"ty
pe":"string"},"obsoletionNameOverride":{"type":"string"},"obsoletionWorkflowId":{"type":"string"},"onlyAdminsCanApproveReleases":{"type":"boolean"},"onlyAdminsCanDeleteDocumentsContainingReleasedObjects":{"type":"boolean"},"onlyAdminsCanEditPropertiesOfReleasedObjects":{"type":"boolean"},"onlyAdminsCanMarkObjectsAsNotRevisionManaged":{"type":"boolean"},"partNumberingSchemeId":{"type":"string"},"preventDuplicateDocumentNameRegex":{"type":"string"},"propagatePartNumberToWorkspace":{"type":"integer","format":"int32"},"propertiesDateFormat":{"type":"string"},"propertiesOrderList":{"type":"array","items":{"type":"string"}},"releaseDescriptionOverride":{"type":"string"},"releaseNameOverride":{"type":"string"},"releasePropertyNameOverrideEnabled":{"type":"boolean"},"releaseWorkflowId":{"type":"string"},"requireAllApprovers":{"type":"boolean"},"requireApprovedDrawingTemplates":{"type":"boolean"},"requireBasePartReleaseWithDerivedPart":{"type":"boolean"},"requireImageReleaseWithDrawing":{"type":"boolean"},"requirePartNumberForReleasedObjects":{"type":"boolean"},"requirePartsAndSubassembliesReleaseWithAssembly":{"type":"boolean"},"requirePartsAndSubassembliesReleaseWithDrawing":{"type":"boolean"},"requirePeerReview":{"type":"boolean"},"requireRevisionForReleasedObjects":{"type":"boolean"},"requireTotp":{"type":"boolean"},"revisionSchemeId":{"type":"string"},"revisionSuffix":{"type":"string"},"standardContentNumberingSchemeId":{"type":"string"},"startupPage":{"type":"integer","format":"int32"},"treatMetadataChangesAsChanges":{"type":"boolean"},"useCompanyFeaturesToolbar":{"type":"boolean"},"useLightUi":{"type":"boolean"}}},"BTCompanyPoliciesParams":{"type":"object","properties":{"actionShowDrawingsWatermark":{"type":"boolean"},"addCompanyOwnedLibrariesInUserAccount":{"type":"boolean"},"allowReleaseItemsFromOtherDocuments":{"type":"boolean"},"approvedDrawingTemplatesDocumentId":{"type":"string"},"approverRequiredDuringRelease":{"type":"boolean"},"assemblyDefaultBomTemplateId":{
"type":"string"},"automaticallyObsoletePreviousReleasedRevisions":{"type":"boolean"},"changeOrderWorkflowId":{"type":"string"},"changeRequestWorkflowId":{"type":"string"},"changeTaskWorkflowId":{"type":"string"},"drawingCanDuplicatePartNumber":{"type":"boolean"},"drawingDefaultBomTemplateId":{"type":"string"},"enabledActiveMultipleWorkflows":{"type":"boolean"},"enabledChangeManagement":{"type":"boolean"},"enabledChangeOrderMultipleWorkflows":{"type":"boolean"},"enabledChangeOrderUnreleasedDependents":{"type":"boolean"},"enabledChangeRequest":{"type":"boolean"},"enabledChangeRequestMultipleWorkflows":{"type":"boolean"},"errorOnAssemblyRefsOutOfDateDuringRelease":{"type":"boolean"},"errorOnAssemblyTreeErrorsDuringRelease":{"type":"boolean"},"errorOnFeatureListErrorsDuringRelease":{"type":"boolean"},"errorOnObsoleteRefsDuringRelease":{"type":"boolean"},"errorOnPartNumberPendingDuringRelease":{"type":"boolean"},"errorOnPendingContextEditsDuringRelease":{"type":"boolean"},"errorOnPendingDanglingDrawingObjectsDuringRelease":{"type":"boolean"},"errorOnPendingDrawingUpdateDuringRelease":{"type":"boolean"},"errorOnPendingTaskDuringRelease":{"type":"boolean"},"errorOnRollbackBarNotAtEndDuringRelease":{"type":"boolean"},"fillLightSeatFirst":{"type":"boolean"},"hideWatermarkForNotRevManaged":{"type":"boolean"},"integrations":{"$ref":"#/components/schemas/IntegrationsParams"},"itemNumberingSchemeId":{"type":"string"},"noteRequiredDuringRelease":{"type":"boolean"},"obsoletionDescriptionOverride":{"type":"string"},"obsoletionNameOverride":{"type":"string"},"obsoletionWorkflowId":{"type":"string"},"onlyAdminsCanApproveReleases":{"type":"boolean"},"onlyAdminsCanDeleteDocumentsContainingReleasedObjects":{"type":"boolean"},"onlyAdminsCanEditPropertiesOfReleasedObjects":{"type":"boolean"},"onlyAdminsCanMarkObjectsAsNotRevisionManaged":{"type":"boolean"},"partNumberingSchemeId":{"type":"string"},"preventDuplicateDocumentNameRegex":{"type":"string"},"propagatePartNumberToWorkspace":{"$re
f":"#/components/schemas/PartNumberPropagation"},"propertiesDateFormat":{"type":"string"},"propertiesOrderList":{"type":"array","items":{"type":"string"}},"releaseDescriptionOverride":{"type":"string"},"releaseNameOverride":{"type":"string"},"releasePropertyNameOverrideEnabled":{"type":"boolean"},"releaseWorkflowId":{"type":"string"},"requireAllApprovers":{"type":"boolean"},"requireApprovedDrawingTemplates":{"type":"boolean"},"requireBasePartReleaseWithDerivedPart":{"type":"boolean"},"requireImageReleaseWithDrawing":{"type":"boolean"},"requirePartNumberForReleasedObjects":{"type":"boolean"},"requirePartsAndSubassembliesReleaseWithAssembly":{"type":"boolean"},"requirePartsAndSubassembliesReleaseWithDrawing":{"type":"boolean"},"requirePeerReview":{"type":"boolean"},"requireRevisionForReleasedObjects":{"type":"boolean"},"requireTotp":{"type":"boolean"},"revisionSchemeId":{"type":"string"},"revisionSuffix":{"type":"string"},"standardContentNumberingSchemeId":{"type":"string"},"startupPage":{"type":"integer","format":"int32"},"treatMetadataChangesAsChanges":{"type":"boolean"},"useCompanyFeaturesToolbar":{"type":"boolean"},"useLightUi":{"type":"boolean"}}},"BTCompanySummaryInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"description":{"type":"string"},"domainPrefix":{"type":"string"},"enterpriseBaseUrl":{"type":"string"},"enterpriseSubtype":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"noPublicDocuments":{"type":"boolean"},"ownerId":{"type":"string"},"secondaryDomainPrefixes":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTCompanyTransferParams":{"type":"object","properties":{"currentOwnerId":{"type":"string"},"newOwnerId":{"type":"string"}}},"BTCompanyUserInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"company":{"$ref":"#/components/schemas/BTCompanySummaryInfo"},"documentationNameOverride":{"type":"string"},"guest":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastLoginTime":{"type":"string","format":"date-time"},"light":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"state":{"type":"integer","format":"int32"},"user":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTCompanyUserParams":{"type":"object","properties":{"admin":{"type":"boolean","description":"Indicates the user is an admin if true."},"companyId":{"type":"string","description":"Company ID of the user."},"documentationNameOverride":{"type":"string","description":"String to override documentation name."},"email":{"type":"string","description":"Email ID of the company user."},"globalPermissions":{"type":"array","description":"List of global permissions to grant.","items":{"type":"integer","description":"List of global permissions to grant.","format":"int32"}},"guest":{"type":"boolean","description":"Indicates the user is a guest user if true."},"light":{"type":"boolean","description":"Indicates the user is a light user if 
true."}}},"BTCompanyUserSummaryAdminInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTCompanyUserSummaryInfo"},{"type":"object","properties":{"totpEnabled":{"type":"boolean"}}}]},"BTCompanyUserSummaryInfo":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"companyuser":"#/components/schemas/BTCompanyUserSummaryInfo","companyuseradmin":"#/components/schemas/BTCompanyUserSummaryAdminInfo"}},"allOf":[{"$ref":"#/components/schemas/BTUserSummaryInfo"},{"type":"object","properties":{"admin":{"type":"boolean"},"cls":{"type":"string"}}}]},"BTComponentUsagesSummary":{"type":"object","properties":{"count":{"type":"integer","format":"int64"},"hierarchy":{"$ref":"#/components/schemas/BTStandardContentHierarchy"}}},"BTComputedAssemblyPropertyAggregationOperator":{"type":"string","enum":["SUM","MINIMUM","MAXIMUM","AVERAGE","WEIGHTED_SUM","WEIGHTED_AVERAGE","ANY","ALL","NOT_ANY","NOT_ALL"]},"BTComputedAssemblyPropertyConfig":{"type":"object","properties":{"aggregatedPropertyId":{"type":"string"},"aggregationOperator":{"$ref":"#/components/schemas/BTComputedAssemblyPropertyAggregationOperator"},"errorValuePolicy":{"$ref":"#/components/schemas/BTComputedAssemblyPropertyErrorPolicy"},"filterPropertyId":{"type":"string"},"isFilterPropertyInverted":{"type":"boolean"},"missingValuePolicy":{"$ref":"#/components/schemas/BTComputedAssemblyPropertyErrorPolicy"},"secondaryPropertyId":{"type":"string"}}},"BTComputedAssemblyPropertyErrorPolicy":{"type":"string","enum":["ExcludeFromComputation","TreatAsZero","TreatAsTrue","TreatAsFalse","PropagateError"]},"BTComputedConfigurationInputSpec-2525":{"type":"object","properties":{"btType":{"type":"string"},"inputId":{"type":"string"}}},"BTComputedPartPropertyConfig":{"type":"object","properties":{"computedPartPropertySpecFunction":{"type":"string"},"computedPartPropertySpecNamespace":{"type":"string"},"computedPropertyFunctionReturnType":{"type":"integer","format":"int32"},"propertyFunctionDocumentId":{"type":"stri
ng"}}},"BTComputedPartPropertySpec-1746":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureSpec-129"},{"type":"object","properties":{"btType":{"type":"string"},"computedPartPropertySpecId":{"type":"string"},"propertyFunctionReturnType":{"type":"string"}}}]},"BTConeDescription-860":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"axis":{"$ref":"#/components/schemas/BTVector3d-389"},"btType":{"type":"string"},"halfAngle":{"type":"number","format":"double"},"radius":{"type":"number","format":"double"}}}]},"BTConfigurationInfo":{"type":"object","properties":{"isStandardContent":{"type":"boolean"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/ConfigurationInfoEntry"}}}},"BTConfigurationParams":{"type":"object","properties":{"parameters":{"type":"array","items":{"$ref":"#/components/schemas/ConfigurationEntry"}},"standardContentParametersId":{"type":"string"}}},"BTConfigurationResponse-2019":{"type":"object","properties":{"btType":{"type":"string"},"configurationParameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMConfigurationParameter-819"}},"currentConfiguration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTConfigurationUpdateCall-2933":{"type":"object","properties":{"btType":{"type":"string"},"configurationParameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMConfigurationParameter-819"}},"currentConfiguration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean
"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTConfiguredDimensionColumnInfo-2168":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTConfiguredValuesColumnInfo-1025"},{"type":"object","properties":{"btType":{"type":"string"},"dimensionId":{"type":"string"},"parameterId":{"type":"string"}}}]},"BTConfiguredFeatureColumnInfo-1014":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTConfiguredValuesColumnInfo-1025"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTConfiguredParameterColumnInfo-2900":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTConfiguredValuesColumnInfo-1025"},{"type":"object","properties":{"btType":{"type":"string"},"innerParameterLocation":{"$ref":"#/components/schemas/BTInnerParameterLocation-1715"},"parameterId":{"type":"string"}}}]},"BTConfiguredPartProperties-2645":{"type":"object","properties":{"btType":{"type":"string"},"nodeId":{"type":"string"},"parts":{"type":"array","items":{"$ref":"#/components/schemas/BTPartWithConfiguredProperties-2163"}},"propertyIdToConfiguredTable":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPartWithConfiguredProperties-2163"}},"synchronizeToSingleEnumInput":{"type":"boolean"}}},"BTConfiguredPartPropertiesTable-2740":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTable-1825"},{"type":"object","properties":{"btType":{"type":"string"},"partDeterministicId":{"type":"string"},"partDeterministicIds":{"type":"array","items":{"type":"string"}},"propertyNodeId":{"type":"string"}}}]},"BTConfiguredSuppressionColumnInfo-2498":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTConfiguredValuesColumnInfo-1025"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTConfiguredValuesColumnI
nfo-1025":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTConfiguredDimensionColumnInfo-2168":"#/components/schemas/BTConfiguredDimensionColumnInfo-2168","BTConfiguredFeatureColumnInfo-1014":"#/components/schemas/BTConfiguredFeatureColumnInfo-1014","BTConfiguredParameterColumnInfo-2900":"#/components/schemas/BTConfiguredParameterColumnInfo-2900","BTConfiguredSuppressionColumnInfo-2498":"#/components/schemas/BTConfiguredSuppressionColumnInfo-2498"}},"allOf":[{"$ref":"#/components/schemas/BTTableColumnInfo-1222"},{"type":"object","properties":{"btType":{"type":"string"},"parentId":{"type":"string"},"parentName":{"type":"string"},"parentType":{"$ref":"#/components/schemas/GBTConfiguredParentType"}}}]},"BTConstructionObjectFilter-113":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isConstruction":{"type":"boolean"}}}]},"BTConstructionPlaneEntity-27":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureEntity-34"},{"type":"object","properties":{"btType":{"type":"string"},"isDefault":{"type":"boolean"}}}]},"BTCoordinateSystem-387":{"type":"object","properties":{"btType":{"type":"string"},"matrix":{"$ref":"#/components/schemas/BTBSMatrix-386"},"origin":{"$ref":"#/components/schemas/BTVector3d-389"},"xaxis":{"$ref":"#/components/schemas/BTVector3d-389"},"yaxis":{"$ref":"#/components/schemas/BTVector3d-389"},"zaxis":{"$ref":"#/components/schemas/BTVector3d-389"}}},"BTCopyDocumentInfo":{"type":"object","properties":{"newDocumentId":{"type":"string"},"newDocumentName":{"type":"string"},"newOwner":{"$ref":"#/components/schemas/BTOwnerInfo"},"newParentId":{"type":"string"},"newProjectId":{"type":"string"},"newWorkspaceId":{"type":"string"}}},"BTCopyDocumentParams":{"type":"object","properties":{"isPublic":{"type":"boolean"},"newName"
:{"type":"string"},"ownerId":{"type":"string"},"ownerTypeIndex":{"type":"integer","format":"int32"},"parentId":{"type":"string"},"projectId":{"type":"string"}}},"BTCopyElementParams":{"type":"object","properties":{"anchorElementId":{"type":"string"},"documentIdSource":{"type":"string"},"elementIdSource":{"type":"string"},"isGroupAnchor":{"type":"boolean"},"workspaceIdSource":{"type":"string"}}},"BTCopyViewAssociativeDataParams":{"type":"object","properties":{"associativeDataIds":{"type":"array","items":{"type":"string"}},"destinationViewId":{"type":"string"},"sourceElementId":{"type":"string"},"sourceViewId":{"type":"string"}}},"BTCountDimensionDisplayData-1778":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTDimensionDisplayData-323"},{"type":"object","properties":{"btType":{"type":"string"},"positionX":{"type":"number","format":"double"},"positionY":{"type":"number","format":"double"}}}]},"BTCrcsCaptureInfo":{"type":"object","properties":{"runDate":{"type":"string","format":"date-time"},"runId":{"type":"string"}}},"BTCrcsCaptureParams":{"type":"object","properties":{"companyIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"companySelectionMode":{"type":"integer","format":"int32"},"force":{"type":"boolean"},"futureTimeout":{"type":"integer","format":"int32"},"ignoreExistingRunState":{"type":"boolean"},"includeAllVersions":{"type":"boolean"},"includeAppElements":{"type":"boolean"},"includeAssemblies":{"type":"boolean"},"includeMetadata":{"type":"boolean"},"includePreviousFailures":{"type":"boolean"},"maxDocuments":{"type":"integer","format":"int32"},"maxUpgradeModeToProcess":{"type":"integer","format":"int32"},"rerunId":{"type":"string"},"workspaceMode":{"type":"integer","format":"int32"}}},"BTCrcsCommitParams":{"type":"object","properties":{"rateCommitEnabled":{"type":"boolean"},"runId":{"type":"string"}}},"BTCrcsRunInfo":{"type":"object","properties":{"errorCodeCounts":{"type":"array","items":{"
$ref":"#/components/schemas/ErrorCodeCounts"}},"numElementCapturesDone":{"type":"integer","format":"int64"},"numOfCommitedCompanies":{"type":"integer","format":"int64"},"numOfCompanies":{"type":"integer","format":"int32"},"numOfFailedCaptureThresholdCompanies":{"type":"integer","format":"int64"},"options":{"$ref":"#/components/schemas/BTCrcsRunOptionInfo"},"regionToMasterHost":{"type":"object","additionalProperties":{"type":"string"}},"regionToQueueSize":{"type":"object","additionalProperties":{"type":"integer","format":"int64"}},"regions":{"type":"array","items":{"type":"string"}},"runInstances":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceInfo"}},"runStateCounts":{"type":"array","items":{"$ref":"#/components/schemas/StateCount"}},"stateRegionCounts":{"type":"array","items":{"$ref":"#/components/schemas/StateRegionCounts"}},"top100FailedCompaniesStats":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceCompanyStatsInfo"}}}},"BTCrcsRunInstanceCompanyInfo":{"type":"object","properties":{"committedRunId":{"type":"string"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"regionRuns":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceComponentInfo"}},"runId":{"type":"string"},"state":{"type":"integer","format":"int32"}}},"BTCrcsRunInstanceCompanyStatsInfo":{"type":"object","properties":{"captureFailureRate":{"type":"number","format":"float"},"committed":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"numFailedElementCaptures":{"type":"integer","format":"int64"},"numSuccessfulElementCaptures":{"type":"integer","format":"int64"},"state":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTCrcsRunInstanceComponentInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"masterHost":{"type":"string"},"masterHostName":{"type":"string","writeOnly":true},"region":{"type":"string"},"startDate":{"type":"string","format":"date-time"},"state":{"type":"integer","format":"int32"}}},"BTCrcsRunInstanceInfo":{"type":"object","properties":{"buildVersion":{"type":"string"},"companies":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"companyIdToRegionRuns":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTCrcsRunInstanceComponentInfo"}}},"companySelectionMode":{"type":"integer","format":"int32"},"endDate":{"type":"string","format":"date-time"},"runId":{"type":"string"},"startDate":{"type":"string","format":"date-time"},"startedBy":{"type":"string"},"startedByEmail":{"type":"string"},"state":{"type":"integer","format":"int32"}}},"BTCrcsRunOptionInfo":{"type":"object","properties":{"force":{"type":"boolean"},"ignoreExistingRunState":{"type":"boolean"},"includeAllVersions":{"type":"boolean"},"includeAppElements":{"type":"boolean"},"includeAssemblies":{"type":"boolean"},"includeMetadata":{"type":"boolean"},"includePreviousFailures":{"type":"boolean"},"maxDocuments":{"type":"string"},"maxUpgradeModeToProcess":{"type":"string"},"timeout":{"type":"integer","format":"int32"},"workspaceMode":{"type":"string"}}},"BTCreateCustomToolParams":{"type":"object","properties":{"insertableId":{"type":"string"},"tool":{"$ref":"#/components/schemas/BTToolTreeParams"}}},"BTCreateCustomToolsParams":{"type":"object","properties":{"parentId":{"type":"string"},"specsExist":{"type":"boolean"},"specsExist_":{"type":"boolean"},"tools":{"type":"array","items":{"$ref":"#/components/schemas/BTCreateCustomToolParams"}}}},"BTCurveDescription-1583":{"type":"object","properties":{"btType":{"type":"string"},"direction":{"$ref":"#/components/schemas/BTVector3d-389"},"directionOrien
tedWithFace":{"$ref":"#/components/schemas/BTVector3d-389"},"origin":{"$ref":"#/components/schemas/BTVector3d-389"},"type":{"$ref":"#/components/schemas/GBTCurveTypeEnum"}},"discriminator":{"propertyName":"btType","mapping":{"BTCircleDescription-1145":"#/components/schemas/BTCircleDescription-1145","BTEllipseDescription-866":"#/components/schemas/BTEllipseDescription-866","BTLineDescription-1559":"#/components/schemas/BTLineDescription-1559","BTSplineDescription-2118":"#/components/schemas/BTSplineDescription-2118"}}},"BTCurveGeometry-114":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTCurveGeometryCircle-115":"#/components/schemas/BTCurveGeometryCircle-115","BTCurveGeometryConic-2284":"#/components/schemas/BTCurveGeometryConic-2284","BTCurveGeometryInterpolatedSpline-116":"#/components/schemas/BTCurveGeometryInterpolatedSpline-116","BTCurveGeometryLine-117":"#/components/schemas/BTCurveGeometryLine-117","BTCurveGeometrySpline-118":"#/components/schemas/BTCurveGeometrySpline-118"}}},"BTCurveGeometryCircle-115":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTCurveGeometryEllipse-1189":"#/components/schemas/BTCurveGeometryEllipse-1189"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometry-114"},{"type":"object","properties":{"btType":{"type":"string"},"clockwise":{"type":"boolean"},"radius":{"type":"number","format":"double"},"xcenter":{"type":"number","format":"double"},"xdir":{"type":"number","format":"double"},"ycenter":{"type":"number","format":"double"},"ydir":{"type":"number","format":"double"}}}]},"BTCurveGeometryConic-2284":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometry-114"},{"type":"object","properties":{"btType":{"type":"string"},"points":{"type":"array","items":{"type":"number","format":"double"}},"rho":{"type":"number","format":"double"}}}]},"BTCurveGeomet
ryControlPointSpline-2197":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometrySpline-118"},{"type":"object","properties":{"btType":{"type":"string"},"isBezier":{"type":"boolean"}}}]},"BTCurveGeometryEllipse-1189":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometryCircle-115"},{"type":"object","properties":{"btType":{"type":"string"},"minorRadius":{"type":"number","format":"double"}}}]},"BTCurveGeometryInterpolatedSpline-116":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometry-114"},{"type":"object","properties":{"btType":{"type":"string"},"derivatives":{"type":"object","additionalProperties":{"type":"array","items":{"type":"number","format":"double"}}},"endDerivativeX":{"type":"number","format":"double"},"endDerivativeY":{"type":"number","format":"double"},"endHandleX":{"type":"number","format":"double"},"endHandleY":{"type":"number","format":"double"},"interpolationPoints":{"type":"array","items":{"type":"number","format":"double"}},"isPeriodic":{"type":"boolean"},"startDerivativeX":{"type":"number","format":"double"},"startDerivativeY":{"type":"number","format":"double"},"startHandleX":{"type":"number","format":"double"},"startHandleY":{"type":"number","format":"double"}}}]},"BTCurveGeometryLine-117":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometry-114"},{"type":"object","properties":{"btType":{"type":"string"},"dirX":{"type":"number","format":"double"},"dirY":{"type":"number","format":"double"},"pntX":{"type":"number","format":"double"},"pntY":{"type":"number","format":"double"}}}]},"BTCurveGeometrySpline-118":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTCurveGeometryControlPointSpline-2197":"#/components/schemas/BTCurveGeometryControlPointSpline-21
97"}},"allOf":[{"$ref":"#/components/schemas/BTCurveGeometry-114"},{"type":"object","properties":{"btType":{"type":"string"},"controlPointCount":{"type":"integer","format":"int32"},"controlPoints":{"type":"array","items":{"type":"number","format":"double"}},"degree":{"type":"integer","format":"int32"},"isPeriodic":{"type":"boolean"},"isRational":{"type":"boolean"},"knots":{"type":"array","items":{"type":"number","format":"double"}}}}]},"BTCurveLengthDimensionDisplayData-322":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTDimensionDisplayData-323"},{"type":"object","properties":{"btType":{"type":"string"},"positionX":{"type":"number","format":"double"},"positionY":{"type":"number","format":"double"}}}]},"BTCylinderDescription-686":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"axis":{"$ref":"#/components/schemas/BTVector3d-389"},"btType":{"type":"string"},"radius":{"type":"number","format":"double"}}}]},"BTCylindricalImageMapping-1640":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTImageMapping-3821"},{"type":"object","properties":{"btType":{"type":"string"},"cylinderSystem":{"$ref":"#/components/schemas/BTCoordinateSystem-387"},"radius":{"type":"number","format":"float"}}}]},"BTDBVersion":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"dataVersion":{"type":"integer","format":"int32"},"description":{"type":"string"},"documentId":{"type":"string"},"generatedConfigurationThumbnails":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"metadataWorkspaceId":{"type":"string"},"microversionId":{"type":"string"},"missingBomTableTemplateId":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string"},"new":{"type":"boole
an"},"overrideDate":{"type":"string","format":"date-time"},"parentId":{"type":"string"},"properties":{"type":"object","additionalProperties":{"type":"string"}},"purpose":{"type":"integer","format":"int32"},"thumbnailGenerationDate":{"type":"string","format":"date-time"},"thumbnailRegenerationDate":{"type":"string","format":"date-time"}}},"BTDBViewerCollectionConfig":{"type":"object","properties":{"allowCount":{"type":"boolean"},"binaryFields":{"type":"array","items":{"type":"string"}},"collection":{"type":"string"},"db":{"type":"string"},"hasCreatedDate":{"type":"boolean"},"hiddenFields":{"type":"array","items":{"type":"string"}},"queryFields":{"type":"array","items":{"type":"string"}}}},"BTDBViewerConfig":{"type":"object","properties":{"collectionConfigs":{"type":"array","items":{"$ref":"#/components/schemas/BTDBViewerCollectionConfig"}},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"id":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"queryFieldLabels":{"type":"object","additionalProperties":{"type":"string"}}}},"BTDBViewerConfigInfo":{"type":"object","properties":{"config":{"$ref":"#/components/schemas/BTDBViewerConfig"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTDBViewerQueryInfo":{"type":"object","properties":{"queryCount":{"type":"integer","format":"int64"},"queryParams":{"$ref":"#/components/schemas/BTDBViewerQueryParams"},"queryResults":{"type":"array","items":{"$ref":"#/components/schemas/Document"}}}},"BTDBViewerQueryParams":{"type":"object","properties":{"collection":{"type":"string"},"db":{"type":"string"},"fieldValues":{"type":"object","additionalProperties":{"type":"string"}},"fromDate":{"type":"string","format":"date-time"},"maxExecTime":{"type":"integer","format":"int32"},"toDate":{"type":"string","format":"date-time"}}},"BTDebugGeometry-2059":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTEntityGeometry-35"},{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"belongsToFlattenedSheetMetalBody":{"type":"boolean"},"bodyId":{"type":"string"},"btType":{"type":"string"},"color":{"$ref":"#/components/schemas/GBTDebugEntityColor"},"deterministicId":{"type":"string"},"sheetMetalModelId":{"type":"string"},"style":{"$ref":"#/components/schemas/GBTDebugEntityStyle"},"tessellation":{"$ref":"#/components/schemas/BTTessellatedGeometry-2576"}}}]},"BTDebugStateInfo":{"type":"object","properties":{"enableTimers":{"type":"boolean"}}},"BTDecal-2404":{"type":"object","properties":{"btType":{"type":"string"},"imageForeignId":{"type":"string"},"imageSourceId":{"type":"string"},"isDeletion":{"type":"boolean"},"mappings":{"type":"array","items":{"$ref":"#/components/schemas/BTImageMapping-3821"}}}},"BTDefaultFeatures-119":{"type":"object","properties":{"btType":{"type":"string"},"children":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}}}},"BTDefaultUnitInfo":{"type":"object","properties":{"key":{"type":"string","description":"The quantity type."},"value":{"type":"string","description":"The unit that should be used."}},"description":"Specifies which unit should be used for 
each supported quantity type."},"BTDefaultUnitsInfo":{"type":"object","properties":{"nodeId":{"type":"string"},"units":{"type":"array","items":{"$ref":"#/components/schemas/BTDefaultUnitInfo"}}}},"BTDeletedImmutableContextInfo":{"type":"object","properties":{"deletedContextCount":{"type":"integer","format":"int32"}}},"BTDetectUnchangedInfo":{"type":"object","properties":{"documentId":{"type":"string"},"unchangedElements":{"type":"array","items":{"$ref":"#/components/schemas/BTUnchangedElementInfo"}},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTDeviceLoginPublicInfo":{"type":"object","properties":{"clientType":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"deviceId":{"type":"string"},"deviceName":{"type":"string"},"deviceType":{"type":"string"},"expired":{"type":"boolean"},"hasToken":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastLoginDate":{"type":"string","format":"date-time"},"manufacturer":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"operatingSystem":{"type":"string"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTDeviceLoginSecretInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"modifiedAt":{"type":"string","format":"date-time"},"randomToken":{"type":"string"}}},"BTDeviceTokenParams":{"type":"object","properties":{"token":{"type":"string"}}},"BTDiffInfo":{"type":"object","properties":{"changes":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTDiffInfo"}},"entityType":{"$ref":"#/components/schemas/BTDiffInfoCollectionType"},"geometryChangeMessages":{"type":"array","items":{"type":"string"}},"sourceId":{"type":"string"},"sourceValue":{"type":"string"},"targetId":{"type":"string"},"targetValue":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTNodeChange"}}},"BTDiffInfoCollectionType":{"type":"string","enum":["parts","sketches","points","mateConnectors","planes","curves","surfaces"]},"BTDiffJsonResponse-2725":{"type":"object","properties":{"btType":{"type":"string"},"change":{"$ref":"#/components/schemas/BTJEdit-3734"},"patch":{"type":"object","properties":{"btType":{"type":"string"}}},"sourceChangeId":{"type":"string"},"targetChangeId":{"type":"string"}}},"BTDimensionDisplayData-323":{"type":"object","properties":{"btType":{"type":"string"},"coordinateSystem":{"$ref":"#/components/schemas/BTMatrix3x3-340"},"featureId":{"type":"string"},"hasMaximumLimit":{"type":"boolean"},"hasMinimumLimit":{"type":"boolean"},"id":{"type":"string"},"isAssociatedWithFlat":{"type":"boolean"},"isDriven":{"type":"boolean"},"isOverDefined":{"type":"boolean"},"maximumLimit":{"type":"number","format":"double"},"minimumLimit":{"type":"number","format":"double"},"parameterId":{"type":"string"},"planeMatrix":{"$ref":"#/components/schemas/BTBSMatrix-386"},"value":{"type":"number","format":"double"}},"discriminator":{"propertyName":"btType","mapping":{"BTAngularDimensionDisplayData-320":"#/components/schemas/BTAngularDimensionDisplayData-320","BTCountDimensionDisplayData-1778":"#/components/schemas/BTCountDimensionDisplayData-
1778","BTCurveLengthDimensionDisplayData-322":"#/components/schemas/BTCurveLengthDimensionDisplayData-322","BTLinearDimensionDisplayData-330":"#/components/schemas/BTLinearDimensionDisplayData-330","BTRadialDimensionDisplayData-348":"#/components/schemas/BTRadialDimensionDisplayData-348","BTRhoDimensionDisplayData-2892":"#/components/schemas/BTRhoDimensionDisplayData-2892"}}},"BTDiscount":{"type":"object","properties":{"accountBalance":{"type":"integer","format":"int32"},"amountOff":{"type":"integer","format":"int32"},"amountOffCurrency":{"type":"string"},"couponType":{"type":"integer","format":"int32"},"couponValidMonths":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"description":{"type":"string"},"expiresAt":{"type":"string","format":"date-time"},"id":{"$ref":"#/components/schemas/BTDiscountOwnerIdPlanId"},"metadata":{"type":"object","additionalProperties":{"type":"object"}},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string"},"new":{"type":"boolean"},"percentOff":{"type":"integer","format":"int32"},"trialEndDate":{"type":"string"},"usedAt":{"type":"string","format":"date-time"}}},"BTDiscountInfo":{"type":"object","properties":{"accountBalance":{"type":"integer","format":"int32"},"amountOff":{"type":"integer","format":"int32"},"couponType":{"type":"integer","format":"int32"},"couponValidMonths":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"expiresAt":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"ownerId":{"type":"string"},"percentOff":{"type":"integer","format":"int32"},"planId":{"type":"string"},"trialEndDate":{"type":"string"},"usedAt":{"type":"string","format":"date-time"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTDiscountOwnerIdPlanId":{"type":"object","properties":{"ownerId":{"type":"string"},"planId":{"type":"string"}}},"BTDiscountParams":{"type":"object","properties":{"amountOff":{"type":"integer","format":"int32"},"couponType":{"type":"integer","format":"int32"},"couponValidMonths":{"type":"integer","format":"int32"},"expiresInDays":{"type":"integer","format":"int32"},"percentOff":{"type":"integer","format":"int32"},"planId":{"type":"string"}}},"BTDisplayStateInfo":{"type":"object","properties":{"id":{"type":"string"},"isOnshapeDefault":{"type":"boolean"},"name":{"type":"string"}}},"BTDocumentCheckAccessInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"userAccess":{"type":"object","additionalProperties":{"type":"boolean"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTDocumentCheckAccessParams":{"type":"object","properties":{"userIds":{"type":"array","items":{"type":"string"}}}},"BTDocumentCollaboratorInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"userId":{"type":"string"},"userImage":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workspaceId":{"type":"string"}},"description":"Array of items in the current page."},"BTDocumentElementCreationDescriptor":{"type":"object","properties":{"elementParams":{"$ref":"#/components/schemas/BTAppElementParams"},"elementType":{"type":"integer","format":"int32"}},"description":"List of element IDs to include in the document."},"BTDocumentElementInfo":{"type":"object","properties":{"accelerationUnits":{"type":"string"},"angleUnits":{"type":"string"},"angularVelocityUnits":{"type":"string"},"applicationTarget":{"$ref":"#/components/schemas/BTApplicationTargetInfo"},"areaUnits":{"type":"string"},"dataType":{"type":"string"},"deleted":{"type":"boolean"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"energyUnits":{"type":"string"},"filename":{"type":"string"},"forceUnits":{"type":"string"},"foreignDataId":{"type":"string"},"id":{"type":"string"},"lengthUnits":{"type":"string"},"massUnits":{"type":"string"},"microversionId":{"type":"string"},"momentUnits":{"type":"string"},"name":{"type":"string"},"pressureUnits":{"type":"string"},"prettyType":{"type":"string"},"safeToShow":{"type":"boolean"},"specifiedUnit":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"thumbnails":{"type":"string","format":"uri"},"timeUnits":{"type":"string"},"type":{"type":"string"},"unupdatable":{"type":"boolean"},"volumeUnits":{"type":"string"},"zip":{"$ref":"#/components/schemas/BTZipFileInfo"}}},"BTDocumentElementProcessingInfo":{"type":"object","properties":{"accelerationUnits":{"type":"string"},"angleUnits":{"type":"string"},"angularVelocityUnits":{"type":"string"},"applicationTarget":{"$ref":"#/components/schemas/BTApplicationTargetInfo"},"areaUnits":{"type":"string"},"dataType":{"type":"string"},"deleted":{"type":"boolean"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"energyUnits":{"type":"string"},"filename":{"type":"string"},"forceUnits":{"type":"string"},"foreignDataId":{"type":"string"}
,"id":{"type":"string"},"lengthUnits":{"type":"string"},"massUnits":{"type":"string"},"microversionId":{"type":"string"},"momentUnits":{"type":"string"},"name":{"type":"string"},"pressureUnits":{"type":"string"},"prettyType":{"type":"string"},"safeToShow":{"type":"boolean"},"specifiedUnit":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"thumbnails":{"type":"string","format":"uri"},"timeUnits":{"type":"string"},"translationEventKey":{"type":"string"},"translationId":{"type":"string"},"type":{"type":"string"},"unupdatable":{"type":"boolean"},"volumeUnits":{"type":"string"},"zip":{"$ref":"#/components/schemas/BTZipFileInfo"}}},"BTDocumentEventInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTResourceEventInfo"},{"type":"object","properties":{"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"}}}]},"BTDocumentHistoryInfo":{"type":"object","properties":{"canBeRestored":{"type":"boolean"},"date":{"type":"string","format":"date-time"},"description":{"type":"string"},"microversionId":{"type":"string"},"nextMicroversionId":{"type":"string"},"restoreId":{"type":"string","description":"If this microversion is the result of a restore from another microversion, the restoreId will be the microversion Id of the original microversion that was restored. 
Otherwise this id will not be included within the response."},"userId":{"type":"string"},"username":{"type":"string"}}},"BTDocumentInfo":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"document":"#/components/schemas/BTDocumentInfo","document-processing":"#/components/schemas/BTDocumentProcessingInfo"}},"allOf":[{"$ref":"#/components/schemas/BTDocumentSummaryInfo"},{"type":"object","properties":{"anonymousAccessAllowed":{"type":"boolean"},"anonymousAllowsExport":{"type":"boolean"},"canMove":{"type":"boolean"},"canUnshare":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"createdWithEducationPlan":{"type":"boolean"},"defaultElementId":{"type":"string"},"defaultVersionGraphMode":{"$ref":"#/components/schemas/BTVersionGraphMode"},"defaultWorkspace":{"$ref":"#/components/schemas/BTWorkspaceInfo"},"description":{"type":"string"},"documentLabels":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}},"documentThumbnailElementId":{"type":"string"},"documentType":{"type":"integer","format":"int32"},"duplicateNameViolationError":{"type":"string"},"forceExportRules":{"type":"boolean"},"hasReleaseRevisionableObjects":{"type":"boolean"},"hasRelevantInsertables":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isContainer":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"isMutable":{"type":"boolean"},"isOrphaned":{"type":"boolean"},"isUpgradedToLatestVersion":{"type":"boolean"},"isUsingManagedWorkflow":{"type":"boolean"},"likedByCurrentUser":{"type":"boolean"},"likes":{"type":"integer","format":"int64"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the 
resource."},"notRevisionManaged":{"type":"boolean"},"notes":{"type":"string"},"numberOfTimesCopied":{"type":"integer","format":"int64"},"numberOfTimesReferenced":{"type":"integer","format":"int64"},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"parentId":{"type":"string"},"permission":{"$ref":"#/components/schemas/BTOldPermission"},"permissionSet":{"type":"array","items":{"type":"string"}},"projectId":{"type":"string"},"public":{"type":"boolean"},"publishedVersionId":{"type":"string"},"recentVersion":{"$ref":"#/components/schemas/BTBaseInfo"},"resourceType":{"type":"string"},"sequence":{"type":"string"},"supportTeamUserAndShared":{"type":"boolean"},"tags":{"type":"array","items":{"type":"string"}},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"totalWorkspacesScheduledForUpdate":{"type":"integer","format":"int32"},"totalWorkspacesUpdating":{"type":"integer","format":"int32"},"tracingEnabled":{"type":"boolean"},"trash":{"type":"boolean"},"trashedAt":{"type":"string","format":"date-time"},"treeHref":{"type":"string"},"unparentHref":{"type":"string"},"userAccountLimitsBreached":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}}],"x-BTVisibility-properties":{"totalWorkspacesUpdating":"INTERNAL","defaultVersionGraphMode":"INTERNAL","totalWorkspacesScheduledForUpdate":"INTERNAL","isOrphaned":"INTERNAL","tracingEnabled":"INTERNAL"}},"BTDocumentLabelInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"parentLabelId":{"type":"string"},"path":{"type":"string"}}}]},"BTDocumentLabelParams":{"type":"object","properties":{"documentIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"name":{"type":"string"},"ownerId":{"type":"string"},"parentLabelId":{"type":"string"}}},"BTDocumentLikeInfo":{"type":"object","properties":{"documentId":{"type":"string"},"href":{"type":"string","description":"URI to 
fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"user":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTDocumentMergeInfo":{"type":"object","properties":{"libraryVersionMismatch":{"type":"boolean"},"overwrittenElements":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentElementInfo"}},"parentDocumentMicroversionId":{"type":"string"},"resultDocumentMicroversionId":{"type":"string"}}},"BTDocumentMessageBody":{"type":"object","properties":{"appElementSessionId":{"type":"string"},"commentId":{"type":"string"},"data":{"type":"string"},"documentId":{"type":"string"},"documentState":{"type":"string"},"documentType":{"type":"integer","format":"int32"},"elementId":{"type":"string"},"event":{"type":"string"},"messageId":{"type":"string"},"metadataObjectType":{"type":"string"},"partId":{"type":"string"},"partIdentity":{"type":"string"},"partNumber":{"type":"string"},"timestamp":{"type":"string","format":"date-time"},"translatationId":{"type":"string","writeOnly":true},"translationId":{"type":"string"},"userId":{"type":"string"},"versionId":{"type":"string"},"webhookId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTDocumentMigrateParams":{"type":"object","properties":{"clusterId":{"type":"string"},"documentId":{"type":"string"}}},"BTDocumentOpenEventParams":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTEventParams"},{"type":"object","properties":{"documentId":{"type":"string"}}}]},"BTDocumentOpenPurpose":{"type":"string","enum":["MODELING","UPGRADE","ASYNC_READ_ONLY","PUBLIC","CLEANUP","MIGRATION","UPGRADE_WORKSPACE"]},"BTDocumentOptions":{"type":"object","properties":{"conservativeThumbnailGeneration":{"type":"boolean"},"cppCombined
ServerMemory":{"type":"integer","format":"int32"},"cppServerDefaultElementLimit":{"type":"integer","format":"int32"},"cppServerLimit":{"type":"integer","format":"int32"},"cppServerMemory":{"type":"integer","format":"int32"},"documentMemory":{"type":"integer","format":"int32"},"drawingServerMemory":{"type":"integer","format":"int32"},"elementsInWorkspaceLimit":{"type":"integer","format":"int32"},"enableCppServerMemoryDiagnostics":{"type":"boolean"},"extendedDisplayCheck":{"type":"boolean"},"id":{"type":"string"},"linkedCppServerLimit":{"type":"integer","format":"int32"},"new":{"type":"boolean"},"referenceCloseDelaySeconds":{"type":"integer","format":"int32"},"skipCleanup":{"type":"boolean"},"skipRetrievalTest":{"type":"boolean"},"suppressImmutability":{"type":"boolean"},"thumbnailCppServerLimit":{"type":"integer","format":"int32"},"useStringHash":{"type":"boolean"}}},"BTDocumentOptionsParams":{"type":"object","properties":{"conservativeThumbnailGeneration":{"type":"boolean"},"cppCombinedServerMemory":{"type":"integer","format":"int32"},"cppServerDefaultElementLimit":{"type":"integer","format":"int32"},"cppServerLimit":{"type":"integer","format":"int32"},"cppServerMemory":{"type":"integer","format":"int32"},"documentMemory":{"type":"integer","format":"int32"},"drawingServerMemory":{"type":"integer","format":"int32"},"elementsInWorkspaceLimit":{"type":"integer","format":"int32"},"enableCppServerMemoryDiagnostics":{"type":"boolean"},"extendedDisplayCheck":{"type":"boolean"},"linkedCppServerLimit":{"type":"integer","format":"int32"},"referenceCloseDelaySeconds":{"type":"integer","format":"int32"},"skipCleanup":{"type":"boolean"},"skipRetrievalTest":{"type":"boolean"},"suppressImmutability":{"type":"boolean"},"thumbnailCppServerLimit":{"type":"integer","format":"int32"},"useStringHash":{"type":"boolean"}}},"BTDocumentParams":{"required":["name"],"type":"object","properties":{"description":{"type":"string","description":"Document 
description."},"elements":{"type":"array","description":"List of element IDs to include in the document.","items":{"$ref":"#/components/schemas/BTDocumentElementCreationDescriptor"}},"forceExportRules":{"type":"boolean","description":"`true` if the current user can toggle the Force Export Rule flag on a document."},"generateUnknownMessages":{"type":"boolean","description":"Set to `true` for debugging."},"isEmptyContent":{"type":"boolean","description":"Set to `true` to generate an empty document."},"isPublic":{"type":"boolean","description":"Set to `true` to make the document public."},"name":{"type":"string","description":"Document name.","example":"myDocument"},"notRevisionManaged":{"type":"boolean","description":"Set to `true` to indicate that revisions are not managed for this document."},"ownerEmail":{"type":"string","description":"The document owner's email address."},"ownerId":{"type":"string","description":"If `ownerType=USER`, this is the user ID. If `ownerType=COMPANY`, this is the company ID."},"ownerType":{"type":"integer","description":"The document's owner type. 
`USER=0` | `COMPANY=1` | `ONSHAPE=2`","format":"int32","example":0},"parentId":{"type":"string","description":"Document ID of this document's parent."},"projectId":{"type":"string","description":"ID of the project this document belongs to."},"tags":{"type":"array","description":"Array of strings to set as tags for the document.","items":{"type":"string","description":"Array of strings to set as tags for the document."}}},"description":"Parameters for creating and updating documents."},"BTDocumentProcessingInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTDocumentInfo"},{"type":"object","properties":{"translationEventKey":{"type":"string"},"translationId":{"type":"string"}}}],"x-BTVisibility-properties":{"totalWorkspacesUpdating":"INTERNAL","defaultVersionGraphMode":"INTERNAL","totalWorkspacesScheduledForUpdate":"INTERNAL","isOrphaned":"INTERNAL","tracingEnabled":"INTERNAL"}},"BTDocumentSearchHitInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementName":{"type":"string"},"highlightedFields":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"hit":{"$ref":"#/components/schemas/BTLegacySearchHit"},"hitId":{"type":"string"},"name":{"type":"string"},"projectId":{"type":"string"},"sourceMap":{"type":"object","additionalProperties":{"type":"object"}},"type":{"$ref":"#/components/schemas/BTSearchEntityType"},"versionOrWorkspaceName":{"type":"string"}}},"BTDocumentSearchParams":{"type":"object","properties":{"dochitsOnly":{"type":"boolean"},"documentFilter":{"type":"integer","description":"Filter ID. Options are 0 (my documents), 1 (created), 2 (shared), 3 (trash), 4 (public), 5 (recent), 6 (by owner), 7 (by company), or 9 (by team).","format":"int32"},"foundIn":{"$ref":"#/components/schemas/BTESVersionWorkspaceChoice"},"limit":{"type":"integer","description":"Number of results to return per page. 
Default value is 20 (also the maximum).","format":"int32","example":1},"luceneSyntax":{"type":"boolean","description":"Lucene syntax ","example":false},"offset":{"type":"integer","description":"Offset. Determines where search results begin. Default value is 0.","format":"int32","example":0},"ownerId":{"type":"string","description":"Document owner's ID (if the filter is 6 or 7), or Team Id (if the filter is 9) "},"parentId":{"type":"string","description":"Search document parent Id ","example":"ALL"},"rawQuery":{"type":"string","description":"Search for documents that contain the given string in the name. Search is not case-sensitive."},"sortColumn":{"type":"string","description":"Column by which to sort search results. Options are name, modifiedAt, createdAt (Default), email, modifiedBy, and promotedAt."},"sortOrder":{"type":"string","description":"Sort order. Options are desc (descending, the default), or asc (ascending)."},"type":{"type":"string","description":"Type of owner. Options are 0 (user), 1 (company), 2 (onshape). 
If the owner is a teamId, leave this unspecified."},"when":{"$ref":"#/components/schemas/BTESResultsFilter"}},"x-BTVisibility-properties":{"luceneSyntax":"INTERNAL","dochitsOnly":"INTERNAL"}},"BTDocumentSelectorInfo":{"type":"object","properties":{"parameters":{"$ref":"#/components/schemas/BTDocumentSelectorParametersInfo"},"selectorId":{"type":"string"}}},"BTDocumentSelectorParametersInfo":{"required":["jsonType"],"type":"object","properties":{"jsonType":{"type":"string"}},"discriminator":{"propertyName":"jsonType","mapping":{"other-documents":"#/components/schemas/BTOtherDocumentSelectorParametersInfo"}}},"BTDocumentShareLinkInfo":{"type":"object","properties":{"docStateProperties":{"type":"object","additionalProperties":{"type":"string"}},"documentId":{"type":"string"},"elementId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"link":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTDocumentSummaryInfo":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"document":"#/components/schemas/BTDocumentInfo","document-summary":"#/components/schemas/BTDocumentSummaryInfo","document-summary-search":"#/components/schemas/BTDocumentSummarySearchInfo"}},"allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"anonymousAccessAllowed":{"type":"boolean"},"anonymousAllowsExport":{"type":"boolean"},"canUnshare":{"type":"boolean"},"createdWithEducationPlan":{"type":"boolean"},"defaultElementId":{"type":"string"},"defaultVersionGraphMode":{"$ref":"#/components/schemas/BTVersionGraphMode"},"defaultWorkspace":{"$ref":"#/components/schemas/BTWorkspaceInfo"},"documentLabels":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}},"documentType":{"type":"integer","format":"int32"},"forceExportRules":{"type":"boolean"},"hasReleaseRevisionableObjects":{"type":"boolean"},"hasRelevantInsertables":{"type":"boolean"},"isOrphaned":{"type":"boolean"},"isUsingManagedWorkflow":{"type":"boolean"},"likedByCurrentUser":{"type":"boolean"},"likes":{"type":"integer","format":"int64"},"notRevisionManaged":{"type":"boolean"},"notes":{"type":"string"},"numberOfTimesCopied":{"type":"integer","format":"int64"},"numberOfTimesReferenced":{"type":"integer","format":"int64"},"parentId":{"type":"string"},"permission":{"$ref":"#/components/schemas/BTOldPermission"},"permissionSet":{"type":"array","items":{"type":"string"}},"public":{"type":"boolean"},"publishedVersionId":{"type":"string"},"recentVersion":{"$ref":"#/components/schemas/BTBaseInfo"},"sequence":{"type":"string"},"supportTeamUserAndShared":{"type":"boolean"},"tags":{"type":"array","items":{"type":"string"}},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"totalWorkspacesScheduledForUpdate":{"type":"integer","format":"int32"},"totalWorkspacesUpdating":{"type":"integer","format":"i
nt32"},"trash":{"type":"boolean"},"trashedAt":{"type":"string","format":"date-time"},"userAccountLimitsBreached":{"type":"boolean"}}}],"x-BTVisibility-properties":{"totalWorkspacesUpdating":"INTERNAL","defaultVersionGraphMode":"INTERNAL","totalWorkspacesScheduledForUpdate":"INTERNAL","isOrphaned":"INTERNAL"}},"BTDocumentSummarySearchInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTDocumentSummaryInfo"},{"type":"object","properties":{"searchHits":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentSearchHitInfo"}}}}],"x-BTVisibility-properties":{"totalWorkspacesUpdating":"INTERNAL","defaultVersionGraphMode":"INTERNAL","totalWorkspacesScheduledForUpdate":"INTERNAL","isOrphaned":"INTERNAL"}},"BTDocumentVersionElementIds-1897":{"type":"object","properties":{"btType":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"versionId":{"type":"string"}}},"BTDocumentWithVersionAndElementId":{"type":"object","properties":{"documentId":{"type":"string"},"documentVersionId":{"type":"string"},"elementId":{"type":"string"},"elementLibraryId":{"$ref":"#/components/schemas/ObjectId"},"elementLibraryVersion":{"$ref":"#/components/schemas/ObjectId"},"partNumber":{"type":"string"},"revision":{"type":"string"},"uniqueVersionId":{"type":"string"},"validElementLibraryReference":{"type":"boolean"},"validRevisionReference":{"type":"boolean"}}},"BTDocumentWithVersionId":{"type":"object","properties":{"documentId":{"type":"string"},"documentVersionId":{"type":"string"}}},"BTDomainInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"atlas":{"type":"boolean"},"current":{"type":"boolean"},"domainPrefix":{"type":"string"},"domainUrl":{"type":"string"},"enterprise":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"light":{"type":"boolean"},"name":{"type":"string","description":"Name of the 
resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTDomainSpecificMetadata-961":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTSMSpecificMetadata-1315":"#/components/schemas/BTSMSpecificMetadata-1315"}}},"BTDraftReleasePackageInfo":{"type":"object","properties":{"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserDetailSummaryInfo"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"mimeType":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"objectType":{"type":"integer","format":"int32"},"partId":{"type":"string"},"partType":{"type":"string"},"thumbnail":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}},"description":"Array of items in the current page."},"BTDrawingHiddenLineOption":{"type":"string","enum":["drafting","excluded","marked"]},"BTDrawingModificationParams":{"type":"object","properties":{"editDescription":{"type":"string"},"jsonRequests":{"type":"object"}}},"BTDrawingParams":{"type":"object","properties":{"border":{"type":"boolean","description":"Set to `true` to include a border in the drawing.","example":false},"computeIntersection":{"type":"boolean","description":"Set to `true` to compute and display virtual edges (curves drawn where parts intersect). 
Leave as `false` to improve performance.","example":false},"decimalSeparator":{"type":"string","description":"`PERIOD` | `COMMA`","example":"PERIOD"},"displayStateId":{"type":"string","description":"Apply this display state's properties to the drawing."},"documentId":{"type":"string","description":"The document in which to create the drawing. If used, this value must match the document ID (`did`) value provided in the URL."},"documentMicroversionId":{"type":"string","description":"Create a drawing of a part or assembly from this microversion."},"drawingName":{"type":"string","description":"Provide a name for the drawing."},"elementConfiguration":{"type":"string","description":"Apply this configuration from the source element to the drawing."},"elementId":{"type":"string","description":"The id of the element in which to perform the operation."},"elementMicroversionId":{"type":"string","description":"The id of the element microversion in which to perform the operation."},"explosionId":{"type":"string","description":"Apply this exploded view to the drawing."},"externalDocumentId":{"type":"string","description":"Create a drawing of an element from this external document."},"externalDocumentVersionId":{"type":"string","description":"Create a drawing of an element from this external document version."},"hiddenLines":{"$ref":"#/components/schemas/BTDrawingHiddenLineOption"},"includeSurfaces":{"type":"boolean","description":"Set to `true` to include surfaces in the drawing.","example":false},"includeWires":{"type":"boolean","description":"Set to `true` to include wires in the drawing.","example":false},"isFlattenedPart":{"type":"boolean","description":"Set to `true` if creating a drawing from a flattened part.","example":false},"isSketchOnly":{"type":"boolean","description":"Set to `true` if creating a drawing of a sketch.","example":false},"isSurface":{"type":"boolean","description":"Set to `true` if creating a drawing from a 
surface.","example":false},"language":{"type":"string","description":"Set the language for the drawing. Accepts any ISO 639-1 standard language code.","example":"en-us"},"location":{"$ref":"#/components/schemas/BTElementLocationParams"},"modelType":{"type":"string","description":"The type of model to include in the drawing: `partstudio` | `assembly`"},"namedPositionId":{"type":"string","description":"Apply this named view to the drawing."},"numberHorizontalZones":{"type":"integer","description":"The number of horizontal zones to include in the drawing's graphics area.","format":"int32","example":2},"numberVerticalZones":{"type":"integer","description":"The number of vertical zones to include in the drawing's graphics area.","format":"int32","example":2},"partId":{"type":"string","description":"Include this part in the drawing."},"partNumber":{"type":"string","description":"Include this part in the drawing."},"partQuery":{"type":"string","description":"Include all parts found by the query in the drawing."},"projection":{"type":"string","description":"Apply this projection to the drawing."},"pureSketch":{"type":"boolean","description":"Set to `true` if creating the drawing of an empty sketch.","example":false},"qualityOption":{"type":"string","description":"`BEST_PERFORMANCE` | `BEST_QUALITY` | `BALANCED` | `ADAPTIVE`"},"referenceType":{"type":"integer","description":"Specify the type of element to create the drawing from. 
`0: UNKNOWN` | `1: PARTSTUDIO` | `2: ASSEMBLY` | `3: PART` | `4: FLATTENED_PART` | `5: COMPOSITE_PART` | `6: MESH_PART` | `7: SURFACE` | `8: SKETCH` | `9: CURVE`","format":"int32"},"referenceTypeEnum":{"$ref":"#/components/schemas/GBTAppElementReferenceType"},"revision":{"type":"string","description":"Create the drawing from this specific revision."},"showCutGeomOnly":{"type":"boolean","description":"Set to `true` to show only cut geometry in the drawing.","example":false},"simplificationOption":{"type":"string","description":"`NONE` | `ABSOLUTE` | `RATIO_TO_MODEL` | `RATIO_TO_BODY` | `AUTOMATIC`"},"simplificationThreshold":{"type":"number","description":"`NONE` | `UNKNOWN` | `SMOOTH` | `DRAFTING`","format":"double"},"size":{"type":"string","description":"Provide a size for the drawing."},"sketchIds":{"type":"array","description":"Include these sketches in the drawing.","items":{"type":"string","description":"Include these sketches in the drawing."}},"standard":{"type":"string","description":"Provide the Standard to use in the drawing.","example":"ANSI"},"startZones":{"type":"string","description":"The zone in which to start the drawing.","example":"A1"},"templateArgs":{"type":"array","description":"Provide any additional arguments for the template being used for this drawing.","items":{"type":"string","description":"Provide any additional arguments for the template being used for this drawing."}},"templateDocumentId":{"type":"string","description":"Apply the template from this document to the drawing."},"templateElementId":{"type":"string","description":"Apply the template from this element to the drawing."},"templateName":{"type":"string","description":"Apply this template to the drawing."},"templateVersionId":{"type":"string","description":"Apply the template from this version to the drawing."},"templateWorkspaceId":{"type":"string","description":"Apply the template from this workspace to the drawing."},"titleblock":{"type":"boolean","description":"Set to `true` 
to include a title block in the drawing.","example":false},"units":{"type":"string","description":"Units for the element: `METER` | `CENTIMETER` | `MILLIMETER` | `INCH` | `FOOT` | `YARD`"},"views":{"type":"string","description":"Add these views to the drawing."},"workspaceId":{"type":"string","description":"Create a drawing of a part or assembly from this workspace."}},"description":"JSON schema for creating or updating a drawing."},"BTDrawingTemplateInfo":{"type":"object","properties":{"documentId":{"type":"string"},"documentName":{"type":"string"},"elementId":{"type":"string"},"elementName":{"type":"string"},"isPublic":{"type":"boolean"},"ownerId":{"type":"string"},"ownerName":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTDuplicateUserInfo":{"type":"object","properties":{"duplicateCount":{"type":"integer","format":"int32"},"duplicates":{"type":"array","items":{"$ref":"#/components/schemas/DuplicateUsersDetailInfo"}}}},"BTDynamicRateLimitParams":{"type":"object","properties":{"description":{"type":"string"},"endpoints":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/Endpoint"}},"name":{"type":"string"},"newValue":{"type":"integer","format":"int32"},"notes":{"type":"string"},"resetInterval":{"type":"integer","format":"int64"}}},"BTESResultsFilter":{"type":"string","description":"Search result when","example":"ALL","enum":["ALL","LATEST","LATEST_PER_HIT"]},"BTESVersionWorkspaceChoice":{"type":"string","description":"Search result found 
in","example":"ALL","enum":["ALL","WORKSPACES","VERSIONS"]},"BTEdgeTopologyFilter-122":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"edgeTopology":{"$ref":"#/components/schemas/GBTEdgeTopology"},"isInternalEdge":{"type":"boolean"}}}]},"BTEditingLogic-2350":{"type":"object","properties":{"btType":{"type":"string"},"functionName":{"type":"string"},"wantsHiddenBodies":{"type":"boolean"},"wantsIsCreating":{"type":"boolean"},"wantsSpecifiedParameters":{"type":"boolean"}}},"BTElementDiagnosticsInfo":{"type":"object","properties":{"countMap":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"id":{"type":"string"},"name":{"type":"string"},"sizeMap":{"type":"object","additionalProperties":{"type":"number","format":"double"}},"type":{"type":"string"}}},"BTElementDisplayData-326":{"type":"object","properties":{"btType":{"type":"string"},"elementId":{"type":"string"},"fromFullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"incremental":{"type":"boolean"},"instanceCount":{"type":"integer","format":"int32"},"keepFromMicroversion":{"type":"boolean"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfigurationInterval":{"$ref":"#/components/schemas/BTMicroversionIdAndConfigurationInterval-2364"},"microversionInterval":{"$ref":"#/components/schemas/BTMicroversionIdInterval-367"},"versionForRasterization":{"$ref":"#/components/schemas/BTElementDisplayData-326"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblyReferencesDisplayData-1562":"#/components/schemas/BTAssemblyReferencesDisplayData-1562","BTPartStudioDisplayDataBase-2751":"#/components/schemas/BTPartStudioDisplayDataBase-2751","BTRootAssemblyDisplayData-96":"#/components/schemas/BTRootAssemblyDisplayData-96"}}},"BTElementImageCompare
Info":{"type":"object","properties":{"fromThumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"toThumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"}}},"BTElementInVersionOrWorkspaceInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTElementLibraryElementDataWrapper":{"type":"object","properties":{"serializedElementData":{"type":"array","items":{"type":"string","format":"byte"}}}},"BTElementLibraryPurpose-3353":{"type":"object","properties":{"btType":{"type":"string"}}},"BTElementLibraryReferenceData-3133":{"type":"object","properties":{"btType":{"type":"string"},"elementLibraryId":{"type":"string"},"elementLibraryIdRaw":{"$ref":"#/components/schemas/BTObjectId"},"elementLibrarySelectionPath":{"type":"array","items":{"$ref":"#/components/schemas/BTObjectId"}},"elementLibraryVersion":{"type":"string"},"elementLibraryVersionRaw":{"$ref":"#/components/schemas/BTObjectId"}}},"BTElementLibrarySummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"libraryId":{"pattern":"[0-9a-fA-F]{24}","type":"string","description":"The Id of the library -- unique across Onshape."},"libraryVersion":{"pattern":"[0-9a-fA-F]{24}","type":"string","description":"The current version Id of the library."},"name":{"type":"string","description":"Name of the resource."},"ownerId":{"pattern":"[0-9a-fA-F]{24}","type":"string","description":"The owner Id of an element library (either Onshape, company, or user)."},"ownerType":{"type":"integer","description":"The type of library owner, Onshape, user, or company","format":"int32"},"purpose":{"type":"string","description":"The purpose string identifying the type of element library."},"sourceFolderId":{"type":"string","description":"The id of the root folder of the 
library"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Element library metadata"},"BTElementLibraryTreeInfo":{"type":"object","properties":{"libraryId":{"type":"string"},"libraryNodeIdToSerializedElementData":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTElementLibraryElementDataWrapper"}},"libraryVersion":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"tree":{"type":"array","items":{"type":"string","format":"byte"}}}},"BTElementLocationParams":{"type":"object","properties":{"elementId":{"type":"string","description":"The id of an element which provides context for the position value specified."},"position":{"type":"integer","description":"An indicator for the relative placement of the new element. If elementId is specified, a negative number indicates insertion prior to the element and a non-negative number indicates insertion following the element. 
If no elementId is specified, a negative value indicates insertion at the end of the element list and a non-negative number indicates insertion at the start of the element list.","format":"int32"}},"description":"The location at which the new element should be inserted."},"BTElementMergeInfo":{"type":"object","properties":{"branchPointElementName":{"type":"string"},"branchPointElementPath":{"type":"array","items":{"type":"string"}},"dependentElementMergeInfo":{"$ref":"#/components/schemas/BTElementMergeInfo"},"elementDataType":{"type":"string"},"elementId":{"type":"string"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"mergeable":{"type":"boolean"},"sourceElementName":{"type":"string"},"sourceElementPath":{"type":"array","items":{"type":"string"}},"sourceElementStatus":{"$ref":"#/components/schemas/GBTElementBranchStatus"},"sourceModifiedAt":{"type":"string","format":"date-time"},"sourceModifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"targetElementName":{"type":"string"},"targetElementPath":{"type":"array","items":{"type":"string"}},"targetElementStatus":{"$ref":"#/components/schemas/GBTElementBranchStatus"},"targetModifiedAt":{"type":"string","format":"date-time"},"targetModifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"}}},"BTElementMetadataInfo":{"type":"object","properties":{"baseHref":{"type":"string","format":"uri"},"clientId":{"type":"string"},"customProperties":{"type":"object","additionalProperties":{"type":"string"}},"dataType":{"type":"string"},"description":{"type":"string"},"elementId":{"type":"string"},"filename":{"type":"string"},"foreignDataId":{"type":"string"},"href":{"type":"string","format":"uri"},"id":{"type":"string"},"microversionId":{"type":"string"},"name":{"type":"string"},"partNumber":{"type":"string"},"prettyType":{"type":"string"},"productLine":{"type":"string"},"project":{"type":"string"},"revision":{"type":"string"},"safeToShow":{"type":"boolean"},"specifiedUnit":{"type":"string"},"stat
e":{"$ref":"#/components/schemas/BTMetadataStateType"},"supportsCollaboration":{"type":"boolean"},"tabIconHref":{"type":"string","format":"uri"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"thumbnailsHref":{"type":"string","format":"uri"},"title1":{"type":"string"},"title2":{"type":"string"},"title3":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTElementType"},"unupdatable":{"type":"boolean"},"vendor":{"type":"string"},"zip":{"$ref":"#/components/schemas/BTZipFileInfo"}}},"BTElementOutOfDateStatus":{"type":"object","properties":{"elementType":{"type":"integer","format":"int32"},"hasExternalReference":{"type":"boolean"},"hasWorkspaceReferences":{"type":"boolean"},"isChildrenOutOfDate":{"type":"boolean"},"isOutOfDate":{"type":"boolean"},"isOutOfSync":{"type":"boolean"},"onlyLockedChildrenOutOfDate":{"type":"boolean"}}},"BTElementReference-725":{"type":"object","properties":{"btType":{"type":"string"},"configured":{"type":"boolean"},"elementId":{"type":"string"},"externalDocumentWithVersion":{"$ref":"#/components/schemas/BTDocumentWithVersionId"},"externalDocumentWithVersionAndElementId":{"$ref":"#/components/schemas/BTDocumentWithVersionAndElementId"},"externalReference":{"type":"boolean"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"microversionIdAndConfiguration":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"},"nodeId":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTExternalReference-1936":"#/components/schemas/BTExternalReference-1936"}}},"BTElementReferencesInfo":{"type":"object","properties":{"references":{"type":"array","items":{"$ref":"#/components/schemas/BTReferenceInfo"}}}},"BTElementTransaction":{"type":"object","properties":{"description":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"id":{"type":"string"},"microbranchId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTEllipseDescription-866":{"type":"object","prope
rties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveDescription-1583"},{"type":"object","properties":{"btType":{"type":"string"},"majorAxis":{"$ref":"#/components/schemas/BTVector3d-389"},"majorRadius":{"type":"number","format":"double"},"minorRadius":{"type":"number","format":"double"},"normal":{"$ref":"#/components/schemas/BTVector3d-389"}}}]},"BTEllipseDiameterDimensionDisplayData-1301":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTLinearDimensionDisplayData-330"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTEmptyTrashInfo":{"type":"object","properties":{"skippedDocumentsCount":{"type":"integer","format":"int32"},"skippedFoldersCount":{"type":"integer","format":"int32"},"skippedProjectsCount":{"type":"integer","format":"int32"}}},"BTEnableSiemParams":{"type":"object","properties":{"authPassword":{"type":"string"},"authToken":{"type":"string"},"authType":{"type":"string"},"authUserName":{"type":"string"},"logType":{"type":"string"},"url":{"type":"string"}}},"BTEnabledTraceInfo":{"type":"object","properties":{"createTime":{"type":"string","format":"date-time"},"enabledByUser":{"type":"string"},"id":{"type":"string"},"notes":{"type":"string"}}},"BTEncodedConfigurationInfo":{"type":"object","properties":{"encodedId":{"type":"string"},"queryParam":{"type":"string"}}},"BTEntepriseETLLastRunInfo":{"type":"object","properties":{"endTime":{"type":"string","format":"date-time"},"etlServerHost":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"loadSuccess":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"runId":{"type":"string"},"startTime":{"type":"string","format":"date-time"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTEnterpriseEventsInfo":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/Event"}},"oldestMetricTime":{"type":"string","format":"date-time"},"terminatedEarly":{"type":"boolean"}}},"BTEnterpriseLoginInfo":{"type":"object","properties":{"baseCadHostName":{"type":"string"},"baseCadUrl":{"type":"string"},"companyName":{"type":"string"},"disablePasswordSignIn":{"type":"boolean"},"domainPrefix":{"type":"string"},"eduEnterprise":{"type":"boolean"},"idmLocalLoginUrl":{"type":"string"},"idmLogo":{"type":"string"},"idmName":{"type":"string"},"idmRedirectUrl":{"type":"string"},"logoUrl":{"type":"string"},"providerType":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"}}},"BTEnterpriseReportInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTEnterpriseReportSummaryInfo"},{"type":"object","properties":{"company":{"$ref":"#/components/schemas/BTCompanySummaryInfo"},"ssoEmbedUrl":{"type":"string"}}}]},"BTEnterpriseReportParams":{"type":"object","properties":{"category":{"type":"integer","format":"int32"},"description":{"type":"string"},"drillDownDashboard":{"type":"boolean"},"filters":{"type":"string"},"groupName":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"publicReport":{"type":"boolean"},"reportId":{"type":"string"},"reportName":{"type":"string"}}},"BTEnterpriseReportRecipientInfo":{"type":"object","properties":{"email":{"type":"string"},"name":{"type":"string"},"recipientId":{"type":"string"},"recipientType":{"type":"integer","format":"int32"}}},"BTEnterpriseReportRecipientParams":{"type":"object","properties":{"recipientId":{"type":"string"},"recipientType":{"type":"integer","format":"int32"}}},"BTEnterpriseReportRecipientsParams":{"type":"object","properties":{"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTEnterpriseReportRecipientParams"}}}},"BT
EnterpriseReportScheduleBasicInfo":{"type":"object","properties":{"dayOfMonth":{"type":"integer","format":"int32"},"dayOfWeek":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastScheduleRunTime":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"nextScheduleTime":{"type":"string","format":"date-time"},"recurrenceString":{"type":"string"},"recurrenceTime":{"type":"integer","format":"int32"},"recurrenceType":{"type":"integer","format":"int32"},"reportId":{"type":"string"},"scheduleName":{"type":"string"},"scheduledBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTEnterpriseReportScheduleInfo":{"type":"object","properties":{"customMessage":{"type":"string"},"dayOfMonth":{"type":"integer","format":"int32"},"dayOfWeek":{"type":"integer","format":"int32"},"destinationType":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastScheduleRunTime":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"nextScheduleTime":{"type":"string","format":"date-time"},"recipients":{"type":"array","items":{"$ref":"#/components/schemas/BTEnterpriseReportRecipientInfo"}},"recurrenceString":{"type":"string"},"recurrenceTime":{"type":"integer","format":"int32"},"recurrenceType":{"type":"integer","format":"int32"},"reportId":{"type":"string"},"resultFormat":{"type":"integer","format":"int32"},"scheduleName":{"type":"string"},"scheduledBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the 
resource in a webclient if applicable.","format":"uri"}}},"BTEnterpriseReportScheduleParams":{"type":"object","properties":{"customMessage":{"type":"string"},"dayOfMonth":{"type":"integer","format":"int32"},"dayOfWeek":{"type":"integer","format":"int32"},"destinationType":{"type":"integer","format":"int32"},"recipients":{"type":"array","items":{"$ref":"#/components/schemas/BTEnterpriseReportRecipientParams"}},"recurrenceMinuteOfDay":{"type":"integer","format":"int32"},"recurrenceType":{"type":"integer","format":"int32"},"reportId":{"type":"string"},"resultFormat":{"type":"integer","format":"int32"},"scheduleName":{"type":"string"},"zoneOffsetMinutes":{"type":"integer","format":"int32"}}},"BTEnterpriseReportScheduleRecipientInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"recipients":{"type":"array","items":{"$ref":"#/components/schemas/BTEnterpriseReportRecipientInfo"}},"scheduleId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTEnterpriseReportSummaryInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"dashboardId":{"type":"string"},"drillDown":{"type":"boolean"},"filters":{"type":"string"},"groupName":{"type":"string"},"isPublic":{"type":"boolean"},"lastOpenedTime":{"type":"string","format":"date-time"},"permissionSet":{"type":"array","items":{"type":"string"}},"reportId":{"type":"string"},"reportName":{"type":"string"},"shortUrl":{"type":"string"}}}]},"BTEntityDegenerateEdge-1129":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTessellatedGeometry-2576"},{"type":"object","properties":{"btType":{"type":"string"},"point":{"type":"array","items":{"type":"number","format":"float"}}}}]},"BTEntityDeletion-24":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTBaseEntityData-33"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTEntityEdge-30":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTessellatedGeometry-2576"},{"type":"object","properties":{"btType":{"type":"string"},"compressedPoints":{"$ref":"#/components/schemas/BTImmutableByteArray"},"edgeSmoothnessStatus":{"$ref":"#/components/schemas/GBTEntityEdgeSmoothnessStatus"},"edgeType":{"$ref":"#/components/schemas/GBTEdgeType"},"isClosed":{"type":"boolean"},"isInternalEdge":{"type":"boolean"},"points":{"$ref":"#/components/schemas/BTImmutableFloatArray"}}}]},"BTEntityFace-31":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTSimulationFace-2147":"#/components/schemas/BTSimulationFace-2147"}},"allOf":[{"$ref":"#/components/schemas/BTTessellatedGeometry-2576"},{"type":"object","properties":{"btType":{"type":"string"},"compressedUvs":{"$ref":"#/components/schemas/BTImmutableByteArray"},"flipComputedNormals":{"type":"boo
lean"},"indices":{"$ref":"#/components/schemas/BTImmutableIntArray"},"indicesStoredAsDifferences":{"type":"boolean"},"isPlanar":{"type":"boolean"},"maxPrincipleCurvatureMagnitudes":{"$ref":"#/components/schemas/BTImmutableFloatArray"},"minPrincipleCurvatureMagnitudes":{"$ref":"#/components/schemas/BTImmutableFloatArray"},"normals":{"$ref":"#/components/schemas/BTImmutableFloatArray"},"points":{"$ref":"#/components/schemas/BTImmutableFloatArray"},"surfaceParameters":{"$ref":"#/components/schemas/BTImmutableDoubleArray"},"surfaceType":{"$ref":"#/components/schemas/GBTSurfaceType"},"textureCoordinates":{"$ref":"#/components/schemas/BTImmutableFloatArray"},"triangleCount":{"type":"integer","format":"int32"}}}]},"BTEntityGeometry-35":{"type":"object","properties":{"btType":{"type":"string"},"compressed":{"type":"boolean"},"decompressed":{"$ref":"#/components/schemas/BTEntityGeometry-35"},"errorCode":{"type":"integer","format":"int32"},"estimatedMemoryUsageInBytes":{"type":"integer","format":"int32"},"face":{"type":"boolean"},"hasTessellationError":{"type":"boolean"},"settingIndex":{"type":"integer","format":"int32"}},"discriminator":{"propertyName":"btType","mapping":{"BTDebugGeometry-2059":"#/components/schemas/BTDebugGeometry-2059","BTTessellatedGeometry-2576":"#/components/schemas/BTTessellatedGeometry-2576"}}},"BTEntityPoint-29":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTessellatedGeometry-2576"},{"type":"object","properties":{"btType":{"type":"string"},"point":{"type":"array","items":{"type":"number","format":"float"}}}}]},"BTEntityTypeFilter-124":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"entityType":{"$ref":"#/components/schemas/GBTEntityType"}}}]},"BTEulaInfo":{"type":"object","properties":{"content":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"href"
:{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"options":{"type":"array","items":{"type":"string"}},"reapply":{"type":"boolean"},"type":{"type":"integer","format":"int32"},"version":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTEulaTypeParams":{"type":"object","properties":{"agreementParams":{"$ref":"#/components/schemas/BTAgreementParams"},"type":{"type":"integer","format":"int32"}}},"BTEventParams":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"DocumentOpenEventInfo":"#/components/schemas/BTDocumentOpenEventParams"}},"oneOf":[{"$ref":"#/components/schemas/BTDocumentOpenEventParams"}]},"BTExplodeTransformInfo":{"type":"object","properties":{"explodeStepsTransforms":{"type":"array","items":{"$ref":"#/components/schemas/BTExplosionStepTransformInfo"}},"explodeViewId":{"type":"string"}}},"BTExplosion-2754":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"explodeSteps":{"type":"array","items":{"$ref":"#/components/schemas/BTExplosionStepFeature-3008"}},"startingPositionId":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"}}}]},"BTExplosionStepFeature-3008":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTExplosionStepTransformInfo":{"type":"object","properties":{"explosionStepId":{"type":"string"},"occurrencesInExplodeStep":{"type":"array","items":{"type":"string"}},"stepTransform":{"type":"array","items":{"type":"number","
format":"double"}}}},"BTExportBodyProperties-3559":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTExportModelProperties-3216"},{"type":"object","properties":{"btType":{"type":"string"},"material":{"$ref":"#/components/schemas/BTPartMaterial-1445"},"visibility":{"$ref":"#/components/schemas/GBTPartVisibility"}}}]},"BTExportLinkDataParams":{"type":"object","properties":{"password":{"type":"string"}}},"BTExportModelArcEdgeGeometry-1257":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTExportModelEdgeGeometry-1125"},{"type":"object","properties":{"arcIsClockwise":{"type":"boolean"},"arcSweep":{"type":"number","format":"double"},"btType":{"type":"string"}}}]},"BTExportModelBodiesResponse-734":{"type":"object","properties":{"bodies":{"type":"array","items":{"$ref":"#/components/schemas/BTExportModelBody-1272"}},"btType":{"type":"string"},"errorEnum":{"$ref":"#/components/schemas/GBTErrorStringEnum"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"nodeIdToReferencedProperty":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTExportModelProperties-3216"}}}},"BTExportModelBody-1272":{"type":"object","properties":{"btType":{"type":"string"},"closed":{"type":"boolean","description":"If type == COMPOSITE, indicates whether it is open or closed."},"constituentBodyIds":{"type":"array","items":{"type":"string","description":"If type == COMPOSITE, this is the id of a constituent that can be found in the 'bodies' array."}},"consumedByComposite":{"type":"boolean","description":"Indicates if there is a closed composite that consumes this 
body."},"edges":{"type":"array","items":{"$ref":"#/components/schemas/BTExportModelEdge-1782"}},"faces":{"type":"array","items":{"$ref":"#/components/schemas/BTExportModelFace-1363"}},"id":{"type":"string"},"properties":{"$ref":"#/components/schemas/BTExportBodyProperties-3559"},"type":{"$ref":"#/components/schemas/GBTBodyType"},"vertices":{"type":"array","items":{"$ref":"#/components/schemas/BTExportModelVertex-858"}}}},"BTExportModelCoedge-1342":{"type":"object","properties":{"btType":{"type":"string"},"edgeId":{"type":"string"},"orientation":{"type":"boolean"}}},"BTExportModelEdge-1782":{"type":"object","properties":{"btType":{"type":"string"},"curve":{"$ref":"#/components/schemas/BTCurveDescription-1583"},"geometry":{"$ref":"#/components/schemas/BTExportModelEdgeGeometry-1125"},"id":{"type":"string"},"vertices":{"type":"array","items":{"type":"string"}}}},"BTExportModelEdgeGeometry-1125":{"type":"object","properties":{"btType":{"type":"string"},"endPoint":{"$ref":"#/components/schemas/BTVector3d-389"},"endVector":{"$ref":"#/components/schemas/BTVector3d-389"},"length":{"type":"number","format":"double"},"midPoint":{"$ref":"#/components/schemas/BTVector3d-389"},"quarterPoint":{"$ref":"#/components/schemas/BTVector3d-389"},"startPoint":{"$ref":"#/components/schemas/BTVector3d-389"},"startVector":{"$ref":"#/components/schemas/BTVector3d-389"}},"discriminator":{"propertyName":"btType","mapping":{"BTExportModelArcEdgeGeometry-1257":"#/components/schemas/BTExportModelArcEdgeGeometry-1257"}}},"BTExportModelFace-1363":{"type":"object","properties":{"appearancePropertyNodeId":{"type":"string","description":"Identifies the application of the appearance. 
Faces that share a value were assigned an appearance together."},"area":{"type":"number","format":"double"},"box":{"$ref":"#/components/schemas/BTBoundingBox-1052"},"btType":{"type":"string"},"faceProperties":{"$ref":"#/components/schemas/BTExportModelProperties-3216"},"id":{"type":"string"},"loops":{"type":"array","items":{"$ref":"#/components/schemas/BTExportModelLoop-1182"}},"orientation":{"type":"boolean"},"surface":{"$ref":"#/components/schemas/BTSurfaceDescription-1564"}}},"BTExportModelLoop-1182":{"type":"object","properties":{"btType":{"type":"string"},"coedges":{"type":"array","items":{"$ref":"#/components/schemas/BTExportModelCoedge-1342"}},"isInner":{"type":"boolean"},"isOuter":{"type":"boolean"}}},"BTExportModelProperties-3216":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"btType":{"type":"string"},"name":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTExportBodyProperties-3559":"#/components/schemas/BTExportBodyProperties-3559"}}},"BTExportModelVertex-858":{"type":"object","properties":{"btType":{"type":"string"},"id":{"type":"string"},"point":{"$ref":"#/components/schemas/BTVector3d-389"}}},"BTExportOptionsParams":{"type":"object","properties":{"fileType":{"type":"string"},"resolution":{"type":"string"},"stlFormat":{"type":"string"},"timestamp":{"type":"string","format":"date-time"},"units":{"type":"string"}}},"BTExportRuleApplicationInfo":{"type":"object","properties":{"appliedRule":{"$ref":"#/components/schemas/BTExportRuleInfo"},"exportFileName":{"type":"string"},"objectMetadata":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}}},"BTExportRuleHardcodedPropertyInfo":{"type":"object","properties":{"context":{"type":"integer","format":"int32"},"id":{"type":"string"},"name":{"type":"string"},"objectTypes":{"type":"array","items":{"type":"integer","format":"int32"}}}},"BTExportRuleInfo":{"type":"object","properties":{"category":{"type":"string"},"categoryDisplay":{"typ
e":"string"},"company":{"$ref":"#/components/schemas/BTCompanySummaryInfo"},"fileType":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"nameConventionExternal":{"type":"string"},"nameConventionInternal":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTExportRuleParams":{"type":"object","properties":{"category":{"type":"string"},"companyId":{"type":"string"},"fileType":{"type":"string"},"nameConventionInternal":{"type":"string"},"objectType":{"$ref":"#/components/schemas/BTMetadataObjectType"},"userId":{"type":"string"}}},"BTExportRuleValidOptionsInfo":{"type":"object","properties":{"conventionPlaceholder":{"type":"string"},"hardcodedProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTExportRuleHardcodedPropertyInfo"}},"propertyContextDisplayMap":{"type":"object","additionalProperties":{"type":"string"}},"validObjectTypes":{"type":"array","items":{"type":"integer","format":"int32"}}}},"BTExportTessellatedBody-3398":{"type":"object","properties":{"btType":{"type":"string"},"constituents":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"name":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTExportTessellatedEdgesBody-890":"#/components/schemas/BTExportTessellatedEdgesBody-890","BTExportTessellatedFacesBody-1321":"#/components/schemas/BTExportTessellatedFacesBody-1321"}}},"BTExportTessellatedEdgesBody-890":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTExportTessellatedBody-3398"},{"type":"object","properties":{"btType":{"type":"string"},"edges":{"type":"array","items":{"$ref":"#/components/schemas/
BTExportTessellatedEdgesEdge-1364"}}}}]},"BTExportTessellatedEdgesEdge-1364":{"type":"object","properties":{"btType":{"type":"string"},"id":{"type":"string"},"vertices":{"type":"array","items":{"$ref":"#/components/schemas/BTVector3d-389"}}}},"BTExportTessellatedEdgesResponse-327":{"type":"object","properties":{"bodies":{"type":"array","items":{"$ref":"#/components/schemas/BTExportTessellatedBody-3398"}},"btType":{"type":"string"},"errorEnum":{"$ref":"#/components/schemas/GBTErrorStringEnum"}}},"BTExportTessellatedFacesBody-1321":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTExportTessellatedBody-3398"},{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"btType":{"type":"string"},"faces":{"type":"array","items":{"$ref":"#/components/schemas/BTExportTessellatedFacesFace-1192"}},"facetPoints":{"type":"array","items":{"$ref":"#/components/schemas/BTVector3d-389"}}}}]},"BTExportTessellatedFacesFace-1192":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"appearanceSourceId":{"type":"string"},"appearanceSourceName":{"type":"string"},"btType":{"type":"string"},"errorMessage":{"type":"string"},"facets":{"type":"array","items":{"$ref":"#/components/schemas/BTExportTessellatedFacesFacet-1417"}},"id":{"type":"string"}}},"BTExportTessellatedFacesFacet-1417":{"type":"object","properties":{"btType":{"type":"string"},"indices":{"type":"array","items":{"type":"integer","format":"int32"}},"normal":{"$ref":"#/components/schemas/BTVector3d-389"},"normals":{"type":"array","items":{"$ref":"#/components/schemas/BTVector3d-389"}},"textureCoordinates":{"type":"array","items":{"$ref":"#/components/schemas/BTVector2d-1812"}},"vertices":{"type":"array","items":{"$ref":"#/components/schemas/BTVector3d-389"}}}},"BTExportTessellatedFacesResponse-898":{"type":"object","properties":{"bodi
es":{"type":"array","items":{"$ref":"#/components/schemas/BTExportTessellatedBody-3398"}},"bodiesInfo":{"$ref":"#/components/schemas/BTExportModelBodiesResponse-734"},"btType":{"type":"string"},"combineCompositePartConstituents":{"type":"boolean"},"displayData":{"$ref":"#/components/schemas/BTPartStudioDisplayData-346"},"documentId":{"type":"string"},"elementId":{"type":"string"},"errorEnum":{"$ref":"#/components/schemas/GBTErrorStringEnum"},"facetPoints":{"type":"array","items":{"$ref":"#/components/schemas/BTVector3d-389"}},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"outputFaceAppearances":{"type":"boolean"},"outputSeparateFaceNodes":{"type":"boolean"}}},"BTExtendTrialParams":{"type":"object","properties":{"extensionDays":{"type":"integer","format":"int32"},"userId":{"type":"string"}}},"BTExternalAuthInfo":{"type":"object","properties":{"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"provider":{"type":"string"},"providerId":{"type":"string"},"state":{"type":"integer","format":"int32"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTExternalElementReferenceInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"elementMicroversionId":{"type":"string"},"versionId":{"type":"string"}}},"BTExternalReference-1936":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTElementReference-725"},{"type":"object","properties":{"btType":{"type":"string"},"documentVersionId":{"type":"string"}}}]},"BTFSComputedPropertyValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataValueInfo"},{"type":"object","properties":{"errorValue":{"$ref":"#/components/schemas/BTFSValue-1888"},"isOverride":{"type":"boolean"},"propertyFunctionReference":{"$ref":"#/components/schemas/BTComputedPartPropertyConfig"}}}]},"BTFSTable-953":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTable-1825"},{"type":"object","properties":{"btType":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"},"hiddenColumnIdsToNames":{"type":"object","additionalProperties":{"type":"string"}},"individualTableProperties":{"$ref":"#/components/schemas/BTIndividualTableProperties-3760"}}}]},"BTFSTableColumnInfo-623":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableColumnInfo-1222"},{"type":"object","properties":{"btType":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"}}}]},"BTFSTableRowMetadata-2262":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableBaseRowMetadata-3181"},{"type":"object","properties":{"btType":{"type":"string"},"callout":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"}}}]},"BTFSValue-1888":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"},"typeTag":{"type":"string"}},"d
iscriminator":{"propertyName":"btType","mapping":{"BTFSValueArray-1499":"#/components/schemas/BTFSValueArray-1499","BTFSValueBoolean-1195":"#/components/schemas/BTFSValueBoolean-1195","BTFSValueMap-2062":"#/components/schemas/BTFSValueMap-2062","BTFSValueNumber-772":"#/components/schemas/BTFSValueNumber-772","BTFSValueOther-1124":"#/components/schemas/BTFSValueOther-1124","BTFSValueString-1422":"#/components/schemas/BTFSValueString-1422","BTFSValueTooBig-1247":"#/components/schemas/BTFSValueTooBig-1247","BTFSValueUndefined-2003":"#/components/schemas/BTFSValueUndefined-2003","BTFSValueWithUnits-1817":"#/components/schemas/BTFSValueWithUnits-1817"}}},"BTFSValueArray-1499":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"array","items":{"$ref":"#/components/schemas/BTFSValue-1888"}}}}]},"BTFSValueBoolean-1195":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"boolean"}}}]},"BTFSValueMap-2062":{"type":"object","properties":{"btType":{"type":"string"},"typeTag":{"type":"string"},"value":{"type":"array","items":{"$ref":"#/components/schemas/BTFSValueMapEntry-2077"}}}},"BTFSValueMapEntry-2077":{"type":"object","properties":{"btType":{"type":"string"},"key":{"$ref":"#/components/schemas/BTFSValue-1888"},"value":{"$ref":"#/components/schemas/BTFSValue-1888"}}},"BTFSValueNumber-772":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"number","format":"double"}}}]},"BTFSValueOther-1124":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/sch
emas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTPType"}}}]},"BTFSValueString-1422":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"string"}}}]},"BTFSValueTooBig-1247":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTFSValueUndefined-2003":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTFSValueWithUnits-1817":{"required":["btType"],"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFSValue-1888"},{"type":"object","properties":{"btType":{"type":"string"},"unitToPower":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"value":{"type":"number","format":"double"}}}]},"BTFeatureApiBase-1430":{"type":"object","properties":{"btType":{"type":"string"},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblyFeatureListResponse-1174":"#/components/schemas/BTAssemblyFeatureListResponse-1174","BTConfigurationResponse-2019":"#/components/schemas/BTConfigurationResponse-2019","BTConfigurationUpdateCall-2933":"#/components/schemas/BTConfigurationUpdateCall-2933","BTFeatureDefinitionCall-1406":"#/components/schemas/BTFeatureDefinitionCall-1406","BTFeatureDefinitionResponse-1617":"#/components/schemas/BTFeatureDefinitionResponse-1617","BTFeatureListResponse-2
457":"#/components/schemas/BTFeatureListResponse-2457","BTFeatureScriptEvalCall-2377":"#/components/schemas/BTFeatureScriptEvalCall-2377","BTFeatureScriptEvalResponse-1859":"#/components/schemas/BTFeatureScriptEvalResponse-1859","BTFeatureSpecsResponse-664":"#/components/schemas/BTFeatureSpecsResponse-664","BTFeatureStudioContents-2239":"#/components/schemas/BTFeatureStudioContents-2239","BTSetFeatureRollbackCall-1899":"#/components/schemas/BTSetFeatureRollbackCall-1899","BTSetFeatureRollbackResponse-1042":"#/components/schemas/BTSetFeatureRollbackResponse-1042","BTUpdateFeaturesCall-1748":"#/components/schemas/BTUpdateFeaturesCall-1748","BTUpdateFeaturesResponse-1333":"#/components/schemas/BTUpdateFeaturesResponse-1333"}}},"BTFeatureCalloutInfo":{"type":"object","properties":{"active":{"type":"boolean"},"entFeature":{"type":"boolean"},"featureContext":{"type":"integer","format":"int32"},"featureDescriptionTemplate":{"type":"string"},"featureIcon":{"type":"string"},"featureName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"imageUrl":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"proFeature":{"type":"boolean"},"rank":{"type":"integer","format":"int32"},"stdFeature":{"type":"boolean"},"videoUrl":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTFeatureCalloutParams":{"type":"object","properties":{"active":{"type":"boolean"},"entFeature":{"type":"boolean"},"featureContext":{"type":"integer","format":"int32"},"featureDescriptionTemplate":{"type":"string"},"featureIcon":{"type":"string"},"featureName":{"type":"string"},"imageUrl":{"type":"string"},"proFeature":{"type":"boolean"},"stdFeature":{"type":"boolean"},"videoUrl":{"type":"boolean"}}},"BTFeatureDefinitionCall-1406":{"type":"object","properties":{"btType":{"type":"string"},"feature":{"$ref":"#/components/schemas/BTMFeature-134"},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTFeatureDefinitionResponse-1617":{"type":"object","properties":{"btType":{"type":"string"},"feature":{"$ref":"#/components/schemas/BTMFeature-134"},"featureState":{"$ref":"#/components/schemas/BTFeatureState-1688"},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTFeatureEntity-34":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTBodyEntity-26":"#/components/schemas/BTBodyEntity-26","BTConstructionPlaneEntity-27":"#/components/schemas/BTConstructionPlaneEntity-27","BTMateConnectorEntity-28":"#/components/schemas/BTMateConnectorEntity-28","BTOriginEntity-935":"#/components/schemas/BTOriginEntity-935","BTPointEntity-1439":"#/components/schemas/BTPointEntity-1439","BTSketchEntity-25":"#/components/schemas/BTSketchEntity-25"}},"allOf":[{"$ref":"#/components/schemas/BTBaseEntityData-33"},{"type":"object","properties":{"btType":{"type":"string"},"domainSpecificMetadata":{"type":"array","items":{"$ref":"#/components/schemas/BTDomainSpecificMetadata-961"}},"
firstGeometry":{"$ref":"#/components/schemas/BTEntityGeometry-35"}}}]},"BTFeatureFilter-127":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"exclusion":{"$ref":"#/components/schemas/GBTFeatureFilterExclusion"},"featureId":{"type":"string"}}}]},"BTFeatureListResponse-2457":{"type":"object","properties":{"btType":{"type":"string"},"defaultFeatures":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"featureStates":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFeatureState-1688"}},"features":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"imports":{"type":"array","items":{"$ref":"#/components/schemas/BTMImport-136"}},"isComplete":{"type":"boolean"},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"rollbackIndex":{"type":"integer","format":"int32"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTFeatureOccurrenceData-775":{"type":"object","properties":{"btType":{"type":"string"},"visibility":{"$ref":"#/components/schemas/GBTBSFeatureVisibility"}},"discriminator":{"propertyName":"btType","mapping":{"BTMateOccurrenceData-1671":"#/components/schemas/BTMateOccurrenceData-1671"}}},"BTFeatureScriptEvalCall-2377":{"type":"object","properties":{"btType":{"type":"string"},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"queries":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"rejectMicroversionSkew":{"type":"boolean"},"script":{"type":"string"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTFeatureScriptEvalResponse-1859":{"type":"object","properties":{"btType":{"type":"string"},"console":{"type":"string"},"libraryVersion":{"type":"integer","for
mat":"int32"},"microversionSkew":{"type":"boolean"},"notices":{"type":"array","items":{"$ref":"#/components/schemas/BTNotice-227"}},"rejectMicroversionSkew":{"type":"boolean"},"result":{"$ref":"#/components/schemas/BTFSValue-1888"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTFeatureSpec-129":{"type":"object","properties":{"additionalLocalizedStrings":{"type":"integer","format":"int32","writeOnly":true},"allParameters":{"type":"array","items":{"$ref":"#/components/schemas/BTParameterSpec-6"}},"btType":{"type":"string"},"computedPartPropertySpec":{"type":"boolean"},"descriptionImageUri":{"type":"string"},"editingLogic":{"$ref":"#/components/schemas/BTEditingLogic-2350"},"featureNameTemplate":{"type":"string"},"featureType":{"type":"string"},"featureTypeDescription":{"type":"string"},"featureTypeName":{"type":"string"},"filterSelectors":{"type":"array","items":{"type":"string"}},"fullFeatureType":{"type":"string"},"groups":{"type":"array","items":{"$ref":"#/components/schemas/BTParameterGroupSpec-3469"}},"iconUri":{"type":"string"},"languageVersion":{"type":"integer","format":"int32"},"linkedLocationName":{"type":"string"},"localizableName":{"type":"string"},"localizedName":{"type":"string","writeOnly":true},"locationInfos":{"type":"array","items":{"$ref":"#/components/schemas/BTLocationInfo-226"}},"manipulatorChangeFunction":{"type":"string"},"namespace":{"type":"string"},"namespaceIncludingEnums":{"type":"string","writeOnly":true},"namespaceTheSource":{"type":"boolean"},"parameterIdToSpec":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTParameterSpec-6"}},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTParameterSpec-6"}},"signature":{"type":"string"},"sourceLocation":{"$ref":"#/components/schemas/BTLocationInfo-226"},"sourceMicroversionId":{"type":"string"},"stringsToLocalize":{"type":"array","items":{"type":"string"}},"tableSpec":{"type":"boolean"},"tooltipTemplate":{"type":"string
"},"uiHints":{"type":"array","items":{"$ref":"#/components/schemas/GBTUIHint"}}},"discriminator":{"propertyName":"btType","mapping":{"BTComputedPartPropertySpec-1746":"#/components/schemas/BTComputedPartPropertySpec-1746","BTTableSpec-915":"#/components/schemas/BTTableSpec-915"}}},"BTFeatureSpecsResponse-664":{"type":"object","properties":{"btType":{"type":"string"},"featureSpecs":{"type":"array","items":{"$ref":"#/components/schemas/BTFeatureSpec-129"}},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"}}},"BTFeatureState-1688":{"type":"object","properties":{"btType":{"type":"string"},"featureStatus":{"$ref":"#/components/schemas/GBTNodeStatusType"}}},"BTFeatureStudioContents-2239":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureApiBase-1430"},{"type":"object","properties":{"btType":{"type":"string"},"contents":{"type":"string"}}}]},"BTFeatureTypeFilter-962":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"featureType":{"type":"string"}}}]},"BTFilterHistoryByUser":{"type":"string","enum":["ONLY_ME","NOT_ME","ALL","BY_USER"]},"BTFilteredHistoryParams":{"type":"object","properties":{"availableWorkspaceIds":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"documentId":{"type":"string"},"elementIds":{"type":"array","items":{"type":"string"}},"elementTypes":{"type":"array","items":{"type":"integer","format":"int32"}},"endDate":{"type":"string","format":"date-time"},"groupBy":{"type":"integer","format":"int32"},"historyRecordId":{"type":"string"},"limit":{"type":"integer","format":"int32"},"offset":{"type":"integer","format":"int32"},"sortingStrategy":{"type":"integer","format":"int32"},"startDate":{"t
ype":"string","format":"date-time"},"userId":{"type":"string"},"usersFilter":{"$ref":"#/components/schemas/BTFilterHistoryByUser"}}},"BTFlatSheetMetalFilter-3018":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"allows":{"$ref":"#/components/schemas/GBTFilterFlattenedGeometryOptions"},"btType":{"type":"string"}}}]},"BTFolderInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"active":{"type":"boolean"},"canUnshare":{"type":"boolean"},"elementLibrarySummaryInfo":{"type":"array","items":{"$ref":"#/components/schemas/BTElementLibrarySummaryInfo"}},"isOrphaned":{"type":"boolean"},"parentId":{"type":"string"},"permissionSet":{"type":"array","items":{"type":"string"}},"trash":{"type":"boolean"},"trashedAt":{"type":"string","format":"date-time"}}}]},"BTFolderParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"parentId":{"type":"string"},"projectId":{"type":"string"}}},"BTFolderStateInfo":{"type":"object","properties":{"name":{"type":"string"},"treeHref":{"type":"string"}}},"BTForeignDataResponse-1070":{"type":"object","properties":{"btType":{"type":"string"},"bucketName":{"type":"string"},"bucketPath":{"type":"string"},"cacheChunkList":{"type":"array","items":{"type":"string"}},"dataId":{"type":"string"},"format":{"$ref":"#/components/schemas/GBTDataItemFormat"},"name":{"type":"string"},"region":{"type":"string"},"size":{"type":"integer","format":"int32"},"storageType":{"type":"string"},"useLocalStorage":{"type":"boolean"}}},"BTForeignItemInfo":{"type":"object","properties":{"documentMicroversionId":{"type":"string"},"fileSize":{"type":"integer","format":"int64"},"filename":{"type":"string"},"foreignId":{"type":"string"},"mediaType":{"type":"string"},"microversionId":{"type":"string"},"upload
edAt":{"type":"string","format":"date-time"},"uploadedBy":{"type":"string"}}},"BTFormatValueParams":{"type":"object","properties":{"contextDocumentId":{"type":"string"},"contextWv":{"type":"string"},"contextWvId":{"type":"string"},"isFromWebClient":{"type":"boolean"},"quantityType":{"$ref":"#/components/schemas/GBTQuantityType"},"value":{"type":"string"},"valueType":{"$ref":"#/components/schemas/BTMetadataValueType"}}},"BTFormatValueResponse":{"type":"object","properties":{"error":{"type":"string"},"formattedValue":{"type":"string"}}},"BTFriendInfo":{"type":"object","properties":{"documentationName":{"type":"string"},"email":{"type":"string"},"firstName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"imageUrl":{"type":"string"},"lastName":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"token":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTFriendsFromIdsParams":{"type":"object","properties":{"ids":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTFullElementId-756":{"type":"object","properties":{"btType":{"type":"string"},"configured":{"type":"boolean"},"elementId":{"type":"string"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfiguration":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"},"target":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"}},"discriminator":{"propertyName":"btType","mapping":{"BTFullElementIdWithDocument-1729":"#/components/schemas/BTFullElementIdWithDocument-1729"}}},"BTFullElementIdAndPartId-643":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFullElementIdWithDocument-1729"},{"type":"object","properties":{"btType":{"type":"string"},"partId":{"type":"string"}}}]},"BTFullElementIdWithDocument-1729":{"type":"object","properties":{"btType":{"type":"string"},"configured":{"type":"boolean"},"documentId":{"type":"string"},"elementId":{"type":"string"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfiguration":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"},"target":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"}},"discriminator":{"propertyName":"btType","mapping":{"BTFullElementIdAndPartId-643":"#/components/schemas/BTFullElementIdAndPartId-643"}}},"BTGeneratedGraphicsAppearance-4159":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTGeometryFilter-130":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"geometryType":{"$ref":"#/components/schemas/GBTGeometryType"}}}]},"BTG
eometryMateDisplayData-1050":{"type":"object","properties":{"btType":{"type":"string"},"firstDeterministicId":{"type":"string"},"firstOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"hidden":{"type":"boolean"},"isDerivedFeature":{"type":"boolean"},"location":{"$ref":"#/components/schemas/BTCoordinateSystem-387"},"nodeId":{"type":"string"},"ownerOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"secondDeterministicId":{"type":"string"},"secondOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"status":{"$ref":"#/components/schemas/GBTAssemblyFeatureDisplayStatus"}}},"BTGetJsonPaths-1697":{"type":"object","properties":{"btType":{"type":"string"},"paths":{"type":"array","items":{"type":"string"}}}},"BTGetJsonPathsResponse-1544":{"type":"object","properties":{"btType":{"type":"string"},"changeId":{"type":"string"},"results":{"type":"array","items":{"type":"array","items":{"$ref":"#/components/schemas/BTJsonMatch-2290"}}}}},"BTGetJsonResponse-2137":{"type":"object","properties":{"btType":{"type":"string"},"changeId":{"type":"string"},"tree":{"type":"object","properties":{"btType":{"type":"string"}},"additionalProperties":{"type":"object","properties":{"btType":{"type":"string"}}}}}},"BTGlobalPermissionDefinitionsInfo":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/Definition"}}}},"BTGlobalPermissionInfo":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/Item"}}}},"BTGlobalPermissionParams":{"type":"object","properties":{"globalPermission":{"type":"integer","format":"int32"},"identityParams":{"type":"array","items":{"$ref":"#/components/schemas/BTIdentityParams"}}}},"BTGlobalTreeMagicNodeInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"subType":{"type":"integer","format":"int32"}}}]},"BTGlobalTreeNodeInfo":{"required":["jsonType"],"type":"object","properties":{"canMove":{"type":"boolean"
},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isContainer":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"isMutable":{"type":"boolean"},"jsonType":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"projectId":{"type":"string"},"resourceType":{"type":"string"},"treeHref":{"type":"string"},"unparentHref":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"discriminator":{"propertyName":"jsonType","mapping":{"document-summary":"#/components/schemas/BTDocumentSummaryInfo","folder":"#/components/schemas/BTFolderInfo","magic":"#/components/schemas/BTGlobalTreeMagicNodeInfo","project":"#/components/schemas/BTProjectInfo","label":"#/components/schemas/BTDocumentLabelInfo","team-summary":"#/components/schemas/BTTeamSummaryInfo","cloudstorageaccount":"#/components/schemas/BTCloudStorageAccountInfo","classroom":"#/components/schemas/BTClassroomInfo","resource-owner":"#/components/schemas/BTResourceOwnerInfo"}}},"BTGlobalTreeNodeInfoListBTDocumentInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTDocumentInfo"}},"BTGlobalTreeNodeInfoListBTDocumentLabelInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. 
Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}},"BTGlobalTreeNodeInfoListBTEnterpriseReportSummaryInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTEnterpriseReportSummaryInfo"}},"BTGlobalTreeNodeInfoListBTGlobalTreeNodeInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"}},"BTGlobalTreeNodeInfoListBTProjectInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTProjectInfo"}},"BTGlobalTreeNodeInfoListBTTeamInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTTeamInfo"}},"BTGlobalTreeNodeInfoListBTTeamSummaryInfo":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTTeamSummaryInfo"}},"BTGlobalTreeNodeListResponse":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"}},"next":{"type":"string","description":"The URL for the next page of items. 
Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeListResponseBTDocumentInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTDocumentInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeListResponseBTDocumentLabelInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTDocumentLabelInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeListResponseBTEnterpriseReportSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. 
Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTEnterpriseReportSummaryInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeListResponseBTProjectInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTProjectInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeListResponseBTTeamInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTTeamInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. 
Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeListResponseBTTeamSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTTeamSummaryInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"previous":{"type":"string","description":"The URL for the previous page of items. Responses are limited to 20 items per page.","format":"uri"}}},"BTGlobalTreeNodeMoveParams":{"type":"object","properties":{"itemsToMove":{"type":"array","items":{"$ref":"#/components/schemas/Item"}}}},"BTGlobalTreeNodeOwnerParams":{"type":"object","properties":{"newOwnerId":{"type":"string"},"newOwnerType":{"type":"integer","format":"int32"},"newUserEmail":{"type":"string"},"personalMessage":{"type":"string"},"resourceId":{"type":"string"},"resourceType":{"type":"string"}}},"BTGlobalTreeNodeWithChildrenInfo":{"type":"object","properties":{"href":{"type":"string","description":"Requested Document URL","format":"uri"},"items":{"type":"array","properties":{"empty":{"type":"boolean"}},"description":"Document Items array. Array entries are the same as that returned from \"/api/documents/{did}\".","items":{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"}},"next":{"type":"string","description":"The URL for the next page of items. Responses are limited to 20 items per page.","format":"uri"},"pathToRoot":{"type":"array","items":{"$ref":"#/components/schemas/PathSegment"}},"permissionSet":{"type":"array","items":{"type":"string"}},"previous":{"type":"string","description":"The URL for the previous page of items. 
Responses are limited to 20 items per page.","format":"uri"}}},"BTGrantStatusInfo":{"type":"object","properties":{"applicationId":{"type":"string"},"companyId":{"type":"string"},"companyName":{"type":"string"},"externalGrantStatus":{"type":"integer","format":"int32"},"grantType":{"type":"integer","format":"int32"},"onshapeGrantStatus":{"type":"integer","format":"int32"},"userId":{"type":"string"}}},"BTGraphicsAppearance-1152":{"type":"object","properties":{"btType":{"type":"string"},"color":{"type":"array","items":{"type":"string","format":"byte"}},"nonTrivial":{"type":"boolean"},"opacity":{"type":"integer","format":"int32"},"reset":{"type":"boolean"},"rgbaColor":{"type":"array","items":{"type":"string","format":"byte"}},"type":{"$ref":"#/components/schemas/GBTAppearanceType"},"usableAppearance":{"type":"boolean"}},"discriminator":{"propertyName":"btType","mapping":{"BTGeneratedGraphicsAppearance-4159":"#/components/schemas/BTGeneratedGraphicsAppearance-4159"}}},"BTGraphicsSectionPlaneData-1429":{"type":"object","properties":{"btType":{"type":"string"},"center":{"$ref":"#/components/schemas/BTVector3d-389"},"normal":{"$ref":"#/components/schemas/BTVector3d-389"},"tangent":{"$ref":"#/components/schemas/BTVector3d-389"}}},"BTGraphicsSectionViewStateData-4379":{"type":"object","properties":{"btType":{"type":"string"},"elementId":{"type":"string"},"isExcluding":{"type":"boolean"},"sectionPlanes":{"type":"array","items":{"$ref":"#/components/schemas/BTGraphicsSectionPlaneData-1429"}},"selectionsToExclude":{"type":"array","items":{"$ref":"#/components/schemas/BTUiSelection-1185"}},"selectionsToInclude":{"type":"array","items":{"$ref":"#/components/schemas/BTUiSelection-1185"}}}},"BTGroupedWorkflowInfo":{"type":"object","properties":{"changeOrderWorkflows":{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowDetailInfo"}},"changeRequestWorkflows":{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowDetailInfo"}},"changeTaskWorkflows"
:{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowDetailInfo"}},"obsoletionWorkflows":{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowDetailInfo"}},"releaseWorkflows":{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowDetailInfo"}},"taskWorkflows":{"type":"array","items":{"$ref":"#/components/schemas/BTPublishedWorkflowDetailInfo"}}}},"BTGuardDef":{"type":"object","properties":{"name":{"type":"string"},"params":{"type":"object","additionalProperties":{"type":"object"}}}},"BTHelpLinkInfo":{"type":"object","properties":{"href":{"type":"string","format":"uri"},"name":{"type":"string"}}},"BTHistoryInfo":{"type":"object","properties":{"belongsToVersion":{"type":"boolean"},"canBeRestored":{"type":"boolean"},"date":{"type":"string","format":"date-time"},"description":{"type":"string"},"microversionId":{"type":"string"},"nextMicroversionId":{"type":"string"},"restoreId":{"type":"string"},"userId":{"type":"string"},"username":{"type":"string"},"workspaceOrVersionId":{"type":"string"}}},"BTIdParams":{"type":"object","properties":{"ids":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTIdTranslationInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"ids":{"type":"array","items":{"$ref":"#/components/schemas/BTIdTranslationResultInfo"}},"sourceDocumentMicroversion":{"type":"string"},"targetDocumentMicroversion":{"type":"string"}}},"BTIdTranslationParams":{"type":"object","properties":{"ids":{"type":"array","items":{"type":"string"}},"linkDocumentId":{"type":"string"},"sourceConfiguration":{"type":"string"},"sourceDocumentMicroversion":{"type":"string"},"targetConfiguration":{"type":"string"}}},"BTIdTranslationResultInfo":{"type":"object","properties":{"source":{"type":"string"},"status":{"type":"string"},"target":{"type":"array","items":{"type":"string"}}}},"BTIdentity":{"type":"object","properties":{"identityId":{"type":"string"},"identityType"
:{"$ref":"#/components/schemas/BTIdentityType"},"team":{"type":"boolean"},"user":{"type":"boolean"}}},"BTIdentityInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"identityType":{"type":"integer","format":"int32"},"team":{"$ref":"#/components/schemas/BTTeamSummaryInfo"},"user":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTIdentityManagementBaseInfo":{"type":"object","properties":{"companyId":{"type":"string"},"configSourceType":{"type":"integer","format":"int32"},"disablePasswordSignIn":{"type":"boolean"},"enabled":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"providerType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"whiteListedDomains":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTIdentityManagementLoginInfo":{"type":"object","properties":{"localLoginURL":{"type":"string"}}},"BTIdentityManagementParams":{"type":"object","properties":{"disablePasswordSignIn":{"type":"boolean"},"enabled":{"type":"boolean"},"metadataMustBeSigned":{"type":"boolean"},"name":{"type":"string"},"providerType":{"type":"integer","format":"int32"},"whiteListedDomains":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTIdentityParams":{"type":"object","properties":{"identity":{"$ref":"#/components/schemas/BTIdentity"},"identityId":{"type":"string"},"identityType":{"type":"integer","format":"int32"}}},"BTIdentityType":{"type":"string","enum":["USER","TEAM"]},"BTImageFilter-853":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isImage":{"type":"boolean"}}}]},"BTImageMapping-3821":{"type":"object","properties":{"btType":{"type":"string"},"deterministicIds":{"type":"array","items":{"type":"string"}},"uvTransform":{"$ref":"#/components/schemas/BTMatrix3x3-340"}},"discriminator":{"propertyName":"btType","mapping":{"BTCylindricalImageMapping-1640":"#/components/schemas/BTCylindricalImageMapping-1640","BTPlanarImageMapping-4398":"#/components/schemas/BTPlanarImageMapping-4398"}}},"BTImmutableByteArray":{"type":"object","properties":{"empty":{"type":"boolean"}}},"BTImmutableContextData-4072":{"type":"object","properties":{"btType":{"type":"string"},"creationTime":{"type":"string","format":"date-time"},"creationVersion":{"type":"string"},"key":{"type":"string"}}},"BTImmutableDoubleArray":{"type":"object","properties":{"empty":{"type":"boolean"}}},"BTImmutableFloatArray":{"type":"object","properties":{"empty":{"type":"boolean"}}},"BTImmutableIntArray":{"type":"object","properties":{"empty":{"type":"boolean"}}},"BTImport":{"ty
pe":"object","properties":{"forExport":{"type":"boolean"},"importMicroversion":{"type":"string","writeOnly":true}}},"BTImportCloudObjectParams":{"type":"object","properties":{"accessToken":{"type":"string"},"allowFaultyParts":{"type":"boolean","description":"If true, parts with faults are imported. If false, faulty parts are omitted.","example":false},"blobElementId":{"type":"string"},"blobMicroversionId":{"type":"string"},"cloudObjectId":{"type":"string"},"cloudStorageAccountId":{"type":"string"},"cloudStorageProvider":{"type":"integer","format":"int32"},"createComposite":{"type":"boolean"},"extractAssemblyHierarchy":{"type":"boolean"},"flattenAssemblies":{"type":"boolean"},"foreignId":{"type":"string"},"getyAxisIsUp":{"type":"boolean"},"importAppearances":{"type":"boolean"},"importWithinDocument":{"type":"boolean"},"joinAdjacentSurfaces":{"type":"boolean"},"mimeType":{"type":"string"},"name":{"type":"string"},"notifyUser":{"type":"boolean"},"onePartPerDoc":{"type":"boolean"},"originalForeignId":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"$ref":"#/components/schemas/BTOwnerType"},"parentId":{"type":"string"},"processedForeignId":{"type":"string"},"projectId":{"type":"string"},"public":{"type":"boolean"},"sizeBytes":{"type":"integer","format":"int64"},"skipBodyshop":{"type":"boolean"},"specifyUnits":{"type":"boolean"},"splitAssembliesIntoMultipleDocuments":{"type":"boolean"},"unit":{"type":"string"},"uploadId":{"type":"string"},"url":{"type":"string"}}},"BTInAppMessageContent":{"type":"object","properties":{"contentItems":{"type":"array","items":{"$ref":"#/components/schemas/BTInAppMessageContentItem"}},"maxNumSurveyResponses":{"type":"integer","format":"int32"},"showItems":{"type":"boolean"},"state":{"$ref":"#/components/schemas/BTObjectState"},"title":{"type":"string"}}},"BTInAppMessageContentItem":{"type":"object","properties":{"anchor":{"type":"string"},"contentId":{"type":"string"},"height":{"type":"integer","format":"int32"},"horizontalOffset":
{"type":"integer","format":"int32"},"itemTitle":{"type":"string"},"link":{"type":"string"},"pausePoints":{"type":"array","items":{"type":"number","format":"double"}},"player":{"type":"string"},"position":{"type":"string"},"template":{"type":"string"},"thumbnail":{"type":"string"},"title":{"type":"string"},"verticalOffset":{"type":"integer","format":"int32"},"width":{"type":"integer","format":"int32"}}},"BTInAppMessageInfo":{"type":"object","properties":{"billingPlanIds":{"type":"array","items":{"type":"string"}},"content":{"type":"array","items":{"$ref":"#/components/schemas/BTInAppMessageContent"}},"contentIndex":{"type":"integer","format":"int32"},"contentType":{"type":"integer","format":"int32"},"context":{"type":"integer","format":"int32"},"description":{"type":"string"},"displayOrder":{"type":"integer","format":"int32"},"domainType":{"type":"integer","format":"int32"},"endDate":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lookerQuery":{"type":"integer","format":"int64"},"name":{"type":"string","description":"Name of the resource."},"populationTaskId":{"type":"string"},"ruleId":{"type":"string"},"showOnce":{"type":"boolean"},"startDate":{"type":"string","format":"date-time"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTInAppMessageParams":{"type":"object","properties":{"billingPlanIds":{"type":"array","items":{"type":"string"}},"content":{"type":"array","items":{"$ref":"#/components/schemas/Content"}},"contentType":{"type":"integer","format":"int32"},"context":{"type":"integer","format":"int32"},"description":{"type":"string"},"displayOrder":{"type":"integer","format":"int32"},"domainType":{"type":"integer","format":"int32"},"endDate":{"type":"string","format":"date-time"},"lookerQuery":{"type":"integer","format":"int64"},"name":{"type":"string"},"populationTaskId":{"type":"string"},"ruleId":{"type":"string"},"showOnce":{"type":"boolean"},"startDate":{"type":"string","format":"date-time"}}},"BTInContextObjectFilter-3810":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isInContext":{"type":"boolean"}}}]},"BTIndividualTableProperties-3760":{"type":"object","properties":{"btType":{"type":"string"},"hiddenColumns":{"type":"array","items":{"$ref":"#/components/schemas/BTStringNodeWrapper-4224"}},"nodeId":{"type":"string"},"order":{"type":"array","items":{"$ref":"#/components/schemas/BTStringNodeWrapper-4224"}},"tableNodeId":{"type":"string"}}},"BTInheritedAclInfo":{"type":"object","properties":{"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTAclEntryInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"objectId":{"type":"string"},"objectName":{"type":"string"},"objectType":{"type":"integer","format":"int64"},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"public":{"type":"boolean"},"sharedWithSupport":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"visibility":{"type":"string"}}},"BTInnerArrayParameterLocation-2368":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTInnerParameterLocation-1715"},{"type":"object","properties":{"btType":{"type":"string"},"index":{"type":"integer","format":"int32"},"outerParameterId":{"type":"string"}}}]},"BTInnerDerivedParameterLocation-591":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTInnerParameterLocation-1715"},{"type":"object","properties":{"btType":{"type":"string"},"outerParameterId":{"type":"string"}}}]},"BTInnerParameterLocation-1715":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTInnerArrayParameterLocation-2368":"#/components/schemas/BTInnerArrayParameterLocation-2368","BTInnerDerivedParameterLocation-591":"#/components/schemas/BTInnerDerivedParameterLocation-591"}}},"BTInsertable":{"type":"object","properties":{"bodyType":{"type":"integer","format":"int32"},"classType":{"type":"integer","format":"int32"},"configuration":{"type":"string"},"configurationParameterValues":{"type":"array","items":{"type":"string","format":"byte"}},"configurationParameters":{"type":"array","items":{"type":"string","format":"byte"}},"dataType":{"type":"string"},"deterministicId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementName":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"featureId":{"type":"string"},"featureName":{"type":"string"},"featureScriptVersion":{"type":"integer","format":"int32"},"featureSpec":{"type":"array","items":{"type":"string","format":"byte"}},"featureType":{"type":"string"},"fscomputedPartPropertySpec":{"type":"array","items":{"type":"string","format":"byte"}},"fstableSpec":{"type":"array","items":{"type":"string","format":"byte"}},"hasFaults":{"type":"boolean"},"id":{"type":"string"},"insertableQuery":{"type
":"string"},"insertableVersion":{"type":"integer","format":"int64"},"isFlattenedBody":{"type":"boolean"},"meshState":{"type":"integer","format":"int32"},"microversionId":{"type":"string"},"parentId":{"type":"string"},"partIdentity":{"type":"string"},"partName":{"type":"string"},"referenceFeature":{"type":"boolean"},"sourceFileExtension":{"type":"string"},"unflattenedPartDeterministicId":{"type":"string"},"variableName":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTInsertableInfo":{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"classType":{"type":"integer","format":"int32"},"configuration":{"type":"string"},"configurationParameterValues":{"type":"array","items":{"type":"string","format":"byte"}},"configurationParameters":{"type":"array","items":{"type":"string","format":"byte"}},"dataType":{"type":"string"},"deterministicId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementName":{"type":"string"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"featureId":{"type":"string"},"featureName":{"type":"string"},"featureSpec":{"type":"array","items":{"type":"string","format":"byte"}},"featureType":{"type":"string"},"fsComputedPartPropertySpec":{"type":"array","items":{"type":"string","format":"byte"}},"fsTableSpec":{"type":"array","items":{"type":"string","format":"byte"}},"hasFaults":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"insertableQuery":{"type":"string"},"isFlattenedBody":{"type":"boolean"},"isMesh":{"type":"boolean"},"meshState":{"$ref":"#/components/schemas/GBTMeshState"},"microversionId":{"type":"string"},"name":{"type":"string","description":"Name of the 
resource."},"parentId":{"type":"string"},"partIdentity":{"type":"string"},"partName":{"type":"string"},"predictableThumbnailId":{"type":"string"},"sourceFileExtension":{"type":"string"},"thumbnailUri":{"type":"string"},"unflattenedPartDeterministicId":{"type":"string"},"variableName":{"type":"string"},"versionId":{"type":"string"},"versionName":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"},"workspaceName":{"type":"string"}},"description":"Array of items in the current page."},"BTInsertablesListResponse":{"type":"object","properties":{"canSaveVersion":{"type":"boolean"},"changesSinceVersionSave":{"type":"integer","format":"int32"},"configuration":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFSValue-1888"}},"configurationKey":{"type":"string"},"hasMultipleVersions":{"type":"boolean"},"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTInsertableInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"},"updatedThumbnailUri":{"type":"string"}}},"BTInspectionTableHeaderInfo":{"type":"object","properties":{"displayName":{"type":"string"},"propertyId":{"type":"string"},"valueType":{"type":"integer","format":"int32"}}},"BTInspectionTableInfo":{"type":"object","properties":{"headers":{"type":"array","items":{"$ref":"#/components/schemas/BTInspectionTableHeaderInfo"}},"isAllCaps":{"type":"boolean"}}},"BTInstance-642":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblyInstance-947":"#/components/schemas/BTAssemblyInstance-947","BTPartInstance-81":"#/components/schemas/BTPartInstance-81"}},"allOf":[{"$ref":"#/components/schemas/BTInstanceBase-2263"},{"type":"object","properties":{"btType":{"type":"string"},"configuration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"configured":{"type":"boolean"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementReference":{"$ref":"#/components/schemas/BTElementReference-725"},"externalDocumentWithVersion":{"$ref":"#/components/schemas/BTDocumentWithVersionId"},"externalDocumentWithVersionAndElementId":{"$ref":"#/components/schemas/BTDocumentWithVersionAndElementId"},"lockedState":{"$ref":"#/components/schemas/BTMParameter-1"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"name":{"type":"string"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"referenceParameter":{"$ref":"#/components/schemas/BTMParameterReferenceWithConfiguration-3028"},"versionId":{"type":"string"},"versionIdIfExternal":{"type":"string"}}}]},"BTInstanceBase-2263":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTInstance-642":"#/components/schemas/BTInstance-642","BTInstanceFolder-3627":"#/components/schemas/BTInstanceFolder-3627","BTParametricInstance-2641":"#/components/schemas/BTParametricInstance-264
1","BTParametricOutputInstance-2288":"#/components/schemas/BTParametricOutputInstance-2288"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"assemblyInstance":{"type":"boolean"},"assemblyPattern":{"type":"boolean"},"assemblyReplicate":{"type":"boolean"},"btType":{"type":"string"},"clonedInstance":{"type":"boolean"},"customData":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTReferenceCustomData-1551"}},"instanceFolder":{"type":"boolean"},"instanceName":{"type":"string"},"isFlattenedPart":{"type":"boolean"},"locked":{"type":"boolean"},"parametricInstance":{"type":"boolean"},"parametricOutputInstance":{"type":"boolean"},"parametricPartStudioChildInstance":{"type":"boolean"},"parametricPartStudioInstance":{"type":"boolean"},"partInstance":{"type":"boolean"},"releasable":{"type":"boolean"},"revisionCustomData":{"$ref":"#/components/schemas/BTRevisionCustomData-2090"},"standardContent":{"type":"boolean"},"standardContentParametersId":{"type":"string"},"suppressed":{"type":"boolean"},"suppressedFieldIndex":{"type":"integer","format":"int32"},"suppressionConfigured":{"type":"boolean"},"suppressionState":{"$ref":"#/components/schemas/BTMSuppressionState-1924"},"validRevisionReference":{"type":"boolean"},"version":{"type":"integer","format":"int32"}}}]},"BTInstanceControlNode-750":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"suppressed":{"type":"boolean"},"suppressedFieldIndex":{"type":"integer","format":"int32"},"suppressionConfigured":{"type":"boolean"},"suppressionState":{"$ref":"#/components/schemas/BTMSuppressionState-1924"}}}]},"BTInstanceFolder-3627":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTInstanceBase-2263"},{"type":"object","properties":{"btType":{"type":"string"},"featureFolder":{"type":"boolean"},"folderEnd":{"type":"boole
an"},"folderStart":{"type":"boolean"},"name":{"type":"string"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"startNodeId":{"type":"string"},"startNodeIdRaw":{"$ref":"#/components/schemas/BTObjectId"}}}]},"BTInstanceStandardContentData-2081":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTReferenceCustomData-1551"},{"type":"object","properties":{"btType":{"type":"string"},"parametersId":{"type":"string"}}}]},"BTIntegrationPartNumberInfo":{"type":"object","properties":{"bomLastSyncedAt":{"type":"string","description":"Item BOM last synced date time","format":"date-time"},"companyId":{"type":"string"},"lastSyncedAt":{"type":"string","description":"Item's last synced date time","format":"date-time"},"partNumber":{"type":"string"},"schemeId":{"type":"string","description":"Id of the part number integration scheme"},"targetItemId":{"type":"string","description":"The target (Arena for example) item unique id to locate the item after integration"}}},"BTIntegrationPartUrlInfo":{"type":"object","properties":{"bomHref":{"type":"string","description":"Integration item BOM link"},"companyId":{"type":"string"},"href":{"type":"string","description":"Integration item link"},"partNumber":{"type":"string"}}},"BTIntegrationProviderInfo":{"type":"object","properties":{"companies":{"type":"array","items":{"$ref":"#/components/schemas/BTBaseInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTInvitationInfo":{"type":"object","properties":{"approvedAt":{"type":"string","format":"date-time"},"approvedBy":{"type":"string"},"approvedUser":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"companyId":{"type":"string"},"companyNameRequired":{"type":"boolean"},"defaultCompanyName":{"type":"string"},"documentId":{"type":"string"},"email":{"type":"string"},"eulaRequired":{"type":"boolean"},"expiresAt":{"type":"string","format":"date-time"},"firstName":{"type":"string"},"firstNameRequired":{"type":"boolean"},"fromUser":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"invitationRole":{"type":"integer","format":"int32"},"invitationState":{"type":"integer","format":"int32"},"invitedAt":{"type":"string","format":"date-time"},"invitedBy":{"type":"string"},"lastName":{"type":"string"},"lastNameRequired":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"phoneNumber":{"type":"string"},"phoneNumberRequired":{"type":"boolean"},"privacyConsentRequired":{"type":"boolean"},"redirectUrl":{"type":"string"},"requestedPlanId":{"type":"string"},"role":{"type":"integer","format":"int32"},"share":{"type":"boolean"},"state":{"type":"integer","format":"int32"},"toUser":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}},"description":"Array of items in the current 
page."},"BTInvitationParams":{"type":"object","properties":{"approveUser":{"type":"boolean"},"cadSystemAtSignup":{"type":"string"},"companyPlan":{"type":"boolean"},"companyUserEmails":{"type":"array","items":{"type":"string"}},"countryCode":{"type":"string"},"defaultCompanyName":{"type":"string"},"description":{"type":"string"},"email":{"type":"string"},"eulaAccepted":{"type":"boolean"},"evalCenter":{"type":"boolean"},"firstName":{"type":"string"},"hearAboutUs":{"type":"string"},"id":{"type":"string"},"intendedUse":{"type":"integer","format":"int32"},"inviteFriendRequest":{"type":"boolean"},"isRecaptchaV3":{"type":"boolean"},"lastName":{"type":"string"},"message":{"type":"string"},"name":{"type":"string"},"password":{"type":"string"},"phoneNumber":{"type":"string"},"planId":{"type":"string"},"privacyConsentAccepted":{"type":"boolean"},"recaptcha":{"type":"string"},"redirectUrl":{"type":"string"},"role":{"type":"integer","format":"int32"},"seats":{"type":"integer","format":"int64"},"signupData":{"type":"object","additionalProperties":{"type":"string"}},"source":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"teamId":{"type":"string"}}},"BTInvitationSummaryInfo":{"type":"object","properties":{"approvedAt":{"type":"string","format":"date-time"},"approvedBy":{"type":"string"},"companyId":{"type":"string"},"companyNameRequired":{"type":"boolean"},"defaultCompanyName":{"type":"string"},"documentId":{"type":"string"},"email":{"type":"string"},"eulaRequired":{"type":"boolean"},"expiresAt":{"type":"string","format":"date-time"},"firstName":{"type":"string"},"firstNameRequired":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"invitationRole":{"type":"integer","format":"int32"},"invitationState":{"type":"integer","format":"int32"},"invitedAt":{"type":"string","format":"date-time"},"invitedBy":{"type":"string"},"lastName":{"type":"string"},"lastNameRequired":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"phoneNumber":{"type":"string"},"phoneNumberRequired":{"type":"boolean"},"privacyConsentRequired":{"type":"boolean"},"redirectUrl":{"type":"string"},"requestedPlanId":{"type":"string"},"role":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTInvitationWithLocaleInfo":{"type":"object","properties":{"approvedAt":{"type":"string","format":"date-time"},"approvedBy":{"type":"string"},"companyId":{"type":"string"},"companyNameRequired":{"type":"boolean"},"defaultCompanyName":{"type":"string"},"documentId":{"type":"string"},"email":{"type":"string"},"eulaRequired":{"type":"boolean"},"expiresAt":{"type":"string","format":"date-time"},"firstName":{"type":"string"},"firstNameRequired":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"invitationRole":{"type":"integer","format":"int32"},"invitationState":{"type":"integer","format":"int32"},"invitedAt":{"type":"string","format":"date-time"},"invitedBy":{"type":"string"},"lastName":{"type":"string"},"lastNameRequired":{"type":"boolean"},"locale":{"$ref":"#/components/schemas/BTLocaleInfo"},"name":{"type":"string","description":"Name of the 
resource."},"phoneNumber":{"type":"string"},"phoneNumberRequired":{"type":"boolean"},"privacyConsentRequired":{"type":"boolean"},"redirectUrl":{"type":"string"},"requestedPlanId":{"type":"string"},"role":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTItemInfo":{"type":"object","properties":{"companyId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"properties":{"type":"object","additionalProperties":{"type":"string"}},"publishState":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTItemParams":{"type":"object","properties":{"companyId":{"type":"string"},"name":{"type":"string"},"publishState":{"type":"integer","format":"int32"}}},"BTJEdit-3734":{"type":"object","properties":{"btType":{"type":"string"}},"description":"An edit that will be applied to the application element's json data.","discriminator":{"propertyName":"btType","mapping":{"BTJEditChange-2636":"#/components/schemas/BTJEditChange-2636","BTJEditDelete-1992":"#/components/schemas/BTJEditDelete-1992","BTJEditInsert-2523":"#/components/schemas/BTJEditInsert-2523","BTJEditList-2707":"#/components/schemas/BTJEditList-2707","BTJEditMove-3245":"#/components/schemas/BTJEditMove-3245"}}},"BTJEditChange-2636":{"required":["value"],"type":"object","properties":{"btType":{"type":"string"}},"description":"Change the value of a node.","example":"In the structure { 'stringKey': 'bar', 'arrayKey': [ 1, 2, 3 ], 'objectKey': { 'subKey': false } } to change 'bar' to 'baz', specify { 'btType': 
'BTJEditChange-2636', 'path': { 'btType': 'BTJPath-3073', 'startNode': '', 'path': [ { 'btType': 'BTJPathKey-3221', 'key': 'stringKey' } ] }, 'value': 'baz' }","allOf":[{"$ref":"#/components/schemas/BTJEdit-3734"},{"type":"object","properties":{"btType":{"type":"string"},"path":{"$ref":"#/components/schemas/BTJPath-3073"},"value":{"type":"object","properties":{"btType":{"type":"string"}}}}}]},"BTJEditDelete-1992":{"type":"object","properties":{"btType":{"type":"string"}},"description":"Deletes the specified node.","example":"In the structure { 'stringKey': 'bar', 'arrayKey': [ 1, 2, 3 ], 'objectKey': { 'subKey': false } } to delete the 'stringKey' node, specify { 'btType' : 'BTJEditDelete-1992', 'path': { 'btType': 'BTJPath-3073', 'startNode': '', 'path': [ { 'btType': 'BTJPathKey-3221', 'key': 'stringKey' } ] } }","allOf":[{"$ref":"#/components/schemas/BTJEdit-3734"},{"type":"object","properties":{"btType":{"type":"string"},"path":{"$ref":"#/components/schemas/BTJPath-3073"}}}]},"BTJEditInsert-2523":{"type":"object","properties":{"btType":{"type":"string"}},"description":"Inserts a value using the specified path.","example":"In the structure { 'stringKey': 'bar', 'arrayKey': [ 1, 2, 3 ], 'objectKey': { 'subKey': false } } to insert 4 at the end of 'arrayKey', specify { 'btType': 'BTJEditInsert-2523', 'path': { 'btType': 'BTJPath-3073', 'startNode': '', 'path': [ { 'btType': 'BTJPathKey-3221', 'key': 'arrayKey' }, { 'btType': 'BTJPathIndex-1871', 'index': -1 } ] }, 'value': 4 }","allOf":[{"$ref":"#/components/schemas/BTJEdit-3734"},{"type":"object","properties":{"btType":{"type":"string"},"path":{"$ref":"#/components/schemas/BTJPath-3073"},"value":{"type":"object","properties":{"btType":{"type":"string"}}}}}]},"BTJEditList-2707":{"type":"object","properties":{"btType":{"type":"string"}},"description":"A list of edits that will be applied in 
order.","allOf":[{"$ref":"#/components/schemas/BTJEdit-3734"},{"type":"object","properties":{"btType":{"type":"string"},"edits":{"type":"array","items":{"$ref":"#/components/schemas/BTJEdit-3734"}}}}]},"BTJEditMove-3245":{"type":"object","properties":{"btType":{"type":"string"}},"description":"Move an existing node from one path to another.","example":"In the structure { 'stringKey': 'bar', 'arrayKey': [ 1, 2, 3 ], 'objectKey': { 'subKey': false } } to move the third value out of 'arrayKey' and into its own node, specify { 'btType': 'BTJEditMove-3245', 'sourcePath': { 'btType': 'BTJPath-3073', 'startNode': '', 'path': [ { 'btType': 'BTJPathKey-3221', 'key': 'arrayKey' }, { 'btType': 'BTJPathIndex-1871', 'index': 2 } ] }, 'destinationPath': { 'btType': 'BTJPath-3073', 'startNode': '', 'path': [ { 'btType': 'BTJPathKey-3221', 'key': 'newKey' } ] } }","allOf":[{"$ref":"#/components/schemas/BTJEdit-3734"},{"type":"object","properties":{"btType":{"type":"string"},"destinationPath":{"$ref":"#/components/schemas/BTJPath-3073"},"sourcePath":{"$ref":"#/components/schemas/BTJPath-3073"}}}]},"BTJPath-3073":{"required":["startNode"],"type":"object","properties":{"btType":{"type":"string"},"path":{"type":"array","items":{"$ref":"#/components/schemas/BTJPathElement-2297"}},"startNode":{"type":"string","description":"Either empty (root) or the nodeId of a node in the tree."}},"description":"Identifies a value in the json data to be operated upon."},"BTJPathElement-2297":{"type":"object","properties":{"btType":{"type":"string"}},"description":"Identifies a node in the json sturcture, beginning at the specified startNode.","discriminator":{"propertyName":"btType","mapping":{"BTJPathIndex-1871":"#/components/schemas/BTJPathIndex-1871","BTJPathKey-3221":"#/components/schemas/BTJPathKey-3221"}}},"BTJPathIndex-1871":{"type":"object","properties":{"btType":{"type":"string"}},"description":"Identifies a value in a json array. 
For insert and move edit destinations, -1 can be used to indicate 'end'.","allOf":[{"$ref":"#/components/schemas/BTJPathElement-2297"},{"type":"object","properties":{"btType":{"type":"string"},"index":{"type":"integer","format":"int32"}}}]},"BTJPathKey-3221":{"type":"object","properties":{"btType":{"type":"string"}},"description":"Identifies a subtree of the json structure by field name.","allOf":[{"$ref":"#/components/schemas/BTJPathElement-2297"},{"type":"object","properties":{"btType":{"type":"string"},"key":{"type":"string"}}}]},"BTJsonMatch-2290":{"type":"object","properties":{"btType":{"type":"string"},"definiteJsonPath":{"type":"string"},"node":{"type":"object","properties":{"btType":{"type":"string"}}}}},"BTJwtIssuerInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"issuerOIDMetadataUrl":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"trusted":{"type":"boolean"},"url":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTJwtIssuerParams":{"type":"object","properties":{"issuerOIDMetadataUrl":{"type":"string"},"name":{"type":"string"},"trusted":{"type":"boolean"},"url":{"type":"string"}}},"BTKeyMouseValuesInfo":{"type":"object","properties":{"keys":{"type":"array","items":{"type":"string"}},"mouseButtons":{"type":"array","items":{"type":"string"}}}},"BTKeyboardShortcutActionInfo":{"type":"object","properties":{"category":{"$ref":"#/components/schemas/BTKeyboardShortcutCategoryInfo"},"displayName":{"type":"string"},"editable":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"scopes":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyboardShortcutScopeInfo"}},"usedInMobileClient":{"type":"boolean"},"visible":{"type":"boolean"}}},"BTKeyboardShortcutCategoryInfo":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}},"BTKeyboardShortcutInfo":{"type":"object","properties":{"action":{"$ref":"#/components/schemas/BTKeyboardShortcutActionInfo"},"default":{"type":"boolean"},"defaultKeySequence":{"type":"array","items":{"type":"string"}},"disabled":{"type":"boolean"},"keySequence":{"type":"array","items":{"type":"string"}}}},"BTKeyboardShortcutParams":{"type":"object","properties":{"actionName":{"type":"string"},"disabled":{"type":"boolean"},"keySequence":{"type":"array","items":{"type":"string"}},"usedInMobileClient":{"type":"boolean"},"visible":{"type":"boolean"}}},"BTKeyboardShortcutScopeInfo":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}},"BTLatestAgreementInfo":{"type":"object","properties":{"accepted":{"type":"boolean"},"content":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of 
the resource."},"options":{"type":"array","items":{"type":"string"}},"reapply":{"type":"boolean"},"type":{"type":"integer","format":"int32"},"version":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTLazilyParsedFeatureScript":{"type":"object","properties":{"checksum":{"$ref":"#/components/schemas/BTUiFeatureStudioChecksum-2438"},"languageVersion":{"type":"integer","format":"int32"},"lines":{"$ref":"#/components/schemas/Lines"},"model":{"$ref":"#/components/schemas/BTMModel-141"},"module":{"$ref":"#/components/schemas/BTPModule-234"},"moduleId":{"$ref":"#/components/schemas/BTPModuleId-235"},"noticeModuleIds":{"$ref":"#/components/schemas/BTPModuleId-235"},"parentLanguageVersion":{"type":"integer","format":"int32","writeOnly":true},"references":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTMicroversionId-366"}},"source":{"type":"string"}}},"BTLegacySearchHit":{"type":"object","properties":{"documentId":{"type":"string"},"highlightedFields":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"hitId":{"type":"string"},"name":{"type":"string"},"projectId":{"type":"string"},"sourceMap":{"type":"object","additionalProperties":{"type":"object"}},"type":{"$ref":"#/components/schemas/BTSearchEntityType"}}},"BTLineDescription-1559":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveDescription-1583"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTLinearDimensionDisplayData-330":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTCenterlineDimensionDisplayData-1798":"#/components/schemas/BTCenterlineDimensionDisplayData-1798","BTEllipseDiameterDimensionDisplayData-1301":"#/components/schemas/BTEllipseDiameterDimensionDisplayData-1301"}},"allOf":[{"$ref":"#/components/schemas/BTD
imensionDisplayData-323"},{"type":"object","properties":{"btType":{"type":"string"},"positionX":{"type":"number","format":"double"},"positionY":{"type":"number","format":"double"},"witnessEndPoint0X":{"type":"number","format":"double"},"witnessEndPoint0Y":{"type":"number","format":"double"},"witnessEndPoint1X":{"type":"number","format":"double"},"witnessEndPoint1Y":{"type":"number","format":"double"}}}]},"BTLinkToLatestDocumentInfo":{"type":"object","properties":{"changedElements":{"type":"array","items":{"type":"string"}}}},"BTLinkToLatestDocumentParams":{"type":"object","properties":{"elements":{"type":"array","items":{"type":"string"}}}},"BTListResponseBTAPIApplicationGrantInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAPIApplicationGrantInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAPIApplicationInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAPIApplicationInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAPIApplicationScopeInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of 
resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAPIApplicationScopeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAPIDeveloperInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAPIDeveloperInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAPIPartnerInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAPIPartnerInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAdminRoleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAdminRoleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are 
available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAdminRolePermissionInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAdminRolePermissionInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAdminTaskInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAdminTaskInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAdminUserRoleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAdminUserRoleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports 
paging."},"BTListResponseBTAgreementInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAgreementInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAliasEntryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAliasEntryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTAliasInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTAliasInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTBaseInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTBaseInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTBillingAccountInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTBillingAccountInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTBulkDocumentUpdateInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTBulkDocumentUpdateInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCapabilityRuleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCapabilityRuleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCapabilityRuleSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCapabilityRuleSummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCapabilitySummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCapabilitySummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCategoryPropertyInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCategoryPropertyInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTChangeInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of 
resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTChangeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTChangeOrderAffectedItemInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTChangeOrderAffectedItemInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTChangeRequestAffectedItemInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTChangeRequestAffectedItemInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTChangeResourceRelationshipInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTChangeResourceRelationshipInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTChangeTaskInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTChangeTaskInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTChangedReleasedPartIdInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTChangedReleasedPartIdInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTClassAssignmentInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTClassAssignmentInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for 
previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTClassroomDocumentInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTClassroomMemberInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTClassroomMemberInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCommentInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCommentInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanyAdminInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of 
resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanyAdminInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanyInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanyInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanyOwnerInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanyOwnerInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanyPermissionsInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanyPermissionsInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are 
available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanySummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanySummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanyUserInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanyUserInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTCompanyUserSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTCompanyUserSummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports 
paging."},"BTListResponseBTDeviceLoginPublicInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTDeviceLoginPublicInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTDocumentCollaboratorInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTDocumentCollaboratorInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTDocumentLikeInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTDocumentLikeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTDomainInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTDomainInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTDraftReleasePackageInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTDraftReleasePackageInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTElementLibrarySummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTElementLibrarySummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTEulaInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTEulaInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTExportRuleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTExportRuleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTExternalAuthInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTExternalAuthInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTFeatureCalloutInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTFeatureCalloutInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTFriendInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of 
resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTFriendInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTIdentityManagementBaseInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTIdentityManagementBaseInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTInAppMessageInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTInAppMessageInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTInsertableInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTInsertableInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are 
available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTIntegrationProviderInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTIntegrationProviderInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTInvitationInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTInvitationInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTItemInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTItemInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports 
paging."},"BTListResponseBTJwtIssuerInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTJwtIssuerInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTLocaleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTLocaleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTMetadataCategoryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTMetadataCategoryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTMetadataPropertySummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTMetadataPropertySummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTMobileNotificationInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTMobileNotificationInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTNumberingSchemeInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTNumberingSchemeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTObjectWorkflowInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTObjectWorkflowInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for 
previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPartNumberingSchemeInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPartNumberingSchemeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPaymentHistoryAdminInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPaymentHistoryAdminInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPaymentHistorySummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPaymentHistorySummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports 
paging."},"BTListResponseBTPermissionInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPermissionInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPlanEulaInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPlanEulaInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPurchaseInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPurchaseInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPurchaseTrailInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTPurchaseTrailInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTPurchaseUserInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTPurchaseUserInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTRbacRoleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTRbacRoleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTReleasePackageItemValidationInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTReleasePackageItemValidationInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous 
page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTReleasePackageSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTReleasePackageSummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTRevisionInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTRevisionInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTRevisionRuleInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTRevisionRuleInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTSiemWebResponseInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of 
resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTSiemWebResponseInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTStandardContentHierarchyInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTStandardContentHierarchyInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTStudentSubmissionInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTStudentSubmissionInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTSuggestedIdentityInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTSuggestedIdentityInfo"}},"next":{"type":"string","description":"URI for next page 
of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTSystemConfigInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTSystemConfigInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTTagInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTTagInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTTeamMemberInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTTeamMemberInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports 
paging."},"BTListResponseBTToolInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTToolInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTTranslationRequestInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTTranslationRequestInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTUserAdminSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTUserAdminSummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTUserDetailSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current 
page.","items":{"$ref":"#/components/schemas/BTUserDetailSummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTUserLifecycleMetricsInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTUserLifecycleMetricsInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTUserNotificationInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTUserNotificationInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTUserNotificationPrefInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTUserNotificationPrefInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are 
available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTUserSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTUserSummaryInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTWebhookEventNotifyDataInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTWebhookEventNotifyDataInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTListResponseBTWebhookInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTWebhookInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports 
paging."},"BTListResponseBTWorkflowObserverOptionInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTWorkflowObserverOptionInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}},"description":"A list of resources that typically supports paging."},"BTLoadDisplayData-837":{"type":"object","properties":{"btType":{"type":"string"},"componentValues":{"$ref":"#/components/schemas/BTVector3d-389"},"directionMateConnectorId":{"type":"string"},"faceLoadDeterministicIds":{"type":"array","items":{"type":"string"}},"hidden":{"type":"boolean"},"isDerivedFeature":{"type":"boolean"},"isDirectionFlipped":{"type":"boolean"},"loadType":{"$ref":"#/components/schemas/GBTLoadType"},"nodeId":{"type":"string"},"occurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"ownerOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"status":{"$ref":"#/components/schemas/GBTAssemblyFeatureDisplayStatus"}}},"BTLocaleInfo":{"type":"object","properties":{"aliases":{"type":"array","items":{"type":"string"}},"description":{"type":"string"},"displayName":{"type":"string"},"displayNameNative":{"type":"string"},"enabled":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTLocationInfo-226":{"type":"object","properties":{"btType":{"type":"string"},"character":{"type":"integer","format":"int32"},"column":{"type":"integer","format":"int32"},"document":{"type":"string"},"elementMicroversion":{"type":"string"},"endCharacter":{"type":"integer","format":"int32"},"endColumn":{"type":"integer","format":"int32"},"endLine":{"type":"integer","format":"int32"},"fromNode":{"$ref":"#/components/schemas/BTPNode-7"},"fromTemplate":{"$ref":"#/components/schemas/BTLocationInfo-226"},"languageVersion":{"type":"integer","format":"int32"},"line":{"type":"integer","format":"int32"},"moduleIds":{"$ref":"#/components/schemas/BTDocumentVersionElementIds-1897"},"nodeId":{"type":"string"},"parseNodeId":{"type":"string"},"parseNodeIdRaw":{"$ref":"#/components/schemas/BTObjectId"},"topLevel":{"type":"string"},"version":{"type":"string"}}},"BTLoggingConfiguration":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"logLevel":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"notes":{"type":"string"},"packageName":{"type":"string"},"serviceName":{"type":"string"}}},"BTLoginParams":{"type":"object","properties":{"deviceId":{"type":"string"},"email":{"type":"string"},"enableTotp":{"type":"boolean"},"isRecaptchaV3":{"type":"boolean"},"password":{"type":"string"},"randomToken":{"type":"string"},"recaptchaToken":{"type":"string"},"rememberTotp":{"type":"boolean"},"rendererPerformanceMeasurement":{"$ref":"#/components/schemas/BTWebRendererPerformanceMeasurementParams"},"totp":{"type":"string"},"webClientCapabilities":{"$ref":"#/components/schemas/BTWebClientCapabilitiesParams"}}},"BTLoginTotpParams":{"type":"object","properties":{"totp":{"type":"string"}}},"BTLookerUsageInfo":{"type":"object","properties":{"analyticsPermission":{"type":"integer","format":"int32"},"analyticsUsers":{"type":"integer","format":"int32"},"companyMemb
ers":{"type":"integer","format":"int32"},"companyName":{"type":"string"},"domainPrefix":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTMArrayParameterItem-1843":{"type":"object","properties":{"btType":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"}}},"BTMAssemblyFeature-887":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblySimulation-2246":"#/components/schemas/BTAssemblySimulation-2246","BTExplosion-2754":"#/components/schemas/BTExplosion-2754","BTExplosionStepFeature-3008":"#/components/schemas/BTExplosionStepFeature-3008","BTMAssemblyFeature1-2218":"#/components/schemas/BTMAssemblyFeature1-2218","BTMAssemblyFeature2-1022":"#/components/schemas/BTMAssemblyFeature2-1022","BTMAssemblyFeatureFolder-2543":"#/components/schemas/BTMAssemblyFeatureFolder-2543","BTMAssemblyPatternFeature-2241":"#/components/schemas/BTMAssemblyPatternFeature-2241","BTMAssemblyReplicateFeature-1351":"#/components/schemas/BTMAssemblyReplicateFeature-1351","BTMGenerativeDesignFeature-3195":"#/components/schemas/BTMGenerativeDesignFeature-3195","BTMGeometryMate-1260":"#/components/schemas/BTMGeometryMate-1260","BTMLoad-3538":"#/components/schemas/BTMLoad-3538","BTMMate-64":"#/components/schemas/BTMMate-64","BTMMateConnector-66":"#/components/schemas/BTMMateConnector-66","BTMMateGroup-65":"#/components/schemas/BTMMateGroup-65","BTMMateRelation-1412":"#/components/schemas/BTMMateRelation-1412","BTMNonGeometricItem-1864":"#/components/schemas/BTMNonGeometricItem-1864","BTMParametricPartStudioFeature-3883":"#/components/schemas/BTMParametricPartStudioFeatu
re-3883"}},"allOf":[{"$ref":"#/components/schemas/BTMFeature-134"},{"type":"object","properties":{"auxiliaryTreeFeature":{"type":"boolean"},"btType":{"type":"string"},"featureFolder":{"type":"boolean"},"featureListFieldIndex":{"type":"integer","format":"int32"},"fieldIndexForOwnedMateConnectors":{"type":"integer","format":"int32"},"occurrenceQueriesFromAllConfigurations":{"type":"array","items":{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"}},"parametricInstanceFeature":{"type":"boolean"},"version":{"type":"integer","format":"int32"}}}]},"BTMAssemblyFeature1-2218":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMAssemblyFeature2-1022":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMAssemblyFeatureFolder-2543":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"folderEnd":{"type":"boolean"},"folderStart":{"type":"boolean"},"startNodeId":{"type":"string"},"startNodeIdRaw":{"$ref":"#/components/schemas/BTObjectId"}}}]},"BTMAssemblyPatternFeature-2241":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"patternType":{"$ref":"#/components/schemas/GBTPatternType"}}}]},"BTMAssemblyReplicateFeature-1351":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMConfigurationData-1560":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-1
9"},{"type":"object","properties":{"btType":{"type":"string"},"currentConfiguration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"currentFSValues":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFSValue-1888"}},"defaultConfigurationValues":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFSValue-1888"}}}}]},"BTMConfigurationParameter-819":{"type":"object","properties":{"btType":{"type":"string"},"generatedParameterId":{"$ref":"#/components/schemas/BTTreeNode-20"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"},"parameterId":{"type":"string"},"parameterName":{"type":"string"},"parameterType":{"$ref":"#/components/schemas/GBTConfigurationParameterType"},"valid":{"type":"boolean"}},"discriminator":{"propertyName":"btType","mapping":{"BTMConfigurationParameterBoolean-2550":"#/components/schemas/BTMConfigurationParameterBoolean-2550","BTMConfigurationParameterEnum-105":"#/components/schemas/BTMConfigurationParameterEnum-105","BTMConfigurationParameterQuantity-1826":"#/components/schemas/BTMConfigurationParameterQuantity-1826","BTMConfigurationParameterString-872":"#/components/schemas/BTMConfigurationParameterString-872"}}},"BTMConfigurationParameterBoolean-2550":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMConfigurationParameter-819"},{"type":"object","properties":{"btType":{"type":"string"},"defaultValue":{"type":"boolean"}}}]},"BTMConfigurationParameterEnum-105":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMConfigurationParameter-819"},{"type":"object","properties":{"btType":{"type":"string"},"defaultValue":{"type":"string"},"enumName":{"type":"string"},"namespace":{"type":"string"},"optionIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"options":{"type":"array","items":{"$ref":"#/components/schemas/BTMEnumOption-592"}}}}]},"BTMConf
igurationParameterQuantity-1826":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMConfigurationParameter-819"},{"type":"object","properties":{"btType":{"type":"string"},"quantityType":{"$ref":"#/components/schemas/GBTQuantityType"},"rangeAndDefault":{"$ref":"#/components/schemas/BTQuantityRange-181"}}}]},"BTMConfigurationParameterString-872":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMConfigurationParameter-819"},{"type":"object","properties":{"btType":{"type":"string"},"defaultValue":{"type":"string"}}}]},"BTMConfiguredValue-1341":{"type":"object","properties":{"btType":{"type":"string"},"configurationValueString":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"},"value":{"$ref":"#/components/schemas/BTMParameter-1"}},"discriminator":{"propertyName":"btType","mapping":{"BTMConfiguredValueByBoolean-1501":"#/components/schemas/BTMConfiguredValueByBoolean-1501","BTMConfiguredValueByEnum-1923":"#/components/schemas/BTMConfiguredValueByEnum-1923"}}},"BTMConfiguredValueByBoolean-1501":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMConfiguredValue-1341"},{"type":"object","properties":{"booleanValue":{"type":"boolean"},"btType":{"type":"string"}}}]},"BTMConfiguredValueByEnum-1923":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMConfiguredValue-1341"},{"type":"object","properties":{"btType":{"type":"string"},"enumName":{"type":"string"},"enumValue":{"type":"string"},"namespace":{"type":"string"}}}]},"BTMDatabaseParameter-2229":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"databaseId":{"type":"string"}}}]},"BTMEnumOption-592":{"type":"object","properties":{"btType":{"type":"string"}},"al
lOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"option":{"type":"string"},"optionName":{"type":"string"}}}]},"BTMFeature-134":{"type":"object","properties":{"btType":{"type":"string"},"featureId":{"type":"string"},"featureType":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"name":{"type":"string"},"namespace":{"type":"string"},"nodeId":{"type":"string"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"returnAfterSubfeatures":{"type":"boolean"},"subFeatures":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"suppressed":{"type":"boolean"},"suppressionConfigured":{"type":"boolean"},"variableStudioReference":{"type":"boolean"}},"discriminator":{"propertyName":"btType","mapping":{"BTMAssemblyFeature-887":"#/components/schemas/BTMAssemblyFeature-887","BTMFeatureInvalid-1031":"#/components/schemas/BTMFeatureInvalid-1031","BTMSketch-151":"#/components/schemas/BTMSketch-151","BTMVariableStudioReference-2764":"#/components/schemas/BTMVariableStudioReference-2764"}}},"BTMFeatureInvalid-1031":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMFeature-134"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMFeatureQueryWithOccurrence-157":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMPartStudioMateConnectorQuery-1324":"#/components/schemas/BTMPartStudioMateConnectorQuery-1324"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"},{"type":"object","properties":{"btType":{"type":"string"},"featureId":{"type":"string"},"featureIdWithOccurrence":{"type":"string"},"partStudioMateConnectorQuery":{"type":"boolean"},"queryData":{"type":"string"}}}]},"BTMFolder-3208":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"typ
e":"object","properties":{"btType":{"type":"string"},"folderId":{"type":"string"},"isStartFolder":{"type":"boolean"},"name":{"type":"string"}}}]},"BTMGenerativeDesignFeature-3195":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"additiveSupportsOccurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"btType":{"type":"string"},"draftOccurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"extrusionOccurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"jsonRecipe":{"$ref":"#/components/schemas/BTMParameterReferenceJSON-790"},"millingOccurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"occurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}}}}]},"BTMGeometryMate-1260":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMImport-136":{"type":"object","properties":{"btType":{"type":"string"},"elementImport":{"type":"boolean"},"importMicroversion":{"type":"string","writeOnly":true},"importedExternalDocumentId":{"type":"string"},"namespace":{"type":"string"},"nodeId":{"type":"string"},"path":{"type":"string"},"version":{"type":"string"}}},"BTMInContextQuery-2254":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryBase-139"},{"type":"object","properties":{"btType":{"type":"string"},"path":{"type":"array","items":{"type":"string"}}}}]},"BTMIndividualCoEdgeQuery-1332":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQuery-138"},{"type":"object","properties":{"btType":{"type":"string"},"edgeQuery":{"$ref":"#/components/schemas/BTMIndividualQuery-138"},"faceQuery":
{"$ref":"#/components/schemas/BTMIndividualQuery-138"}}}]},"BTMIndividualCreatedByQuery-137":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQuery-138"},{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"btType":{"type":"string"},"entityType":{"$ref":"#/components/schemas/GBTEntityType"},"featureId":{"type":"string"},"filterConstruction":{"type":"boolean"}}}]},"BTMIndividualOccurrenceQuery-626":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMIndividualQuery-138":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMIndividualCoEdgeQuery-1332":"#/components/schemas/BTMIndividualCoEdgeQuery-1332","BTMIndividualCreatedByQuery-137":"#/components/schemas/BTMIndividualCreatedByQuery-137","BTMIndividualSketchRegionQuery-140":"#/components/schemas/BTMIndividualSketchRegionQuery-140","BTMIndividualSketchUniqueVerticesQuery-1472":"#/components/schemas/BTMIndividualSketchUniqueVerticesQuery-1472"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryBase-139"},{"type":"object","properties":{"btType":{"type":"string"},"persistentQuery":{"$ref":"#/components/schemas/BTPStatement-269"},"queryStatement":{"$ref":"#/components/schemas/BTPStatement-269"},"variableName":{"$ref":"#/components/schemas/BTMIndividualQuery-138"}}}]},"BTMIndividualQueryBase-139":{"type":"object","properties":{"btType":{"type":"string"},"deterministicIdList":{"$ref":"#/components/schemas/BTMIndividualQueryBase-139"},"deterministicIds":{"type":"array","items":{"type":"string"}},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"},"query":{"$ref":"#/components/schemas/BTMIndividualQueryBase-139"},"queryString":{"type":"string"}},"discriminator":{"propertyName":"b
tType","mapping":{"BTMInContextQuery-2254":"#/components/schemas/BTMInContextQuery-2254","BTMIndividualQuery-138":"#/components/schemas/BTMIndividualQuery-138","BTMIndividualQueryWithOccurrenceBase-904":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"}}},"BTMIndividualQueryWithOccurrence-811":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMInferenceQueryWithOccurrence-1083":"#/components/schemas/BTMInferenceQueryWithOccurrence-1083"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"},{"type":"object","properties":{"btType":{"type":"string"},"entityQuery":{"type":"string"}}}]},"BTMIndividualQueryWithOccurrenceBase-904":{"type":"object","properties":{"btType":{"type":"string"},"deterministicIdList":{"$ref":"#/components/schemas/BTMIndividualQueryBase-139"},"deterministicIds":{"type":"array","items":{"type":"string"}},"fullPathAsString":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"},"occurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"path":{"type":"array","items":{"type":"string"}},"query":{"$ref":"#/components/schemas/BTMIndividualQueryBase-139"},"queryString":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMFeatureQueryWithOccurrence-157":"#/components/schemas/BTMFeatureQueryWithOccurrence-157","BTMIndividualOccurrenceQuery-626":"#/components/schemas/BTMIndividualOccurrenceQuery-626","BTMIndividualQueryWithOccurrence-811":"#/components/schemas/BTMIndividualQueryWithOccurrence-811","BTMMeshPointQuery-1183":"#/components/schemas/BTMMeshPointQuery-1183"}}},"BTMIndividualSketchRegionQuery-140":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQuery-138"},{"type":"object","properties":{"btType":{"type":"string"},"featureId":{"type":"string"},"filterInnerLoops":{"type":"boolean"}}}]},"BTMIndividualSketchUniqueVer
ticesQuery-1472":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQuery-138"},{"type":"object","properties":{"btType":{"type":"string"},"featureId":{"type":"string"}}}]},"BTMInferenceQueryWithOccurrence-1083":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrence-811"},{"type":"object","properties":{"btType":{"type":"string"},"inferenceType":{"$ref":"#/components/schemas/GBTEntityInferenceType"},"secondDeterministicId":{"type":"string"},"secondEntityQuery":{"type":"string"}}}]},"BTMLoad-3538":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"definedByComponents":{"type":"boolean"},"directionFlipped":{"type":"boolean"},"fgsBaseUnits":{"type":"string"},"loadComponentParameterIds":{"type":"object","additionalProperties":{"type":"string"}},"loadRegionParameterId":{"type":"string"},"loadType":{"$ref":"#/components/schemas/GBTLoadType"},"magnitudeParameterId":{"type":"string"},"magnitudeQuantityType":{"$ref":"#/components/schemas/GBTQuantityType"},"structuralLoad":{"type":"boolean"},"suppressedInSimulations":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}}]},"BTMMate-64":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"mateConnectorQueryList":{"$ref":"#/components/schemas/BTMParameterQueryWithOccurrenceList-67"},"mateConnectors":{"type":"array","items":{"$ref":"#/components/schemas/BTMMateConnector-66"}},"mateType":{"$ref":"#/components/schemas/GBTMateType"}}}]},"BTMMateConnector-66":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"t
ype":"string"},"implicit":{"type":"boolean"},"isAuxiliaryTreeMateConnector":{"type":"boolean"},"isHidden":{"type":"boolean"},"savedFeatureType":{"type":"string"}}}]},"BTMMateGroup-65":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMMateRelation-1412":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMMeshPointQuery-1183":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"},{"type":"object","properties":{"btType":{"type":"string"},"origin":{"$ref":"#/components/schemas/BTVector3d-389"}}}]},"BTMModel-141":{"type":"object","properties":{"allFeatures":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"allFeaturesAndOtherReferences":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"allFeaturesAndSubFeatures":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"btType":{"type":"string"},"children":{"type":"array","items":{"$ref":"#/components/schemas/BTMNode-19"}},"configurationData":{"$ref":"#/components/schemas/BTMConfigurationData-1560"},"configured":{"type":"boolean"},"deepImports":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTImport"}}},"defaultFeatures":{"$ref":"#/components/schemas/BTDefaultFeatures-119"},"defaultUnits":{"$ref":"#/components/schemas/BTMUnitsDefault-160"},"featureImports":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTImport"}}},"firstRollbackIndex":{"type":"integer","format":"int32"},"importMicroversion":{"type":"string","writeOnly":true},"importSet":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTPMo
duleId-235"}},"imports":{"type":"array","items":{"$ref":"#/components/schemas/BTMImport-136"}},"isVariableStudio":{"type":"boolean"},"lastFeatureBeforeRollBack":{"$ref":"#/components/schemas/BTMFeature-134"},"name":{"type":"string"},"nodeId":{"type":"string"},"partProperties":{"$ref":"#/components/schemas/BTPartProperties-293"},"pathToCache":{"$ref":"#/components/schemas/BTCacheDataPath-191"},"properties":{"$ref":"#/components/schemas/BTModelProperties-1258"},"rollbackBar":{"$ref":"#/components/schemas/BTMRollback-150"},"rolledBackToEnd":{"type":"boolean"},"variableStudios":{"type":"array","items":{"$ref":"#/components/schemas/BTMVariableStudioReference-2764"}}}},"BTMNode-19":{"type":"object","properties":{"btType":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblySimulationData-978":"#/components/schemas/BTAssemblySimulationData-978","BTInstanceBase-2263":"#/components/schemas/BTInstanceBase-2263","BTInstanceControlNode-750":"#/components/schemas/BTInstanceControlNode-750","BTMArrayParameterItem-1843":"#/components/schemas/BTMArrayParameterItem-1843","BTMConfigurationData-1560":"#/components/schemas/BTMConfigurationData-1560","BTMConfigurationParameter-819":"#/components/schemas/BTMConfigurationParameter-819","BTMConfiguredValue-1341":"#/components/schemas/BTMConfiguredValue-1341","BTMEnumOption-592":"#/components/schemas/BTMEnumOption-592","BTMFeature-134":"#/components/schemas/BTMFeature-134","BTMFolder-3208":"#/components/schemas/BTMFolder-3208","BTMImport-136":"#/components/schemas/BTMImport-136","BTMIndividualQueryBase-139":"#/components/schemas/BTMIndividualQueryBase-139","BTMModel-141":"#/components/schemas/BTMModel-141","BTMNodeInvalid-1772":"#/components/schemas/BTMNodeInvalid-1772","BTMParameter-1":"#/components/schemas/BTMParameter-1","BTMRecordMetrics-1169":"#/components/schemas/BTMRecordMetrics-1169","BTMRollback-150":"#/components/schemas
/BTMRollback-150","BTMSketchEntity-3":"#/components/schemas/BTMSketchEntity-3","BTMSuppressionState-1924":"#/components/schemas/BTMSuppressionState-1924","BTMUnitsDefault-160":"#/components/schemas/BTMUnitsDefault-160","BTMUserCode-161":"#/components/schemas/BTMUserCode-161","BTSimulationInstance-3093":"#/components/schemas/BTSimulationInstance-3093","BTToleranceString-3274":"#/components/schemas/BTToleranceString-3274"}}},"BTMNodeInvalid-1772":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMNonGeometricItem-1864":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"},"itemDefinitionId":{"type":"string"}}}]},"BTMParameter-1":{"type":"object","properties":{"btType":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"},"parameterId":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMDatabaseParameter-2229":"#/components/schemas/BTMDatabaseParameter-2229","BTMParameterAppearance-627":"#/components/schemas/BTMParameterAppearance-627","BTMParameterArray-2025":"#/components/schemas/BTMParameterArray-2025","BTMParameterBlobReference-1679":"#/components/schemas/BTMParameterBlobReference-1679","BTMParameterBoolean-144":"#/components/schemas/BTMParameterBoolean-144","BTMParameterConfigured-2222":"#/components/schemas/BTMParameterConfigured-2222","BTMParameterDerived-864":"#/components/schemas/BTMParameterDerived-864","BTMParameterEnum-145":"#/components/schemas/BTMParameterEnum-145","BTMParameterFeatureList-1749":"#/components/schemas/BTMParameterFeatureList-1749","BTMParameterForeignId-146":"#/components/schemas/BTMParameterForeignId-146","BTMParameterInvalid-1664":"#/components/schemas/BTMParameterInvalid-1664","BTMParameterLookupTablePath-1419":"#/compo
nents/schemas/BTMParameterLookupTablePath-1419","BTMParameterMaterial-1388":"#/components/schemas/BTMParameterMaterial-1388","BTMParameterMultiEnum-3411":"#/components/schemas/BTMParameterMultiEnum-3411","BTMParameterQuantity-147":"#/components/schemas/BTMParameterQuantity-147","BTMParameterQueryList-148":"#/components/schemas/BTMParameterQueryList-148","BTMParameterQueryWithOccurrenceList-67":"#/components/schemas/BTMParameterQueryWithOccurrenceList-67","BTMParameterReference-2434":"#/components/schemas/BTMParameterReference-2434","BTMParameterString-149":"#/components/schemas/BTMParameterString-149","BTMReadOnlyParameter-3800":"#/components/schemas/BTMReadOnlyParameter-3800"}}},"BTMParameterAppearance-627":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"btType":{"type":"string"}}}]},"BTMParameterArray-2025":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTMArrayParameterItem-1843"}}}}]},"BTMParameterBlobReference-1679":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"blobImport":{"$ref":"#/components/schemas/BTMImport-136"},"btType":{"type":"string"},"namespace":{"type":"string"}}}]},"BTMParameterBoolean-144":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"boolean"}}}]},"BTMParameterConfigured-2222":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"configu
rationParameterId":{"type":"string"},"configurationParameterIdFieldIndex":{"type":"integer","format":"int32"},"values":{"type":"array","items":{"$ref":"#/components/schemas/BTMConfiguredValue-1341"}},"valuesFieldIndex":{"type":"integer","format":"int32"}}}]},"BTMParameterDerived-864":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"imports":{"type":"array","items":{"$ref":"#/components/schemas/BTMImport-136"}},"moduleId":{"$ref":"#/components/schemas/BTPModuleId-235"},"namespace":{"type":"string"}}}]},"BTMParameterEnum-145":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"enumName":{"type":"string"},"namespace":{"type":"string"},"value":{"type":"string"}}}]},"BTMParameterFeatureList-1749":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"featureIds":{"type":"array","items":{"type":"string"}}}}]},"BTMParameterForeignId-146":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"foreignId":{"type":"string"},"foreignName":{"type":"string"},"locationInfo":{"$ref":"#/components/schemas/BTForeignDataResponse-1070"}}}]},"BTMParameterInvalid-1664":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterLookupTablePath-1419":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"object","additionalProperties":{"type":"string"}}
}}]},"BTMParameterMaterial-1388":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"material":{"$ref":"#/components/schemas/BTPartMaterial-1445"}}}]},"BTMParameterMultiEnum-3411":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"enumName":{"type":"string"},"namespace":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}}]},"BTMParameterNullableQuantity-807":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterQuantity-147"},{"type":"object","properties":{"btType":{"type":"string"},"isNull":{"type":"boolean"},"nullValue":{"type":"string"}}}]},"BTMParameterProgress-3232":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMReadOnlyParameter-3800"},{"type":"object","properties":{"btType":{"type":"string"},"percentDone":{"type":"number","format":"double"},"status":{"$ref":"#/components/schemas/GBTComputeStatus"},"statusMessage":{"type":"string"}}}]},"BTMParameterQuantity-147":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMParameterNullableQuantity-807":"#/components/schemas/BTMParameterNullableQuantity-807"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"expression":{"type":"string"},"isInteger":{"type":"boolean"},"units":{"type":"string"},"value":{"type":"number","format":"double"}}}]},"BTMParameterQueryList-148":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"queries":{"type":"array","items":{"$ref":"#/components/schemas/BTMIndividualQueryBase-139
"}}}}]},"BTMParameterQueryWithOccurrenceList-67":{"type":"object","properties":{"btType":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"nodeId":{"type":"string"},"occurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"parameterId":{"type":"string"},"queries":{"type":"array","items":{"$ref":"#/components/schemas/BTMIndividualQueryWithOccurrenceBase-904"}}}},"BTMParameterReference-2434":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMParameterReferenceBlob-3281":"#/components/schemas/BTMParameterReferenceBlob-3281","BTMParameterReferenceWithConfiguration-3028":"#/components/schemas/BTMParameterReferenceWithConfiguration-3028"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"documentId":{"type":"string"},"documentVersionId":{"type":"string"},"elementId":{"type":"string"},"elementLibraryData":{"$ref":"#/components/schemas/BTElementLibraryReferenceData-3133"},"featureScriptType":{"type":"string"},"ids":{"type":"array","items":{"type":"string"}},"microversioId":{"type":"string"},"namespace":{"type":"string"}}}]},"BTMParameterReferenceAssembly-938":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterReferenceWithConfiguration-3028"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterReferenceBlob-3281":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMParameterReferenceCADImport-2016":"#/components/schemas/BTMParameterReferenceCADImport-2016","BTMParameterReferenceImage-2014":"#/components/schemas/BTMParameterReferenceImage-2014","BTMParameterReferenceJSON-790":"#/components/schemas/BTMParameterReferenceJSON-790","BTMParameterReferenceTable-917":"#/components/schemas/BTMParameterReferenceTable-917"}},"allOf":[{"$ref":"#/components/schema
s/BTMParameterReference-2434"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterReferenceCADImport-2016":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterReferenceBlob-3281"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterReferenceImage-2014":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterReferenceBlob-3281"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterReferenceJSON-790":{"type":"object","properties":{"btType":{"type":"string"},"documentId":{"type":"string"},"documentVersionId":{"type":"string"},"elementId":{"type":"string"},"elementLibraryData":{"$ref":"#/components/schemas/BTElementLibraryReferenceData-3133"},"featureScriptType":{"type":"string"},"ids":{"type":"array","items":{"type":"string"}},"importMicroversion":{"type":"string","writeOnly":true},"microversioId":{"type":"string"},"namespace":{"type":"string"},"nodeId":{"type":"string"},"parameterId":{"type":"string"}}},"BTMParameterReferencePartStudio-3302":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterReferenceWithConfiguration-3028"},{"type":"object","properties":{"blockBuildFunctionAccess":{"type":"boolean","writeOnly":true},"btType":{"type":"string"},"partIdentity":{"$ref":"#/components/schemas/BTPSOIdentity-2741"},"partQuery":{"$ref":"#/components/schemas/BTMParameterQueryList-148"},"standardContentParametersId":{"type":"string"}}}]},"BTMParameterReferenceTable-917":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterReferenceBlob-3281"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterReferenceVariableStudio-3550":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameterReferenceWithConfiguration-3028"}
,{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMParameterReferenceWithConfiguration-3028":{"type":"object","properties":{"btType":{"type":"string"},"configuration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"documentId":{"type":"string"},"documentVersionId":{"type":"string"},"elementId":{"type":"string"},"elementLibraryData":{"$ref":"#/components/schemas/BTElementLibraryReferenceData-3133"},"featureScriptType":{"type":"string"},"ids":{"type":"array","items":{"type":"string"}},"importMicroversion":{"type":"string","writeOnly":true},"microversioId":{"type":"string"},"namespace":{"type":"string"},"nodeId":{"type":"string"},"parameterId":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMParameterReferenceAssembly-938":"#/components/schemas/BTMParameterReferenceAssembly-938","BTMParameterReferencePartStudio-3302":"#/components/schemas/BTMParameterReferencePartStudio-3302","BTMParameterReferenceVariableStudio-3550":"#/components/schemas/BTMParameterReferenceVariableStudio-3550"}}},"BTMParameterString-149":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"string"}}}]},"BTMParameterStringWithTolerances-4286":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMReadOnlyParameter-3800"},{"type":"object","properties":{"btType":{"type":"string"},"components":{"type":"array","items":{"$ref":"#/components/schemas/BTToleranceString-3274"}}}}]},"BTMParametricPartStudioFeature-3883":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMPartStudioMateConnectorQuery-1324":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMFeatureQueryWithOccurrenc
e-157"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMReadOnlyParameter-3800":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMParameterProgress-3232":"#/components/schemas/BTMParameterProgress-3232","BTMParameterStringWithTolerances-4286":"#/components/schemas/BTMParameterStringWithTolerances-4286"}},"allOf":[{"$ref":"#/components/schemas/BTMParameter-1"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMRecordMetrics-1169":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"doBodyValidation":{"type":"boolean"},"previousFeatureId":{"type":"string"},"references":{"type":"array","items":{"$ref":"#/components/schemas/BTMIndividualQuery-138"}},"useLatestBehavior":{"type":"boolean"}}}]},"BTMRollback-150":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMSketch-151":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMFeature-134"},{"type":"object","properties":{"btType":{"type":"string"},"constraints":{"type":"array","items":{"$ref":"#/components/schemas/BTMSketchConstraint-2"}},"entities":{"type":"array","items":{"$ref":"#/components/schemas/BTMSketchGeomEntity-5"}}}}]},"BTMSketchCompositeEntity-893":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchEntity-3"},{"type":"object","properties":{"btType":{"type":"string"},"subEntities":{"type":"array","items":{"$ref":"#/components/schemas/BTMSketchEntity-3"}}}}]},"BTMSketchConstraint-2":{"type":"object","properties":{"btType":{"type":"string"},"constraintType":{"$ref":"#/components/schemas/GBTConstraintType"},"drivenDimension":{"type":"boolean"},"entityId":{"type":"string"},"entit
yIdAndReplaceInDependentFields":{"type":"string","writeOnly":true},"hasOffsetData1":{"type":"boolean"},"hasOffsetData2":{"type":"boolean"},"hasPierceParameter":{"type":"boolean"},"helpParameters":{"type":"array","items":{"type":"number","format":"double"}},"importMicroversion":{"type":"string","writeOnly":true},"namespace":{"type":"string"},"nodeId":{"type":"string"},"offsetDistance1":{"type":"number","format":"double"},"offsetDistance2":{"type":"number","format":"double"},"offsetOrientation1":{"type":"boolean"},"offsetOrientation2":{"type":"boolean"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"pierceParameter":{"type":"number","format":"double"}}},"BTMSketchCurve-4":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMSketchCurveSegment-155":"#/components/schemas/BTMSketchCurveSegment-155"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchGeomEntity-5"},{"type":"object","properties":{"btType":{"type":"string"},"centerId":{"type":"string"},"geometry":{"$ref":"#/components/schemas/BTCurveGeometry-114"},"internalIds":{"type":"array","items":{"type":"string"}}}}]},"BTMSketchCurveSegment-155":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchCurve-4"},{"type":"object","properties":{"btType":{"type":"string"},"endParam":{"type":"number","format":"double"},"endPointId":{"type":"string"},"offsetCurveExtensions":{"type":"array","items":{"type":"number","format":"double"}},"startParam":{"type":"number","format":"double"},"startPointId":{"type":"string"}}}]},"BTMSketchEntity-3":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMSketchCompositeEntity-893":"#/components/schemas/BTMSketchCompositeEntity-893","BTMSketchConstraint-2":"#/components/schemas/BTMSketchConstraint-2","BTMSketchGeomEntity-5":"#/components/schemas/BTMSketchGeomEntity-5","BTMSketchInva
lid-1601":"#/components/schemas/BTMSketchInvalid-1601"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"entityId":{"type":"string"},"entityIdAndReplaceInDependentFields":{"type":"string","writeOnly":true},"namespace":{"type":"string"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}}}}]},"BTMSketchGeomEntity-5":{"type":"object","properties":{"btType":{"type":"string"},"controlBoxIds":{"type":"array","items":{"type":"string"}},"entityId":{"type":"string"},"entityIdAndReplaceInDependentFields":{"type":"string","writeOnly":true},"importMicroversion":{"type":"string","writeOnly":true},"isConstruction":{"type":"boolean"},"isFromEndpointSplineHandle":{"type":"boolean"},"isFromSplineControlPolygon":{"type":"boolean"},"isFromSplineHandle":{"type":"boolean"},"namespace":{"type":"string"},"nodeId":{"type":"string"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}}},"discriminator":{"propertyName":"btType","mapping":{"BTMSketchCurve-4":"#/components/schemas/BTMSketchCurve-4","BTMSketchImageEntity-763":"#/components/schemas/BTMSketchImageEntity-763","BTMSketchPoint-158":"#/components/schemas/BTMSketchPoint-158","BTMSketchTextEntity-1761":"#/components/schemas/BTMSketchTextEntity-1761"}}},"BTMSketchImageEntity-763":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchGeomEntity-5"},{"type":"object","properties":{"aspectRatio":{"type":"number","format":"double"},"btType":{"type":"string"},"originX":{"type":"number","format":"double"},"originY":{"type":"number","format":"double"},"xaxisX":{"type":"number","format":"double"},"xaxisY":{"type":"number","format":"double"}}}]},"BTMSketchInvalid-1601":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchEntity-3"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMSketchPoint-158":{"t
ype":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchGeomEntity-5"},{"type":"object","properties":{"btType":{"type":"string"},"isUserPoint":{"type":"boolean"},"x":{"type":"number","format":"double"},"y":{"type":"number","format":"double"}}}]},"BTMSketchTextEntity-1761":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSketchGeomEntity-5"},{"type":"object","properties":{"ascent":{"type":"number","format":"double"},"baselineDirectionX":{"type":"number","format":"double"},"baselineDirectionY":{"type":"number","format":"double"},"baselineStartX":{"type":"number","format":"double"},"baselineStartY":{"type":"number","format":"double"},"btType":{"type":"string"},"fontName":{"type":"string"},"text":{"type":"string"}}}]},"BTMSuppressionState-1924":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTMSuppressionStateConfigured-2598":"#/components/schemas/BTMSuppressionStateConfigured-2598"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTMSuppressionStateConfigured-2598":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMSuppressionState-1924"},{"type":"object","properties":{"btType":{"type":"string"},"configurationParameterId":{"type":"string"},"configurationParameterIdFieldIndex":{"type":"integer","format":"int32"},"values":{"type":"array","items":{"$ref":"#/components/schemas/BTMConfiguredValue-1341"}},"valuesFieldIndex":{"type":"integer","format":"int32"}}}]},"BTMUnitsDefault-160":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"units":{"type":"object","additionalProperties":{"type":"string"}}}}]},"BTMUserCode-161":{"type":"object","properties":{"btType":{"type":"string"}},"
allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"parsed":{"$ref":"#/components/schemas/BTPStatement-269"},"statement":{"type":"string"}}}]},"BTMVariableStudioReference-2764":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMFeature-134"},{"type":"object","properties":{"apiConfiguration":{"$ref":"#/components/schemas/BTApiConfiguration"},"btType":{"type":"string"},"configuration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"documentId":{"type":"string"},"elementId":{"type":"string"},"entireVariableStudio":{"type":"boolean"},"isAutomatic":{"type":"boolean"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"partialReference":{"type":"boolean"},"referenceId":{"type":"string"},"referenceNamespace":{"type":"string"},"referenceParameter":{"$ref":"#/components/schemas/BTMParameterReferenceWithConfiguration-3028"},"unsetAutomaticEdit":{"$ref":"#/components/schemas/BTTreeEdit-13"},"validRevisionReference":{"type":"boolean"},"variableNames":{"type":"array","items":{"type":"string"}},"versionId":{"type":"string"}}}]},"BTManageMembersByCSVInfo":{"type":"object","properties":{"failureCount":{"type":"integer","format":"int32"},"failures":{"type":"object","additionalProperties":{"type":"string"}},"results":{"type":"array","items":{"$ref":"#/components/schemas/BTAddMemberResultInfo"}},"success":{"type":"object","additionalProperties":{"type":"string"}},"successCount":{"type":"integer","format":"int32"}}},"BTMarkVersionsImmutableInfo":{"type":"object","properties":{"failures":{"type":"object","additionalProperties":{"type":"string"}},"successes":{"type":"array","items":{"type":"string"}}}},"BTMarkVersionsImmutableParams":{"type":"object","properties":{"documentIds":{"type":"array","items":{"type":"string"}}}},"BTMassPropertiesBulkInfo":{"type":"object","properties":{"bodies":{"type":"object","additionalProperties":{"$ref":"#/
components/schemas/BTMassPropertiesInfo"}},"microversionId":{"type":"string"}}},"BTMassPropertiesInfo":{"type":"object","properties":{"centroid":{"type":"array","items":{"type":"number","format":"double"}},"hasMass":{"type":"boolean"},"inertia":{"type":"array","items":{"type":"number","format":"double"}},"mass":{"type":"array","items":{"type":"number","format":"double"}},"massMissingCount":{"type":"integer","format":"int32"},"periphery":{"type":"array","items":{"type":"number","format":"double"}},"principalAxes":{"type":"array","items":{"$ref":"#/components/schemas/BTVector3d-389"}},"principalInertia":{"type":"array","items":{"type":"number","format":"double"}},"volume":{"type":"array","items":{"type":"number","format":"double"}}}},"BTMatchingStandardContentHierarchyInfo":{"type":"object","properties":{"category":{"type":"array","items":{"type":"string"}},"categoryDefault":{"type":"string"},"componentDocumentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"standard":{"type":"array","items":{"type":"string"}},"standardDefault":{"type":"string"},"type":{"type":"array","items":{"type":"string"}},"typeDefault":{"type":"string"},"types":{"type":"array","items":{"type":"string"}},"typesDefault":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTMateConnectorCSInfo":{"type":"object","properties":{"getxAxis":{"type":"array","items":{"type":"number","format":"double"}},"getyAxis":{"type":"array","items":{"type":"number","format":"double"}},"getzAxis":{"type":"array","items":{"type":"number","format":"double"}},"origin":{"type":"array","items":{"type":"number","format":"double"}}}},"BTMateConnectorDisplayData-94":{"type":"object","properties":{"btType":{"type":"string"},"elementId":{"type":"string"},"entityIds":{"type":"array","items":{"type":"string"}},"hidden":{"type":"boolean"},"implicit":{"type":"boolean"},"isDerivedFeature":{"type":"boolean"},"location":{"$ref":"#/components/schemas/BTCoordinateSystem-387"},"nodeId":{"type":"string"},"occurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"ownerOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"partId":{"type":"string"}}},"BTMateConnectorEntity-28":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureEntity-34"},{"type":"object","properties":{"btType":{"type":"string"},"coordinateSystem":{"$ref":"#/components/schemas/BTCoordinateSystem-387"},"partId":{"type":"string"}}}]},"BTMateConnectorFilter-163":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"requiresOccurrence":{"type":"boolean"}}}]},"BTMateDisplayData-1358":{"type":"object","properties":{"btType":{"type":"string"},"hidden":{"type":"boolean"},"isDerivedFeature":{"type":"boolean"},"mateConnectorIds":{"type":"array","items":{"type":"string"}},"mateType":{"$ref":"#/components/schemas/GBTMateType"},"nodeId":{"type":"string"},"ownerOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"status":{"$ref":"#/components/schemas/GBTAssemblyFeatureDisplayStatus"}}},"BTMateFilter-162":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btTy
pe","mapping":{"BTAllowedMateTypeFilter-1511":"#/components/schemas/BTAllowedMateTypeFilter-1511"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"requireMateQueryData":{"type":"boolean"},"topLevelMateOnly":{"type":"boolean"}}}]},"BTMateGroupDisplayData-1990":{"type":"object","properties":{"btType":{"type":"string"},"hidden":{"type":"boolean"},"isDerivedFeature":{"type":"boolean"},"nodeId":{"type":"string"},"occurrenceIds":{"type":"array","items":{"type":"string"}},"ownerOccurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"status":{"$ref":"#/components/schemas/GBTAssemblyFeatureDisplayStatus"}}},"BTMateOccurrenceData-1671":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureOccurrenceData-775"},{"type":"object","properties":{"btType":{"type":"string"},"valueMap":{"type":"object","additionalProperties":{"type":"number","format":"double"}},"values":{"type":"array","items":{"type":"number","format":"double"}}}}]},"BTMaterialLibraryMetadataInfo":{"type":"object","properties":{"documentId":{"type":"string"},"documentName":{"type":"string"},"elementId":{"type":"string"},"isPublic":{"type":"boolean"},"libraryName":{"type":"string"},"ownerName":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTMaterialLibrarySettingsInfo":{"type":"object","properties":{"companyLibraries":{"type":"array","items":{"$ref":"#/components/schemas/BTMaterialLibraryMetadataInfo"}},"libraries":{"type":"array","items":{"$ref":"#/components/schemas/BTMaterialLibraryMetadataInfo"}}}},"BTMaterialParams":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"string"},"libraryName":{"type":"string"},"libraryReference":{"$ref":"#/components/schemas/BTExternalElementReferenceInfo"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMaterialPropertyParams"}}}},"BTMaterialPropertyDefinitionInfo":{"type":
"object","properties":{"category":{"type":"string"},"description":{"type":"string"},"displayName":{"type":"string"},"displayUnits":{"type":"string"},"name":{"type":"string"},"type":{"type":"string"},"units":{"type":"string"},"unitsChoices":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTMaterialPropertyParams":{"type":"object","properties":{"category":{"type":"string"},"description":{"type":"string"},"displayName":{"type":"string"},"name":{"type":"string"},"type":{"type":"string"},"units":{"type":"string"},"value":{"type":"string"}}},"BTMatrix3x3-340":{"type":"object","properties":{"btType":{"type":"string"},"m00":{"type":"number","format":"double"},"m01":{"type":"number","format":"double"},"m02":{"type":"number","format":"double"},"m10":{"type":"number","format":"double"},"m11":{"type":"number","format":"double"},"m12":{"type":"number","format":"double"},"m20":{"type":"number","format":"double"},"m21":{"type":"number","format":"double"},"m22":{"type":"number","format":"double"}}},"BTMergePreviewInfo":{"type":"object","properties":{"branchPointMicroversionId":{"type":"string"},"branchPointVersionId":{"type":"string"},"branchPointWorkspaceId":{"type":"string"},"changes":{"type":"array","items":{"$ref":"#/components/schemas/BTElementMergeInfo"}},"isBranchPointAtStart":{"type":"boolean"},"sourceMicroversionId":{"type":"string"},"targetMicroversionId":{"type":"string"}}},"BTMergeStrategy":{"type":"string","enum":["MERGE","KEEP","REPLACE"]},"BTMetadataCategoryInfo":{"type":"object","properties":{"defaultObjectType":{"type":"integer","format":"int32"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"memberCategories":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataCategorySummaryInfo"}},"memberCategoryIds":{"type":"array","items":{"type":"string"}},"name":{"type":"string","description":"Name of the resource."},"objectTypes":{"type":"array","items":{"type":"integer","format":"int32"}},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"publishState":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTMetadataCategoryParams":{"type":"object","properties":{"description":{"type":"string"},"id":{"type":"string"},"memberCategoryIds":{"type":"array","items":{"type":"string"}},"name":{"type":"string"},"objectTypes":{"type":"array","items":{"type":"integer","format":"int32"}},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"publishState":{"type":"integer","format":"int32"}}},"BTMetadataCategorySummaryInfo":{"type":"object","properties":{"defaultObjectType":{"type":"integer","format":"int32"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"objectTypes":{"type":"array","items":{"type":"integer","format":"int32"}},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"publishState":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTMetadataComputedValueInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataValueInfo"},{"type":"object","properties":{"isOverride":{"type":"boolean"}}}]},"BTMetadataElementContainerInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataObjectInfo"},{"type":"object","properties":{"elements":{"$ref":"#/components/schemas/BTMetadataObjectListInfoBTMetadataElementInfo"}}}]},"BTMetadataElementInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataObjectInfo"},{"type":"object","properties":{"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"mimeType":{"type":"string"},"parts":{"$ref":"#/components/schemas/BTMetadataObjectListInfoBTMetadataPartInfo"}}}]},"BTMetadataElementResponse":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataObjectResponse"},{"type":"object","properties":{"dataType":{"type":"string"}}}]},"BTMetadataEnumValue":{"type":"object","properties":{"label":{"type":"string"},"state":{"type":"integer","format":"int32"},"value":{"type":"string"}}},"BTMetadataEnumValueInfo":{"type":"object","properties":{"label":{"type":"string"},"state":{"type":"integer","format":"int32"},"value":{"type":"string"}}},"BTMetadataError":{"type":"string","enum":["NONE","UNKNOWN","FAILED_TO_FIND_PART","FAILED_TO_FIND_ELEMENT","FAILED_TO_FIND_CONFIGURATION","FAILED_TO_FIND_VERSION","FAILED_TO_FIND_WORKSPACE","INVALID_REQUEST_PARAMETERS","FAILED_TO_FIND_DOCUMENT","CANNOT_RETRIEVE_METADATA_FOR_MICROVERSION","FAILED_TO_FIND_NON_GEOMETRIC_ITEM","FAILED_TO_FIND_PROJECT","FAILED_TO_FIND_DOCUMENT_DATA","FAILED_TO_RETRIEVE_METADATA","NON_GEOMETRIC_ITEM_NO_PERMISSIONS","ELEMENT_ID_REQUEST_TYPE_MISMATCH","UNSUPPORTED_ELEMENT_TYPE","FAILED_TO_FIND_TASK","FAILED_TO_FIND_CHANGE_REQUEST","FAILED_TO_FIND_PART_IN_DB","FAILED_TO_FIND_ELEMENT_IN_DB","FAILED_TO_FIND_CHANGE_ORDER","FAILED_TO_FIND_CHANGE_TASK"]},"BTMetadataItemCategoryValueParam":{"type":"object","properties"
:{"categories":{"type":"array","items":{"type":"string"}},"href":{"type":"string"}}},"BTMetadataItemsCategoryParams":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataItemCategoryValueParam"}}}},"BTMetadataObjectInfo":{"required":["jsonType"],"type":"object","properties":{"href":{"type":"string"},"jsonType":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"}},"discriminator":{"propertyName":"jsonType"}},"BTMetadataObjectListInfoBTMetadataElementInfo":{"type":"object","properties":{"href":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataElementInfo"}},"next":{"type":"string"},"prev":{"type":"string"}}},"BTMetadataObjectListInfoBTMetadataObjectInfo":{"type":"object","properties":{"href":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataObjectInfo"}},"next":{"type":"string"},"prev":{"type":"string"}}},"BTMetadataObjectListInfoBTMetadataPartInfo":{"type":"object","properties":{"href":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPartInfo"}},"next":{"type":"string"},"prev":{"type":"string"}}},"BTMetadataObjectResponse":{"required":["jsonType"],"type":"object","properties":{"allowedCategoryIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"id":{"type":"string"},"isConfigured":{"type":"boolean"},"jsonType":{"type":"string"},"metadataObjectType":{"$ref":"#/components/schemas/BTMetadataObjectType"},"propertyIdToError":{"type":"object","additionalProperties":{"type":"string"}},"propertyIdToOverrideStatus":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"propertyIdToSourceType":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"propertyIdToValue":{"type":"object","additionalProperties":{"type":"string"}},"thumbnai
lInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"}},"discriminator":{"propertyName":"jsonType"}},"BTMetadataObjectType":{"type":"string","enum":["GLOBAL","DOCUMENT","PART","ASSEMBLY","DRAWING","PART_STUDIO","BLOB_ELEMENT","APP_ELEMENT","VERSION","WORKSPACE","PROJECT","ITEM","FEATURE_STUDIO","CHANGE_REQUEST","TASK","CHANGE_ORDER","CHANGE_TASK","VARIABLE_STUDIO","DRAWING_ANNOTATIONS"]},"BTMetadataPartInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataObjectInfo"},{"type":"object","properties":{"isFlattenedBody":{"type":"boolean"},"meshState":{"type":"integer","format":"int32"},"partId":{"type":"string"},"partIdentity":{"type":"string"},"partType":{"type":"string"}}}]},"BTMetadataPartResponse":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataObjectResponse"},{"type":"object","properties":{"bodyType":{"type":"string"},"isFlattenedBody":{"type":"boolean"},"meshState":{"type":"integer","format":"int32"},"partIdentity":{"type":"string"},"unflattenedPartId":{"type":"string"}}}]},"BTMetadataProjectInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataObjectInfo"},{"type":"object","properties":{"projectId":{"type":"string"}}}]},"BTMetadataPropertyConfigInfo":{"type":"object","properties":{"categoryId":{"type":"string"},"categorySummaryInfo":{"$ref":"#/components/schemas/BTMetadataCategorySummaryInfo"},"computedPartPropertyConfig":{"$ref":"#/components/schemas/BTComputedPartPropertyConfig"},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataEnumValue"}},"maxCount":{"type":"integer","format":"int32"},"maxDate":{"type":"string","format":"date-time"},"maxLength":{"type":"integer","format":"int32"},"maxValue":{"type":"number","format":"double"},"minCount":{"type":"integer","format":"int32"},"minDate":{"type":"string","format":"date-time"},"minLength":{"type":"integer","format":"int32"},"minValue":{"type":"number","format":"double"},
"multiline":{"type":"boolean"},"multivalued":{"type":"boolean"},"objectType":{"type":"integer","format":"int32"},"pattern":{"type":"string"},"propertyId":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"quantityType":{"type":"integer","format":"int32"},"required":{"type":"boolean"},"schemaId":{"type":"string"}}},"BTMetadataPropertyConfigInfoOld":{"type":"object","properties":{"categoryId":{"type":"string"},"categorySummaryInfo":{"$ref":"#/components/schemas/BTMetadataCategorySummaryInfo"},"defaultValue":{"type":"string"},"displayName":{"type":"string"},"maxCount":{"type":"integer","format":"int32"},"maxDate":{"type":"string","format":"date-time"},"maxLength":{"type":"integer","format":"int32"},"maxValue":{"type":"number","format":"double"},"minCount":{"type":"integer","format":"int32"},"minDate":{"type":"string","format":"date-time"},"minLength":{"type":"integer","format":"int32"},"minValue":{"type":"number","format":"double"},"multiline":{"type":"boolean"},"objectType":{"type":"integer","format":"int32"},"pattern":{"type":"string"},"propertyId":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"required":{"type":"boolean"},"schemaId":{"type":"string"}}},"BTMetadataPropertyConfigParams":{"type":"object","properties":{"categoryId":{"type":"string"},"computedAssemblyPropertyAggregatedPropertyId":{"type":"string"},"computedAssemblyPropertyAggregationOperator":{"type":"integer","format":"int32"},"computedAssemblyPropertyErrorValuePolicy":{"type":"integer","format":"int32"},"computedAssemblyPropertyFilterInverted":{"type":"boolean"},"computedAssemblyPropertyFilterPropertyId":{"type":"string"},"computedAssemblyPropertyMissingValuePolicy":{"type":"integer","format":"int32"},"computedAssemblyPropertySecondaryPropertyId":{"type":"string"},"computedPropertyFunctionName":{"type":"string"},"computedPropertyFunctionNamespace":{"type":"string"},"computedPropertyFunctionReturnType":{"type":"integer","format":"int32"},"defaultValue":{"type":"
string"},"displayName":{"type":"string"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataEnumValue"}},"maxCount":{"type":"integer","format":"int32"},"maxDate":{"type":"string","format":"date-time"},"maxLength":{"type":"integer","format":"int32"},"maxValue":{"type":"number","format":"double"},"minCount":{"type":"integer","format":"int32"},"minDate":{"type":"string","format":"date-time"},"minLength":{"type":"integer","format":"int32"},"minValue":{"type":"number","format":"double"},"multiline":{"type":"boolean"},"multivalued":{"type":"boolean"},"pattern":{"type":"string"},"propertyId":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"quantityType":{"type":"integer","format":"int32"},"required":{"type":"boolean"},"schemaId":{"type":"string"}}},"BTMetadataPropertyConfigSummaryInfo":{"type":"object","properties":{"categoryId":{"type":"string"},"categorySummaryInfo":{"$ref":"#/components/schemas/BTMetadataCategorySummaryInfo"},"displayName":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"propertyId":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"schemaId":{"type":"string"}}},"BTMetadataPropertyInfo":{"type":"object","properties":{"computedAssemblyProperty":{"type":"boolean"},"computedProperty":{"type":"boolean"},"computedPropertyError":{"type":"string"},"dateFormat":{"type":"string"},"defaultValue":{"type":"object"},"dirty":{"type":"boolean"},"editable":{"type":"boolean"},"editableInUi":{"type":"boolean"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataEnumValueInfo"}},"initialValue":{"type":"object"},"multivalued":{"type":"boolean"},"name":{"type":"string"},"propertyId":{"type":"string"},"propertyOverrideStatus":{"type":"integer","format":"int32"},"propertySource":{"type":"integer","format":"int32"},"required":{"type":"boolean"},"schemaId":{"type":"string"},"uiHints":{"$ref":"#/components/schemas/BTMetadataPropertyUiHintsInfo"},"validator":{"$ref":"#/co
mponents/schemas/BTMetadataPropertyValidatorInfo"},"value":{"type":"object"},"valueType":{"type":"string"}}},"BTMetadataPropertyInfoOld":{"type":"object","properties":{"array":{"type":"boolean"},"blobMimeType":{"type":"string"},"description":{"type":"string"},"editableInMicroversion":{"type":"boolean"},"editableInVersion":{"type":"boolean"},"enumValues":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"namespace":{"type":"string"},"objectDefName":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"propertyConfigInfoList":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyConfigInfoOld"}},"propertyConfigSummaryInfoList":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyConfigSummaryInfo"}},"safeName":{"type":"string"},"searchBoost":{"type":"number","format":"double"},"uiReadonlyInMicroversion":{"type":"boolean"},"uiReadonlyInVersion":{"type":"boolean"},"valueType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTMetadataPropertyParams":{"type":"object","properties":{"array":{"type":"boolean"},"blobMimeType":{"type":"string"},"description":{"type":"string"},"editableInMicroversion":{"type":"boolean"},"editableInVersion":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"objectDefName":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"propertyConfigParamList":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyConfigParams"}},"removeFromCategoryIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"searchBoost":{"type":"number","format":"double"},"uiReadonlyInMicroversion":{"type":"boolean"},"uiReadonlyInVersion":{"type":"boolean"},"valueType":{"type":"integer","format":"int32"}}},"BTMetadataPropertySearchInfo":{"type":"object","properties":{"propertyInfo":{"$ref":"#/components/schemas/PropertyDescriptorInfo"},"propertyValues":{"type":"array","items":{"type":"string"}},"totalHits":{"type":"integer","format":"int64"}}},"BTMetadataPropertySearchParams":{"type":"object","properties":{"elementTypes":{"uniqueItems":true,"type":"array","items":{"type":"integer","format":"int32"}},"limit":{"type":"integer","format":"int32"},"locationId":{"type":"string"},"locationType":{"type":"string"},"metadataFilters":{"type":"array","items":{"$ref":"#/components/schemas/MetadataFilter"}},"offset":{"type":"integer","format":"int32"},"ownerId":{"type":"string"},"propertyId":{"type":"string"},"searchKeyword":{"type":"string"}}},"BTMetadataPropertySummaryInfo":{"type":"object","properties":{"description":{"type":"string"},"editableInMicroversion":{"type":"boolean"},"editableInVersion":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"namespace":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"propertyConfigSummaryInfoList":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyConfigSummaryInfo"}},"uiReadonlyInMicroversion":{"type":"boolean"},"uiReadonlyInVersion":{"type":"boolean"},"valueType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTMetadataPropertyUiHintsInfo":{"type":"object","properties":{"multiline":{"type":"boolean"}}},"BTMetadataPropertyUpdateParams":{"type":"object","properties":{"propertyId":{"type":"string","description":"The id of the property that should be edited. This can be retrieved from MetadataCategory:getCategoryProperties."},"value":{"type":"object","description":"The new value for the property."}}},"BTMetadataPropertyValidatorInfo":{"type":"object","properties":{"max":{"type":"number"},"maxCount":{"type":"integer","format":"int32"},"maxDate":{"type":"string","format":"date-time"},"maxLength":{"type":"integer","format":"int32"},"min":{"type":"number"},"minCount":{"type":"integer","format":"int32"},"minDate":{"type":"string","format":"date-time"},"minLength":{"type":"integer","format":"int32"},"pattern":{"type":"string"},"quantityType":{"type":"integer","format":"int32"}}},"BTMetadataResolutionParams":{"type":"object","properties":{"allChildren":{"type":"boolean"},"apiConfiguration":{"type":"string"},"elementId":{"type":"string"},"partId":{"type":"string"},"partIdentity":{"type":"string"},"requestType":{"type":"integer","format":"int32"},"rootId":{"type":"string"},"wvmId":{"type":"string"},"wvmType":{"type":"integer","format":"int32"}}},"BTMetadataResolutionResponse":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/BTMetadataError"},"responses":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataObject
Response"}}}},"BTMetadataSchemaInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"objectType":{"type":"integer","format":"int32"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTMetadataSearchablePropertyInfo":{"type":"object","properties":{"categoryIds":{"type":"array","items":{"type":"string"}},"displayName":{"type":"string"},"editableInMicroversion":{"type":"boolean"},"editableInVersion":{"type":"boolean"},"fieldName":{"type":"string"},"id":{"type":"string"},"jsonName":{"type":"string"},"notAnalyzed":{"type":"boolean"},"objectTypes":{"type":"array","items":{"type":"integer","format":"int32"}},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"rawFieldSuffix":{"type":"string"},"valueType":{"type":"integer","format":"int32"},"values":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}}}},"BTMetadataStateType":{"type":"string","description":"The current state metadata values if 
applicable.","enum":["IN_PROGRESS","PENDING","RELEASED","OBSOLETE","REJECTED","DISCARDED"]},"BTMetadataValueInfo":{"required":["jsonType"],"type":"object","properties":{"jsonType":{"type":"string"},"propertyId":{"type":"string"},"value":{"type":"string"}},"discriminator":{"propertyName":"jsonType"}},"BTMetadataValueType":{"type":"string","enum":["STRING","BOOL","INT","DOUBLE","DATE","ENUM","OBJECT","BLOB","USER","LIST","FOREIGN","CATEGORY","COMPUTED","VALUE_WITH_UNITS"]},"BTMetadataVersionInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataElementContainerInfo"},{"type":"object","properties":{"versionId":{"type":"string"}}}]},"BTMetadataWorkspaceInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTMetadataElementContainerInfo"},{"type":"object","properties":{"workspaceId":{"type":"string"}}}]},"BTMetricParams":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"eventName":{"type":"string"},"eventNamespace":{"type":"string"},"eventTime":{"type":"string","format":"date-time"},"eventType":{"type":"integer","format":"int32"},"propertyMap":{"type":"object","additionalProperties":{"type":"object"}},"systemId":{"type":"string"}}},"BTMetricsListParams":{"type":"object","properties":{"clientTimeStamp":{"type":"integer","format":"int64"},"collectedMetrics":{"type":"array","items":{"$ref":"#/components/schemas/BTMetricParams"}},"eventType":{"type":"integer","format":"int64"}}},"BTMicroversionId-366":{"type":"object","properties":{"btType":{"type":"string"},"deleted":{"type":"boolean"},"theId":{"type":"string"}}},"BTMicroversionIdAndConfiguration-2338":{"type":"object","properties":{"btType":{"type":"string"},"cacheKey":{"type":"string"},"configurationParameterIdToValue":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFSValue-1888"}},"deleted":{"type":"boolean"},"description":{"type":"string"},"microversion":{"$ref":"#/components/schemas/BTMicroversionId-366"}}},"BTMicroversionIdAndC
onfigurationInterval-2364":{"type":"object","properties":{"btType":{"type":"string"},"from":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"},"microversionIdInterval":{"$ref":"#/components/schemas/BTMicroversionIdInterval-367"},"to":{"$ref":"#/components/schemas/BTMicroversionIdAndConfiguration-2338"}}},"BTMicroversionIdInterval-367":{"type":"object","properties":{"btType":{"type":"string"},"from":{"$ref":"#/components/schemas/BTMicroversionId-366"},"to":{"$ref":"#/components/schemas/BTMicroversionId-366"},"trivial":{"type":"boolean"}}},"BTMicroversionInfo":{"type":"object","properties":{"microversion":{"type":"string"}}},"BTMobileAppUpdateInfo":{"type":"object","properties":{"updateRecommended":{"type":"boolean"},"updateRequired":{"type":"boolean"}}},"BTMobileNotificationInfo":{"type":"object","properties":{"acknowledged":{"type":"boolean"},"assignee":{"type":"string"},"commentId":{"type":"string"},"documentId":{"type":"string"},"documentType":{"type":"integer","format":"int32"},"elementId":{"type":"string"},"eventType":{"type":"integer","format":"int32"},"eventTypeId":{"type":"integer","format":"int64"},"folderId":{"type":"string"},"fromUserId":{"type":"string","writeOnly":true},"fromUserIdId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"imageUrl":{"type":"string"},"message":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"releasePackageId":{"type":"string"},"userId":{"type":"string"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}},"description":"Array of items in the current 
page."},"BTMobileNotificationParams":{"type":"object","properties":{"itemsToAcknowledge":{"type":"array","items":{"$ref":"#/components/schemas/Item"}}}},"BTModelBodyParams":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementMicroversionId":{"type":"string"},"partId":{"type":"string"},"partIds":{"type":"array","items":{"type":"string"}},"partQuery":{"type":"string"},"workspaceId":{"type":"string"}}},"BTModelElementParams":{"type":"object","properties":{"name":{"type":"string"}}},"BTModelFormatFullInfo":{"type":"object","properties":{"couldBeAssembly":{"type":"boolean"},"name":{"type":"string"},"translatorName":{"type":"string"},"validDestinationFormat":{"type":"boolean"},"validSourceFormat":{"type":"boolean"}}},"BTModelFormatInfo":{"type":"object","properties":{"couldBeAssembly":{"type":"boolean"},"name":{"type":"string"},"translatorName":{"type":"string"}}},"BTModelProperties-1258":{"type":"object","properties":{"btType":{"type":"string"},"nodeId":{"type":"string"},"subPartProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTOnePartProperties-230"}}}},"BTModelTessellationParams":{"type":"object","properties":{"angleTolerance":{"type":"number","format":"double"},"chordTolerance":{"type":"number","format":"double"},"combineCompositePartConstituents":{"type":"boolean"},"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementMicroversionId":{"type":"string"},"entityIds":{"type":"array","items":{"type":"string"}},"maxFacetWidth":{"type":"number","format":"double"},"outputErrorFaces":{"type":"boolean"},"outputFaceAppearances":{"type":"boolean"},"outputFacetNormals":{"type":"boolean"},"outputGltf":{"type":"boolean"},"outputIndexTable":{"type":"boolean"},"outputSeparateFaceNodes":{"type":"boolean"},"outputTextureCoordinates":{"type":"boolean"},"outputVertexNormals":{"type":"boolean"},"partId":{"type":"string"},"partIds":{"type":"ar
ray","items":{"type":"string"}},"partQuery":{"type":"string"},"precomputedLevelOfDetail":{"type":"string"},"qualityLevel":{"type":"integer","format":"int32"},"useDisplayData":{"type":"boolean"},"workspaceId":{"type":"string"}}},"BTModelingServiceInfo":{"type":"object","properties":{"hostFqdn":{"type":"string"},"port":{"type":"integer","format":"int32"},"protocol":{"type":"string"},"proxied":{"type":"boolean"},"proxyHost":{"type":"string"},"purpose":{"$ref":"#/components/schemas/BTDocumentOpenPurpose"},"routingKey":{"type":"string"},"serviceMgmtIp":{"type":"string"},"wsProtocol":{"type":"string"},"zooKeeperNodeData":{"type":"array","items":{"type":"string","format":"byte"}}}},"BTModifiableEntityOnlyFilter-1593":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"modifiableOnly":{"type":"boolean"}}}]},"BTMongoStatsInfo":{"type":"object","properties":{"stats":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}},"BTMoveElementInfo":{"type":"object","properties":{"elementOriginalToNewMap":{"type":"object","additionalProperties":{"type":"string"}},"errorMessage":{"type":"string"},"isNewDocument":{"type":"boolean"},"newDocumentId":{"type":"string"},"newDocumentName":{"type":"string"},"newDocumentVersionId":{"type":"string"},"newWorkspaceId":{"type":"string"}}},"BTMoveElementParams":{"type":"object","properties":{"anchorElementId":{"type":"string"},"description":{"type":"string"},"elementOriginalToNewMap":{"type":"object","additionalProperties":{"type":"string"}},"elements":{"type":"array","items":{"type":"string"}},"generateUnknownMessages":{"type":"boolean"},"importData":{"type":"array","items":{"type":"string","format":"byte"}},"isCopy":{"type":"boolean"},"isDeepCopy":{"type":"boolean"},"isGroupAnchor":{"type":"boolean"},"isNewDocument":{"type":"boolean"},"isPublic":{"type":"boolean"},"isSelectivePartOut":{"type":"boolean"
},"name":{"type":"string"},"needNewVersion":{"type":"boolean"},"ownerEmail":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"parentId":{"type":"string"},"projectId":{"type":"string"},"selectedGroupIds":{"type":"array","items":{"type":"string"}},"sourceDocumentId":{"type":"string"},"sourceVersionId":{"type":"string"},"sourceWorkspaceId":{"type":"string"},"tags":{"type":"array","items":{"type":"string"}},"targetDocumentId":{"type":"string"},"targetWorkspaceId":{"type":"string"},"versionName":{"type":"string"}}},"BTNameValuePair":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}}},"BTNamedPositionValuesColumnInfo-816":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableColumnInfo-1222"},{"type":"object","properties":{"btType":{"type":"string"},"columnHasError":{"type":"boolean"},"parameterId":{"type":"string"},"parentId":{"type":"string"},"parentName":{"type":"string"}}}]},"BTNamedViewInfo":{"type":"object","properties":{"angle":{"type":"number","format":"double"},"cameraViewport":{"type":"array","items":{"type":"number","format":"double"}},"perspective":{"type":"boolean"},"sectionPlanes":{"type":"array","items":{"$ref":"#/components/schemas/BTSectionPlaneInfo"}},"sectionViewData":{"$ref":"#/components/schemas/BTGraphicsSectionViewStateData-4379"},"viewMatrix":{"type":"array","items":{"type":"number","format":"double"}}}},"BTNamedViewsInfo":{"type":"object","properties":{"namedViews":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTNamedViewInfo"}}}},"BTNewChangesInfo":{"type":"object","properties":{"lastTimeCurrentUserMadeChanges":{"type":"string","format":"date-time"},"workspaceOrVersionIds":{"type":"array","items":{"type":"string"}}}},"BTNextPartNumber":{"type":"object","properties":{"categories":{"type":"array","items":{"$ref":"#/components/schemas/Category"}},"configuration":{"type":"string"},"documentId":{"type"
:"string"},"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"errorMessage":{"type":"string"},"id":{"type":"string"},"mimeType":{"type":"string"},"partId":{"type":"string"},"partNumber":{"type":"string"},"prefix":{"type":"string"},"resourceType":{"type":"integer","format":"int32"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTNextPartNumberParam":{"type":"object","properties":{"categories":{"type":"array","items":{"$ref":"#/components/schemas/BTCategoryParam"}},"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"id":{"type":"string"},"mimeType":{"type":"string"},"numberSchemeResourceTypeId":{"type":"string"},"partId":{"type":"string"},"partNumber":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTNextPartNumbersParam":{"type":"object","properties":{"itemPartNumbers":{"type":"array","items":{"$ref":"#/components/schemas/BTNextPartNumberParam"}},"skipPartNumbers":{"type":"array","items":{"type":"string"}}}},"BTNextRevisionParams":{"type":"object","properties":{"revisionNames":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTNodeReference-21":{"type":"object","properties":{"btType":{"type":"string"},"nodeId":{"type":"string"},"nodeIdRaw":{"$ref":"#/components/schemas/BTObjectId"}}},"BTNonAlignedBoundingBox-4180":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTBoundingBox-1052"},{"type":"object","properties":{"btType":{"type":"string"},"coordinateSystem":{"$ref":"#/components/schemas/BTCoordinateSystem-387"}}}]},"BTNonGeometricItemSearchRequestParams":{"type":"object","properties":{"documentId":{"type":"string"},"entityTypes":{"type":"array","items":{"$ref":"#/components/schemas/BTSearchEntityType"}},"from":{"type":"integer","format":"int32"},"ownerFilters":{"type":"array","items":{"$ref":"#/components/schemas/BTOwner-3114"}
},"query":{"$ref":"#/components/schemas/Query"},"size":{"type":"integer","format":"int32"},"sorts":{"type":"array","items":{"$ref":"#/components/schemas/Sort"}}}},"BTNotFilter-165":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"operand":{"$ref":"#/components/schemas/BTQueryFilter-183"}}}]},"BTNotice-227":{"type":"object","properties":{"btType":{"type":"string"},"expressionErrorInfo":{"$ref":"#/components/schemas/BTParameterExpressionErrorInfo-2037"},"level":{"$ref":"#/components/schemas/GBTNoticeLevel"},"locationInfos":{"type":"array","items":{"$ref":"#/components/schemas/BTLocationInfo-226"}},"message":{"type":"string"},"nodeId":{"type":"string"},"parameterId":{"type":"string"},"stackTrace":{"type":"array","items":{"$ref":"#/components/schemas/BTLocationInfo-226"}},"tryNode":{"$ref":"#/components/schemas/BTNodeReference-21"},"type":{"$ref":"#/components/schemas/GBTNoticeType"}}},"BTNotificationDebugParams":{"type":"object","properties":{"debugSubmitted":{"type":"boolean"}}},"BTNotificationLevel":{"type":"string","enum":["INFO","WARNING","ERROR","MARKETING","PRODUCT","IMPORTANT","ACTION"]},"BTNotificationParams":{"type":"object","properties":{"acknowledged":{"type":"boolean"},"campaignId":{"type":"string"},"deliverAt":{"type":"string","format":"date-time"},"eventKey":{"type":"string"},"expanded":{"type":"boolean"},"id":{"type":"string"},"messageId":{"type":"string"},"messageParams":{"type":"array","items":{"type":"object"}},"messageParamsArray":{"type":"array","items":{"type":"object"}},"notificationLevel":{"$ref":"#/components/schemas/BTNotificationLevel"},"userId":{"type":"string"}}},"BTNullableQuantityRange-1340":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQuantityRange-181"},{"type":"object","properties":{"btType":{"type":"string"},"hasDefaultValue":{"type":"boolean"},"hasMaxValu
e":{"type":"boolean"},"hasMinValue":{"type":"boolean"}}}]},"BTNumberingSchemeInfo":{"required":["schemeResourceTypeId","schemeTypeId"],"type":"object","properties":{"assemblyPrefix":{"type":"string","writeOnly":true},"drawingPrefix":{"type":"string","writeOnly":true},"filePrefix":{"type":"string","writeOnly":true},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"itemPrefix":{"type":"string","writeOnly":true},"name":{"type":"string","description":"Name of the resource."},"nextNumber":{"type":"integer","format":"int64","writeOnly":true},"nextNumberMinWidth":{"type":"integer","format":"int32","writeOnly":true},"partPrefix":{"type":"string","writeOnly":true},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"propertiesMap":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"schemeResourceTypeId":{"type":"string","description":"Scheme resource Id(Release object, Item, Standard content)"},"schemeTypeId":{"type":"string","description":"Scheme types (Manual, Auto or Arena Scheme) Id"},"standardContentPrefix":{"type":"string","writeOnly":true},"variableStudioPrefix":{"type":"string","writeOnly":true},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTOAuth2GrantType":{"type":"string","enum":["password","authorization_code","refresh_token","onshapeSSOv1"]},"BTOAuth2Scope":{"type":"string","description":"Only needed if `grant_type` is 
`authorization_code`","enum":["OAuth2Internal","OAuth2ReadPII","OAuth2Read","OAuth2Write","OAuth2Delete","OAuth2Purchase","OAuth2Share","document.create","document.edit","document.delete","document.read","enterprise.create","enterprise.read","enterprise.edit","enterprise.delete","enterprise.member.create","enterprise.member.read","enterprise.member.edit","enterprise.member.delete","webhook.create","webhook.edit","webhook.read","webhook.delete","PLMIntegration"]},"BTOAuth2TokenRequest":{"type":"object","properties":{"client_id":{"type":"string","description":"Only needed if `grant_type` is `refresh_token` or `authorization_code`"},"client_secret":{"type":"string","description":"Only needed if `grant_type` is `refresh_token` or `authorization_code`"},"grant_type":{"$ref":"#/components/schemas/BTOAuth2GrantType"},"password":{"type":"string","description":"Only needed if `grant_type` is `password`"},"redirect_uri":{"type":"string","description":"Only needed if `grant_type` is `authorization_code`"},"refresh_token":{"type":"string","description":"Only needed if `grant_type` is `refresh_token`"},"rememberTotp":{"type":"string","description":"Only needed if `grant_type` is `password`"},"scope":{"type":"array","description":"Only needed if `grant_type` is `authorization_code`","items":{"$ref":"#/components/schemas/BTOAuth2Scope"}},"sso_token":{"type":"string","description":"Only needed if `grant_type` is `onshapeSSOv1`"},"state":{"type":"string","description":"Only needed if `grant_type` is `authorization_code`"},"totp":{"type":"string","description":"Only needed if `grant_type` is `password`"},"username":{"type":"string","description":"Only needed if `grant_type` is 
`password`"}}},"BTOAuth2TokenResponse":{"type":"object","properties":{"access_token":{"type":"string"},"expires_in":{"type":"string"},"refresh_token":{"type":"string"},"scope":{"type":"string"},"token_type":{"type":"string"}}},"BTObjectId":{"type":"object","properties":{"empty":{"type":"boolean"}}},"BTObjectState":{"type":"string","enum":["DELETED","TRASH","ACTIVE"]},"BTObjectWorkflowInfo":{"type":"object","properties":{"canBeDiscarded":{"type":"boolean","description":"Whether workflowable object can be discarded."},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isDiscarded":{"type":"boolean","description":"Whether workflowable object has been discarded."},"isFrozen":{"type":"boolean","description":"Whether workflowable object has reached terminal state and is frozen."},"metadataState":{"$ref":"#/components/schemas/BTMetadataStateType"},"name":{"type":"string","description":"Name of the resource."},"objectType":{"$ref":"#/components/schemas/BTAPIWorkflowableType"},"stateId":{"type":"string","description":"The current state of object like SETUP, REJECTED etc. 
Custom workflows can have any declared state."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflowId":{"type":"string","description":"The workflow definition id that governs this object's states and transitions."}},"description":"A workflowable object like Release or Task that supports states and transitions."},"BTOccurrence-74":{"type":"object","properties":{"btType":{"type":"string"},"fullPathAsString":{"type":"string"},"headInstanceId":{"type":"string"},"occurrenceWithoutHead":{"$ref":"#/components/schemas/BTOccurrence-74"},"occurrenceWithoutTail":{"$ref":"#/components/schemas/BTOccurrence-74"},"parent":{"$ref":"#/components/schemas/BTOccurrence-74"},"path":{"type":"array","items":{"type":"string"}},"rootOccurrence":{"type":"boolean"},"tailInstanceId":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTOccurrenceWithFullPartIds-1464":"#/components/schemas/BTOccurrenceWithFullPartIds-1464"}}},"BTOccurrenceData-75":{"type":"object","properties":{"btType":{"type":"string"},"featureData":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFeatureOccurrenceData-775"}},"forceHighestQualityTessellation":{"type":"boolean"},"hidden":{"type":"boolean"},"isFixed":{"type":"boolean"},"isHidden":{"type":"boolean"},"nodeId":{"type":"string"},"occurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"transform":{"$ref":"#/components/schemas/BTBSMatrix-386"}}},"BTOccurrenceDisplayData-95":{"type":"object","properties":{"btType":{"type":"string"},"elementId":{"type":"string"},"forceHighestQualityTessellation":{"type":"boolean"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"isHidden":{"type":"boolean"},"isPatternDescendant":{"type":"boolean"},"occurrenceData":{"$ref":"#/components/schemas/BTOccurrenceData-75"},"partIds":{"type":"array","items":{"type":"string"}}}},"BTOccurrenceFilter-166":{"type":"object","properties":{"btType":{"type":"
string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"excludeFlattenedParts":{"type":"boolean"},"excludeParametricPartStudioChildInstance":{"type":"boolean"},"excludeParametricPartStudioInstance":{"type":"boolean"},"excludePatternInstances":{"type":"boolean"},"excludeReplicatedInstances":{"type":"boolean"},"excludeSketch":{"type":"boolean"},"excludeStandardContent":{"type":"boolean"},"excludeStudioInserts":{"type":"boolean"},"excludeSubAssemblies":{"type":"boolean"},"excludeSuppressed":{"type":"boolean"},"includeAssemblyRoot":{"type":"boolean"},"includeParametricInstance":{"type":"boolean"},"includePatternOccurrence":{"type":"boolean"},"solidOrCompositeBodyOnly":{"type":"boolean"},"topLevelOnly":{"type":"boolean"}}}]},"BTOccurrenceWithFullPartIds-1464":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTOccurrence-74"},{"type":"object","properties":{"btType":{"type":"string"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementIdWithDocument-1729"},"partIds":{"type":"array","items":{"type":"string"}},"transform":{"$ref":"#/components/schemas/BTBSMatrix-386"}}}]},"BTOldPermission":{"type":"string","enum":["NOACCESS","ANONYMOUS_ACCESS","READ","READ_COPY_EXPORT","COMMENT","WRITE","RESHARE","FULL","OWNER"]},"BTOneConfigurationPartProperties-1661":{"type":"object","properties":{"btType":{"type":"string"},"configuration":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFSValue-1888"}},"merged":{"$ref":"#/components/schemas/BTOnePartProperties-230"},"nodeId":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTOnePartProperties-230"}},"propertyIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTOnePartProperties-230":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"appearanceForNewCell":{"$ref":"#/components/schemas/B
TGraphicsAppearance-1152"},"btType":{"type":"string"},"changedPropertiesSet":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"customProperties":{"$ref":"#/components/schemas/BTPartCustomProperties-1338"},"material":{"$ref":"#/components/schemas/BTPartMaterial-1445"},"materialForNewCell":{"$ref":"#/components/schemas/BTPartMaterial-1445"},"name":{"type":"string"},"nameForNewCell":{"type":"string"},"nameIfNotNull":{"$ref":"#/components/schemas/BTOnePartProperties-230"},"nodeId":{"type":"string"},"parsedQuery":{"$ref":"#/components/schemas/BTPFunctionDeclaration-246"},"query":{"type":"string"},"queryListParameter":{"$ref":"#/components/schemas/BTMParameterQueryList-148"},"sheetMetalBendOrder":{"type":"array","items":{"type":"string"}},"sheetMetalBendOrderIfNotNull":{"$ref":"#/components/schemas/BTOnePartProperties-230"},"visibility":{"$ref":"#/components/schemas/GBTPartVisibility"}}},"BTOnshapeAdminInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"description":{"type":"string"},"domainPrefix":{"type":"string"},"enterpriseBaseUrl":{"type":"string"},"enterpriseSubtype":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"noPublicDocuments":{"type":"boolean"},"ownerId":{"type":"string"},"secondaryDomainPrefixes":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTOpenApi":{"type":"object","properties":{"openApi":{"$ref":"#/components/schemas/OpenAPI"},"serializeAsOpenApi":{"type":"boolean"}}},"BTOpenApiDiff":{"type":"object","properties":{"diff":{"$ref":"#/components/schemas/ChangedOpenApi"}}},"BTOpenApiDiffRequest":{"type":"object","properties":{"from":{"$ref":"#/components/schemas/BTOpenApi"},"to":{"$ref":"#/components/schemas/BTOpenApi"}}},"BTOrFilter-167":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"operand1":{"$ref":"#/components/schemas/BTQueryFilter-183"},"operand2":{"$ref":"#/components/schemas/BTQueryFilter-183"}}}]},"BTOriginDisplayData-934":{"type":"object","properties":{"btType":{"type":"string"},"hidden":{"type":"boolean"}}},"BTOriginEntity-935":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureEntity-34"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTOtherDocumentSelectorParametersInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTDocumentSelectorParametersInfo"},{"type":"object","properties":{"folderStatePath":{"type":"array","items":{"$ref":"#/components/schemas/BTFolderStateInfo"}},"selectedDocumentId":{"type":"string"},"selectedVersionId":{"type":"string"}}}]},"BTOwner-3114":{"type":"object","properties":{"btType":{"type":"string"},"companyId":{"type":"boolean"},"ownerId":{"type":"string"},"ownerType":{"$ref":"#/components/schemas/BTOwnerType"},"ownerTypeOrdinal":{"type":"integer","format":"int32"},"userId":{"type":"boolean"}}},"BTOwnerInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"isEnterpriseOwnedResource":{"type":"boolean"},"name":{"type":"string","description":"Name of the 
resource."},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTOwnerType":{"type":"string","enum":["USER","COMPANY","ONSHAPE"]},"BTPAnnotation-231":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"},"value":{"$ref":"#/components/schemas/BTPLiteralMap-256"}}},"BTPArgumentDeclaration-232":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"identifier":{"$ref":"#/components/schemas/BTPIdentifier-8"},"name":{"$ref":"#/components/schemas/BTPIdentifier-8"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"standardType":{"$ref":"#/components/schemas/GBTPType"},"startSourceLocation":{"type":"integer","format":"int32"},"type":{"$ref":"#/components/schemas/BTPTypeName-290"},"typeName":{"type":"string"}}},"BTPBuiltinIdentifier-233":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"identifier":{"type":"string"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/compone
nts/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}}},"BTPConversionFunction-1362":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPProcedureDeclarationBase-266"},{"type":"object","properties":{"btType":{"type":"string"},"from":{"$ref":"#/components/schemas/BTPLiteralNumber-258"},"spaceAfterType":{"$ref":"#/components/schemas/BTPSpace-10"},"to":{"$ref":"#/components/schemas/BTPLiteralNumber-258"},"typeName":{"$ref":"#/components/schemas/BTPIdentifier-8"}}}]},"BTPExpression-9":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPExpressionAccess-237":"#/components/schemas/BTPExpressionAccess-237","BTPExpressionAs-238":"#/components/schemas/BTPExpressionAs-238","BTPExpressionBuiltinCall-239":"#/components/schemas/BTPExpressionBuiltinCall-239","BTPExpressionCall-240":"#/components/schemas/BTPExpressionCall-240","BTPExpressionFunction-1325":"#/components/schemas/BTPExpressionFunction-1325","BTPExpressionGroup-241":"#/components/schemas/BTPExpressionGroup-241","BTPExpressionIs-242":"#/components/schemas/BTPExpressionIs-242","BTPExpressionNew-243":"#/components/schemas/BTPExpressionNew-243","BTPExpressionOperator-244":"#/components/schemas/BTPExpressionOperator-244","BTPExpressionSwitch-2632":"#/components/schemas/BTPExpressionSwitch-2632","BTPExpressionTry-1271":"#/components/schemas/BTPExpressionTry-1271","BTPExpressionVarReference-245":"#/components/schemas/BTPExpressionVarReference-245","BTPLiteral-253":"#/components/schemas/BTPLiteral-253"}},"allOf":[{"$ref":"#/components/schemas/BTPPropertyAccessor-23"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTPExpressionAccess-237":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"accessor":{"$ref":"#/components/schemas/BTPPropertyAcce
ssor-23"},"base":{"$ref":"#/components/schemas/BTPExpression-9"},"btType":{"type":"string"},"spaceInAccessor":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPExpressionAs-238":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"operand":{"$ref":"#/components/schemas/BTPExpression-9"},"typeName":{"$ref":"#/components/schemas/BTPTypeName-290"}}}]},"BTPExpressionBuiltinCall-239":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"arguments":{"type":"array","items":{"$ref":"#/components/schemas/BTPExpression-9"}},"btType":{"type":"string"},"name":{"$ref":"#/components/schemas/BTPBuiltinIdentifier-233"},"spaceInEmptyList":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPExpressionCall-240":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"functionExpression":{"$ref":"#/components/schemas/BTPExpression-9"},"functionName":{"$ref":"#/components/schemas/BTPName-261"},"functionNameString":{"type":"string"},"isArrowCall":{"type":"boolean"},"spaceInEmptyList":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPExpressionFunction-1325":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"arguments":{"type":"array","items":{"$ref":"#/components/schemas/BTPArgumentDeclaration-232"}},"body":{"$ref":"#/components/schemas/BTPStatementBlock-271"},"btType":{"type":"string"},"precondition":{"$ref":"#/components/schemas/BTPStatement-269"},"returnType":{"$ref":"#/components/schemas/BTPTypeName-290"},"spaceAfterArglist":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceAfterFunction":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceInEmptyList":{"$ref
":"#/components/schemas/BTPSpace-10"}}}]},"BTPExpressionGroup-241":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"content":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPExpressionIs-242":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"operand":{"$ref":"#/components/schemas/BTPExpression-9"},"typeName":{"$ref":"#/components/schemas/BTPTypeName-290"}}}]},"BTPExpressionNew-243":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"spaceAfterBox":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBetweenNewBox":{"$ref":"#/components/schemas/BTPSpace-10"},"value":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPExpressionOperator-244":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"forExport":{"type":"boolean"},"globalNamespace":{"type":"boolean"},"importMicroversion":{"type":"string","writeOnly":true},"namespace":{"type":"array","items":{"$ref":"#/components/schemas/BTPIdentifier-8"}},"operand1":{"$ref":"#/components/schemas/BTPExpression-9"},"operand2":{"$ref":"#/components/schemas/BTPExpression-9"},"operand3":{"$ref":"#/components/schemas/BTPExpression-9"},"operator":{"$ref":"#/components/schemas/GBTPOperator"},"spaceAfterNamespace":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceAfterOperator":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforeOperator":{"$ref":"#/components/schemas/BTPSpace-10"},"writtenAsFunctionCall":{"type":"boolean"}}}]},"BTPExpressionSwitch-2632":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/comp
onents/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"choices":{"$ref":"#/components/schemas/BTPLiteralMap-256"},"selector":{"$ref":"#/components/schemas/BTPExpression-9"},"spaceAfterSwitch":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPExpressionTry-1271":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"expression":{"$ref":"#/components/schemas/BTPExpression-9"},"silent":{"type":"boolean"},"spaceAfterSilent":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceAfterTry":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPExpressionVarReference-245":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"},"name":{"$ref":"#/components/schemas/BTPName-261"}}}]},"BTPFunctionDeclaration-246":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPFunctionOrPredicateDeclaration-247"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTPFunctionOrPredicateDeclaration-247":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPFunctionDeclaration-246":"#/components/schemas/BTPFunctionDeclaration-246","BTPPredicateDeclaration-265":"#/components/schemas/BTPPredicateDeclaration-265"}},"allOf":[{"$ref":"#/components/schemas/BTPProcedureDeclarationBase-266"},{"type":"object","properties":{"btType":{"type":"string"},"name":{"$ref":"#/components/schemas/BTPIdentifier-8"}}}]},"BTPIdentifier-8":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPPropertyAccessor-23"},{"type":"object","properties":{"btType":{"type":"string"},"identifier":{"type":"string"},"invalidIdentifierForTest":{"type":"string","writeOnly":true}}}]},"BTPLMCategoryInfo":
{"type":"object","properties":{"activated":{"type":"boolean"},"children":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMCategoryInfo"}},"description":{"type":"string"},"id":{"type":"string"},"level":{"type":"integer","format":"int32"},"name":{"type":"string"},"objectType":{"type":"array","items":{"type":"integer","format":"int32"}},"parentId":{"type":"string"},"path":{"type":"string"},"structural":{"type":"boolean"}}},"BTPLMChangeOrderInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lifecycleDate":{"type":"string","description":"Date when state of change order was updated.","format":"date-time"},"lifecycleState":{"type":"string","description":"PLM Change order state name."},"name":{"type":"string","description":"Name of the resource."},"title":{"type":"string","description":"PLM Change order title."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTPLMCustomPropertyErrorInfo":{"type":"object","properties":{"message":{"type":"string"},"onshapePropertyId":{"type":"string"},"plmPropertyId":{"type":"string"}}},"BTPLMCustomPropertyInfo":{"type":"object","properties":{"active":{"type":"boolean"},"associationType":{"type":"integer","format":"int32"},"defaultValue":{"type":"string"},"deleted":{"type":"boolean"},"description":{"type":"string"},"enumValues":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"maxLength":{"type":"integer","format":"int32"},"memberCategories":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"multiSelect":{"type":"boolean"},"name":{"type":"string"},"onshapeType":{"type":"integer","format":"int32"},"required":{"type":"boolean"},"type":{"type":"string"}}},"BTPLMIntegrationMappingInfo":{"type":"object","properties":{"mappedCategories":{"type":"object","additionalProperties":{"type":"string"}},"mappedCustomProperties":{"type":"object","additionalProperties":{"type":"string"}},"onshapeCategories":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataCategoryInfo"}},"onshapeCustomProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTCategoryPropertyInfo"}},"plmCategories":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMCategoryInfo"}},"plmCustomProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMCustomPropertyInfo"}}}},"BTPLMIntegrationMetricsInfo":{"type":"object","properties":{"metrics":{"type":"object","additionalProperties":{"type":"object"}},"users":{"type":"array","items":{"$ref":"#/components/schemas/BTUserSummaryInfo"}}}},"BTPLMIntegrationSettingsInfo":{"type":"object","properties":{"apiToken":{"type":"string"},"apiURI":{"type":"string"},"basicPartNumberFormatGuid":{"type":"string"},"basicPartNumberFormatItemGuid":{"type":"string"},"bomTagAttributeGuid":{"type":"string"},"cacheKeys":{"type":"array","items":{"type":"string"}},"connectionSuccessful":{"type":"boolean"},"customP
ropertyErrorInfo":{"type":"array","items":{"$ref":"#/components/schemas/BTPLMCustomPropertyErrorInfo"}},"email":{"type":"string"},"emailSecret":{"type":"string"},"enabled":{"type":"boolean"},"independentCADRevisions":{"type":"boolean"},"itemSyncOption":{"type":"integer","format":"int32"},"loginMode":{"type":"integer","format":"int32"},"mappedCategories":{"type":"object","additionalProperties":{"type":"string"}},"mappedCustomProperties":{"type":"object","additionalProperties":{"type":"string"}},"mappingInfo":{"$ref":"#/components/schemas/BTPLMIntegrationMappingInfo"},"matchReleaseNameWithChange":{"type":"boolean"},"plmDocumentationName":{"type":"string","description":"Approver name that appears as approver property on drawings when plm user releases packages"},"revisionSyncEnabled":{"type":"boolean"},"standardContentSyncOption":{"type":"integer","format":"int32"},"syncBom":{"type":"boolean"},"syncEnabled":{"type":"boolean"},"syncGltf":{"type":"boolean"},"syncReleaseNotesWithChange":{"type":"boolean"},"syncRequireCategoryMapping":{"type":"boolean"},"syncThumbnail":{"type":"boolean"},"uncategorizedCategoryId":{"type":"string"},"warning":{"type":"string"},"workspaceId":{"type":"string"},"workspaceName":{"type":"string"}}},"BTPLMIntegrationSettingsParams":{"type":"object","properties":{"addUpdateCategoryId":{"type":"string"},"addUpdateMappedCustomProperties":{"type":"object","additionalProperties":{"type":"string"}},"addUpdateOnshapeCategoryId":{"type":"string"},"apiToken":{"type":"string"},"apiURI":{"type":"string"},"basicPartNumberFormatGuid":{"type":"string"},"basicPartNumberFormatItemGuid":{"type":"string"},"bomTagAttributeGuid":{"type":"string"},"connectionSuccessful":{"type":"boolean"},"emailSecret":{"type":"string"},"enabled":{"type":"boolean"},"independentCADRevisions":{"type":"boolean"},"mappedCategories":{"type":"object","additionalProperties":{"type":"string"}},"mappedCustomProperties":{"type":"object","additionalProperties":{"type":"string"}},"matchReleaseNam
eWithChange":{"type":"boolean"},"plmDocumentationName":{"type":"string"},"revisionSyncEnabled":{"type":"boolean"},"syncEnabled":{"type":"boolean"},"syncReleaseNotesWithChange":{"type":"boolean"},"uncategorizedCategoryId":{"type":"string"},"workspaceId":{"type":"string"},"workspaceName":{"type":"string"}}},"BTPLMSyncItemErrorInfo":{"type":"object","properties":{"name":{"type":"string"},"releaseIds":{"type":"array","items":{"type":"string"}},"severity":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"}}},"BTPLMSyncItemsParams":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/BTReleasePackageItemParams"}}}},"BTPLValue-249":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}},"discriminator":{"propertyName":"btType","mapping":{"BTPLValueAccess-250":"#/components/schemas/BTPLValueAccess-250","BTPLValueBoxDereference-251":"#/components/schemas/BTPLValueBoxDereference-251","BTPLValueVarReference-252":"#/components/schemas/BTPLValueVarReference-252"}}},"BTPLValueAccess-250":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLValue-249"},{"type":"object","properties":{"accessor":{"$ref":"#/components/schemas/BTPPropertyAccessor-23"},"base":{"$ref":"#/components/schemas/BTPLValue-249"},"btType":{"type":"string"}}}]},"BTPLValueBoxDereference-251":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLValue-249"},{"type":"object","properties":{"box":{"$ref":"#/components/schemas/BTPExpress
ion-9"},"btType":{"type":"string"},"spaceInside":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPLValueVarReference-252":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLValue-249"},{"type":"object","properties":{"btType":{"type":"string"},"name":{"$ref":"#/components/schemas/BTPIdentifier-8"}}}]},"BTPLiteral-253":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPLiteralArray-254":"#/components/schemas/BTPLiteralArray-254","BTPLiteralBoolean-255":"#/components/schemas/BTPLiteralBoolean-255","BTPLiteralMap-256":"#/components/schemas/BTPLiteralMap-256","BTPLiteralNumber-258":"#/components/schemas/BTPLiteralNumber-258","BTPLiteralString-259":"#/components/schemas/BTPLiteralString-259","BTPLiteralUndefined-260":"#/components/schemas/BTPLiteralUndefined-260"}},"allOf":[{"$ref":"#/components/schemas/BTPExpression-9"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTPLiteralArray-254":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLiteral-253"},{"type":"object","properties":{"btType":{"type":"string"},"spaceInEmptyList":{"$ref":"#/components/schemas/BTPSpace-10"},"trailingComma":{"type":"boolean"}}}]},"BTPLiteralBoolean-255":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLiteral-253"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"type":"boolean"}}}]},"BTPLiteralMap-256":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTPLiteralMapEntry-257"}},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/
components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"spaceInEmptyList":{"$ref":"#/components/schemas/BTPSpace-10"},"startSourceLocation":{"type":"integer","format":"int32"},"trailingComma":{"type":"boolean"}}},"BTPLiteralMapEntry-257":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"key":{"$ref":"#/components/schemas/BTPPropertyAccessor-23"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"},"value":{"$ref":"#/components/schemas/BTPExpression-9"}}},"BTPLiteralNumber-258":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLiteral-253"},{"type":"object","properties":{"btType":{"type":"string"},"integer":{"type":"boolean"},"text":{"type":"string"},"value":{"type":"number","format":"double"}}}]},"BTPLiteralString-259":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLiteral-253"},{"type":"object","properties":{"btType":{"type":"string"},"text":{"type":"string"},"value":{"type":"string"}}}]},"BTPLiteralUndefined-260":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPLiteral-253"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTPModule-234":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPNode-7"},{"type":"object","properties":{"btType":{"type":"string"},"deepImports":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTImport"}}},"imports":{"type":"array","items":{"$ref":"#/components/schemas/BTPTopLevelImport-285"}},"i
sBlob":{"type":"boolean"},"isInternalModule":{"type":"boolean"},"mayHaveImplicitImports":{"type":"boolean"},"pathMap":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTMicroversionId-366"}},"toBeParsed":{"$ref":"#/components/schemas/BTLazilyParsedFeatureScript"},"topLevel":{"type":"array","items":{"$ref":"#/components/schemas/BTPTopLevelNode-286"}},"version":{"$ref":"#/components/schemas/BTPLiteralNumber-258"},"versionNumber":{"type":"integer","format":"int32"}}}]},"BTPModuleId-235":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"dbimportString":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"elementImport":{"type":"boolean"},"endSourceLocation":{"type":"integer","format":"int32"},"externalDocumentWithVersion":{"$ref":"#/components/schemas/BTDocumentWithVersionId"},"externalDocumentWithVersionAndElementId":{"$ref":"#/components/schemas/BTDocumentWithVersionAndElementId"},"externalImport":{"type":"boolean"},"importedDocumentId":{"type":"string"},"importedElementId":{"type":"string"},"importedVersionId":{"type":"string"},"legacy":{"type":"boolean"},"legacyElementName":{"type":"string"},"legacyVersionNumber":{"type":"integer","format":"int32"},"microversion":{"type":"string"},"nodeId":{"type":"string"},"path":{"$ref":"#/components/schemas/BTPLiteralString-259"},"pathPotentiallyValid":{"type":"boolean"},"pathVersion":{"type":"string"},"potentiallyValid":{"type":"boolean"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceAfterPath":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceAfterVersion":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforePath":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforeVersion":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"standardLibrary":{"type":"boolean"},"standardLibraryCommon":{"type":
"boolean"},"startSourceLocation":{"type":"integer","format":"int32"},"validLegacyVersion":{"type":"boolean"},"version":{"$ref":"#/components/schemas/BTPLiteralString-259"},"versionAndMicroversion":{"type":"string"},"versionPotentiallyValid":{"type":"boolean"}}},"BTPName-261":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"forExport":{"type":"boolean"},"globalNamespace":{"type":"boolean"},"identifier":{"$ref":"#/components/schemas/BTPIdentifier-8"},"importMicroversion":{"type":"string","writeOnly":true},"namespace":{"type":"array","items":{"$ref":"#/components/schemas/BTPIdentifier-8"}},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}}},"BTPNode-7":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}},"discriminator":{"propertyName":"btType","mapping":{"BTPAnnotation-231":"#/components/schemas/BTPAnnotation-231","BTPArgumentDeclaration-232":"#/components/schemas/BTPArgumentDeclaration-232","BTPBuiltinIdentifier-233":"#/components/schemas/BTPBuiltinIdentifier-233","BTPLValue-249":"#/components/schemas/BTPLValue-249","BTPLiteralMapEntry-257":"#/components/schemas/BTPLiteralMapEntry-257","BTPModule-234":"#/components/schemas/BTPModule-234","BTPModuleId-235":"#/componen
ts/schemas/BTPModuleId-235","BTPName-261":"#/components/schemas/BTPName-261","BTPPropertyAccessor-23":"#/components/schemas/BTPPropertyAccessor-23","BTPStatement-269":"#/components/schemas/BTPStatement-269","BTPTopLevelNode-286":"#/components/schemas/BTPTopLevelNode-286","BTPTypeName-290":"#/components/schemas/BTPTypeName-290"}}},"BTPOperatorDeclaration-264":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPProcedureDeclarationBase-266"},{"type":"object","properties":{"btType":{"type":"string"},"operator":{"$ref":"#/components/schemas/GBTPOperator"},"spaceAfterOperator":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforeOperator":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPPredicateDeclaration-265":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPFunctionOrPredicateDeclaration-247"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTPProcedureDeclarationBase-266":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPConversionFunction-1362":"#/components/schemas/BTPConversionFunction-1362","BTPFunctionOrPredicateDeclaration-247":"#/components/schemas/BTPFunctionOrPredicateDeclaration-247","BTPOperatorDeclaration-264":"#/components/schemas/BTPOperatorDeclaration-264"}},"allOf":[{"$ref":"#/components/schemas/BTPTopLevelNode-286"},{"type":"object","properties":{"arguments":{"type":"array","items":{"$ref":"#/components/schemas/BTPArgumentDeclaration-232"}},"body":{"$ref":"#/components/schemas/BTPStatementBlock-271"},"btType":{"type":"string"},"precondition":{"$ref":"#/components/schemas/BTPStatement-269"},"returnType":{"$ref":"#/components/schemas/BTPTypeName-290"},"spaceAfterArglist":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceInEmptyList":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPPropertyAccessor-23":{"type":"object","properties":{"atomic":{"type":"boolean"},"btTyp
e":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}},"discriminator":{"propertyName":"btType","mapping":{"BTPExpression-9":"#/components/schemas/BTPExpression-9","BTPIdentifier-8":"#/components/schemas/BTPIdentifier-8"}}},"BTPSOIdentity-2741":{"type":"object","properties":{"btType":{"type":"string"},"theId":{"type":"string"}}},"BTPSpace-10":{"type":"object","properties":{"btType":{"type":"string"},"lines":{"type":"array","items":{"type":"string"}},"nodeId":{"type":"string"},"text":{"type":"string"}}},"BTPStatement-269":{"type":"object","properties":{"annotation":{"$ref":"#/components/schemas/BTPAnnotation-231"},"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}},"discriminator":{"propertyName":"btType","mapping":{"BTPStatementAssignment-270":"#/components/schemas/BTPStatementAssignment-270","BTPStatementBlock-271":"#/components/schemas/BTPStatementBlock-271","BTPStatementBreak-272":"#/components/schemas/BTPStatementBreak-272","BTPStatementCompressedQuery-1237":"#/components/schemas/BTPStatementCompressedQuery-1237","BTPStatementConstantDeclaration-273":"#/components/schemas/BTPStatementConstantDeclaration-273","BTPStatementContinue-274":"#/components/schemas/BTPStatementContinue-274","BTPStatementExpression-275":"
#/components/schemas/BTPStatementExpression-275","BTPStatementIf-276":"#/components/schemas/BTPStatementIf-276","BTPStatementLoop-277":"#/components/schemas/BTPStatementLoop-277","BTPStatementReturn-281":"#/components/schemas/BTPStatementReturn-281","BTPStatementThrow-1080":"#/components/schemas/BTPStatementThrow-1080","BTPStatementTry-1523":"#/components/schemas/BTPStatementTry-1523","BTPStatementVarDeclaration-282":"#/components/schemas/BTPStatementVarDeclaration-282"}}},"BTPStatementAssignment-270":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"lvalue":{"$ref":"#/components/schemas/BTPLValue-249"},"operator":{"$ref":"#/components/schemas/GBTPOperator"},"rvalue":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPStatementBlock-271":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"spaceAfterOpen":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPStatementBreak-272":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"spaceAfterBreak":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPStatementCompressedQuery-1237":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"query":{"type":"string"}}}]},"BTPStatementConstantDeclaration-273":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"identifier":{"$ref":"#/components/schemas/BTPIdentifier-8"},"name":{"$ref":"#/components/schemas/BTPIdentifier-8"},"standardType":{"$ref":"#/components/schemas/GBT
PType"},"type":{"$ref":"#/components/schemas/BTPTypeName-290"},"typeName":{"type":"string"},"value":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPStatementContinue-274":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"spaceAfterContinue":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPStatementExpression-275":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"expression":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPStatementIf-276":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"condition":{"$ref":"#/components/schemas/BTPExpression-9"},"elseBody":{"$ref":"#/components/schemas/BTPStatement-269"},"spaceAfterIf":{"$ref":"#/components/schemas/BTPSpace-10"},"thenBody":{"$ref":"#/components/schemas/BTPStatement-269"}}}]},"BTPStatementLoop-277":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPStatementLoopFor3-278":"#/components/schemas/BTPStatementLoopFor3-278","BTPStatementLoopForIn-279":"#/components/schemas/BTPStatementLoopForIn-279","BTPStatementLoopWhile-280":"#/components/schemas/BTPStatementLoopWhile-280"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"body":{"$ref":"#/components/schemas/BTPStatement-269"},"btType":{"type":"string"},"spaceAfterLoopType":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPStatementLoopFor3-278":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatementLoop-277"},{"type":"object","properties":{"btType":{"type":"string"},"condition":{"$ref":"#/components/schemas/BTPExpression-9
"},"increment":{"$ref":"#/components/schemas/BTPStatement-269"},"initialization":{"$ref":"#/components/schemas/BTPStatement-269"},"spaceAfterInitialization":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforeCondition":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforeIncrement":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPStatementLoopForIn-279":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatementLoop-277"},{"type":"object","properties":{"btType":{"type":"string"},"container":{"$ref":"#/components/schemas/BTPExpression-9"},"identifiers":{"type":"array","items":{"$ref":"#/components/schemas/BTPIdentifier-8"}},"isVarDeclaredHere":{"type":"boolean"},"keyVar":{"$ref":"#/components/schemas/BTPIdentifier-8"},"spaceBeforeVar":{"$ref":"#/components/schemas/BTPSpace-10"},"standardTypes":{"type":"array","items":{"$ref":"#/components/schemas/GBTPType"}},"typeNames":{"type":"array","items":{"type":"string"}},"var":{"$ref":"#/components/schemas/BTPIdentifier-8"}}}]},"BTPStatementLoopWhile-280":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatementLoop-277"},{"type":"object","properties":{"btType":{"type":"string"},"condition":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPStatementReturn-281":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"spaceAfterReturn":{"$ref":"#/components/schemas/BTPSpace-10"},"value":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPStatementThrow-1080":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPStatementTry-1523":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#
/components/schemas/BTPStatement-269"},{"type":"object","properties":{"body":{"$ref":"#/components/schemas/BTPStatementBlock-271"},"btType":{"type":"string"},"catchBlock":{"$ref":"#/components/schemas/BTPStatementBlock-271"},"catchVariable":{"$ref":"#/components/schemas/BTPIdentifier-8"},"identifier":{"$ref":"#/components/schemas/BTPIdentifier-8"},"silent":{"type":"boolean"},"spaceAfterCatch":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBeforeSilent":{"$ref":"#/components/schemas/BTPSpace-10"},"standardType":{"$ref":"#/components/schemas/GBTPType"},"typeName":{"type":"string"}}}]},"BTPStatementVarDeclaration-282":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPStatement-269"},{"type":"object","properties":{"btType":{"type":"string"},"identifier":{"$ref":"#/components/schemas/BTPIdentifier-8"},"name":{"$ref":"#/components/schemas/BTPIdentifier-8"},"standardType":{"$ref":"#/components/schemas/GBTPType"},"type":{"$ref":"#/components/schemas/BTPTypeName-290"},"typeName":{"type":"string"},"value":{"$ref":"#/components/schemas/BTPExpression-9"}}}]},"BTPTopLevelConstantDeclaration-283":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPTopLevelNode-286"},{"type":"object","properties":{"btType":{"type":"string"},"declaration":{"$ref":"#/components/schemas/BTPStatementConstantDeclaration-273"}}}]},"BTPTopLevelEnumDeclaration-284":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPTopLevelTypeDeclaration-287"},{"type":"object","properties":{"annotations":{"type":"array","items":{"$ref":"#/components/schemas/BTPAnnotation-231"}},"btType":{"type":"string"},"spaceInEmptyList":{"$ref":"#/components/schemas/BTPSpace-10"},"trailingComma":{"type":"boolean"},"values":{"type":"array","items":{"$ref":"#/components/schemas/BTPIdentifier-8"}}}}]},"BTPTopLevelImport-285":{"type":"object","properties":{"btType":{"type":"string"}},"all
Of":[{"$ref":"#/components/schemas/BTPTopLevelNode-286"},{"type":"object","properties":{"btType":{"type":"string"},"combinedNamespacePathAndVersion":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"moduleId":{"$ref":"#/components/schemas/BTPModuleId-235"},"namespace":{"type":"array","items":{"$ref":"#/components/schemas/BTPIdentifier-8"}},"namespaceString":{"type":"string"},"spaceBeforeImport":{"$ref":"#/components/schemas/BTPSpace-10"}}}]},"BTPTopLevelNode-286":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPProcedureDeclarationBase-266":"#/components/schemas/BTPProcedureDeclarationBase-266","BTPTopLevelConstantDeclaration-283":"#/components/schemas/BTPTopLevelConstantDeclaration-283","BTPTopLevelImport-285":"#/components/schemas/BTPTopLevelImport-285","BTPTopLevelTypeDeclaration-287":"#/components/schemas/BTPTopLevelTypeDeclaration-287"}},"allOf":[{"$ref":"#/components/schemas/BTPNode-7"},{"type":"object","properties":{"annotation":{"$ref":"#/components/schemas/BTPAnnotation-231"},"argumentsToDocument":{"type":"array","items":{"$ref":"#/components/schemas/BTPArgumentDeclaration-232"}},"btType":{"type":"string"},"deprecated":{"type":"boolean"},"deprecatedExplanation":{"type":"string"},"forExport":{"type":"boolean"},"spaceAfterExport":{"$ref":"#/components/schemas/BTPSpace-10"},"symbolName":{"$ref":"#/components/schemas/BTPIdentifier-8"}}}]},"BTPTopLevelTypeDeclaration-287":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTPTopLevelEnumDeclaration-284":"#/components/schemas/BTPTopLevelEnumDeclaration-284","BTPTopLevelUserTypeDeclaration-288":"#/components/schemas/BTPTopLevelUserTypeDeclaration-288"}},"allOf":[{"$ref":"#/components/schemas/BTPTopLevelNode-286"},{"type":"object","properties":{"btType":{"type":"string"},"name":{"$ref":"#/components/schemas/BTPIdentifier-8"},"spaceAfterVersion":{"$ref":"#/components
/schemas/BTPSpace-10"},"version":{"$ref":"#/components/schemas/BTPLiteralNumber-258"}}}]},"BTPTopLevelUserTypeDeclaration-288":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPTopLevelTypeDeclaration-287"},{"type":"object","properties":{"btType":{"type":"string"},"typecheck":{"$ref":"#/components/schemas/BTPName-261"}}}]},"BTPTypeName-290":{"type":"object","properties":{"atomic":{"type":"boolean"},"btType":{"type":"string"},"documentationType":{"$ref":"#/components/schemas/GBTPDefinitionType"},"endSourceLocation":{"type":"integer","format":"int32"},"nodeId":{"type":"string"},"shortDescriptor":{"type":"string"},"spaceAfter":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceBefore":{"$ref":"#/components/schemas/BTPSpace-10"},"spaceDefault":{"type":"boolean"},"startSourceLocation":{"type":"integer","format":"int32"}},"discriminator":{"propertyName":"btType","mapping":{"BTPTypeNameStandard-291":"#/components/schemas/BTPTypeNameStandard-291","BTPTypeNameUser-292":"#/components/schemas/BTPTypeNameUser-292"}}},"BTPTypeNameStandard-291":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPTypeName-290"},{"type":"object","properties":{"btType":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTPType"}}}]},"BTPTypeNameUser-292":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPTypeName-290"},{"type":"object","properties":{"btType":{"type":"string"},"type":{"$ref":"#/components/schemas/BTPName-261"}}}]},"BTParameterExpressionErrorInfo-2037":{"type":"object","properties":{"btType":{"type":"string"},"errorMessageIdentifier":{"$ref":"#/components/schemas/GBTErrorStringEnum"},"messageArguments":{"type":"array","items":{"$ref":"#/components/schemas/BTValueAndUse-4696"}}}},"BTParameterGroupSpec-3469":{"type":"object","properties":{"additionalLocalizedStrings":{"type":"integer","format":"int32","writeOnly":true},"btType":{"type"
:"string"},"collapsedByDefault":{"type":"boolean"},"drivingParameterId":{"type":"string"},"groupId":{"type":"string"},"groupName":{"type":"string"},"groupOrParameterIds":{"type":"array","items":{"type":"string"}},"localizableName":{"type":"string"},"localizedName":{"type":"string","writeOnly":true},"stringsToLocalize":{"type":"array","items":{"type":"string"}}}},"BTParameterLookupTableEntry-1667":{"type":"object","properties":{"additionalLocalizedStrings":{"type":"integer","format":"int32","writeOnly":true},"btType":{"type":"string"},"label":{"type":"string"},"localizableName":{"type":"string"},"localizedLabel":{"type":"string"},"localizedName":{"type":"string","writeOnly":true},"stringsToLocalize":{"type":"array","items":{"type":"string"}}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterLookupTableListEntry-1916":"#/components/schemas/BTParameterLookupTableListEntry-1916"}}},"BTParameterLookupTableListEntry-1916":{"type":"object","properties":{"additionalLocalizedStrings":{"type":"integer","format":"int32","writeOnly":true},"btType":{"type":"string"},"defaultIndex":{"type":"integer","format":"int32"},"displayName":{"type":"string"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTParameterLookupTableEntry-1667"}},"label":{"type":"string"},"localizableName":{"type":"string"},"localizedLabel":{"type":"string"},"localizedName":{"type":"string","writeOnly":true},"name":{"type":"string"},"stringsToLocalize":{"type":"array","items":{"type":"string"}}}},"BTParameterSpec-6":{"type":"object","properties":{"additionalLocalizedStrings":{"type":"integer","format":"int32","writeOnly":true},"btType":{"type":"string"},"columnName":{"type":"string"},"defaultValue":{"$ref":"#/components/schemas/BTMParameter-1"},"iconUri":{"type":"string"},"localizableName":{"type":"string"},"localizedName":{"type":"string","writeOnly":true},"parameterDescription":{"type":"string"},"parameterId":{"type":"string"},"parameterName":{"type":"string"},"quantityType":{"$r
ef":"#/components/schemas/GBTQuantityType"},"stringsToLocalize":{"type":"array","items":{"type":"string"}},"uiHint":{"type":"string"},"uiHints":{"type":"array","items":{"$ref":"#/components/schemas/GBTUIHint"}},"visibilityCondition":{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterSpecAppearance-1740":"#/components/schemas/BTParameterSpecAppearance-1740","BTParameterSpecArray-2600":"#/components/schemas/BTParameterSpecArray-2600","BTParameterSpecBoolean-170":"#/components/schemas/BTParameterSpecBoolean-170","BTParameterSpecDatabase-1071":"#/components/schemas/BTParameterSpecDatabase-1071","BTParameterSpecDerived-736":"#/components/schemas/BTParameterSpecDerived-736","BTParameterSpecEnum-171":"#/components/schemas/BTParameterSpecEnum-171","BTParameterSpecFeatureList-703":"#/components/schemas/BTParameterSpecFeatureList-703","BTParameterSpecForeignId-172":"#/components/schemas/BTParameterSpecForeignId-172","BTParameterSpecLookupTablePath-761":"#/components/schemas/BTParameterSpecLookupTablePath-761","BTParameterSpecMaterial-2700":"#/components/schemas/BTParameterSpecMaterial-2700","BTParameterSpecMultiEnum-3118":"#/components/schemas/BTParameterSpecMultiEnum-3118","BTParameterSpecNullableQuantity-715":"#/components/schemas/BTParameterSpecNullableQuantity-715","BTParameterSpecQuantity-173":"#/components/schemas/BTParameterSpecQuantity-173","BTParameterSpecQuery-174":"#/components/schemas/BTParameterSpecQuery-174","BTParameterSpecReference-2789":"#/components/schemas/BTParameterSpecReference-2789","BTParameterSpecString-175":"#/components/schemas/BTParameterSpecString-175","BTReadOnlyParameterSpec-1889":"#/components/schemas/BTReadOnlyParameterSpec-1889"}}},"BTParameterSpecAppearance-1740":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecArray-
2600":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"drivenQuery":{"type":"string"},"itemLabelTemplate":{"type":"string"},"itemName":{"type":"string"},"maxNumberOfPicks":{"type":"integer","format":"int32"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTParameterSpec-6"}}}}]},"BTParameterSpecBoolean-170":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecCategories-4083":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecMultiEnum-3118"},{"type":"object","properties":{"btType":{"type":"string"},"categoryIdToMetadataTypes":{"type":"object","additionalProperties":{"type":"array","items":{"type":"integer","format":"int32"}}}}}]},"BTParameterSpecDatabase-1071":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecDerived-736":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecEnum-171":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"enumName":{"type":"string"},"enumValueToVisibilityCondition":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"}},"namespace":{"type":"string"},"optionNames":{"type":"array","items":{"type":"string"}},"options":{"type":"array","items":{"type":"string"}}}}]},"BTParameterSpecFeatureList-703":{"type":"object","properties":{"btType"
:{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecForeignId-172":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecLookupTablePath-761":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"lookupTable":{"$ref":"#/components/schemas/BTParameterLookupTableListEntry-1916"}}}]},"BTParameterSpecMaterial-2700":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecMultiEnum-3118":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterSpecCategories-4083":"#/components/schemas/BTParameterSpecCategories-4083"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"enumName":{"type":"string"},"enumValueToVisibilityCondition":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"}},"multivalued":{"type":"boolean"},"namespace":{"type":"string"},"optionNames":{"type":"array","items":{"type":"string"}},"options":{"type":"array","items":{"type":"string"}}}}]},"BTParameterSpecNullableQuantity-715":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"ranges":{"type":"array","items":{"$ref":"#/components/schemas/BTNullableQuantityRange-1340"}}}}]},"BTParameterSpecProgress-3078":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas
/BTReadOnlyParameterSpec-1889"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecQuantity-173":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"ranges":{"type":"array","items":{"$ref":"#/components/schemas/BTQuantityRange-181"}}}}]},"BTParameterSpecQuery-174":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"additionalBoxSelectFilter":{"$ref":"#/components/schemas/BTQueryFilter-183"},"btType":{"type":"string"},"filter":{"$ref":"#/components/schemas/BTQueryFilter-183"},"maxNumberOfPicks":{"type":"integer","format":"int32"}}}]},"BTParameterSpecReference-2789":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterSpecReferenceAssembly-2821":"#/components/schemas/BTParameterSpecReferenceAssembly-2821","BTParameterSpecReferenceBlob-1367":"#/components/schemas/BTParameterSpecReferenceBlob-1367","BTParameterSpecReferencePartStudio-1256":"#/components/schemas/BTParameterSpecReferencePartStudio-1256","BTParameterSpecReferenceWithConfiguration-2950":"#/components/schemas/BTParameterSpecReferenceWithConfiguration-2950"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"defaultPurpose":{"$ref":"#/components/schemas/BTElementLibraryPurpose-3353"}}}]},"BTParameterSpecReferenceAssembly-2821":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReference-2789"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecReferenceBlob-1367":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterSpecReferenceCADImport-1792":"#/components/schemas/BTParam
eterSpecReferenceCADImport-1792","BTParameterSpecReferenceImage-1722":"#/components/schemas/BTParameterSpecReferenceImage-1722","BTParameterSpecReferenceJSON-1816":"#/components/schemas/BTParameterSpecReferenceJSON-1816","BTParameterSpecReferenceTable-1520":"#/components/schemas/BTParameterSpecReferenceTable-1520"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReference-2789"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecReferenceCADImport-1792":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReferenceBlob-1367"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecReferenceImage-1722":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReferenceBlob-1367"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecReferenceJSON-1816":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReferenceBlob-1367"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecReferencePartStudio-1256":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReference-2789"},{"type":"object","properties":{"allowedInsertableTypes":{"type":"array","items":{"$ref":"#/components/schemas/GBTPartStudioItemType"}},"btType":{"type":"string"},"computedConfigurationInputs":{"type":"array","items":{"$ref":"#/components/schemas/BTComputedConfigurationInputSpec-2525"}},"maxNumberOfPicks":{"type":"integer","format":"int32"}}}]},"BTParameterSpecReferenceTable-1520":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReferenceBlob-1367"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterSpecReferenceWithConfiguration-2950":{"type":"object","properties":{"btType":{"type"
:"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpecReference-2789"},{"type":"object","properties":{"allowAssemblies":{"type":"boolean"},"allowedInsertableTypes":{"type":"array","items":{"$ref":"#/components/schemas/GBTPartStudioItemType"}},"btType":{"type":"string"},"maxNumberOfPicks":{"type":"integer","format":"int32"}}}]},"BTParameterSpecString-175":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"},"disallowsEmptyStrings":{"type":"string","writeOnly":true},"disallowsHtml":{"type":"string","writeOnly":true},"formatConditions":{"type":"array","items":{"$ref":"#/components/schemas/BTStringFormatCondition-683"}}}}]},"BTParameterSpecStringWithTolerances-2535":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTReadOnlyParameterSpec-1889"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterVisibilityAlwaysHidden-176":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParameterVisibilityCondition-177":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterVisibilityAlwaysHidden-176":"#/components/schemas/BTParameterVisibilityAlwaysHidden-176","BTParameterVisibilityLogical-178":"#/components/schemas/BTParameterVisibilityLogical-178","BTParameterVisibilityOnEqual-180":"#/components/schemas/BTParameterVisibilityOnEqual-180"}}},"BTParameterVisibilityLogical-178":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"},{"type":"object","properties":{"btType":{"type":"string"},"children":{"type":"array","items":{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"}},"
operation":{"$ref":"#/components/schemas/GBTParameterVisibilityLogicalOp"}}}]},"BTParameterVisibilityOnEqual-180":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterVisibilityOnMateDOFType-2114":"#/components/schemas/BTParameterVisibilityOnMateDOFType-2114"}},"allOf":[{"$ref":"#/components/schemas/BTParameterVisibilityCondition-177"},{"type":"object","properties":{"btType":{"type":"string"},"inArray":{"type":"boolean"},"parameterId":{"type":"string"},"value":{"type":"string"}}}]},"BTParameterVisibilityOnMateDOFType-2114":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParameterVisibilityOnEqual-180"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParametricInstance-2641":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblyPattern-1974":"#/components/schemas/BTAssemblyPattern-1974","BTAssemblyReplicate-2774":"#/components/schemas/BTAssemblyReplicate-2774","BTParametricPartStudioInstance-4374":"#/components/schemas/BTParametricPartStudioInstance-4374"}},"allOf":[{"$ref":"#/components/schemas/BTInstanceBase-2263"},{"type":"object","properties":{"btType":{"type":"string"},"feature":{"$ref":"#/components/schemas/BTMAssemblyFeature-887"},"featureId":{"type":"string"},"instanceControlNodes":{"type":"array","items":{"$ref":"#/components/schemas/BTInstanceControlNode-750"}}}}]},"BTParametricOutputInstance-2288":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTClonedInstance-2505":"#/components/schemas/BTClonedInstance-2505","BTParametricPartStudioChildInstance-3696":"#/components/schemas/BTParametricPartStudioChildInstance-3696"}},"allOf":[{"$ref":"#/components/schemas/BTInstanceBase-2263"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTParametricPartStudioChildInstance-3696":{"type":"
object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParametricOutputInstance-2288"},{"type":"object","properties":{"btType":{"type":"string"},"partIdentity":{"$ref":"#/components/schemas/BTPSOIdentity-2741"},"sketchFeatureId":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTPartStudioInstanceType"}}}]},"BTParametricPartStudioInstance-4374":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTParametricInstance-2641"},{"type":"object","properties":{"btType":{"type":"string"},"configuration":{"type":"array","items":{"$ref":"#/components/schemas/BTMParameter-1"}},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementReference":{"$ref":"#/components/schemas/BTElementReference-725"},"externalDocumentWithVersion":{"$ref":"#/components/schemas/BTDocumentWithVersionId"},"externalDocumentWithVersionAndElementId":{"$ref":"#/components/schemas/BTDocumentWithVersionAndElementId"},"lockedState":{"type":"boolean"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"parametricPartStudioFeature":{"$ref":"#/components/schemas/BTMParametricPartStudioFeature-3883"},"referenceParameter":{"$ref":"#/components/schemas/BTMParameterReferencePartStudio-3302"},"versionId":{"type":"string"},"versionIdIfExternal":{"type":"string"}}}]},"BTPartAppearanceInfo":{"type":"object","properties":{"color":{"$ref":"#/components/schemas/BTColorInfo"},"isGenerated":{"type":"boolean"},"opacity":{"type":"integer","format":"int32"}}},"BTPartAppearanceParams":{"type":"object","properties":{"color":{"$ref":"#/components/schemas/BTColorParams"},"opacity":{"type":"integer","format":"int32"}}},"BTPartCustomProperties-1338":{"type":"object","properties":{"btType":{"type":"string"},"description":{"type":"string"},"partNumber":{"type":"string"},"productLine":{"type":"string"},"project":{"type":"string"},"properties":{"type":"object","additionalProperties":{"type":"string"}},"revision":{"typ
e":"string"},"tessellationSetting":{"type":"string"},"title1":{"type":"string"},"title2":{"type":"string"},"title3":{"type":"string"},"vendor":{"type":"string"}}},"BTPartData-16":{"type":"object","properties":{"bestAvailableTessellationSetting":{"$ref":"#/components/schemas/GBTTessellationSettingEnum"},"boundsDiameter":{"type":"number","format":"double"},"btType":{"type":"string"},"closedConstituentPartData":{"$ref":"#/components/schemas/BTClosedConstituentPartData-2911"},"coarsePlanarFaceTriangleCount":{"type":"integer","format":"int32"},"coarseTriangleCount":{"type":"integer","format":"int32"},"constituentBodyDeterministicIds":{"type":"array","items":{"type":"string"}},"copyWithoutEntities":{"$ref":"#/components/schemas/BTPartData-16"},"entityDIds":{"type":"array","items":{"type":"string"}},"entityDeterministicIds":{"type":"array","items":{"type":"string"}},"flattenedToUnflattenedMapping":{"type":"object","additionalProperties":{"type":"string"}},"highBoxCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"isACopyForTessellationSettings":{"type":"boolean"},"isAssociatedWithFlat":{"type":"boolean"},"isBendCenterLineBody":{"type":"boolean"},"isClosedComposite":{"type":"boolean"},"isComposite":{"type":"boolean"},"isDeletion":{"type":"boolean"},"isEntitylessPartData":{"type":"boolean"},"isFlattenedSheetMetalBody":{"type":"boolean"},"isOpenComposite":{"type":"boolean"},"lowBoxCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"ownerFlattenedBodyId":{"type":"string"},"sheetMetalModelId":{"type":"string"},"sheetMetalOrderId":{"type":"string"},"shouldAlwaysUseHighestQualityTessellation":{"type":"boolean"},"tessellationSettings":{"type":"array","items":{"type":"integer","format":"int32"}},"totalEntityCount":{"type":"integer","format":"int32"},"userTessellationSetting":{"$ref":"#/components/schemas/GBTTessellationSettingEnum"}}},"BTPartDisplayData-17":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"appearanceForN
ewCell":{"$ref":"#/components/schemas/BTGraphicsAppearance-1152"},"btType":{"type":"string"},"customProperties":{"$ref":"#/components/schemas/BTPartCustomProperties-1338"},"defaultColorHash":{"type":"string"},"hasFaults":{"type":"boolean"},"hidden":{"type":"boolean"},"highBoxCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"id":{"type":"string"},"isActiveSheetMetal":{"type":"boolean"},"isMesh":{"type":"boolean"},"isModifiable":{"type":"boolean"},"isSheet":{"type":"boolean"},"isSolid":{"type":"boolean"},"isWire":{"type":"boolean"},"lowBoxCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"material":{"$ref":"#/components/schemas/BTPartMaterial-1445"},"materialForNewCell":{"$ref":"#/components/schemas/BTPartMaterial-1445"},"meshState":{"$ref":"#/components/schemas/GBTMeshState"},"name":{"type":"string"},"nameForNewCell":{"type":"string"},"ordinal":{"type":"integer","format":"int32"},"partId":{"type":"string"},"propertyIdToSource":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPartMetadataSource-2895"}},"referencingConfiguredPartNodeIds":{"type":"array","items":{"$ref":"#/components/schemas/BTObjectId"}},"visibility":{"$ref":"#/components/schemas/GBTPartVisibility"}}},"BTPartIdParams":{"type":"object","properties":{"configuration":{"type":"string"},"elementMicroversionId":{"type":"string"},"ids":{"type":"array","items":{"type":"string"}},"partId":{"type":"string"},"referenceType":{"type":"integer","format":"int32"},"targetVersionId":{"type":"string"}}},"BTPartInstance-81":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTInstance-642"},{"type":"object","properties":{"btType":{"type":"string"},"partIdentity":{"$ref":"#/components/schemas/BTPSOIdentity-2741"},"partQuery":{"type":"string"},"partReference":{"$ref":"#/components/schemas/BTMParameterReferencePartStudio-3302"},"type":{"$ref":"#/components/schemas/GBTPartStudioInstanceType"}}}]},"BTPartMaterial-1445":{"type":"object","propertie
s":{"btType":{"type":"string"},"id":{"type":"string"},"libraryName":{"type":"string"},"libraryReference":{"$ref":"#/components/schemas/BTElementReference-725"},"name":{"type":"string"},"properties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPartMaterialProperty-1453"}},"version":{"type":"integer","format":"int32"}}},"BTPartMaterialInfo":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"string"},"libraryName":{"type":"string"},"libraryReference":{"$ref":"#/components/schemas/BTExternalElementReferenceInfo"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTPartMaterialPropertyInfo"}}}},"BTPartMaterialProperty-1453":{"type":"object","properties":{"btType":{"type":"string"},"category":{"type":"string"},"description":{"type":"string"},"displayName":{"type":"string"},"name":{"type":"string"},"type":{"type":"string"},"units":{"type":"string"},"value":{"type":"string"}}},"BTPartMaterialPropertyInfo":{"type":"object","properties":{"category":{"type":"string"},"description":{"type":"string"},"displayName":{"type":"string"},"name":{"type":"string"},"type":{"type":"string"},"units":{"type":"string"},"value":{"type":"string"}}},"BTPartMetadataInfo":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTPartAppearanceInfo"},"bodyType":{"type":"string"},"configurationId":{"type":"string"},"customProperties":{"type":"object","additionalProperties":{"type":"string"}},"defaultColorHash":{"type":"string"},"description":{"type":"string"},"elementId":{"type":"string"},"href":{"type":"string","format":"uri"},"id":{"type":"string"},"isFlattenedBody":{"type":"boolean"},"isHidden":{"type":"boolean"},"isMesh":{"type":"boolean"},"material":{"$ref":"#/components/schemas/BTPartMaterialInfo"},"meshState":{"$ref":"#/components/schemas/GBTMeshState"},"microversionId":{"type":"string"},"name":{"type":"string"},"ordinal":{"type":"integer","format":"int32"},"partId":{"type":"string"},"partIdentity":{"type
":"string"},"partNumber":{"type":"string"},"partQuery":{"type":"string"},"productLine":{"type":"string"},"project":{"type":"string"},"propertySourceTypes":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"referencingConfiguredPartNodeIds":{"type":"array","items":{"type":"string"}},"revision":{"type":"string"},"state":{"$ref":"#/components/schemas/BTMetadataStateType"},"thumbnailConfigurationId":{"type":"string"},"thumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"title1":{"type":"string"},"title2":{"type":"string"},"title3":{"type":"string"},"unflattenedPartId":{"type":"string"},"vendor":{"type":"string"}}},"BTPartMetadataSource-2895":{"type":"object","properties":{"btType":{"type":"string"},"sourceId":{"type":"string"},"sourceType":{"$ref":"#/components/schemas/GBTMetadataSourceType"}}},"BTPartNumberingSchemeInfo":{"type":"object","properties":{"assemblyPrefix":{"type":"string"},"drawingPrefix":{"type":"string"},"filePrefix":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"nextNumber":{"type":"integer","format":"int64"},"nextNumberMinWidth":{"type":"integer","format":"int32"},"partPrefix":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"schemeId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTPartProperties-293":{"type":"object","properties":{"btType":{"type":"string"},"configuredParts":{"$ref":"#/components/schemas/BTConfiguredPartProperties-2645"},"identityIdToQueryIndex":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"nodeId":{"type":"string"},"parts":{"type":"array","items":{"$ref":"#/components/schemas/BTOnePartProperties-230"}},"roughBytesEstimate":{"type":"integer","format":"int64"},"tessellationProperties":{"$ref":"#/components/schemas/BTTessellationProperties-927"}}},"BTPartStudioDependentImmutabilityData-1698":{"type":"object","properties":{"btType":{"type":"string"},"immutableContextData":{"type":"array","items":{"$ref":"#/components/schemas/BTImmutableContextData-4072"}},"microversionId":{"type":"string"},"parentMicroversionId":{"type":"string"}}},"BTPartStudioDisplayData-346":{"type":"object","properties":{"appearanceIdToAppearanceOverride":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTAppearanceOverride-2517"}},"assemblyReferenceDisplayData":{"$ref":"#/components/schemas/BTAssemblyReferencesDisplayData-1562"},"bodyIdToEntityAppearanceSettings":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBaseEntityAppearanceSettings-1391"}},"bodyIdToEntityAppearanceSettingsChanged":{"type":"boolean"},"btType":{"type":"string"},"cacheablePartStudioDisplayDataVersion":{"$ref":"#/components/schemas/GBTPartStudioDisplayDataVersion"},"decalIdToDecal":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTDecal-2404"}},"deterministicIdToAssociatedFeatureIds":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"deterministicIdToEntity":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTBaseEntityData-33"}},"deterministicIdToPartDisplayData":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPartDisplayData-17"}},"deterministicPartIdToData":{"type":"object","ad
ditionalProperties":{"$ref":"#/components/schemas/BTPartData-16"}},"dimensions":{"type":"array","items":{"$ref":"#/components/schemas/BTDimensionDisplayData-323"}},"displayStateId":{"type":"string"},"elementId":{"type":"string"},"featureIdToOperationIndices":{"type":"object","additionalProperties":{"type":"array","items":{"type":"integer","format":"int32"}}},"fromCache":{"type":"boolean"},"fromFullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"incremental":{"type":"boolean"},"instanceCount":{"type":"integer","format":"int32"},"isBase":{"type":"boolean"},"isExternal":{"type":"boolean"},"isNoop":{"type":"boolean"},"keepFromMicroversion":{"type":"boolean"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfigurationInterval":{"$ref":"#/components/schemas/BTMicroversionIdAndConfigurationInterval-2364"},"microversionInterval":{"$ref":"#/components/schemas/BTMicroversionIdInterval-367"},"numberOfSketchEntities":{"type":"integer","format":"int32"},"partColorCycle":{"$ref":"#/components/schemas/BTBasePartColorCycle-2614"},"partDisplayData":{"type":"array","items":{"$ref":"#/components/schemas/BTPartDisplayData-17"}},"sketchImages":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTSketchImageDisplayData-1379"}}},"updatedParts":{"type":"array","items":{"type":"string"}},"usage":{"$ref":"#/components/schemas/GBTDisplayDataUsage"},"usesMultipleTessellationSettings":{"type":"boolean"},"versionForRasterization":{"$ref":"#/components/schemas/BTElementDisplayData-326"}}},"BTPartStudioDisplayDataBase-2751":{"type":"object","properties":{"btType":{"type":"string"},"elementId":{"type":"string"},"fromFullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"incremental":{"type":"boolean"},"instanceCount":{"type":"integer","f
ormat":"int32"},"isNoop":{"type":"boolean"},"keepFromMicroversion":{"type":"boolean"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfigurationInterval":{"$ref":"#/components/schemas/BTMicroversionIdAndConfigurationInterval-2364"},"microversionInterval":{"$ref":"#/components/schemas/BTMicroversionIdInterval-367"},"numberOfSketchEntities":{"type":"integer","format":"int32"},"versionForRasterization":{"$ref":"#/components/schemas/BTElementDisplayData-326"}},"discriminator":{"propertyName":"btType","mapping":{"BTPartStudioDisplayData-346":"#/components/schemas/BTPartStudioDisplayData-346","BTPartStudioDisplayDataReference-4360":"#/components/schemas/BTPartStudioDisplayDataReference-4360"}}},"BTPartStudioDisplayDataReference-4360":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTPartStudioDisplayDataBase-2751"},{"type":"object","properties":{"btType":{"type":"string"},"cacheDataPath":{"$ref":"#/components/schemas/BTCacheDataPath-191"},"tessellationSettings":{"type":"object","additionalProperties":{"type":"array","items":{"type":"integer","format":"int32"}}}}}]},"BTPartStudioImmutabilityData-1627":{"type":"object","properties":{"btType":{"type":"string"},"dependentData":{"type":"array","items":{"$ref":"#/components/schemas/BTPartStudioDependentImmutabilityData-1698"}},"versionData":{"type":"array","items":{"$ref":"#/components/schemas/BTPartStudioVersionImmutabilityData-3190"}}}},"BTPartStudioVersionImmutabilityData-3190":{"type":"object","properties":{"btType":{"type":"string"},"immutableContextData":{"type":"array","items":{"$ref":"#/components/schemas/BTImmutableContextData-4072"}},"isImmutable":{"type":"boolean"},"microversionId":{"type":"string"},"versionId":{"type":"string"},"versionName":{"type":"string"}}},"BTPartWithConfiguredProperties-2163":{"type":"object","properties":{"btType":{"type":"string"},"configurationProperties":{"type":"array","items":{"$ref":"#/component
s/schemas/BTOneConfigurationPartProperties-1661"}},"forSubPartProperties":{"type":"boolean"},"nodeId":{"type":"string"},"parsedQuery":{"$ref":"#/components/schemas/BTPFunctionDeclaration-246"},"propertyNodeId":{"type":"string"},"query":{"type":"string"}}},"BTPartedOutElementInfo":{"type":"object","properties":{"badIntraworkspaceReference":{"type":"boolean"},"destinationDocumentId":{"type":"string"},"destinationDocumentVersionId":{"type":"string"},"destinationElementId":{"type":"string"},"destinationElementMicroversionId":{"type":"string"},"sourceDocumentId":{"type":"string"},"sourceElementId":{"type":"string"}}},"BTPasswordResetInfo":{"type":"object","properties":{"message":{"type":"string"},"resetLink":{"type":"string"}}},"BTPasswordResetParams":{"type":"object","properties":{"email":{"type":"string"},"id":{"type":"string"},"password":{"type":"string"},"secret":{"type":"string"}}},"BTPaymentHistoryAdminInfo":{"type":"object","properties":{"accountId":{"type":"string"},"accountLast4":{"type":"string"},"actualAmountCents":{"type":"integer","format":"int64"},"address":{"type":"string"},"addressId":{"type":"string"},"amountCents":{"type":"integer","format":"int64"},"application":{"$ref":"#/components/schemas/BTAPIApplicationSummaryInfo"},"campaignCode":{"type":"string"},"campaignName":{"type":"string"},"cardType":{"type":"string"},"city":{"type":"string"},"country":{"type":"string"},"couponAmountOffCents":{"type":"integer","format":"int64"},"couponPercentOff":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"credits":{"type":"integer","format":"int64"},"discount":{"type":"integer","format":"int64"},"endingBalanceCents":{"type":"integer","format":"int64"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"invoiceIdForRefund":{"type":"string"},"lineItems":{"type":"array","items":{"$ref":"#/components/schemas/LineItem"}},"name":{"type":"string","description":"Name of the resource."},"onshapePlan":{"type":"boolean"},"ownerId":{"type":"string"},"periodEnd":{"type":"string","format":"date-time"},"periodStart":{"type":"string","format":"date-time"},"plan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"postedAt":{"type":"string","format":"date-time"},"prevSeats":{"type":"integer","format":"int64"},"previousPlan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"proration":{"type":"boolean"},"refund":{"type":"boolean"},"seats":{"type":"integer","format":"int64"},"startingBalanceCents":{"type":"integer","format":"int64"},"state":{"type":"string"},"stripeId":{"type":"string"},"subtotalCents":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"zip":{"type":"string"},"zuoraInvoice":{"type":"boolean"}},"description":"Array of items in the current page."},"BTPaymentHistoryInfo":{"type":"object","properties":{"accountLast4":{"type":"string"},"actualAmountCents":{"type":"integer","format":"int64"},"amountCents":{"type":"integer","format":"int64"},"application":{"$ref":"#/components/schemas/BTAPIApplicationSummaryInfo"},"campaignCode":{"type":"string"},"campaignName":{"type":"string"},"cardType":{"type":"string"},"couponAmountOffCents":{"type":"integer","format":"int64"},"couponPercentOff":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"credits":{"type":"integer","format":"int64"},"discount":{"type":"integer","format":"int64"},"endingBalanceCents":{"type":"integer","format":"int64"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"invoiceIdForRefund":{"type":"string"},"lineItems":{"type":"array","items":{"$ref":"#/components/schemas/LineItem"}},"name":{"type":"string","description":"Name of the resource."},"onshapePlan":{"type":"boolean"},"periodEnd":{"type":"string","format":"date-time"},"periodStart":{"type":"string","format":"date-time"},"plan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"postedAt":{"type":"string","format":"date-time"},"prevSeats":{"type":"integer","format":"int64"},"previousPlan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"proration":{"type":"boolean"},"refund":{"type":"boolean"},"seats":{"type":"integer","format":"int64"},"startingBalanceCents":{"type":"integer","format":"int64"},"subtotalCents":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"zuoraInvoice":{"type":"boolean"}}},"BTPaymentHistorySummaryInfo":{"type":"object","properties":{"actualAmountCents":{"type":"integer","format":"int64"},"amountCents":{"type":"integer","format":"int64"},"application":{"$ref":"#/components/schemas/BTAPIApplicationSummaryInfo"},"campaignCode":{"type":"string"},"campaignName":{"type":"string"},"couponAmountOffCents":{"type":"integer","format":"int64"},"couponPercentOff":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"credits":{"type":"integer","format":"int64"},"endingBalanceCents":{"type":"integer","format":"int64"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the 
resource."},"periodEnd":{"type":"string","format":"date-time"},"periodStart":{"type":"string","format":"date-time"},"plan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"postedAt":{"type":"string","format":"date-time"},"prevSeats":{"type":"integer","format":"int64"},"previousPlan":{"$ref":"#/components/schemas/BTBillingPlanSummaryInfo"},"proration":{"type":"boolean"},"refund":{"type":"boolean"},"seats":{"type":"integer","format":"int64"},"startingBalanceCents":{"type":"integer","format":"int64"},"subtotalCents":{"type":"integer","format":"int64"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"zuoraInvoice":{"type":"boolean"}},"description":"Array of items in the current page."},"BTPaymentTypeParams":{"type":"object","properties":{"paymentType":{"type":"integer","format":"int32"},"userId":{"type":"string"}}},"BTPermission":{"type":"string","enum":["OWNER","DELETE","RESHARE","WRITE","READ","LINK","COPY","EXPORT","COMMENT","ANONYMOUS_ACCESS"]},"BTPermissionInfo":{"type":"object","properties":{"defaultValue":{"type":"boolean"},"editable":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"permission":{"$ref":"#/components/schemas/BTPermission"},"subPermissionList":{"type":"array","items":{"$ref":"#/components/schemas/BTPermissionInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"visible":{"type":"boolean"}},"description":"Array of items in the current page."},"BTPlanEulaInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"planId":{"type":"string"},"type":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTPlanEulaParams":{"type":"object","properties":{"planId":{"type":"string"},"type":{"type":"integer","format":"int32"}}},"BTPlanSubscriberInfo":{"type":"object","properties":{"email":{"type":"string"},"firstName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"lastName":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"state":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTPlanarImageMapping-4398":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTImageMapping-3821"},{"type":"object","properties":{"btType":{"type":"string"},"planeSystem":{"$ref":"#/components/schemas/BTCoordinateSystem-387"}}}]},"BTPlaneDescription-692":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"btType":{"type":"string"},"isOrientedWithFace":{"type":"boolean"},"normal":{"$ref":"#/components/schemas/BTVector3d-389"}}}]},"BTPlaneOrientationFilter-1700":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"normal":{"$ref":"#/components/schemas/BTVector3d-389"}}}]},"BTPointEntity-1439":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureEntity-34"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTPredefinedTeamInfo":{"type":"object","properties":{"exists":{"type":"boolean"},"missingUserIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"state":{"type":"integer","format":"int32"},"toBeRemovedIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTPredefinedTeamSummaryInfo":{"type":"object","properties":{"companyId":{"type":"string"},"dryRun":{"type":"boolean"},"teams":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPredefinedTeamInfo"}}}},"BTPrivacyConsentInfo":{"type":"object","properties":{"communicationsOptInDate":{"type":"string","format":"date-time"},"communicationsOptOutDate":{"type":"string","format":"date-time"},"communicationsStatus":{"type":"boolean"},"consentVersion":{"type":"string"},"dataProcessingOptInDate":{"type":"string","format":"date-time"},"dataProcessingOptOutDate":{"type":"string","format":"date-time"},"dataProc
essingStatus":{"type":"boolean"},"eulaVersion":{"type":"integer","format":"int64"},"userId":{"type":"string"}}},"BTPrivacyConsentTextInfo":{"type":"object","properties":{"consentText":{"type":"string"},"consentVersion":{"type":"string"}}},"BTProductStructureElementInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTProductStructureItemInfo"},{"type":"object","properties":{"childrenHref":{"type":"string"}}}]},"BTProductStructureItemInfo":{"required":["jsonType"],"type":"object","properties":{"jsonType":{"type":"string"}},"description":"Array of items in the current page.","discriminator":{"propertyName":"jsonType","mapping":{"product-structure-item":"#/components/schemas/BTProductStructureItemInfo","product-part":"#/components/schemas/BTProductStructurePartInfo","product-element":"#/components/schemas/BTProductStructureElementInfo"}},"allOf":[{"$ref":"#/components/schemas/BTBaseInfo"},{"type":"object","properties":{"configuration":{"type":"array","items":{"$ref":"#/components/schemas/ConfigInfo"}},"documentId":{"type":"string"},"documentName":{"type":"string"},"documentState":{"type":"integer","format":"int32"},"documentSummary":{"$ref":"#/components/schemas/BTDocumentSummaryInfo"},"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"meshState":{"type":"integer","format":"int32"},"name":{"type":"string","description":"Name of the 
resource."},"notRevisionManaged":{"type":"boolean"},"partNumber":{"type":"string"},"peerConfiguration":{"type":"array","items":{"$ref":"#/components/schemas/ConfigInfo"}},"peerDocumentId":{"type":"string"},"peerElementId":{"type":"string"},"peerElementType":{"type":"integer","format":"int32"},"peerOutOfDateDocumentMv":{"type":"string"},"peerOwnerId":{"type":"string"},"peerPartId":{"type":"string"},"peerPartName":{"type":"string"},"peerPartNumber":{"type":"string"},"peerWvId":{"type":"string"},"peerWvType":{"type":"integer","format":"int32"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataValueInfo"}},"resourceType":{"type":"string"},"revision":{"type":"string"},"standardProperties":{"type":"array","items":{"$ref":"#/components/schemas/Property"}},"thumbnailHref":{"type":"string","format":"uri"},"thumbnailId":{"type":"array","items":{"type":"string","format":"byte"}},"versionId":{"type":"string"},"versionName":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"},"workspaceName":{"type":"string"},"wvCreatedAt":{"type":"string","format":"date-time"}}}]},"BTProductStructureItemInfoList":{"type":"object","properties":{"dbTimedOut":{"type":"boolean"},"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTProductStructureItemInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"pathToRoot":{"type":"array","items":{"$ref":"#/components/schemas/PathSegment"}},"permissionSet":{"type":"array","items":{"type":"string"}},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"}}},"BTProductStructurePartInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTProductStructureItemInfo"},{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"partId":{"type":"string"}}}]},"BTProductStructureResultFieldDescriptor":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"string"},"locked":{"type":"boolean"},"name":{"type":"string"},"sortable":{"type":"boolean"},"standardProperty":{"type":"boolean"}}},"BTProductStructureSearchParams":{"type":"object","properties":{"companyId":{"type":"string"},"elementTypes":{"uniqueItems":true,"type":"array","items":{"type":"integer","format":"int32"}},"limit":{"type":"integer","format":"int32"},"locationId":{"type":"string"},"locationType":{"type":"string"},"metadataFilters":{"type":"array","items":{"$ref":"#/components/schemas/MetadataFilter"}},"offset":{"type":"integer","format":"int32"},"rootsOnly":{"type":"boolean"},"sort":{"type":"string"},"sortOrder":{"type":"string"}}},"BTProjectInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"permissionScheme":{"$ref":"#/components/schemas/BTRbacPermissionSchemeInfo"},"permissionSet":{"type":"array","items":{"type":"string"}},"roleMapEntries":{"type":"array","items":{"$ref":"#/components/schemas/RoleMapEntry"}},"trash":{"type":"boolean"}}}]},"BTProjectParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"permissionSchemeId":{"type":"string"},"roleIdentityMap":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTIdentity"}}},"roleMap":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTIdentityParams"}}}}},"BTPropertiesTableTemplateInfo":{"type":"object","properties":{"companyId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isActive":{"type":"boolean"},"isAllCaps":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"propertyColumns":{"type":"array","items":{"$ref":"#/components/schemas/BTSimplePropertyInfo"}},"tableType":{"$ref":"#/components/schemas/BTPropertiesTableTemplateType"},"templateGroupId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTPropertiesTableTemplateParams":{"type":"object","properties":{"companyId":{"type":"string"},"isAllCaps":{"type":"boolean"},"name":{"type":"string"},"propertyColumns":{"type":"array","items":{"type":"string"}},"tableType":{"$ref":"#/components/schemas/BTPropertiesTableTemplateType"}}},"BTPropertiesTableTemplateType":{"type":"string","enum":["BOM","REVISION_TABLE","INSPECTION_TABLE"]},"BTPropertyMapTupleInfo":{"type":"object","properties":{"errorMessage":{"type":"string"},"propertyName":{"type":"string"},"stepId":{"type":"string"}}},"BTPropertyMapTupleParam":{"type":"object","properties":{"propertyName":{"type":"string"},"stepId":{"type":"string"}}},"BTPropertyTableColumnInfo-2161":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableColumnInfo-1222"},{"type":"object","properties":{"btType":{"type":"string"},"isComputedAssemblyProperty":{"type":"boolean"},"isComputedProperty":{"type":"boolean"},"propertyValueType":{"type":"integer","format":"int32"}}}]},"BTPropertyUpdateInfo":{"type":"object","properties":{"errorMessage":{"type":"string"},"itemHref":{"type":"string"},"newValue":{"type":"object"},"oldValue":{"type":"object"},"propertyId":{"type":"string"}}},"BTPropertyValueParam":{"type":"object","properties":{"propertyId":{"type":"string"},"value":{"type":"object"}}},"BTProvisioningParams":{"type":"object","properties":{"enterprise":{"$ref":"#/components/schemas/EnterpriseParams"},"owner
Email":{"type":"string"},"plans":{"type":"array","items":{"$ref":"#/components/schemas/PlanParams"}}}},"BTPublicationBulkItemParams":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/BTPublicationItemParams"}}}},"BTPublicationInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"defaultWorkspaceId":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/Item"}},"notes":{"type":"string"},"sequence":{"type":"string"}}}]},"BTPublicationItemParams":{"type":"object","properties":{"dataType":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"encodedConfiguration":{"type":"string"},"isApplication":{"type":"boolean"},"isAssembly":{"type":"boolean"},"isBlob":{"type":"boolean"},"isWholePartStudio":{"type":"boolean"},"mimeType":{"type":"string"},"partId":{"type":"string"},"partName":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"revisionId":{"type":"string"},"versionId":{"type":"string"}}},"BTPublicationParams":{"type":"object","properties":{"description":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTPublicationItemParams"}},"name":{"type":"string"},"notes":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"parentId":{"type":"string"},"projectId":{"type":"string"}}},"BTPublishChecklist":{"type":"object","properties":{"elementIdToErrorCount":{"type":"object","additionalProperties":{"type":"integer","description":"Map from element id to number of FeatureScript errors.","format":"int32"},"description":"Map from element id to number of FeatureScript errors."},"elementIdToWarningCount":{"type":"object","additionalProperties":{"type":"integer","description":"Map from element id to number of FeatureScript warnings.","format":"int32"},"description":"Map from element id to number of FeatureScript 
warnings."},"elementIdsWithUncommittedChanges":{"type":"array","description":"List of Feature Studio ids with uncommitted changes.","items":{"type":"string","description":"List of Feature Studio ids with uncommitted changes."}},"featuresUnusedInPartStudios":{"type":"array","description":"Names of features that are not used in Part Studios.","items":{"type":"string","description":"Names of features that are not used in Part Studios."}},"featuresWithNoDescription":{"type":"array","description":"Names of features lacking descriptions.","items":{"type":"string","description":"Names of features lacking descriptions."}},"hasFeatureOrTableSpecs":{"type":"boolean","description":"True if the document defines custom features or tables."},"hasPdf":{"type":"boolean","description":"True if the document contains a PDF."},"isPublic":{"type":"boolean","description":"True if the document is public."}},"description":"A checklist of requirements a document must satisfy (at a workspace/version/microversion) before the custom features at a version can be published."},"BTPublishWorkflowParams":{"type":"object","properties":{"description":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"name":{"type":"string"},"workflowType":{"type":"integer","format":"int32"},"workflowTypeEnum":{"$ref":"#/components/schemas/BTWorkflowableObjectType"},"workspaceId":{"type":"string"}}},"BTPublishedWorkflowDetailInfo":{"type":"object","properties":{"activeState":{"type":"integer","format":"int32"},"companyId":{"type":"string"},"description":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"id":{"type":"string"},"imageSrc":{"type":"string"},"isPickable":{"type":"boolean"},"json":{"type":"string"},"name":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"ownerType":{"type":"integer","format":"int32"},"publishedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"publishedDate":{"type":"string","description":"The date of 
publication of workflow","format":"date-time"},"usesExternalPlm":{"type":"boolean","description":"Whether the workflow connects to an external PLM service like Arena"},"versionId":{"type":"string"}},"description":"Captures information of the user who published the workflow"},"BTPublishedWorkflowId":{"type":"object","properties":{"companyId":{"type":"string"},"versionId":{"type":"string"},"workflowId":{"type":"string"}}},"BTPublishedWorkflowInfo":{"type":"object","properties":{"activeState":{"type":"integer","format":"int32"},"companyId":{"type":"string"},"description":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"id":{"type":"string"},"imageSrc":{"type":"string"},"isPickable":{"type":"boolean"},"json":{"type":"string"},"name":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"ownerType":{"type":"integer","format":"int32"},"publishedDate":{"type":"string","description":"The date of publication of workflow","format":"date-time"},"usesExternalPlm":{"type":"boolean","description":"Whether the workflow connects to an external PLM service like Arena"},"versionId":{"type":"string"}},"description":"Captures information about a published workflow"},"BTPurchaseInfo":{"type":"object","properties":{"accountId":{"type":"string"},"actualAmountPaidCents":{"type":"integer","format":"int64"},"amountCents":{"type":"integer","format":"int64"},"application":{"$ref":"#/components/schemas/BTAPIApplicationSummaryInfo"},"canceledAt":{"type":"string","format":"date-time"},"card":{"$ref":"#/components/schemas/BTCardInfo"},"clientId":{"type":"string"},"couponAmountOff":{"type":"integer","format":"int64"},"couponPercentOff":{"type":"integer","format":"int32"},"createdBy":{"type":"string"},"currency":{"type":"string"},"duration":{"type":"integer","format":"int32"},"durationMonths":{"type":"integer","format":"int32"},"group":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastModified":{"type":"string","format":"date-time"},"lastModifiedBy":{"type":"string"},"lightSeats":{"type":"integer","format":"int64"},"name":{"type":"string","description":"Name of the resource."},"nextCharge":{"$ref":"#/components/schemas/NextCharge"},"paymentType":{"type":"integer","format":"int32"},"pendingCancelation":{"type":"boolean"},"plan":{"$ref":"#/components/schemas/BTBillingPlanInfo"},"planId":{"type":"string"},"planName":{"type":"string"},"planType":{"type":"integer","format":"int32"},"preTrialPlanId":{"type":"string"},"proratedCharges":{"type":"array","items":{"$ref":"#/components/schemas/ProratedCharges"}},"proratedTotal":{"type":"integer","format":"int64"},"purchaseDate":{"type":"string","format":"date-time"},"resellerName":{"type":"string"},"seats":{"type":"integer","format":"int64"},"state":{"type":"integer","format":"int32"},"subscribers":{"type":"array","items":{"$ref":"#/components/schemas/BTPlanSubscriberInfo"}},"subscriptionBeginAt":{"type":"string","format":"date-time"},"subscriptionEndAt":{"type":"string","format":"date-time"},"subscriptionFields":{"$ref":"#/components/schemas/Subscription"},"subscriptionId":{"type":"string"},"subscriptionType":{"type":"integer","format":"int32"},"taxAmountCents":{"type":"integer","format":"int64"},"trialEnd":{"type":"string","format":"date-time"},"trialInitiatedBy":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTPurchaseParams":{"type":"object","properties":{"accountId":{"type":"string"},"allowDeprecatedPlan":{"type":"boolean"},"domainPrefix":{"type":"string"},"email":{"type":"string"},"lightSeats":{"type":"integer","format":"int64"},"password":{"type":"string"},"paymentType":{"type":"integer","format":"int32"},"planId":{"type":"string"},"refId":{"type":"string"},"resellerName":{"type":"string"},"seats":{"type":"integer","format":"int64"},"trialPeriodDays":{"type":"integer","format":"int32"},"userId":{"type":"string"}}},"BTPurchaseTrailInfo":{"type":"object","properties":{"accountId":{"type":"string"},"appId":{"type":"string"},"changeType":{"type":"integer","format":"int32"},"createdDate":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"paymentType":{"type":"integer","format":"int32"},"planId":{"type":"string"},"previousPaymentType":{"type":"integer","format":"int32"},"previousPlanId":{"type":"string"},"previousSeats":{"type":"integer","format":"int64"},"previousSubscriptionBeginAt":{"type":"string","format":"date-time"},"previousSubscriptionEndAt":{"type":"string","format":"date-time"},"purchaseId":{"type":"string"},"seats":{"type":"integer","format":"int64"},"subscriptionBeginAt":{"type":"string","format":"date-time"},"subscriptionEndAt":{"type":"string","format":"date-time"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTPurchaseUserInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"consumedQuantity":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete 
information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"light":{"type":"boolean"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"owner":{"type":"boolean"},"planId":{"type":"string"},"purchase":{"$ref":"#/components/schemas/BTPurchaseInfo"},"purchaseState":{"type":"integer","format":"int32"},"user":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTPurchaseUserParams":{"type":"object","properties":{"consumedQuantity":{"type":"integer","format":"int32"},"purchaseId":{"type":"string"},"userId":{"type":"string"}}},"BTQuantityRange-181":{"type":"object","properties":{"btType":{"type":"string"},"defaultValue":{"type":"number","format":"double"},"location":{"$ref":"#/components/schemas/BTLocationInfo-226"},"maxValue":{"type":"number","format":"double"},"minValue":{"type":"number","format":"double"},"units":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTNullableQuantityRange-1340":"#/components/schemas/BTNullableQuantityRange-1340"}}},"BTQueryFilter-183":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTActiveSheetMetalFilter-2944":"#/components/schemas/BTActiveSheetMetalFilter-2944","BTAllowEdgePointFilter-2371":"#/components/schemas/BTAllowEdgePointFilter-2371","BTAllowFlattenedGeometryFilter-2140":"#/components/schemas/BTAllowFlattenedGeometryFilter-2140","BTAllowMeshGeometryFilter-1026":"#/components/schemas/BTAllowMeshGeometryFilter-1026","BTAndFilter-110":"#/components/schemas/BTAndFilter-110","BTBodyTypeFilter-112":"#/components/schemas/BTBodyTypeFilter-112","BTClosedCurveFilter-1206":"#/components/schemas/BTClosedCurveFilter-1206","BTConstructionObjectF
ilter-113":"#/components/schemas/BTConstructionObjectFilter-113","BTEdgeTopologyFilter-122":"#/components/schemas/BTEdgeTopologyFilter-122","BTEntityTypeFilter-124":"#/components/schemas/BTEntityTypeFilter-124","BTFeatureFilter-127":"#/components/schemas/BTFeatureFilter-127","BTFeatureTypeFilter-962":"#/components/schemas/BTFeatureTypeFilter-962","BTFlatSheetMetalFilter-3018":"#/components/schemas/BTFlatSheetMetalFilter-3018","BTGeometryFilter-130":"#/components/schemas/BTGeometryFilter-130","BTImageFilter-853":"#/components/schemas/BTImageFilter-853","BTInContextObjectFilter-3810":"#/components/schemas/BTInContextObjectFilter-3810","BTMateConnectorFilter-163":"#/components/schemas/BTMateConnectorFilter-163","BTMateFilter-162":"#/components/schemas/BTMateFilter-162","BTModifiableEntityOnlyFilter-1593":"#/components/schemas/BTModifiableEntityOnlyFilter-1593","BTNotFilter-165":"#/components/schemas/BTNotFilter-165","BTOccurrenceFilter-166":"#/components/schemas/BTOccurrenceFilter-166","BTOrFilter-167":"#/components/schemas/BTOrFilter-167","BTPlaneOrientationFilter-1700":"#/components/schemas/BTPlaneOrientationFilter-1700","BTSMDefinitionEntityTypeFilter-1651":"#/components/schemas/BTSMDefinitionEntityTypeFilter-1651","BTSectionGeometryFilter-4161":"#/components/schemas/BTSectionGeometryFilter-4161","BTSketchObjectFilter-184":"#/components/schemas/BTSketchObjectFilter-184","BTSketchSolveStatusFilter-3657":"#/components/schemas/BTSketchSolveStatusFilter-3657","BTSplineControlPolygonFilter-1130":"#/components/schemas/BTSplineControlPolygonFilter-1130","BTSplineHandleFilter-2971":"#/components/schemas/BTSplineHandleFilter-2971","BTTextObjectFilter-1515":"#/components/schemas/BTTextObjectFilter-1515","BTTextStrokeFilter-461":"#/components/schemas/BTTextStrokeFilter-461"}}},"BTQueryRevisionParams":{"type":"object","properties":{"companyId":{"type":"string"},"configurationParams":{"type":"object","additionalProperties":{"type":"string"}},"nodeIds":{"type":"array","items":{"t
ype":"string"}},"unchangedSinceLastRevision":{"type":"boolean"}}},"BTRadialDimensionDisplayData-348":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTDimensionDisplayData-323"},{"type":"object","properties":{"btType":{"type":"string"},"positionR":{"type":"number","format":"double"},"positionT":{"type":"number","format":"double"},"radiusDisplay":{"$ref":"#/components/schemas/GBTRadiusDisplay"},"realDiameter":{"type":"boolean"},"witnessEndPoint0r":{"type":"number","format":"double"},"witnessEndPoint0t":{"type":"number","format":"double"},"witnessEndPoint1r":{"type":"number","format":"double"},"witnessEndPoint1t":{"type":"number","format":"double"}}}]},"BTRateLimitMethod":{"type":"string","enum":["all","addMember","addMembers","removeMember","addEmail","removeEmail","makeEmailPrimary","resendVerifyEmail","copyWorkspace","search","requestInvite","getElementsInDocument","BTDefaultRateLimit","BTRestPart","BTRestWebhook","BTLogRateLimit","BTLargeRateLimit","BTAppElementRateLimit","BTRestThumbnail","BTRestDocument"]},"BTRateLimitParams":{"type":"object","properties":{"newValue":{"type":"integer","format":"int32"},"notes":{"type":"string"},"rateLimit":{"$ref":"#/components/schemas/BTRateLimitMethod"},"rateLimitName":{"type":"string"}}},"BTRbacPermissionSchemeEntryParams":{"type":"object","properties":{"permissionSet":{"type":"array","items":{"type":"string"}},"roleId":{"type":"string"}}},"BTRbacPermissionSchemeInfo":{"type":"object","properties":{"active":{"type":"boolean"},"description":{"type":"string"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/Entry"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"predefinedPermissionScheme":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize 
the resource in a webclient if applicable.","format":"uri"}}},"BTRbacPermissionSchemeListInfo":{"type":"object","properties":{"defaultIndex":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTRbacPermissionSchemeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"}}},"BTRbacPermissionSchemeParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"permissionMap":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}}},"BTRbacRoleInfo":{"type":"object","properties":{"active":{"type":"boolean"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"predefinedRole":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTRbacRoleParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"}}},"BTReadOnlyParameterSpec-1889":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTParameterSpecProgress-3078":"#/components/schemas/BTParameterSpecProgress-3078","BTParameterSpecStringWithTolerances-2535":"#/components/schemas/BTParameterSpecStringWithTolerances-2535"}},"allOf":[{"$ref":"#/components/schemas/BTParameterSpec-6"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTReferenceCustomData-1551":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTInstanceStandardContentData-2081":"#/components/schemas/BTInstanceStandardContentData-2081","BTRevisionCustomData-2090":"#/components/schemas/BTRevisionCustomData-2090"}}},"BTReferenceInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"elementMicroversionId":{"type":"string"},"isLocked":{"type":"boolean"},"nodeId":{"type":"string"},"parentNodeId":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"versionId":{"type":"string"}}},"BTReferencedVersionsInfo":{"type":"object","properties":{"references":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTElementInVersionOrWorkspaceInfo"}}},"savedReferencesId":{"type":"string"},"uniqueDocuments":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTRefreshReleaseParams":{"type":"object","properties":{"createNew":{"type":"boolean"},"debugMode":{"type":"boolean"},"updateParams":{"$ref":"#/components/schemas/BTUpdateReleasePackageParams"},"workflowId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTRegionCheckResponse":{"type":"object","properties":{"expectedRegion":{"type":"string"},"location":{"type":"string"},"region":{"type":"string"}}},"BTReleaseCommentListInfo"
:{"type":"object","properties":{"comments":{"type":"array","items":{"$ref":"#/components/schemas/BTCommentInfo"}},"rpId":{"type":"string"},"rpName":{"type":"string"}}},"BTReleaseItemErrorInfo":{"type":"object","properties":{"changeTaskId":{"type":"string"},"documentId":{"type":"string"},"message":{"type":"string"},"ordinal":{"type":"integer","format":"int32"},"pendingTaskId":{"type":"string"},"pendingTaskObjectId":{"type":"string"},"pendingTaskType":{"type":"string"},"releaseId":{"type":"string"},"severity":{"type":"integer","format":"int32"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTReleaseItemMessageBody":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTDocumentMessageBody"},{"type":"object","properties":{"elementType":{"type":"integer","format":"int32"},"isFromInitialState":{"type":"boolean"},"isToTerminalState":{"type":"boolean"},"releaseId":{"type":"string"},"status":{"type":"string"},"transitionName":{"type":"string"}}}]},"BTReleasePackageInfo":{"type":"object","properties":{"changeOrderId":{"type":"string"},"columnNames":{"type":"object","additionalProperties":{"type":"string"}},"comments":{"type":"array","items":{"$ref":"#/components/schemas/BTCommentInfo"}},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"detailed":{"type":"boolean"},"documentId":{"type":"string"},"draftItemCountChange":{"type":"integer","description":"Indicates whether the number of items in a draft is different due to workspace changes.","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"independentCADRevisions":{"type":"boolean","description":"Indicates whether CAD and PLM have independent 
revisions."},"isObsoletion":{"type":"boolean"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTReleasePackageItemInfo"}},"linkedVersionIds":{"type":"array","items":{"type":"string"}},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"originalWorkspaceId":{"type":"string"},"packageThumbnail":{"type":"string"},"parentComments":{"type":"array","items":{"$ref":"#/components/schemas/BTReleaseCommentListInfo"}},"parentPackages":{"type":"array","items":{"type":"string"}},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}},"retainedAsDraft":{"type":"boolean","description":"Indicates whether the release is still in setup state and saved as a draft."},"revisionRuleId":{"type":"string"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"},"workspaceId":{"type":"string"}},"x-BTVisibility-properties":{"draftItemCountChange":"INTERNAL"}},"BTReleasePackageItemInfo":{"type":"object","properties":{"canExport":{"type":"boolean"},"changeDetectionStatus":{"type":"integer","format":"int32"},"companyId":{"type":"string"},"configuration":{"type":"string"},"configurationKey":{"type":"string"},"diffThumbnailConfigurationKey":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"errors":{"type":"array","items":{"$ref":"#/components/schemas/BTReleaseItemErrorInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"isRevisionManaged":{"type":"boolean"},"isRootItem":{"type":"boolean"},"isTranslatable":{"type":"boolean"},"meshState":{"type":"integer","format":"int32"},"mimeType":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"obsoletionRevisionId":{"type":"string"},"originalWorkspaceId":{"type":"string"},"partId":{"type":"string"},"partIdentity":{"type":"string"},"partType":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"referenceIds":{"type":"array","items":{"type":"string"}},"referenceIdsFromOriginalWorkspace":{"type":"array","items":{"type":"string"}},"rpid":{"type":"string"},"smallThumbnailHref":{"type":"string"},"syncedWithPLM":{"type":"boolean"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTReleasePackageItemParams":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"href":{"type":"string"},"id":{"type":"string"},"isIncluded":{"type":"boolean"},"partId":{"type":"string"},"partIdentity":{"type":"string"},"partNumber":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertyValueParam"}},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTReleasePackageItemValidationInfo":{"type":"object","properties":{"documentId":{"type":"string"},"errors":{"type":"array","items":{"$ref":"#/components/schemas/BTReleaseItemErrorInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isRevisionManaged":{"type":"boolean"},"isRootItem":{"type":"boolean"},"name":{"type":"string","description":"Name of the 
resource."},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTReleasePackagePropertyUpdateInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTReleasePackageParams":{"type":"object","properties":{"changeOrderId":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTReleasePackageItemParams"}}}},"BTReleasePackagePropertyUpdateInfo":{"type":"object","properties":{"propertyId":{"type":"string"},"value":{"type":"object"}}},"BTReleasePackageSummaryInfo":{"type":"object","properties":{"changeOrderId":{"type":"string"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"independentCADRevisions":{"type":"boolean","description":"Indicates whether CAD and PLM have independent revisions."},"isObsoletion":{"type":"boolean"},"linkedVersionIds":{"type":"array","items":{"type":"string"}},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"originalWorkspaceId":{"type":"string"},"parentPackages":{"type":"array","items":{"type":"string"}},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}},"retainedAsDraft":{"type":"boolean","description":"Indicates whether the release is still in setup state and saved as a draft."},"revisionRuleId":{"type":"string"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"},"workspaceId":{"type":"string"}},"description":"Array of items in the current page."},"BTReleasedInsertableInfo":{"type":"object","properties":{"bodyType":{"$ref":"#/components/schemas/GBTBodyType"},"classType":{"type":"integer","format":"int32"},"configuration":{"type":"string"},"configurationParameterValues":{"type":"array","items":{"type":"string","format":"byte"}},"configurationParameters":{"type":"array","items":{"type":"string","format":"byte"}},"dataType":{"type":"string"},"deterministicId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementName":{"type":"string"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"featureId":{"type":"string"},"featureName":{"type":"string"},"featureSpec":{"type":"array","items":{"type":"string","format":"byte"}},"featureType":{"type":"string"},"fsComputedPartPropertySpec":{"type":"array","items":{"type":"string","format":"byte"}},"fsTableSpec":{"type":"array","items":{"type":"string","format":"byte"}},"hasFaults":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"insertableQuery":{"type":"string"},"isFlattenedBody":{"type":"boolean"},"isMesh":{"type":"boolean"},"meshState":{"$ref":"#/components/schemas/GBTMeshState"},"microversionId":{"type":"string"},"name":{"type":"string","description":"Name of the 
resource."},"parentId":{"type":"string"},"partIdentity":{"type":"string"},"partName":{"type":"string"},"partNumber":{"type":"string"},"predictableThumbnailId":{"type":"string"},"revision":{"type":"string"},"revisionId":{"type":"string"},"sourceFileExtension":{"type":"string"},"thumbnailUri":{"type":"string"},"unflattenedPartDeterministicId":{"type":"string"},"variableName":{"type":"string"},"versionId":{"type":"string"},"versionName":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"},"workspaceName":{"type":"string"}}},"BTResetSkipUpgradeInfo":{"type":"object","properties":{"countReset":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTResourceEventInfo":{"required":["jsonType"],"type":"object","properties":{"jsonType":{"type":"string"}},"discriminator":{"propertyName":"jsonType","mapping":{"document":"#/components/schemas/BTDocumentEventInfo"}},"allOf":[{"$ref":"#/components/schemas/BTBaseInfo"},{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}}]},"BTResourceId":{"type":"object","properties":{"bodyType":{"type":"string"},"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"idType":{"type":"integer","format":"int32"},"partId":{"type":"string"},"resourceId":{"type":"string"},"systemId":{"type":"string"},"uri":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTResourceIdParams":{"type":"object","properties":{"configurationId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"id":{"type":"string"},"partId":{"type":"string"},"type":{"type":"integer","format":"int32"},"versionId":{"type":"string"}}},"BTResourceInfo":{"type":"object","properties":{"configurationId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"partId":{"type":"string"},"type":{"type":"integer","format":"int32"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTResourceOwnerInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTGlobalTreeNodeInfo"},{"type":"object","properties":{"isEnterpriseEdu":{"type":"boolean"},"state":{"type":"integer","format":"int32"}}}]},"BTRestUserRole":{"type":"string","enum":["PUBLIC","INTERNAL"]},"BTRestoreFromHistoryInfo":{"type":"object","properties":{"newMicroversion":{"type":"string"}}},"BTRevertUnchangedElementParams":{"type":"object","properties":{"configuration":{"type":"string"},"elementId":{"type":"string"},"referenceIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTRevertUnchangedParams":{"type":"object","properties":{"companyId":{"type":"string"},"connectionId":{"type":"string"},"doUpdate":{"type":"boolean"},"elements":{"type":"array","items":{"$ref":"#/components/schemas/BTRevertUnchangedElementParams"}}}},"BTRevertUnchangedReleaseItemParams":{"type":"object","properties":{"itemId":{"type":"string"}}},"BTRevertUnchangedReleaseParams":{"type":"object","properties":{"connectionId":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTRevertUnchangedReleaseItemParams"}}}},"BTRevisionApproverInfo":{"type":"object","properties":{"date":{"type":"string","format":"date-time"},"id":{"type":"string"},"name":{"type":"string"}},"description":"The users who approved the release package that created this 
revision."},"BTRevisionChangeRevisionInfo":{"type":"object","properties":{"documents":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentInfo"}},"errors":{"type":"array","items":{"type":"string"}},"latestRevisions":{"type":"array","items":{"$ref":"#/components/schemas/BTRevisionInfo"}},"revisionItems":{"type":"array","items":{"$ref":"#/components/schemas/BTRevisionSingleChangeRevisionItem"}},"versions":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}}}},"BTRevisionCustomData-2090":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTReferenceCustomData-1551"},{"type":"object","properties":{"btType":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"validRevisionReference":{"type":"boolean"}}}]},"BTRevisionInfo":{"type":"object","properties":{"approvers":{"type":"array","description":"The users who approved the release package that created this revision.","items":{"$ref":"#/components/schemas/BTRevisionApproverInfo"}},"autoObsoletionReleaseId":{"type":"string"},"autoObsoletionReleaseName":{"type":"string"},"canExport":{"type":"boolean"},"companyId":{"type":"string","description":"The company or enterprise ID that owns the resource."},"configuration":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"description":{"type":"string","description":"The Revision Description metadata property if revision is of a drawing."},"documentId":{"type":"string","description":"The document that contains the item."},"documentName":{"type":"string","description":"The name of the document that contains the item."},"elementId":{"type":"string","description":"The element that contains the item."},"elementType":{"type":"integer","description":"The type of item 0: Part Studio, 1: Assembly, 2: Drawing. 
4: Blob","format":"int32"},"errorMessage":{"type":"string"},"flatPartInsertableId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"insertableId":{"type":"string"},"isObsolete":{"type":"boolean","description":"Whether the revision has been obsoleted."},"isRereleasable":{"type":"boolean","description":"If true, the revision can be created again."},"isTranslatable":{"type":"boolean"},"mimeType":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"nextRevisionId":{"type":"string","description":"The next revision if applicable. null for the latest revision."},"obsoletionPackageId":{"type":"string","description":"The OBSOLETION release package that obsoleted this revision if applicable."},"partId":{"type":"string"},"partNumber":{"type":"string","description":"The Part Number with which the item was revised."},"previousRevisionId":{"type":"string","description":"The previous revision if applicable. 
null for first revision."},"releaseCreatedDate":{"type":"string","format":"date-time"},"releaseId":{"type":"string","description":"The release package that created this revision."},"releaseName":{"type":"string","description":"The name of the release package that created this item."},"releasedBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"revision":{"type":"string","description":"The id of the revision."},"revisionRuleId":{"type":"string"},"versionId":{"type":"string","description":"The version of the document that contains this revision."},"versionName":{"type":"string","description":"The name of the version of the document that contains this revision."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"A revision of PART/ASSEMBLY etc created by release management."},"BTRevisionInfoWithStatus":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"isOutOfDate":{"type":"boolean"},"partNumber":{"type":"string"},"revision":{"type":"string"},"versionId":{"type":"string"}}},"BTRevisionListResponse":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTRevisionInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"partNumber":{"type":"string"},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"}}},"BTRevisionMessageBody":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTReleaseItemMessageBody"},{"type":"object","properties":{"revisionId":{"type":"string"}}}]},"BTRevisionNodeItemState":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"uniqueId":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTRevisionParams":{"type":"object","properties":{"companyId":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"insertableId":{"type":"string"},"partNumber":{"type":"string"},"releaseId":{"type":"string"},"revision":{"type":"string"},"versionId":{"type":"string"}}},"BTRevisionRuleInfo":{"type":"object","properties":{"companyId":{"type":"string"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"revisionList":{"type":"array","items":{"type":"string"}},"ruleType":{"type":"integer","format":"int32"},"script":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTRevisionRuleParams":{"type":"object","properties":{"companyId":{"type":"string"},"description":{"type":"string"},"name":{"type":"string"},"revisionList":{"type":"array","items":{"type":"string"}},"ruleType":{"type":"integer","format":"int32"},"script":{"type":"string"},"validationRegex":{"type":"string"}}},"BTRevisionSingleChangeRevisionItem":{"type":"object","properties":{"fromState":{"$ref":"#/components/schemas/BTRevisionNodeItemState"},"nodeIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"partNumber":{"type":"string"},"toRevisionId":{"type":"string"}}},"BTRevisionTableHeaderInfo":{"type":"object","properties":{"displayName":{"type":"string"},"propertyId":{"type":"string"},"valueType":{"type":"integer","format":"int32"}}},"BTRevisionTableInfo":{"type":"object","properties":{"headers":{"type":"array","items":{"$ref":"#/components/schemas/BTRevisionTableHeaderInfo"}},"isAllCaps":{"type":"boolean"},"partNumber":{"type":"string"},"rows":{"type":"array","items":{"$ref":"#/components/schemas/BTRevisionTableRowInfo"}}}},"BTRevisionTableRowInfo":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"metadataHref":{"type":"string"},"properties":{"type":"object","additionalProperties":{"type":"string"}},"revisionId":{"type":"string"},"revisionOrdinal":{"type":"integer","format":"int32"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTRevisionUpdateParams":{"type":"object","properties":{"isRereleasable":{"type":"boolean"},"partId":{"type":"string"},"recomputeInsertableId":{"type":"boolean"}}},"BTRhoDimensionDisplayData-2892":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTDimensionDisplayData-323"},{"type":"object","properties":{"btType":{"type":"string"},"positionX":{"type":"number","format":"double"},"positionY":{"type":"number","format":"double"}}}]},"BTRole":{"type":"string","enum":["ANONYMOUS","TOTPPENDINGUSER
","USER","DEVELOPER","PARTNER","ONSHAPECOMPANYUSER","ADMIN","SERVICE"]},"BTRootAssemblyDisplayData-96":{"type":"object","properties":{"btType":{"type":"string"},"buildDurationMillis":{"type":"number","format":"double"},"deletedGeometryMateIds":{"type":"array","items":{"type":"string"}},"deletedLoads":{"type":"array","items":{"type":"string"}},"deletedMateConnectorIds":{"type":"array","items":{"type":"string"}},"deletedMateGroupIds":{"type":"array","items":{"type":"string"}},"deletedMateIds":{"type":"array","items":{"type":"string"}},"deletedOccurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"elementId":{"type":"string"},"fromFullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"fullElementId":{"$ref":"#/components/schemas/BTFullElementId-756"},"geometryMates":{"type":"array","items":{"$ref":"#/components/schemas/BTGeometryMateDisplayData-1050"}},"incremental":{"type":"boolean"},"instanceCount":{"type":"integer","format":"int32"},"isCollapsible":{"type":"boolean"},"isForInContext":{"type":"boolean"},"keepFromMicroversion":{"type":"boolean"},"loads":{"type":"array","items":{"$ref":"#/components/schemas/BTLoadDisplayData-837"}},"mateConnectors":{"type":"array","items":{"$ref":"#/components/schemas/BTMateConnectorDisplayData-94"}},"mateGroups":{"type":"array","items":{"$ref":"#/components/schemas/BTMateGroupDisplayData-1990"}},"mates":{"type":"array","items":{"$ref":"#/components/schemas/BTMateDisplayData-1358"}},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionIdAndConfigurationInterval":{"$ref":"#/components/schemas/BTMicroversionIdAndConfigurationInterval-2364"},"microversionInterval":{"$ref":"#/components/schemas/BTMicroversionIdInterval-367"},"occurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrenceDisplayData-95"}},"originDisplayData":{"$ref":"#/components/schemas/BTOriginDisplayData-934"},"partStudioDisplayData":{"type":"array","items":{"$ref":"#/components/s
chemas/BTPartStudioDisplayDataBase-2751"}},"quickSummary":{"type":"string"},"sentTimeISO":{"type":"string"},"versionForRasterization":{"$ref":"#/components/schemas/BTElementDisplayData-326"}}},"BTRootAssemblyInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"documentMicroversion":{"type":"string"},"documentVersion":{"type":"string"},"elementId":{"type":"string"},"features":{"type":"array","description":"List of Assembly features including those are created by replicates.","items":{"$ref":"#/components/schemas/BTAssemblyFeatureInfo"}},"fullConfiguration":{"type":"string"},"instances":{"type":"array","description":"List of instances including those created by patterns and replicates.","items":{"$ref":"#/components/schemas/BTAssemblyInstanceInfo"}},"occurrences":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyOccurrenceInfo"}},"partNumber":{"type":"string"},"patterns":{"type":"array","description":"List of patterns.","items":{"$ref":"#/components/schemas/BTAssemblyPatternInfo"}},"revision":{"type":"string"}}},"BTRootDiffInfo":{"type":"object","properties":{"changes":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTDiffInfo"}},"collectionChanges":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTDiffInfo"}}},"entityType":{"$ref":"#/components/schemas/BTDiffInfoCollectionType"},"geometryChangeMessages":{"type":"array","items":{"type":"string"}},"sourceConfiguration":{"type":"string"},"sourceId":{"type":"string"},"sourceMicroversionId":{"type":"string"},"sourceValue":{"type":"string"},"sourceVersionId":{"type":"string"},"sourceWorkspaceId":{"type":"string"},"targetConfiguration":{"type":"string"},"targetId":{"type":"string"},"targetMicroversionId":{"type":"string"},"targetValue":{"type":"string"},"targetVersionId":{"type":"string"},"targetWorkspaceId":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTNodeChange"}}},"BTSMBendTable
RowMetadata-1705":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTBaseSMJointTableRowMetadata-2232"},{"type":"object","properties":{"btType":{"type":"string"},"isJointTypeEditable":{"type":"boolean"}}}]},"BTSMDefinitionEntityTypeFilter-1651":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"smDefinitionEntityType":{"$ref":"#/components/schemas/GBTEntityType"}}}]},"BTSMOtherJointTableRowMetadata-2640":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTBaseSMJointTableRowMetadata-2232"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTSMSpecificMetadata-1315":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTDomainSpecificMetadata-961"},{"type":"object","properties":{"btType":{"type":"string"},"definitionEntityType":{"$ref":"#/components/schemas/GBTEntityType"}}}]},"BTSearchEntityType":{"type":"string","enum":["unknown","capability","company","document","element","friend","item","part","team","user","version","workspace","project","publication"]},"BTSearchFieldType":{"type":"string","enum":["UNKNOWN","KEYWORD","TEXT","WILDCARD","INTEGER_RANGE","FLOAT_RANGE","LONG_RANGE","DOUBLE_RANGE","DATE_RANGE","IP_RANGE","BINARY","LONG","INTEGER","SHORT","BYTE","DOUBLE","FLOAT","HALF_FLOAT","SCALED_FLOAT","DATE","DATE_NANO","BOOLEAN","OBJECT","NESTED","JOIN","COMPLETION","SEARCH_AS_YOU_TYPE","RANK_FEATURE","RANK_FEATURES","ALIAS"]},"BTSearchFieldsInfo":{"type":"object","properties":{"categoriesByOwner":{"type":"object","additionalProperties":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/CategoryValue"}}},"fields":{"type":"array","items":{"$ref":"#/components/schemas/Field"}},"ownerIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTSearchIndexPar
ams":{"type":"object","properties":{"batchSize":{"type":"integer","format":"int32"},"companyId":{"type":"string"},"documentId":{"type":"string"},"rerunId":{"type":"string"}}},"BTSearchIndexRunDataInfo":{"type":"object","properties":{"completedBatches":{"type":"integer","format":"int64"},"configuration":{"$ref":"#/components/schemas/Configuration"},"createdBatches":{"type":"integer","format":"int64"},"endDate":{"type":"string","format":"date-time"},"failures":{"$ref":"#/components/schemas/Failures"},"indexedDocuments":{"type":"integer","format":"int64"},"indexedElements":{"type":"integer","format":"int64"},"indexedParts":{"type":"integer","format":"int64"},"indexedVersions":{"type":"integer","format":"int64"},"indexedWorkspaces":{"type":"integer","format":"int64"},"newtonVersion":{"type":"string"},"runId":{"type":"string"},"startDate":{"type":"string","format":"date-time"},"state":{"type":"string"},"type":{"$ref":"#/components/schemas/Type"}}},"BTSearchIndexRunSummaryInfo":{"type":"object","properties":{"endDate":{"type":"string","format":"date-time"},"runId":{"type":"string"},"startDate":{"type":"string","format":"date-time"},"state":{"type":"string"},"type":{"$ref":"#/components/schemas/Type"}}},"BTSearchResponseInfo":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/BTSearchableMetadataItem"}},"totalHits":{"$ref":"#/components/schemas/TotalHits"}}},"BTSearchableMetadataItem":{"type":"object","properties":{"category":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"createdAt":{"type":"string","format":"date-time"},"creatorId":{"type":"string"},"description":{"type":"string"},"dt":{"$ref":"#/components/schemas/BTSearchEntityType"},"id":{"type":"string"},"metadataObjectType":{"$ref":"#/components/schemas/BTMetadataObjectType"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedById":{"type":"string"},"name":{"type":"string"},"otherFields":{"type":"object","additionalProperties":{"type":"object"},"writ
eOnly":true},"properties":{"type":"object","additionalProperties":{"type":"string"}}}},"BTSeatsParams":{"type":"object","properties":{"lightSeats":{"type":"integer","format":"int64"},"seats":{"type":"integer","format":"int64"},"userId":{"type":"string"}}},"BTSectionGeometryFilter-4161":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isSectionGeometry":{"type":"boolean"}}}]},"BTSectionPlaneInfo":{"type":"object","properties":{"center":{"type":"array","items":{"type":"number","format":"double"}},"normal":{"type":"array","items":{"type":"number","format":"double"}},"tangent":{"type":"array","items":{"type":"number","format":"double"}}}},"BTSelectItemViewStateInfo":{"type":"object","properties":{"activeSelectorId":{"type":"string"},"documentSelectors":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentSelectorInfo"}},"purpose":{"type":"string"}}},"BTSemanticVersion":{"type":"object","properties":{"buildMetadata":{"type":"string"},"majorVersion":{"type":"string"},"minorVersion":{"type":"string"},"patch":{"type":"string"},"prerelease":{"type":"string"}}},"BTSessionCredentialInfo":{"type":"object","properties":{"provider":{"type":"string"},"type":{"type":"string"}}},"BTSetFeatureRollbackCall-1899":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureApiBase-1430"},{"type":"object","properties":{"btType":{"type":"string"},"rollbackIndex":{"type":"integer","format":"int32"}}}]},"BTSetFeatureRollbackResponse-1042":{"type":"object","properties":{"btType":{"type":"string"},"libraryVersion":{"type":"integer","format":"int32"},"microversionId":{"$ref":"#/components/schemas/BTMicroversionId-366"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"rollbackIndex":{"type":"integer","format":"int32"},"serializationVersion":{"type":"string"},"sourceMicroversion"
:{"type":"string"}}},"BTSetPublishedFSParams":{"type":"object","properties":{"versionId":{"type":"string"}}},"BTSettingInfo":{"type":"object","properties":{"key":{"type":"string"},"value":{"type":"object"}}},"BTSettingParam":{"type":"object","properties":{"key":{"type":"string"},"value":{"type":"object"}}},"BTShadedViewsInfo":{"type":"object","properties":{"images":{"type":"array","items":{"type":"array","items":{"type":"string","format":"byte"}}}},"description":"Images are returned as base64-encoded strings."},"BTShareEntryParams":{"type":"object","properties":{"applicationId":{"type":"string"},"companyId":{"type":"string"},"email":{"type":"string"},"entryType":{"type":"integer","format":"int32"},"teamId":{"type":"string"},"userId":{"type":"string"}}},"BTShareParams":{"type":"object","properties":{"documentId":{"type":"string"},"elementId":{"type":"string"},"encodedConfiguration":{"type":"string"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTShareEntryParams"}},"folderId":{"type":"string"},"message":{"type":"string"},"permission":{"type":"integer","format":"int64"},"permissionSet":{"type":"array","items":{"type":"string"}},"update":{"type":"boolean"},"workspaceId":{"type":"string"}}},"BTShareReportParams":{"type":"object","properties":{"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTShareEntryParams"}},"permissionSet":{"type":"array","items":{"type":"string"}}}},"BTShareWithSupportDevelopersParams":{"type":"object","properties":{"description":{"type":"string"},"userIds":{"type":"array","items":{"type":"string"}}}},"BTSiemEventInfo":{"type":"object","properties":{"actedOn":{"type":"string"},"actor":{"type":"string"},"deliveredTo":{"type":"string"},"eventTime":{"type":"string","format":"date-time"},"eventType":{"type":"string"},"region":{"type":"string"}}},"BTSiemWebResponseInfo":{"type":"object","properties":{"eventsCEF":{"type":"string"},"eventsJson":{"type":"array","items":{"$ref":"#/components/schemas/BTSiemEventInfo"}},"hre
f":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"responseId":{"$ref":"#/components/schemas/ObjectId"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTSimplePropertyInfo":{"type":"object","properties":{"displayName":{"type":"string"},"frozen":{"type":"boolean"},"propertyId":{"type":"string"},"publishState":{"type":"integer","format":"int32"},"valueType":{"$ref":"#/components/schemas/BTMetadataValueType"}}},"BTSimulationConnectionInfo":{"type":"object","properties":{"connectionPairCount":{"type":"integer","format":"int32"},"errorText":{"type":"string"}}},"BTSimulationFace-2147":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTEntityFace-31"},{"type":"object","properties":{"bounds":{"$ref":"#/components/schemas/BTBoundingBox-1052"},"btType":{"type":"string"},"sampleTrianglePointIndices":{"$ref":"#/components/schemas/BTImmutableIntArray"},"triangleNormalIndices":{"$ref":"#/components/schemas/BTImmutableIntArray"},"trianglePointIndices":{"$ref":"#/components/schemas/BTImmutableIntArray"}}}]},"BTSimulationInfo":{"type":"object","properties":{"nodeId":{"type":"string"}}},"BTSimulationInstance-3093":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTMNode-19"},{"type":"object","properties":{"btType":{"type":"string"},"isModal":{"type":"boolean"},"simulationId":{"type":"string"}}}]},"BTSimulationResultInfo":{"type":"object","properties":{"errorText":{"type":"string"},"maxDisplacement":{"type":"number","format":"float"},"maxVonMisesStress":{"type":"number","format":"float"},"minDisplacement":{"type":"number","format":"float"},"minVonMisesStress":{"type":"number","format":"float"
}}},"BTSimulationTableColumnInfo-1785":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableColumnInfo-1222"},{"type":"object","properties":{"btType":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableAssemblyCrossHighlightData-2675"}}}]},"BTSingleAssemblyReferenceDisplayData-1557":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSingleReferenceDisplayData-1943"},{"type":"object","properties":{"assemblyDisplayData":{"$ref":"#/components/schemas/BTRootAssemblyDisplayData-96"},"btType":{"type":"string"},"occurrencesToExclude":{"type":"array","items":{"$ref":"#/components/schemas/BTOccurrence-74"}},"transform":{"$ref":"#/components/schemas/BTBSMatrix-386"}}}]},"BTSingleReferenceDisplayData-1943":{"type":"object","properties":{"btType":{"type":"string"},"contextWorkspaceId":{"type":"string"},"documentId":{"type":"string"},"error":{"$ref":"#/components/schemas/GBTErrorStringEnum"},"errorMessage":{"type":"string"},"isTransient":{"type":"boolean"},"name":{"type":"string"},"referenceName":{"type":"string"},"referenceNodeId":{"type":"string"},"visibility":{"$ref":"#/components/schemas/GBTBSFeatureVisibility"}},"discriminator":{"propertyName":"btType","mapping":{"BTSingleAssemblyReferenceDisplayData-1557":"#/components/schemas/BTSingleAssemblyReferenceDisplayData-1557"}}},"BTSketchArcDisplayData-349":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTSketchCircleDisplayData-350":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"},"radius":{"type":"number","format":"double"}}}]},"BTSketchCompositeEntityDisplayData-1093":{"type":"object","properties":{"btType":{"type":"string"}
},"discriminator":{"propertyName":"btType","mapping":{"BTSketchImageDisplayData-1379":"#/components/schemas/BTSketchImageDisplayData-1379","BTSketchTextDisplayData-1707":"#/components/schemas/BTSketchTextDisplayData-1707"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTSketchConicDisplayData-1085":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"},"offset":{"type":"number","format":"double"},"rho":{"type":"number","format":"double"}}}]},"BTSketchEllipseDisplayData-712":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"},"minorRadius":{"type":"number","format":"double"},"offset":{"type":"number","format":"double"},"radius":{"type":"number","format":"double"}}}]},"BTSketchEllipticalArcDisplayData-892":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"},"endParam":{"type":"number","format":"double"},"minorRadius":{"type":"number","format":"double"},"offset":{"type":"number","format":"double"},"radius":{"type":"number","format":"double"},"startParam":{"type":"number","format":"double"}}}]},"BTSketchEntity-25":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTFeatureEntity-34"},{"type":"object","properties":{"btType":{"type":"string"},"isConstruction":{"type":"boolean"},"isFromSplineControlPolygon":{"type":"boolean"},"isFromSplineHandle":{"type":"boolean"},"isTextStroke":{"type":"boolean"},"isUserPoint":{"type":"boolean"},"sketchCurveType":{"$ref":"#/components/schemas/GBTSketchCurveType"},"sketchEntityId":{"type":"string"},"solveSt
atus":{"type":"integer","format":"int32"}}}]},"BTSketchEntityDisplayData-354":{"type":"object","properties":{"btType":{"type":"string"},"points":{"type":"array","items":{"type":"number","format":"double"}}},"discriminator":{"propertyName":"btType","mapping":{"BTSketchArcDisplayData-349":"#/components/schemas/BTSketchArcDisplayData-349","BTSketchCircleDisplayData-350":"#/components/schemas/BTSketchCircleDisplayData-350","BTSketchCompositeEntityDisplayData-1093":"#/components/schemas/BTSketchCompositeEntityDisplayData-1093","BTSketchConicDisplayData-1085":"#/components/schemas/BTSketchConicDisplayData-1085","BTSketchEllipseDisplayData-712":"#/components/schemas/BTSketchEllipseDisplayData-712","BTSketchEllipticalArcDisplayData-892":"#/components/schemas/BTSketchEllipticalArcDisplayData-892","BTSketchLineDisplayData-357":"#/components/schemas/BTSketchLineDisplayData-357","BTSketchPointDisplayData-358":"#/components/schemas/BTSketchPointDisplayData-358","BTSketchSplineDisplayData-359":"#/components/schemas/BTSketchSplineDisplayData-359"}}},"BTSketchImageDisplayData-1379":{"type":"object","properties":{"bottomLeftCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"bottomRightCorner":{"$ref":"#/components/schemas/BTVector3d-389"},"btType":{"type":"string"},"entities":{"type":"array","items":{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"}},"featureId":{"type":"string"},"isOnFlat":{"type":"boolean"},"points":{"type":"array","items":{"type":"number","format":"double"}},"sourceId":{"type":"string"},"topLeftCorner":{"$ref":"#/components/schemas/BTVector3d-389"}}},"BTSketchLineDisplayData-357":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTSketchObjectFilter-184":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btTyp
e":{"type":"string"},"isSketchObject":{"type":"boolean"},"objectType":{"$ref":"#/components/schemas/GBTSketchObjectType"}}}]},"BTSketchPointDisplayData-358":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTSketchSolveStatusFilter-3657":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"solveStatus":{"$ref":"#/components/schemas/GBTMGeomStatus"}}}]},"BTSketchSplineDisplayData-359":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchEntityDisplayData-354"},{"type":"object","properties":{"btType":{"type":"string"},"closed":{"type":"boolean"},"controlPointCount":{"type":"integer","format":"int32"},"degree":{"type":"integer","format":"int32"},"hasHandlesInSketch":{"type":"boolean"},"maximumParameter":{"type":"number","format":"double"},"minimumParameter":{"type":"number","format":"double"},"rational":{"type":"boolean"},"segment":{"type":"boolean"}}}]},"BTSketchTextDisplayData-1707":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSketchCompositeEntityDisplayData-1093"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTSphereDescription-1263":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"btType":{"type":"string"},"radius":{"type":"number","format":"double"}}}]},"BTSplineControlPolygonFilter-1130":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"allowsSplineControlPolygon":{"type":"boolean"},"btType":{"type":"string"}}}]},"BTSplineDescription-2118":{"type":"object","properties":{
"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTCurveDescription-1583"},{"type":"object","properties":{"btType":{"type":"string"},"controlPoints":{"type":"array","items":{"type":"number","format":"double"}},"degree":{"type":"integer","format":"int32"},"isPeriodic":{"type":"boolean"},"isRational":{"type":"boolean"},"knots":{"type":"array","items":{"type":"number","format":"double"}}}}]},"BTSplineHandleFilter-2971":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"allowsSplineHandle":{"type":"boolean"},"btType":{"type":"string"}}}]},"BTSpunDescription-657":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"axis":{"$ref":"#/components/schemas/BTVector3d-389"},"btType":{"type":"string"}}}]},"BTStandardContentComponentInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"options":{"type":"object","additionalProperties":{"type":"object"}},"optionsFSValue":{"$ref":"#/components/schemas/BTFSValueMap-2062"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTStandardContentParameterInfo"}},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTStandardContentCustomParameterDefinition":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"description":{"type":"string"},"id":{"$ref":"#/components/schemas/BTStandardContentCustomParameterDefinitionId"},"isDrivingConfiguration":{"type":"boolean"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string"},"new":{"type":"boolean"},"parameterLinkType":{"type":"integer","format":"int32"},"parameterType":{"type":"integer","format":"int32"},"parameterValue":{"type":"string"}}},"BTStandardContentCustomParameterDefinitionId":{"type":"object","properties":{"category":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"parameterName":{"type":"string"},"propertyId":{"type":"string"},"standard":{"type":"string"},"type":{"type":"string"},"types":{"type":"string"}}},"BTStandardContentCustomParameterParams":{"type":"object","properties":{"category":{"type":"string"},"componentDocumentId":{"type":"string"},"disableProduction":{"type":"boolean"},"isDrivingConfiguration":{"type":"boolean"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"parameterName":{"type":"string"},"parameterType":{"type":"integer","format":"int32"},"parameterValue":{"type":"string"},"productionVersionId":{"type":"string"},"propertyId":{"type":"string"},"standard":{"type":"string"},"testVersionId":{"type":"string"},"type":{"type":"string"},"types":{"type":"string"}}},"BTStandardContentFindUsageParams":{"type":"object","properties":{"companyId":{"type":"string"},"componentDocumentId":{"type":"string"},"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTStandardContentParameterDefinition"}},"usedFromInDays":{"type":"string"},"userId":{"type":"string"}}},"BTStandardContentHierarchy":{"type":"object","properties":{"category":{"type":"string"},"createdAt":{"type":"string","format":"dat
e-time"},"createdBy":{"type":"string"},"documentId":{"type":"string"},"documentType":{"type":"integer","format":"int32"},"id":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"productionVersionId":{"type":"string"},"standard":{"type":"string"},"testVersionId":{"type":"string"},"type":{"type":"string"},"types":{"type":"string"}}},"BTStandardContentHierarchyInfo":{"type":"object","properties":{"category":{"type":"string"},"defaultWorkspace":{"type":"string"},"documentType":{"type":"integer","format":"int32"},"existingVersions":{"type":"array","items":{"$ref":"#/components/schemas/VersionSpecs"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"productionVersionId":{"type":"string"},"standard":{"type":"string"},"testVersionId":{"type":"string"},"type":{"type":"string"},"types":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTStandardContentHierarchyParams":{"type":"object","properties":{"category":{"type":"string"},"componentDocumentId":{"type":"string"},"disableProduction":{"type":"boolean"},"productionVersionId":{"type":"string"},"standard":{"type":"string"},"testVersionId":{"type":"string"},"type":{"type":"string"},"types":{"type":"string"}}},"BTStandardContentHierarchyRenameParams":{"type":"object","properties":{"category":{"type":"string"},"componentDocumentId":{"type":"string"},"disableProduction":{"type":"boolean"},"productionVersionId":{"type":"string"},"renameTo":{"type":"string"},"standard":{"type":"string"},"testVersionId":{"type":"string"},"type":{"type":"string"},"types":{"type":"string"}}},"BTStandardContentInsertableComponentInfo":{"type":"object","properties":{"componentVersionName":{"type":"string"},"insertableComponent":{"$ref":"#/components/schemas/BTInsertable"},"insertableData":{"type":"array","items":{"type":"string","format":"byte"}}}},"BTStandardContentParameterDefinition":{"type":"object","properties":{"defaultValue":{"type":"string"},"displayName":{"type":"string"},"isCustomParameter":{"type":"boolean"},"isDrivingConfiguration":{"type":"boolean"},"parameterId":{"type":"string"},"visible":{"type":"boolean"}}},"BTStandardContentParameterInfo":{"type":"object","properties":{"defaultValue":{"type":"string"},"displayName":{"type":"string"},"generatedDefaultValue":{"type":"string"},"isCustomParameter":{"type":"boolean"},"isDrivingConfiguration":{"type":"boolean"},"maxLength":{"type":"integer","format":"int32"},"parameterDefinition":{"$ref":"#/components/schemas/BTStandardContentParameterDefinition"},"parameterId":{"type":"string"},"parameterValues":{"type":"array","items":{"type":"string"}},"valueFieldType":{"type":"integer","format":"int32"},"valueFieldTypeByName":{"type":"string","writeOnly":true},"valueFieldTypeEnum":{"$ref":"#/components/schemas/GBTStandardContentValueFieldType"},"visible":{"type":"boolean"}}},"BTStandardContentParams":{"type":"object"
,"properties":{"parameters":{"type":"array","items":{"$ref":"#/components/schemas/BTStandardContentParameterDefinition"}},"parametersId":{"type":"string"},"parametersIdVersion":{"type":"string"},"saveCustomProperties":{"type":"boolean"},"targetDocumentId":{"type":"string"},"targetElementId":{"type":"string"}}},"BTStandardContentSetRunVersionsParams":{"type":"object","properties":{"componentDocumentId":{"type":"string"},"productionVersionId":{"type":"string"},"testVersionId":{"type":"string"}}},"BTStandardContentUsageSummary":{"type":"object","properties":{"latestVersionUseCount":{"type":"integer","format":"int64"},"topComponentsUsedAlongWithByLatestVersions":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTComponentUsagesSummary"}},"topUsedComponentsByLatestVersions":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTComponentUsagesSummary"}},"topUsedComponentsByWorkspaces":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTComponentUsagesSummary"}},"topUsersByLatestVersions":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTUserUsagesSummary"}},"topUsersByWorkspaces":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTUserUsagesSummary"}},"topUsersSummaryDone":{"type":"boolean"},"versionUseCount":{"type":"integer","format":"int64"},"workspaceUseCount":{"type":"integer","format":"int64"}}},"BTStateDef":{"type":"object","properties":{"allActions":{"type":"array","items":{"$ref":"#/components/schemas/BTActionDef"}},"approverSourceProperty":{"type":"string"},"displayName":{"type":"string"},"editPermissions":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"editableProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"entryActions":{"type":"array","items":{"$ref":"#/components/schemas/BTActionDef"}},"exitActions":{"type":"array","items":{"$ref":"#/components/schemas/BTActionDef"}},"name":{"type":"string"},"nonEditableProperties":{"
uniqueItems":true,"type":"array","items":{"type":"string"}},"notifierSourceProperty":{"type":"string"},"requiredItemProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"requiredProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTStepInputValidationResult":{"type":"object","properties":{"errorMessage":{"type":"string"},"inputName":{"type":"string"},"inputValue":{"type":"string"}}},"BTStepParamTypeInfo":{"type":"object","properties":{"description":{"type":"string"},"displayName":{"type":"string"},"key":{"type":"string"},"properties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"required":{"type":"boolean"},"type":{"type":"integer","format":"int32"}}},"BTStringFormatBlockPattern-1755":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTStringFormatCondition-683"},{"type":"object","properties":{"btType":{"type":"string"},"regExpToBlock":{"type":"string"}}}]},"BTStringFormatCondition-683":{"type":"object","properties":{"btType":{"type":"string"},"errorMessage":{"type":"string"},"shouldResetValueWhenConfirmed":{"type":"boolean"}},"discriminator":{"propertyName":"btType","mapping":{"BTStringFormatBlockPattern-1755":"#/components/schemas/BTStringFormatBlockPattern-1755","BTStringFormatMatchPattern-2446":"#/components/schemas/BTStringFormatMatchPattern-2446","BTStringMaximumLengthPattern-2593":"#/components/schemas/BTStringMaximumLengthPattern-2593","BTStringMinimumLengthPattern-895":"#/components/schemas/BTStringMinimumLengthPattern-895"}}},"BTStringFormatMatchPattern-2446":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTStringFormatCondition-683"},{"type":"object","properties":{"btType":{"type":"string"},"regExpToMatch":{"type":"string"}}}]},"BTStringMaximumLengthPattern-2593":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTStringFormatCondition-683"},{"type"
:"object","properties":{"btType":{"type":"string"},"maximumLength":{"type":"integer","format":"int32"}}}]},"BTStringMinimumLengthPattern-895":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTStringFormatCondition-683"},{"type":"object","properties":{"btType":{"type":"string"},"minimumLength":{"type":"integer","format":"int32"}}}]},"BTStringNodeWrapper-4224":{"type":"object","properties":{"btType":{"type":"string"},"nodeId":{"type":"string"},"string":{"type":"string"}}},"BTStudentSubmissionInfo":{"type":"object","properties":{"assignmentId":{"type":"string"},"classroomId":{"type":"string"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"documents":{"type":"array","items":{"$ref":"#/components/schemas/BTClassroomDocumentInfo"}},"educator":{"type":"boolean"},"hasComments":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"memberId":{"type":"string"},"memberName":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"numberOfAttempts":{"type":"integer","format":"int32"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}},"state":{"type":"integer","format":"int32"},"stateName":{"type":"string"},"submittedOn":{"type":"string","format":"date-time"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"}}},"BTStudentSubmissionParams":{"type":"object","properties":{"assignmentId":{"type":"string"}}},"BTSubAssemblyInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"documentMicroversion":{"type":"string"},"documentVersion":{"type":"string"},"elementId":{"type":"string"},"features":{"type":"array","description":"List of Assembly features including those are created by replicates.","items":{"$ref":"#/components/schemas/BTAssemblyFeatureInfo"}},"fullConfiguration":{"type":"string"},"instances":{"type":"array","description":"List of instances including those created by patterns and replicates.","items":{"$ref":"#/components/schemas/BTAssemblyInstanceInfo"}},"partNumber":{"type":"string"},"patterns":{"type":"array","description":"List of patterns.","items":{"$ref":"#/components/schemas/BTAssemblyPatternInfo"}},"revision":{"type":"string"}}},"BTSubstituteApproverInfo":{"type":"object","properties":{"companyId":{"type":"string"},"enabled":{"type":"boolean"},"identity":{"$ref":"#/components/schemas/BTIdentityInfo"}}},"BTSubstituteApproverParams":{"type":"object","properties":{"companyId":{"type":"string"},"enabled":{"type":"boolean"},"identity":{"$ref":"#/components/schemas/BTIdentityParams"}}},"BTSuggestedIdentityInfo":{"type":"object","properties":{"email":{"type":"string"},"firstName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"idType":{"$ref":"#/components/schemas/IdType"},"image":{"type":"string"},"lastName":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient 
if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTSurfaceDescription-1564":{"type":"object","properties":{"btType":{"type":"string"},"direction":{"$ref":"#/components/schemas/BTVector3d-389"},"directionOrientedWithFace":{"$ref":"#/components/schemas/BTVector3d-389"},"origin":{"$ref":"#/components/schemas/BTVector3d-389"},"type":{"$ref":"#/components/schemas/GBTSurfaceTypeEnum"}},"discriminator":{"propertyName":"btType","mapping":{"BTConeDescription-860":"#/components/schemas/BTConeDescription-860","BTCylinderDescription-686":"#/components/schemas/BTCylinderDescription-686","BTPlaneDescription-692":"#/components/schemas/BTPlaneDescription-692","BTSphereDescription-1263":"#/components/schemas/BTSphereDescription-1263","BTSpunDescription-657":"#/components/schemas/BTSpunDescription-657","BTSweepDescription-1473":"#/components/schemas/BTSweepDescription-1473","BTTorusDescription-1834":"#/components/schemas/BTTorusDescription-1834"}}},"BTSurveyResponseParams":{"type":"object","properties":{"msgId":{"type":"string"},"propertyMap":{"type":"object","additionalProperties":{"type":"object"}},"surveyType":{"type":"integer","format":"int32"}}},"BTSweepDescription-1473":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"btType":{"type":"string"},"profile":{"$ref":"#/components/schemas/BTSplineDescription-2118"}}}]},"BTSyncAppElementParams":{"type":"object","properties":{"description":{"type":"string"},"elements":{"type":"array","items":{"type":"string"}}}},"BTSynchronousExportInfo":{"type":"object","properties":{"documentId":{"type":"string","description":"The id of the document in which to perform the operation."},"downloadHref":{"type":"string","description":"The URL at which the file can be downloaded. 
The client will need to make a GET call to obtain the file contents."},"elementId":{"type":"string","description":"The id of the element in which to perform the operation."},"wvm":{"type":"string","description":"Indicates which of workspace (w), version (v), or document microversion (m) id is specified below."},"wvmId":{"type":"string","description":"The id of the workspace, version or document microversion in which the operation should be performed."}}},"BTSystemConfigInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"value":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTSystemPartColorCycle-1580":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTBasePartColorCycle-2614"},{"type":"object","properties":{"btType":{"type":"string"},"version":{"$ref":"#/components/schemas/GBTPartColorCycleVersion"}}}]},"BTTable-1825":{"type":"object","properties":{"allRowValues":{"type":"array","items":{"type":"array","items":{"type":"string"}}},"btType":{"type":"string"},"columnCount":{"type":"integer","format":"int32"},"frozenColumns":{"type":"integer","format":"int32"},"isFailed":{"type":"boolean"},"nodeId":{"type":"string"},"readOnly":{"type":"boolean"},"rowCount":{"type":"integer","format":"int32"},"sortOrder":{"$ref":"#/components/schemas/BTTableSortOrder-4371"},"tableColumns":{"type":"array","items":{"$ref":"#/components/schemas/BTTableColumnInfo-1222"}},"tableId":{"type":"string"},"tableRows":{"type":"array","items":{"$ref":"#/components/schemas/BTTableRow-1054"}},"title":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTAssemblySimulationStructural
LoadsTable-3867":"#/components/schemas/BTAssemblySimulationStructuralLoadsTable-3867","BTAssemblySimulationTable-3236":"#/components/schemas/BTAssemblySimulationTable-3236","BTBillOfMaterialsTable-1073":"#/components/schemas/BTBillOfMaterialsTable-1073","BTConfiguredPartPropertiesTable-2740":"#/components/schemas/BTConfiguredPartPropertiesTable-2740","BTFSTable-953":"#/components/schemas/BTFSTable-953"}}},"BTTableAssemblyCrossHighlightData-2675":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"},{"type":"object","properties":{"assemblyCrossHighlightItems":{"type":"array","items":{"$ref":"#/components/schemas/BTTableAssemblyCrossHighlightDataItem-2659"}}}}]},"BTTableAssemblyCrossHighlightDataItem-2659":{"type":"object","properties":{"btType":{"type":"string"},"occurrencePathId":{"type":"string"}}},"BTTableBaseCrossHighlightData-2609":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTTableAssemblyCrossHighlightData-2675":"#/components/schemas/BTTableAssemblyCrossHighlightData-2675","BTTableCrossHighlightData-1753":"#/components/schemas/BTTableCrossHighlightData-1753"}}},"BTTableBaseRowMetadata-3181":{"type":"object","properties":{"btType":{"type":"string"},"crossHighlightDataIfAny":{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"}},"discriminator":{"propertyName":"btType","mapping":{"BTBaseSMJointTableRowMetadata-2232":"#/components/schemas/BTBaseSMJointTableRowMetadata-2232","BTBillOfMaterialsTableRowMetadata-1300":"#/components/schemas/BTBillOfMaterialsTableRowMetadata-1300","BTFSTableRowMetadata-2262":"#/components/schemas/BTFSTableRowMetadata-2262","BTVariableTableRowMetadata-3912":"#/components/schemas/BTVariableTableRowMetadata-3912"}}},"BTTableCell-1114":{"type":"object","properties":{"btType":{"type":"string"},"isEverVisible":{"type":"boolean"},"isReadOnly":{"type":"boolean"}},"discriminator":{"pro
pertyName":"btType","mapping":{"BTTableCellParameter-2399":"#/components/schemas/BTTableCellParameter-2399","BTTableTestCellDouble-2509":"#/components/schemas/BTTableTestCellDouble-2509","BTTableTestCellString-2112":"#/components/schemas/BTTableTestCellString-2112"}}},"BTTableCellParameter-2399":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTTableCellParameterWithValue-2122":"#/components/schemas/BTTableCellParameterWithValue-2122","BTTableCellPropertyParameter-2983":"#/components/schemas/BTTableCellPropertyParameter-2983"}},"allOf":[{"$ref":"#/components/schemas/BTTableCell-1114"},{"type":"object","properties":{"btType":{"type":"string"},"error":{"type":"string"},"overrideSpec":{"$ref":"#/components/schemas/BTParameterSpec-6"},"parameter":{"$ref":"#/components/schemas/BTMParameter-1"}}}]},"BTTableCellParameterWithValue-2122":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableCellParameter-2399"},{"type":"object","properties":{"btType":{"type":"string"},"value":{"$ref":"#/components/schemas/BTFSValue-1888"}}}]},"BTTableCellPropertyParameter-2983":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableCellParameter-2399"},{"type":"object","properties":{"btType":{"type":"string"},"isUnchanged":{"type":"boolean"},"overrideStatusType":{"$ref":"#/components/schemas/GBTMetadataOverrideStatusType"},"propertySourceType":{"$ref":"#/components/schemas/GBTMetadataSourceType"}}}]},"BTTableColumnInfo-1222":{"type":"object","properties":{"btType":{"type":"string"},"id":{"type":"string"},"nodeId":{"type":"string"},"specification":{"$ref":"#/components/schemas/BTTableColumnSpec-1967"}},"discriminator":{"propertyName":"btType","mapping":{"BTConfiguredValuesColumnInfo-1025":"#/components/schemas/BTConfiguredValuesColumnInfo-1025","BTFSTableColumnInfo-623":"#/components/schemas/BTFSTableColumnInfo-623","BTNamedPositi
onValuesColumnInfo-816":"#/components/schemas/BTNamedPositionValuesColumnInfo-816","BTPropertyTableColumnInfo-2161":"#/components/schemas/BTPropertyTableColumnInfo-2161","BTSimulationTableColumnInfo-1785":"#/components/schemas/BTSimulationTableColumnInfo-1785"}}},"BTTableColumnSpec-1967":{"type":"object","properties":{"btType":{"type":"string"},"defaultCellSpec":{"$ref":"#/components/schemas/BTParameterSpec-6"},"defaultColumnWidthUnits":{"$ref":"#/components/schemas/GBTTableColumnWidthUnits"},"defaultColumnWidthValue":{"type":"integer","format":"int32"},"defaultHeaderName":{"type":"string"},"defaultTextAlignment":{"$ref":"#/components/schemas/GBTTableTextAlignment"},"readOnly":{"type":"boolean"}}},"BTTableCrossHighlightData-1753":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"},{"type":"object","properties":{"deterministicIdList":{"type":"array","items":{"type":"string"}},"featureIdList":{"type":"array","items":{"type":"string"}}}}]},"BTTableResponse-1546":{"type":"object","properties":{"btType":{"type":"string"},"sourceMicroversion":{"type":"string"},"table":{"$ref":"#/components/schemas/BTTable-1825"}}},"BTTableRow-1054":{"type":"object","properties":{"btType":{"type":"string"},"columnIdToCell":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTTableCell-1114"}},"id":{"type":"string"},"metaData":{"$ref":"#/components/schemas/BTTreeNode-20"},"nodeId":{"type":"string"},"rowMetadata":{"$ref":"#/components/schemas/BTTableBaseRowMetadata-3181"}},"discriminator":{"propertyName":"btType","mapping":{"BTBillOfMaterialsTableRow-1425":"#/components/schemas/BTBillOfMaterialsTableRow-1425"}}},"BTTableSortOrder-4371":{"type":"object","properties":{"btType":{"type":"string"},"isAscending":{"type":"boolean"},"nodeId":{"type":"string"},"sortingColumnId":{"type":"string"}}},"BTTableSpec-915":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/compone
nts/schemas/BTFeatureSpec-129"},{"type":"object","properties":{"btType":{"type":"string"},"isComputedPropertyTable":{"type":"boolean"}}}]},"BTTableTestCellDouble-2509":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableCell-1114"},{"type":"object","properties":{"btType":{"type":"string"},"cellValue":{"type":"number","format":"double"}}}]},"BTTableTestCellString-2112":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableCell-1114"},{"type":"object","properties":{"btType":{"type":"string"},"cellValue":{"type":"string"}}}]},"BTTagInfo":{"type":"object","properties":{"displayName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"systemTag":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTTagParams":{"type":"object","properties":{"displayName":{"type":"string"},"tag":{"type":"string"}}},"BTTaskInfo":{"type":"object","properties":{"action":{"type":"string"},"approverRole":{"type":"string"},"comments":{"type":"array","items":{"$ref":"#/components/schemas/BTCommentInfo"}},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"creator":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"deletable":{"type":"boolean"},"description":{"type":"string"},"documentId":{"type":"string"},"documentName":{"type":"string"},"documentType":{"type":"integer","format":"int32"},"editable":{"type":"boolean"},"elementId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"name":{"type":"string","description":"Name of the resource."},"objectId":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataPropertyInfo"}},"resolvedAt":{"type":"string","format":"date-time"},"resolvedBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"roles":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskRbacRoleInfo"}},"simpleName":{"type":"string"},"state":{"type":"string"},"status":{"type":"integer","format":"int32"},"taskItems":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskItemInfo"}},"taskTemplate":{"type":"integer","format":"int32"},"taskType":{"type":"string"},"teams":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskTeamSummaryInfo"}},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"transition":{"type":"string"},"users":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskUserSummaryInfo"}},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflowInfo":{"$ref":"#/components/schemas/BTWorkflowableObjectInfo"},"workflowableObjectType":{"type":"integer","format":"int32"},"workspaceId":{"type":"string"}}},"BTTaskItemInfo":{"type":"object","properties":{"assemblyFeatures":{"type":"array","items":{"type":"string"}},"bodyType":{"type":"string"},"configuration":{"type":"string"},"dataType":{"type":"string"},"documentId":{"type":"string"},"elementFeature":{"type":"string"},"elementId":{"type":"string"},"elementOccurrences":{"type":"array","items":{"type":"string"}},"elementQuery":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"fileName":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"mimeType":{"type":"string"},"name":{"type":"string","description":"Name of the 
resource."},"partId":{"type":"string"},"releaseState":{"type":"integer","format":"int32"},"revisionId":{"type":"string"},"versionId":{"type":"string"},"viewData":{"$ref":"#/components/schemas/BTViewDataInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTTaskItemParams":{"type":"object","properties":{"assemblyFeature":{"type":"string"},"bodyType":{"type":"string"},"configuration":{"type":"string"},"dataType":{"type":"string"},"description":{"type":"string"},"documentId":{"type":"string"},"elementFeature":{"type":"string"},"elementId":{"type":"string"},"elementOccurrence":{"type":"string"},"elementQuery":{"type":"string"},"elementType":{"type":"integer","format":"int32"},"id":{"type":"string"},"mimeType":{"type":"string"},"name":{"type":"string"},"partId":{"type":"string"},"revisionId":{"type":"string"},"versionId":{"type":"string"},"viewData":{"$ref":"#/components/schemas/BTViewDataParams"},"workspaceId":{"type":"string"}}},"BTTaskListResponse":{"type":"object","properties":{"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTTaskInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the 
resources.","format":"uri"},"taskTypes":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskTypeInfo"}}}},"BTTaskParams":{"type":"object","properties":{"addItemParams":{"type":"array","items":{"$ref":"#/components/schemas/BTTaskItemParams"}},"assigneeValues":{"type":"array","items":{"type":"string"}},"commentParamValue":{"type":"string"},"companyId":{"type":"string"},"deleteItemIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"descriptionParamValue":{"type":"string"},"empty":{"type":"boolean"},"nameParamValue":{"type":"string"},"propertyValues":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertyValueParam"}}}},"BTTaskRbacRoleInfo":{"type":"object","properties":{"acted":{"type":"boolean"},"active":{"type":"boolean"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"predefinedRole":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTaskTeamSummaryInfo":{"type":"object","properties":{"acted":{"type":"boolean"},"active":{"type":"boolean"},"canMove":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isContainer":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"isMutable":{"type":"boolean"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the 
resource."},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"predefinedTeam":{"type":"integer","format":"int32"},"predefinedTeamMutable":{"type":"boolean"},"projectId":{"type":"string"},"resourceType":{"type":"string"},"treeHref":{"type":"string"},"unparentHref":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTaskTypeInfo":{"type":"object","properties":{"displayName":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"}}},"BTTaskUserSummaryInfo":{"type":"object","properties":{"acted":{"type":"boolean"},"company":{"$ref":"#/components/schemas/BTCompanySummaryInfo"},"documentationName":{"type":"string"},"documentationNameOverride":{"type":"string"},"email":{"type":"string"},"firstName":{"type":"string"},"globalPermissions":{"$ref":"#/components/schemas/GlobalPermissionInfo"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"invitationState":{"type":"integer","format":"int32"},"isGuest":{"type":"boolean"},"isLight":{"type":"boolean"},"lastLoginTime":{"type":"string","format":"date-time"},"lastName":{"type":"string"},"name":{"type":"string","description":"Name of the resource."},"personalMessageAllowed":{"type":"boolean"},"source":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTeamInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTTeamSummaryInfo"},{"type":"object","properties":{"admin":{"type":"boolean"},"member":{"type":"boolean"},"size":{"type":"integer","format":"int32"}}}]},"BTTeamMemberInfo":{"type":"object","properties":{"admin":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"member":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"team":{"$ref":"#/components/schemas/BTTeamSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTeamMemberListInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"results":{"type":"array","items":{"$ref":"#/components/schemas/BTAddTeamMemberResultInfo"}},"teamId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTeamMemberListParams":{"type":"object","properties":{"listOfEmails":{"type":"array","items":{"type":"string"}},"teamId":{"type":"string"}}},"BTTeamMemberParams":{"type":"object","properties":{"admin":{"type":"boolean"},"email":{"type":"string"},"teamId":{"type":"string"}}},"BTTeamParams":{"type":"object","properties":{"description":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"}}},"BTTeamSummaryInfo":{"type":"object","properties":{"active":{"type":"boolean"},"canMove":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"isContainer":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"isMutable":{"type":"boolean"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"owner":{"$ref":"#/components/schemas/BTOwnerInfo"},"predefinedTeam":{"type":"integer","format":"int32"},"predefinedTeamMutable":{"type":"boolean"},"projectId":{"type":"string"},"resourceType":{"type":"string"},"treeHref":{"type":"string"},"unparentHref":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"discriminator":{"propertyName":"jsonType","mapping":{"team":"#/components/schemas/BTTeamInfo"}}},"BTTessellatedGeometry-2576":{"type":"object","properties":{"btType":{"type":"string"}},"discriminator":{"propertyName":"btType","mapping":{"BTEntityDegenerateEdge-1129":"#/components/schemas/BTEntityDegenerateEdge-1129","BTEntityEdge-30":"#/components/schemas/BTEntityEdge-30","BTEntityFace-31":"#/components/schemas/BTEntityFace-31","BTEntityPoint-29":"#/components/schemas/BTEntityPoint-29"}},"allOf":[{"$ref":"#/components/schemas/BTEntityGeometry-35"},{"type":"object","properties":{"btType":{"type":"string"}}}]},"BTTessellationProperties-927":{"type":"object","properties":{"angularTolerance":{"type":"number","format":"double"},"btType":{"type":"string"},"chordalTolerance":{"type":"number","format":"double"},"nodeId":{"type":"string"},"tessellationBudget":{"type":"integer","format":"int32"}}},"BTTextObjectFilter-1515":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":{"btType":{"type":"string"},"isText":{"type":"boolean"}}}]},"BTTextStrokeFilter-461":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTQueryFilter-183"},{"type":"object","properties":
{"btType":{"type":"string"},"isStroke":{"type":"boolean"}}}]},"BTThumbnailInfo":{"type":"object","properties":{"href":{"type":"string","format":"uri"},"id":{"type":"string"},"secondarySizes":{"type":"array","items":{"type":"array","items":{"$ref":"#/components/schemas/BTThumbnailSizeInfo"}}},"sizes":{"type":"array","items":{"$ref":"#/components/schemas/BTThumbnailSizeInfo"}}}},"BTThumbnailSizeInfo":{"type":"object","properties":{"href":{"type":"string","format":"uri"},"mediaType":{"type":"string"},"renderMode":{"type":"string"},"sheetName":{"type":"string"},"size":{"type":"string"},"uniqueId":{"type":"string"},"viewOrientation":{"type":"string"}}},"BTToleranceString-3274":{"type":"object","properties":{"btType":{"type":"string"},"classification":{"type":"string"},"importMicroversion":{"type":"string","writeOnly":true},"lower":{"type":"string"},"nodeId":{"type":"string"},"upper":{"type":"string"},"value":{"type":"string"}}},"BTToolInfo":{"type":"object","properties":{"capability":{"type":"string"},"command":{"type":"string"},"commandDetails":{"type":"string"},"context":{"type":"integer","format":"int32"},"expandedTooltipKey":{"type":"string"},"featureSpecName":{"type":"string"},"fsVersion":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"icon":{"type":"string"},"iconInitials":{"type":"string"},"id":{"type":"string","description":"Id of the resource."},"isNewerVersionAvailable":{"type":"boolean"},"name":{"type":"string","description":"Name of the resource."},"namespace":{"type":"string"},"nodeType":{"type":"integer","format":"int32"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"requiresPurchaseFeature":{"type":"string"},"showLabel":{"type":"boolean"},"signature":{"type":"string"},"tooltipKey":{"type":"string"},"useDynamicSnippet":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTToolNodeInfo":{"type":"object","properties":{"context":{"type":"integer","format":"int32"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"nodeType":{"type":"integer","format":"int32"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTToolTreeParams":{"type":"object","properties":{"active":{"type":"boolean"},"capability":{"type":"string"},"command":{"type":"string"},"commandDetails":{"type":"string"},"context":{"type":"integer","format":"int32"},"expandedTooltipKey":{"type":"string"},"featureSpecName":{"type":"string"},"fsVersion":{"type":"integer","format":"int32"},"icon":{"type":"string"},"iconInitials":{"type":"string"},"id":{"type":"string"},"isNewerVersionAvailable":{"type":"boolean"},"mini":{"type":"boolean"},"name":{"type":"string"},"namespace":{"type":"string"},"nodeType":{"type":"integer","format":"int32"},"ownerId":{"type":"string"},"ownerType":{"type":"integer","format":"int32"},"priority":{"type":"integer","format":"int32"},"region":{"type":"integer","format":"int32"},"requiresPurchaseFeature":{"type":"string"},"signature":{"type":"string"},"tooltipKey":{"type":"string"},"useDynamicSnippet":{"type":"boolean"},"useHistory":{"type":"boolean"}}},"BTToolTreeUpdateInfo":{"type":"object","properties":{"created":{"type":"array","items":{"$ref":"#/components/schemas/BTToolNodeInfo"}},"deleted":{"type":"array","items":{"type":"string"}},"updated":{"type":"array","items":{"$ref":"#/components/schemas/BTToolNodeInfo"}}}},"BTToolTreeUpdateParams":{"type":"object","properties":{"remove":{"type":"array","items":{"type":"string"}},"save":{"type":"array","item
s":{"$ref":"#/components/schemas/BTToolTreeParams"}}}},"BTToolbarResponseBTToolNodeInfo":{"type":"object","properties":{"enterpriseAdmin":{"type":"boolean"},"href":{"type":"string","description":"URI for current page of resources.","format":"uri"},"items":{"type":"array","description":"Array of items in the current page.","items":{"$ref":"#/components/schemas/BTToolNodeInfo"}},"next":{"type":"string","description":"URI for next page of the resources if more are available.","format":"uri"},"previous":{"type":"string","description":"URI for previous page of the resources.","format":"uri"},"usesCompanyToolset":{"type":"boolean"}}},"BTTorusDescription-1834":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTSurfaceDescription-1564"},{"type":"object","properties":{"axis":{"$ref":"#/components/schemas/BTVector3d-389"},"btType":{"type":"string"},"majorRadius":{"type":"number","format":"double"},"minorRadius":{"type":"number","format":"double"}}}]},"BTTotpInfo":{"type":"object","properties":{"scratchCodes":{"type":"array","items":{"type":"integer","format":"int32"}},"totpSecret":{"type":"string"}}},"BTTraceParams":{"type":"object","properties":{"notes":{"type":"string"}}},"BTTraceSamplingRateInfo":{"type":"object","properties":{"samplingRate":{"type":"number","format":"float"}}},"BTTraceSamplingRateParams":{"type":"object","properties":{"samplingRate":{"type":"number","format":"float"}}},"BTTraceStateInfo":{"type":"object","properties":{"enabledCompanyIds":{"type":"array","items":{"$ref":"#/components/schemas/BTEnabledTraceInfo"}},"enabledDocIds":{"type":"array","items":{"$ref":"#/components/schemas/BTEnabledTraceInfo"}},"enabledUserIds":{"type":"array","items":{"$ref":"#/components/schemas/BTEnabledTraceInfo"}}}},"BTTransitionDef":{"type":"object","properties":{"actions":{"type":"array","items":{"$ref":"#/components/schemas/BTActionDef"}},"description":{"type":"string"},"displayName":{"type":"string"},"guards":{"type":"array
","items":{"$ref":"#/components/schemas/BTGuardDef"}},"name":{"type":"string"},"requiredItemProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"requiredProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"sourceState":{"type":"string"},"targetState":{"type":"string"},"type":{"$ref":"#/components/schemas/BTTransitionType"},"uiHint":{"type":"string"}}},"BTTransitionType":{"type":"string","description":"Transition types (e.g. SUBMIT, APPROVE, REJECT)","enum":["DEFAULT","SUBMIT","APPROVE","APPROVE_DIRECT","REJECT","DELETE","COMMENT","REASSIGN_TASK"]},"BTTranslateFormatParams":{"required":["formatName"],"type":"object","properties":{"allowFaultyParts":{"type":"boolean","description":"If true, parts with faults are imported. If false, faulty parts are omitted.","example":false},"angularTolerance":{"type":"number","description":"Determines the maximum angular deviation between the analytical surface and its triangulation. Lower values result in a finer geometry and higher values result in coarser geometry.","format":"double","example":0.001},"blobElementId":{"type":"string"},"blobMicroversionId":{"type":"string"},"cloudObjectId":{"type":"string"},"cloudStorageAccountId":{"type":"string"},"colorMethod":{"type":"string"},"configuration":{"type":"string"},"connectionId":{"type":"string"},"createComposite":{"type":"boolean"},"currentSheetOnly":{"type":"boolean"},"destinationName":{"type":"string"},"distanceTolerance":{"type":"number","format":"double"},"elementId":{"type":"string","description":"The id of the element in which to perform the operation."},"elementIds":{"type":"array","description":"An array of element ids.","items":{"type":"string","description":"An array of element 
ids."}},"emailLink":{"type":"boolean"},"emailMessage":{"type":"string"},"emailSubject":{"type":"string"},"emailTo":{"type":"array","items":{"type":"string"}},"extractAssemblyHierarchy":{"type":"boolean"},"flatten":{"type":"boolean"},"flattenAssemblies":{"type":"boolean"},"foreignId":{"type":"string"},"formatName":{"type":"string","description":"The name of the file format."},"fromUserId":{"type":"string"},"getyAxisIsUp":{"type":"boolean"},"grouping":{"type":"boolean"},"hideInspectionItems":{"type":"boolean"},"ignoreExportRulesForContents":{"type":"boolean"},"imageHeight":{"type":"integer","format":"int32"},"imageWidth":{"type":"integer","format":"int32"},"importAppearances":{"type":"boolean"},"importInBackground":{"type":"boolean"},"importWithinDocument":{"type":"boolean"},"includeExportIds":{"type":"boolean"},"joinAdjacentSurfaces":{"type":"boolean"},"level":{"type":"string"},"linkDocumentId":{"type":"string","description":"The id of the document through which the above document should be accessed; only applicable when accessing a version of the document. This allows a user who has access to document a to see data from document b, as long as document b has been linked to document a by a user who has permission to both."},"linkDocumentWorkspaceId":{"type":"string"},"maximumChordLength":{"type":"number","description":"Determines the maximum distance between the analytical surface and its triangulation. 
Lower values result in a finer geometry and higher values result in coarser geometry.","format":"double","example":0.01},"notifyUser":{"type":"boolean"},"onePartPerDoc":{"type":"boolean"},"originalForeignId":{"type":"string"},"parentId":{"type":"string"},"partIds":{"type":"string"},"password":{"type":"string"},"passwordRequired":{"type":"boolean"},"pdfVersion":{"type":"string"},"processedForeignId":{"type":"string"},"projectId":{"type":"string"},"proxyDocumentId":{"type":"string"},"proxyElementId":{"type":"string"},"proxyWorkspaceVersion":{"type":"string"},"proxyWorkspaceVersionId":{"type":"string"},"selectablePdfText":{"type":"boolean"},"sendCopyToMe":{"type":"boolean"},"sheetIndices":{"type":"array","items":{"type":"integer","format":"int32"}},"showOverriddenDimensions":{"type":"boolean"},"skipBodyshop":{"type":"boolean"},"sourceName":{"type":"string"},"specifyUnits":{"type":"boolean"},"splinesAsPolylines":{"type":"boolean"},"splitAssembliesIntoMultipleDocuments":{"type":"boolean"},"stepParasolidPreprocessingOption":{"$ref":"#/components/schemas/GBTPreProcessParasolidOption"},"stepVersionString":{"type":"string"},"storeInDocument":{"type":"boolean"},"textAsGeometry":{"type":"boolean"},"textOption":{"type":"string"},"triggerAutoDownload":{"type":"boolean"},"unit":{"type":"string"},"uploadId":{"type":"string"},"useGltfCompression":{"type":"boolean"},"useIgesCompatibilityMode":{"type":"boolean"},"validForDays":{"type":"integer","format":"int32"},"versionString":{"type":"string"}}},"BTTranslateInfo":{"type":"object","properties":{"skippedEmptyElements":{"type":"boolean"},"translationEventKey":{"type":"string"},"translationId":{"type":"string"}}},"BTTranslationRequestInfo":{"type":"object","properties":{"documentId":{"type":"string"},"failureReason":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the 
resource."},"name":{"type":"string","description":"Name of the resource."},"requestElementId":{"type":"string"},"requestState":{"$ref":"#/components/schemas/BTTranslationRequestState"},"resultDocumentId":{"type":"string"},"resultElementIds":{"type":"array","items":{"type":"string"}},"resultExternalDataIds":{"type":"array","items":{"type":"string"}},"resultWorkspaceId":{"type":"string"},"versionId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workspaceId":{"type":"string"}}},"BTTranslationRequestState":{"type":"string","enum":["ACTIVE","DONE","FAILED"]},"BTTranslationResult":{"type":"string","enum":["SUCCESS","UNSUPPORTED","UNSUPPORTED_ZIP","FAILURE"]},"BTTreeEdit-13":{"type":"object","properties":{"btType":{"type":"string"},"editType":{"$ref":"#/components/schemas/EditType"},"newNodes":{"type":"array","items":{"$ref":"#/components/schemas/BTTreeNode-20"}},"nothing":{"type":"boolean"}}},"BTTreeNode-20":{"type":"object","properties":{"btType":{"type":"string"},"nodeId":{"type":"string"}}},"BTTrialInfo":{"type":"object","properties":{"paidCustomerInPast":{"type":"boolean"},"planId":{"type":"string"},"planInterval":{"type":"string"},"seats":{"type":"integer","format":"int64"},"trialDaysRemaining":{"type":"integer","format":"int64"},"trialEndDate":{"type":"string","format":"date-time"},"trialStartDate":{"type":"string","format":"date-time"}}},"BTTriggerEventInfo":{"type":"object","properties":{"description":{"type":"string"},"id":{"type":"integer","format":"int64"},"name":{"type":"string"},"output":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTStepParamTypeInfo"}}}}},"BTTriggerInfo":{"type":"object","properties":{"company":{"$ref":"#/components/schemas/BTCompanySummaryInfo"},"corrupted":{"type":"boolean"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"eventTypeId
":{"type":"integer","format":"int64"},"eventTypeName":{"type":"string"},"headStepId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"params":{"type":"object","additionalProperties":{"type":"string"}},"status":{"type":"integer","format":"int32"},"steps":{"type":"array","items":{"$ref":"#/components/schemas/BTTriggerStepSummaryInfo"}},"triggerType":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTriggerJobExecutionInfo":{"type":"object","properties":{"endTime":{"type":"string","format":"date-time"},"exitMessage":{"type":"string"},"exitStatus":{"type":"string"},"id":{"type":"string"},"jobStatus":{"type":"string"},"params":{"type":"object","additionalProperties":{"type":"string"}},"startTime":{"type":"string","format":"date-time"},"stepExecutions":{"type":"array","items":{"$ref":"#/components/schemas/BTTriggerStepExecutionInfo"}},"triggerId":{"type":"string"}}},"BTTriggerParams":{"type":"object","properties":{"description":{"type":"string"},"eventTypeId":{"type":"integer","format":"int64"},"headStepId":{"type":"string"},"name":{"type":"string"},"params":{"type":"object","additionalProperties":{"type":"string"}},"status":{"type":"integer","format":"int32"},"templateId":{"type":"string"}}},"BTTriggerStepExecutionInfo":{"type":"object","properties":{"endTime":{"type":"string","format":"date-time"},"executionId":{"type":"string"},"exitCode":{"type":"string"},"exitMessage":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"params":{"type":"object","additionalProperties":{"type":"string"}},"startTime":{"type":"string","format":"date-time"},"stepId":{"type":"string"},"stepType":{"type":"integer","format":"int32"},"triggerId":{"type":"string"}}},"BTTrigger
StepInfo":{"type":"object","properties":{"description":{"type":"string"},"errorMessage":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"nextHref":{"type":"string","format":"uri"},"nextStepId":{"type":"string"},"params":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTStepInputValidationResult"}},"previousHref":{"type":"string","format":"uri"},"previousStepId":{"type":"string"},"propertyMap":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPropertyMapTupleInfo"}},"stepStatus":{"type":"integer","format":"int32"},"stepTypeId":{"type":"integer","format":"int32"},"triggerId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTTriggerStepParams":{"type":"object","properties":{"insertAfterStepId":{"type":"string"},"params":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTStepInputValidationResult"}},"propertyMap":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTPropertyMapTupleParam"}},"triggerId":{"type":"string"},"triggerStepTypeId":{"type":"integer","format":"int32"}}},"BTTriggerStepSummaryInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"nextHref":{"type":"string","format":"uri"},"previousHref":{"type":"string","format":"uri"},"stepTypeId":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTTriggerStepTypeInfo":{"type":"object","properties":{"description":{"type":"string"},"id":{"type":"integer","format":"int32"},"input":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTStepParamTypeInfo"}},"name":{"type":"string"},"output":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTStepParamTypeInfo"}},"properties":{"type":"array","items":{"type":"string"}}}},"BTUiCheckRegenerationHashResponse-2419":{"type":"object","properties":{"affectedFeatureIdAndType":{"type":"array","items":{"type":"string"}},"btType":{"type":"string"},"details":{"type":"string"},"hashesMatch":{"type":"boolean"},"response":{"type":"string"},"status":{"$ref":"#/components/schemas/GBTMatchRegenerationHashStatus"}}},"BTUiFeatureStudioChecksum-2438":{"type":"object","properties":{"btType":{"type":"string"},"crc32":{"type":"integer","format":"int32"},"microversion":{"$ref":"#/components/schemas/BTMicroversionId-366"}}},"BTUiSelection-1185":{"type":"object","properties":{"btType":{"type":"string"},"deterministicIdList":{"type":"array","items":{"type":"string"}},"id":{"type":"string"},"occurrence":{"$ref":"#/components/schemas/BTOccurrence-74"},"tableRowId":{"type":"string"},"type":{"$ref":"#/components/schemas/GBTUiSelectionType"}}},"BTUnchangedElementInfo":{"type":"object","properties":{"connectionId":{"type":"string"},"elementId":{"type":"string"},"unchangedReferences":{"type":"array","items":{"$ref":"#/components/schemas/BTUnchangedReferenceInfo"}}}},"BTUnchangedReferenceInfo":{"type":"object","properties":{"metadataUnchanged":{"type":"boolean"},"nodeIds":{"type":"array","items":{"type":"string"}},"toRevision":{"$ref":"#/components/schemas/BTRevisionInfo"}}},"BTUnchangedReleaseInfo":{"type":"object","properties":{"geometryUnchangedItemIds":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"metadataChangedMessage":{"$ref":"#/components/schemas/BTReleaseItemErrorInfo"},"metadataUnchangedItemIds":{"uniqueI
tems":true,"type":"array","items":{"type":"string"}},"unchangedItems":{"type":"array","items":{"$ref":"#/components/schemas/BTDetectUnchangedInfo"}},"unchangedMessage":{"$ref":"#/components/schemas/BTReleaseItemErrorInfo"}}},"BTUniqueDocumentItemParams":{"type":"object","properties":{"apiConfiguration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementType":{"type":"string"},"partId":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTUnitInfo":{"type":"object","properties":{"defaultUnits":{"$ref":"#/components/schemas/BTDefaultUnitsInfo"},"unitsDisplayPrecision":{"type":"object","additionalProperties":{"type":"integer","description":"Specifies the display precision for every supported unit.","format":"int32"},"description":"Specifies the display precision for every supported unit."}}},"BTUnitsMaximumDisplayPrecisionInfo":{"type":"object","properties":{"unitsDisplayPrecision":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}},"BTUpdateFeaturesCall-1748":{"type":"object","properties":{"btType":{"type":"string"},"features":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMicroversion":{"type":"string"},"updateSuppressionAttributes":{"type":"boolean"}}},"BTUpdateFeaturesResponse-1333":{"type":"object","properties":{"btType":{"type":"string"},"featureStates":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTFeatureState-1688"}},"features":{"type":"array","items":{"$ref":"#/components/schemas/BTMFeature-134"}},"libraryVersion":{"type":"integer","format":"int32"},"microversionSkew":{"type":"boolean"},"rejectMicroversionSkew":{"type":"boolean"},"serializationVersion":{"type":"string"},"sourceMi
croversion":{"type":"string"}}},"BTUpdateMeshUnitsParams":{"type":"object","properties":{"units":{"type":"string"}}},"BTUpdateRbacRoleParams":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"}}},"BTUpdateReferenceParams":{"type":"object","properties":{"connectionId":{"type":"string"},"editDescription":{"type":"string"},"referenceUpdates":{"type":"array","items":{"$ref":"#/components/schemas/UpdateParams"}}}},"BTUpdateReleasePackageParams":{"type":"object","properties":{"empty":{"type":"boolean"},"itemIds":{"type":"array","items":{"type":"string"}},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTReleasePackageItemParams"}},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertyValueParam"}}}},"BTUpdateRevisionInfo":{"type":"object","properties":{"configuration":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"insertableIdUpdated":{"type":"string"},"isRereleasable":{"type":"boolean"},"newFlatInsertableId":{"type":"string"},"newInsertableId":{"type":"string"},"newPartId":{"type":"string"},"oldFlatInsertableId":{"type":"string"},"oldInsertableId":{"type":"string"},"oldPartId":{"type":"string"},"partNumber":{"type":"string"},"releaseItemIdsUpdated":{"type":"array","items":{"type":"string"}},"revision":{"type":"string"},"revisionIdUpdated":{"type":"string"},"versionId":{"type":"string"}}},"BTUpdateSpecsInfo":{"type":"object","properties":{"deletedToolSignatures":{"type":"array","items":{"type":"string"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"missingFeature":{"type":"array","items":{"type":"string"}},"name":{"type":"string","description":"Name of the 
resource."},"oldToNew":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTToolNodeInfo"}},"updated":{"type":"array","items":{"type":"string"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTUpdateWorkflowParams":{"type":"object","properties":{"id":{"type":"string"},"isPickable":{"type":"boolean"}}},"BTUpdateWorkflowWrapperParams":{"type":"object","properties":{"workflows":{"type":"array","items":{"$ref":"#/components/schemas/BTUpdateWorkflowParams"}}}},"BTUpdateWorkflowableTestObjectParams":{"type":"object","properties":{"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertyValueParam"}}}},"BTUpgradeOnDemandParams":{"type":"object","properties":{"asSystemUser":{"type":"boolean"},"connectionId":{"type":"string"},"notificationId":{"type":"string"},"targetVersion":{"type":"integer","format":"int32"}}},"BTUploadItemsInfo":{"type":"object","properties":{"errorMessage":{"type":"string"},"items":{"type":"array","items":{"$ref":"#/components/schemas/BTItemInfo"}}}},"BTUploadParams":{"type":"object","properties":{"cloudStorageAccountId":{"type":"string"},"documentName":{"type":"string"},"elementId":{"type":"string"},"name":{"type":"string"},"state":{"type":"string"}}},"BTUploadStateParams":{"type":"object","properties":{"state":{"type":"string"}}},"BTUserActivationParams":{"type":"object","properties":{"defaultCompanyName":{"type":"string"},"email":{"type":"string"},"firstName":{"type":"string"},"id":{"type":"string"},"lastName":{"type":"string"},"password":{"type":"string"},"phoneNumber":{"type":"string"},"role":{"type":"integer","format":"int32"}}},"BTUserAdminInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTUserInfo"},{"type":"object","properties":{"discount":{"$ref":"#/components/schemas/BTDiscount"},"invitationId":{"type":"string"},"invitedByEmail":{"type":"string"},"invitedDocumentId":{"type":"string"},"isTrialRequest":{"type":"boolean
"},"privacyConsents":{"type":"array","items":{"$ref":"#/components/schemas/BTPrivacyConsentInfo"}},"userMetrics":{"$ref":"#/components/schemas/BTUserMetricsInfo"}}}]},"BTUserAdminSummaryInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTUserSummaryInfo"},{"type":"object","properties":{"activePlanId":{"type":"string"},"billingUpdateRequired":{"type":"boolean"},"companyRoles":{"type":"array","items":{"$ref":"#/components/schemas/CompanyRole"}},"createdAt":{"type":"string","format":"date-time"},"forumId":{"type":"string"},"systemUser":{"type":"boolean"},"totpEnabled":{"type":"boolean"}}}]},"BTUserAppMessageBody":{"type":"object","properties":{"appElementSessionId":{"type":"string"},"clientId":{"type":"string"},"data":{"type":"string"},"event":{"type":"string"},"identityId":{"type":"string"},"messageId":{"type":"string"},"settingType":{"$ref":"#/components/schemas/BTApplicationSettingsType"},"timestamp":{"type":"string","format":"date-time"},"webhookId":{"type":"string"}}},"BTUserAppSettingsInfo":{"type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/BTSettingInfo"}}}},"BTUserAppSettingsParams":{"type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/BTSettingParam"}}}},"BTUserBasicSummaryInfo":{"required":["jsonType"],"type":"object","properties":{"jsonType":{"type":"string"}},"discriminator":{"propertyName":"jsonType","mapping":{"user-summary":"#/components/schemas/BTUserBasicSummaryInfo","user-detail-summary":"#/components/schemas/BTUserDetailSummaryInfo"}},"allOf":[{"$ref":"#/components/schemas/BTBaseInfo"},{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"image":{"type":"string"},"name":{"type":"string","description":"Name of the 
resource."},"state":{"type":"integer","format":"int32"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}}]},"BTUserCountInfo":{"type":"object","properties":{"userCount":{"type":"integer","format":"int64"}}},"BTUserDetailSummaryInfo":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"user-detail-summary":"#/components/schemas/BTUserDetailSummaryInfo","user-summary":"#/components/schemas/BTUserSummaryInfo"}},"allOf":[{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},{"type":"object","properties":{"documentationName":{"type":"string"},"email":{"type":"string"},"firstName":{"type":"string"},"lastName":{"type":"string"}}}]},"BTUserDocumentAclParams":{"type":"object","properties":{"public":{"type":"boolean"},"userId":{"type":"string"}}},"BTUserEmailInfo":{"type":"object","properties":{"email":{"type":"string"},"primary":{"type":"boolean"},"state":{"type":"integer","format":"int32"},"userId":{"type":"string"}}},"BTUserEmailParams":{"type":"object","properties":{"email":{"type":"string"},"password":{"type":"string"},"primary":{"type":"boolean"},"userId":{"type":"string"}}},"BTUserEmailStateInfo":{"type":"object","properties":{"emailState":{"type":"string"}}},"BTUserEmailVerifyParams":{"type":"object","properties":{"email":{"type":"string"},"requestId":{"type":"string"},"secret":{"type":"string"},"userId":{"type":"string"}}},"BTUserInfo":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"userinfo":"#/components/schemas/BTUserInfo","BTUserAdminInfo":"#/components/schemas/BTUserAdminInfo"}},"allOf":[{"$ref":"#/components/schemas/BTUserSummaryInfo"},{"type":"object","properties":{"activePlan":{"$ref":"#/components/schemas/BTBillingPlanInfo"},"activePlanId":{"type":"string"},"activePurchases":{"type":"array","items":{"$ref":"#/components/schemas/BTPurchaseInfo"}},"activeTrialInfo":{"$ref":"#/components/schemas/BTTrialInfo"},"b2cId":{"type":"string"},"billingUpdat
eRequired":{"type":"boolean"},"cadSystemAtSignup":{"type":"string"},"countryCode":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"credential":{"$ref":"#/components/schemas/BTSessionCredentialInfo"},"defaultCompanyName":{"type":"string"},"description":{"type":"string"},"deviceInfo":{"$ref":"#/components/schemas/BTDeviceLoginSecretInfo"},"enterprise":{"type":"boolean"},"eulaId":{"type":"string"},"eulaRequired":{"type":"boolean"},"evalCenter":{"type":"boolean"},"forumId":{"type":"string"},"lastTrialInfo":{"$ref":"#/components/schemas/BTTrialInfo"},"needToShowNewWalkthrough":{"type":"boolean"},"ownPurchase":{"$ref":"#/components/schemas/BTPurchaseInfo"},"phoneNumber":{"type":"string"},"proDiscoveryTrialRejected":{"type":"boolean"},"productType":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"redirectUrl":{"type":"string"},"role":{"type":"integer","format":"int32"},"roles":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTRole"}},"startupPage":{"type":"integer","format":"int32"},"systemUser":{"type":"boolean"},"totpEnabled":{"type":"boolean"},"tracingEnabled":{"type":"boolean"},"trialInfos":{"type":"array","items":{"$ref":"#/components/schemas/BTTrialInfo"}}}}]},"BTUserLifecycleMetricsInfo":{"type":"object","properties":{"eventProperties":{"type":"object","additionalProperties":{"type":"object"}},"eventTime":{"type":"string","format":"date-time"},"eventType":{"type":"integer","format":"int64"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"userObjectId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTUserLoginInfo":{"type":"object","properties":{"enterprises":{"type":"array","items":{"$ref":"#/components/schemas/BTEnterpriseLoginInfo"}},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTUserMetricsInfo":{"type":"object","properties":{"createdDocuments":{"type":"integer","format":"int64"},"hasRecentlyOpenedDocuments":{"type":"boolean"},"hasSharedDocuments":{"type":"boolean"},"hasTrashedDocuments":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"name":{"type":"string","description":"Name of the resource."},"privateDocuments":{"type":"integer","format":"int64"},"publicDocuments":{"type":"integer","format":"int64"},"sharedDocuments":{"type":"integer","format":"int64"},"userAccountLimitsCrossed":{"type":"boolean"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTUserMigrationInfo":{"type":"object","properties":{"readyForMigration":{"type":"boolean"}}},"BTUserNotificationInfo":{"type":"object","properties":{"acknowledged":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"},"disableDelete":{"type":"boolean"},"eventKey":{"type":"string"},"expanded":{"type":"boolean"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"message":{"type":"string"},"messageTitle":{"type":"string"},"name":{"type":"string","description":"Name of the 
resource."},"notificationLevel":{"$ref":"#/components/schemas/BTNotificationLevel"},"translationResult":{"$ref":"#/components/schemas/BTTranslationResult"},"upload":{"$ref":"#/components/schemas/BTUserUploadInfo"},"uploadFilename":{"$ref":"#/components/schemas/BTUserUploadInfo"},"uploadId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current page."},"BTUserNotificationListInfo":{"type":"object","properties":{"contentChecksum":{"type":"string"},"count":{"type":"integer","format":"int32"},"notifications":{"$ref":"#/components/schemas/BTListResponseBTUserNotificationInfo"},"unreadCount":{"type":"integer","format":"int32"}}},"BTUserNotificationPrefInfo":{"type":"object","properties":{"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"level":{"type":"integer","format":"int32"},"name":{"type":"string","description":"Name of the resource."},"objectId":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"},"userId":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTUserNotificationPrefLevelsInfo":{"type":"object","properties":{"levelsInfoList":{"type":"array","items":{"$ref":"#/components/schemas/LevelInfo"}}}},"BTUserNotificationPrefParams":{"type":"object","properties":{"level":{"type":"integer","format":"int32"},"objectId":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"type":{"type":"integer","format":"int32"}}},"BTUserNotificationSummaryInfo":{"type":"object","properties":{"contentChecksum":{"type":"string"},"count":{"type":"integer","format":"int32"},"unreadCount":{"type":"integer","format":"int32"}}},"BTUserOAuth2SummaryInfo":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTUserSummaryInfo"},{"type":"object","properties":{"clientId":{"type":"string"},"companyPlan":{"type":"boolean"},"oauth2Scopes":{"type":"integer","format":"int64"},"planGroup":{"type":"string"},"role":{"type":"integer","format":"int32"},"roles":{"uniqueItems":true,"type":"array","items":{"$ref":"#/components/schemas/BTRole"}}}}]},"BTUserParams":{"type":"object","properties":{"approveUser":{"type":"boolean"},"b2cId":{"type":"string"},"cadSystemAtSignup":{"type":"string"},"companyPlan":{"type":"boolean"},"countryCode":{"type":"string"},"defaultCompanyName":{"type":"string"},"description":{"type":"string"},"documentationName":{"type":"string"},"email":{"type":"string"},"eulaAccepted":{"type":"boolean"},"firstName":{"type":"string"},"forumId":{"type":"string"},"id":{"type":"string"},"inviteFriendRequest":{"type":"boolean"},"isRecaptchaV3":{"type":"boolean"},"lastName":{"type":"string"},"message":{"type":"string"},"name":{"type":"string"},"needToShowNewWalkthrough":{"type":"boolean"},"password":{"type":"string"},"phoneNumber":{"type":"string"},"planId":{"type":"string"},"recaptcha":{"type":"string"},"role":{"type":"integer","format":"int32"},"seats":{"type":"integer","format":"int64"},"source":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"token":{"type":"string"},"upgradeToEducationP
lan":{"type":"boolean"}}},"BTUserSettingsInfo":{"type":"object","properties":{"axisRotationLock":{"type":"boolean"},"commonUnits":{"$ref":"#/components/schemas/BTCommonUnitsInfo"},"customColors":{"type":"array","items":{"type":"string"}},"defaultUnits":{"$ref":"#/components/schemas/BTDefaultUnitsInfo"},"displayAssemblyProperties":{"type":"boolean"},"drawingBackgroundId":{"type":"integer","format":"int32"},"enforceApplicationAcl":{"type":"boolean"},"exportDrawingOptions":{"type":"string"},"exportSolidOptions":{"type":"string"},"id":{"type":"string"},"importOptions":{"type":"string"},"locale":{"type":"string"},"materialLibrarySettings":{"$ref":"#/components/schemas/BTMaterialLibrarySettingsInfo"},"miniToolbarSettings":{"type":"string"},"mouseActions":{"type":"string"},"previousSketchFont":{"type":"string"},"reverseScrollWheelZoomDirection":{"type":"boolean"},"selectItemViewStateInfos":{"type":"array","items":{"$ref":"#/components/schemas/BTSelectItemViewStateInfo"}},"startupPage":{"type":"integer","format":"int32"},"substituteApprovers":{"type":"array","items":{"$ref":"#/components/schemas/BTSubstituteApproverInfo"}},"unitsDisplayPrecision":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"unitsMaximumDisplayPrecision":{"$ref":"#/components/schemas/BTUnitsMaximumDisplayPrecisionInfo"},"use24HourTime":{"type":"boolean"},"useDecimalComma":{"type":"boolean"},"viewManipulationMouseKeyMapping":{"$ref":"#/components/schemas/BTViewManipulationMouseKeyMappingInfo"},"viewMappingId":{"type":"integer","format":"int32"}}},"BTUserSettingsParams":{"type":"object","properties":{"id":{"type":"string"},"key":{"type":"string"},"keyValues":{"type":"object","additionalProperties":{"type":"string"}},"quantityTypeToDefaultUnit":{"type":"object","additionalProperties":{"type":"string"}},"substituteApprovers":{"type":"array","items":{"$ref":"#/components/schemas/BTSubstituteApproverParams"}},"unitToDisplayPrecision":{"type":"object","additionalProperties":{"type":
"integer","format":"int32"}},"value":{"type":"string"}}},"BTUserState":{"type":"string","enum":["DELETED","ACTIVE","INACTIVE","REQUESTED","APPROVED","REQUEST_EXPIRED","ALL","MARKED_FOR_DELETION"]},"BTUserSummaryInfo":{"type":"object","discriminator":{"propertyName":"jsonType","mapping":{"user-summary":"#/components/schemas/BTUserSummaryInfo","companyuser":"#/components/schemas/BTCompanyUserSummaryInfo","BTUserAdminSummaryInfo":"#/components/schemas/BTUserAdminSummaryInfo","userinfo":"#/components/schemas/BTUserInfo","BTUserOAuth2SummaryInfo":"#/components/schemas/BTUserOAuth2SummaryInfo"}},"allOf":[{"$ref":"#/components/schemas/BTUserDetailSummaryInfo"},{"type":"object","properties":{"company":{"$ref":"#/components/schemas/BTCompanySummaryInfo"},"documentationNameOverride":{"type":"string"},"globalPermissions":{"$ref":"#/components/schemas/GlobalPermissionInfo"},"invitationState":{"type":"integer","format":"int32"},"isGuest":{"type":"boolean"},"isLight":{"type":"boolean"},"lastLoginTime":{"type":"string","format":"date-time"},"personalMessageAllowed":{"type":"boolean"},"source":{"type":"integer","format":"int32"}}}]},"BTUserTotpParams":{"type":"object","properties":{"id":{"type":"string"},"password":{"type":"string"}}},"BTUserUpdateParams":{"type":"object","properties":{"b2cId":{"type":"string"},"countryCode":{"type":"string"},"defaultCompanyName":{"type":"string"},"description":{"type":"string"},"documentationName":{"type":"string"},"firstName":{"type":"string"},"forumId":{"type":"string"},"id":{"type":"string"},"lastName":{"type":"string"},"name":{"type":"string"},"needToShowNewWalkthrough":{"type":"boolean"},"newPassword":{"type":"string"},"oldPassword":{"type":"string"},"phoneNumber":{"type":"string"},"role":{"type":"integer","format":"int32"}}},"BTUserUpdateSpecsParams":{"type":"object","properties":{"specSignatureToVersion":{"type":"object","additionalProperties":{"type":"string"}},"toolIds":{"type":"object","additionalProperties":{"type":"string"}}}},"BTUserU
ploadInfo":{"type":"object","properties":{"filename":{"type":"string"},"state":{"type":"string"}}},"BTUserUsagesSummary":{"type":"object","properties":{"count":{"type":"integer","format":"int64"},"ownerId":{"type":"string"},"ownerName":{"type":"string"},"ownerType":{"type":"string"}}},"BTUserWebPreferenceInfo":{"type":"object","properties":{"id":{"type":"string"},"preferenceName":{"type":"string"},"retinaDisplaySetting":{"type":"string"},"userId":{"type":"string"}}},"BTUserWebPreferencesParams":{"type":"object","properties":{"id":{"type":"string"},"preferenceName":{"type":"string"},"retinaDisplaySetting":{"type":"string"},"userId":{"type":"string"}}},"BTValidateWorkflowParams":{"type":"object","properties":{"json":{"type":"string"}}},"BTValueAndUse-4696":{"type":"object","properties":{"btType":{"type":"string"},"use":{"$ref":"#/components/schemas/GBTValueUse"},"value":{"$ref":"#/components/schemas/BTFSValue-1888"}}},"BTVariableInfo":{"required":["expression","name","type","value"],"type":"object","properties":{"description":{"type":"string","description":"Variable description"},"expression":{"type":"string","description":"Variable expression"},"name":{"type":"string","description":"Variable name"},"type":{"$ref":"#/components/schemas/GBTVariableType"},"value":{"type":"string","description":"Variable formatted value"}},"description":"Variables in the VariableTable"},"BTVariableParams":{"required":["expression","name","type"],"type":"object","properties":{"description":{"type":"string","description":"Variable description"},"expression":{"type":"string","description":"Variable definition expression"},"name":{"pattern":"^[a-zA-Z_][a-zA-Z0-9_]*$","type":"string","description":"Variable name"},"type":{"type":"string","description":"VariableType name, from FeatureScript VariableType"}}},"BTVariableStudioReferenceInfo":{"required":["referenceElementId"],"type":"object","properties":{"entireVariableStudio":{"type":"boolean","description":"Whether all variables in the 
referenced variable studio are included"},"referenceDocumentId":{"type":"string","description":"DocumentId of referenced variable studio, blank for intra-workspace references"},"referenceElementId":{"type":"string","description":"ElementId of referenced variable studio"},"referenceVersionId":{"type":"string","description":"VersionId of referenced variable studio, blank for intra-workspace references"},"variableNames":{"type":"array","description":"Optional list of selected variables","items":{"type":"string","description":"Optional list of selected variables"}}},"description":"List of variable studio references"},"BTVariableStudioReferenceListInfo":{"type":"object","properties":{"references":{"type":"array","description":"List of variable studio references","items":{"$ref":"#/components/schemas/BTVariableStudioReferenceInfo"}}}},"BTVariableStudioScopeInfo":{"required":["isAutomaticallyInserted"],"type":"object","properties":{"isAutomaticallyInserted":{"type":"boolean","description":"Whether variable studio is automatically inserted into part studios and assemblies in the workspace"}}},"BTVariableTableInfo":{"required":["variables"],"type":"object","properties":{"variableStudioReference":{"$ref":"#/components/schemas/BTVariableStudioReferenceInfo"},"variables":{"type":"array","description":"Variables in the 
VariableTable","items":{"$ref":"#/components/schemas/BTVariableInfo"}}}},"BTVariableTableRowMetadata-3912":{"type":"object","properties":{"btType":{"type":"string"}},"allOf":[{"$ref":"#/components/schemas/BTTableBaseRowMetadata-3181"},{"type":"object","properties":{"btType":{"type":"string"},"crossHighlightData":{"$ref":"#/components/schemas/BTTableBaseCrossHighlightData-2609"},"info":{"type":"string"},"isFullyEditable":{"type":"boolean"},"isRecursiveImport":{"type":"boolean"},"lastWritingFeatureNodeId":{"type":"string"}}}]},"BTVector2d-1812":{"type":"object","properties":{"btType":{"type":"string"},"x":{"type":"number","format":"double"},"y":{"type":"number","format":"double"}}},"BTVector3d-389":{"type":"object","properties":{"btType":{"type":"string"},"x":{"type":"number","format":"double"},"y":{"type":"number","format":"double"},"z":{"type":"number","format":"double"}}},"BTVersionDiffInfo":{"type":"object","properties":{"elementsAdded":{"type":"array","items":{"$ref":"#/components/schemas/AddedOrDeletedElementInfo"}},"elementsChanged":{"type":"array","items":{"$ref":"#/components/schemas/ChangedElementInfo"}},"elementsDeleted":{"type":"array","items":{"$ref":"#/components/schemas/AddedOrDeletedElementInfo"}},"fromDocumentMicroversionId":{"type":"string"},"fromVersionId":{"type":"string"},"fromVersionName":{"type":"string"},"toDocumentMicroversionId":{"type":"string"}}},"BTVersionGraphMode":{"type":"string","enum":["ALL_BRANCHES","ACTIVE_BRANCH","ALL_BRANCHES_WITH_WORKSPACES"]},"BTVersionGraphModeParams":{"type":"object","properties":{"versionGraphMode":{"$ref":"#/components/schemas/BTVersionGraphMode"}}},"BTVersionInfo":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"creator":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the 
resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"lastModifier":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"metadataWorkspaceId":{"type":"string"},"microversion":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"overrideDate":{"type":"string","format":"date-time"},"parent":{"type":"string"},"purpose":{"type":"integer","format":"int32"},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"type":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTVersionInfoWithStatus":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"creator":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isOutOfDate":{"type":"boolean"},"isOutOfSync":{"type":"boolean"},"lastModifier":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"metadataWorkspaceId":{"type":"string"},"microversion":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"outOfSyncElements":{"type":"array","items":{"type":"string"}},"overrideDate":{"type":"string","format":"date-time"},"parent":{"type":"string"},"parents":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}},"purpose":{"type":"integer","format":"int32"},"referencedElements":{"type":"array","items":{"type":"string"}},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"type":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTVersionOrWorkspaceInfo":{"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}}},"BTVersionOrWorkspaceMergeInfo":{"type":"object","properties":{"defaultMergeStrategy":{"$ref":"#/components/schemas/BTMergeStrategy"},"id":{"type":"string"},"mergeStrategyElementOverrides":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTMergeStrategy"}},"type":{"type":"string"}}},"BTVersionOrWorkspaceParams":{"type":"object","properties":{"clientInteractionMode":{"type":"string"},"description":{"type":"string"},"documentId":{"type":"string"},"fromHistory":{"type":"boolean"},"isRelease":{"type":"boolean"},"microversionId":{"type":"string"},"missingBomTableTemplateId":{"type":"string"},"name":{"type":"string"},"publishVersion":{"type":"boolean"},"purpose":{"type":"integer","format":"int32"},"readOnly":{"type":"boolean"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTViewDataInfo":{"type":"object","properties":{"angle":{"type":"number","format":"double"},"cameraViewport":{"type":"array","items":{"type":"number","format":"double"}},"isPerspective":{"type":"boolean"},"viewMatrix":{"type":"array","items":{"type":"number","format":"double"}}}},"BTViewDataParams":{"type":"object","properties":{"angle":{"type":"number","format":"double"},"cameraViewport":{"type":"array","items":{"type":"number","format":"double"}},"isPerspective":{"type":"boolean"},"viewMatrix":{"type":"array","items":{"type":"number","format":"double"}}}},"BTViewFeatureBaseInfo":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"BTViewManipulationMouseKeyMappingInfo":{"type":"object","properties":{"axisRotate3DMapping":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyMouseValuesInfo"}},"pan2DMapping":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyMouseValuesInfo"}},"pan3DMapping":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyMouseValuesInfo"}},"rotate3DMapping":{
"type":"array","items":{"$ref":"#/components/schemas/BTKeyMouseValuesInfo"}},"zoom2DMapping":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyMouseValuesInfo"}},"zoom3DMapping":{"type":"array","items":{"$ref":"#/components/schemas/BTKeyMouseValuesInfo"}}}},"BTWebClientCapabilitiesParams":{"type":"object","properties":{"angleInstancedArrays":{"type":"boolean"},"compressedTextureS3tc":{"type":"boolean"},"depthTexture":{"type":"boolean"},"devicePixelRatio":{"type":"number","format":"double"},"drawBuffers":{"type":"boolean"},"extTextureFilterAnisotropic":{"type":"boolean"},"has3dMouse":{"type":"boolean"},"oesElementIndexUint":{"type":"boolean"},"oesStandardDerivatives":{"type":"boolean"},"oesTextureFloat":{"type":"boolean"},"oesTextureFloatLinear":{"type":"boolean"},"oesTextureHalfFloat":{"type":"boolean"},"oesTextureHalfFloatLinear":{"type":"boolean"},"oesVertexArrayObject":{"type":"boolean"},"renderer":{"type":"string"},"screenHeight":{"type":"integer","format":"int32"},"screenWidth":{"type":"integer","format":"int32"},"vendor":{"type":"string"}}},"BTWebRendererPerformanceMeasurementParams":{"type":"object","properties":{"linesPerSecond":{"type":"number","format":"float"},"renderer":{"type":"string"},"trianglesPerSecond":{"type":"number","format":"float"},"vendor":{"type":"string"}}},"BTWebhookConfigurationInfo":{"type":"object","properties":{"basicAuthEnabled":{"type":"boolean"},"basicAuthUser":{"type":"string"},"signatureKeyPrimary":{"type":"string"},"signatureKeySecondary":{"type":"string"}}},"BTWebhookConfigurationParams":{"type":"object","properties":{"basicAuthEnabled":{"type":"boolean"},"basicAuthPassword":{"type":"string"},"basicAuthUser":{"type":"string"},"signatureKeyPrimary":{"type":"string"},"signatureKeySecondary":{"type":"string"}}},"BTWebhookEventNotifyDataInfo":{"type":"object","properties":{"companyId":{"type":"string"},"data":{"type":"string"},"documentId":{"type":"string"},"errorMessage":{"type":"string"},"eventType":{"type":"string"},"exp
ireAt":{"type":"string","format":"date-time"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"httpErrorCode":{"type":"integer","format":"int32"},"id":{"type":"string","description":"Id of the resource."},"messageBody":{"type":"object"},"messageId":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"retryCount":{"type":"integer","format":"int32"},"state":{"type":"integer","format":"int32"},"transient":{"type":"boolean"},"url":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"webhookId":{"type":"string"}},"description":"Array of items in the current page."},"BTWebhookInfo":{"type":"object","properties":{"companyId":{"type":"string","description":"Company admins can register webhooks to listen to all company events."},"createdBy":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"data":{"type":"string"},"description":{"type":"string"},"droppedEventCount":{"type":"integer","format":"int32"},"events":{"type":"array","description":"List of events for which webhook callback is invoked.","items":{"type":"string","description":"List of events for which webhook callback is invoked."}},"externalSessionId":{"type":"string","description":"Applications can pass this parameter as X-Session-ID with every REST call to distinguish webhooks triggered by self."},"filter":{"type":"string"},"folderId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isTransient":{"type":"boolean","description":"Transient webhooks are automatically cleaned up after a period of inactivity."},"name":{"type":"string","description":"Name of the 
resource."},"options":{"$ref":"#/components/schemas/BTWebhookOptions"},"projectId":{"type":"string"},"url":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"BTWebhookLifecycleMessageBody":{"type":"object","properties":{"appElementSessionId":{"type":"string"},"data":{"type":"string"},"event":{"type":"string"},"messageId":{"type":"string"},"timestamp":{"type":"string","format":"date-time"},"webhookId":{"type":"string"}}},"BTWebhookOptions":{"type":"object","properties":{"collapseEvents":{"type":"boolean"}}},"BTWebhookParams":{"type":"object","properties":{"clientId":{"type":"string"},"companyId":{"type":"string","description":"Company admins can register webhooks to listen to all company events."},"data":{"type":"string"},"description":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"events":{"type":"array","description":"List of events for which webhook callback is invoked.","items":{"type":"string","description":"List of events for which webhook callback is invoked."}},"externalSessionId":{"type":"string","description":"Applications can pass this parameter as X-Session-ID with every REST call to distinguish webhooks triggered by self."},"filter":{"type":"string"},"folderId":{"type":"string"},"id":{"type":"string"},"isTransient":{"type":"boolean","description":"Transient webhooks are automatically cleaned up after a period of 
inactivity."},"linkDocumentId":{"type":"string"},"options":{"$ref":"#/components/schemas/BTWebhookOptions"},"partId":{"type":"string"},"projectId":{"type":"string"},"url":{"type":"string"},"userId":{"type":"string"},"versionId":{"type":"string"},"workspaceId":{"type":"string"}}},"BTWorkflowActionInfo":{"type":"object","properties":{"action":{"type":"string"},"allowIfApprovers":{"type":"boolean"},"allowIfNoApprovers":{"type":"boolean"},"alwaysAllow":{"type":"boolean"},"isAdminOverride":{"type":"boolean"},"isApproverAction":{"type":"boolean"},"label":{"type":"string"},"requiredProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"tooltip":{"type":"string"},"type":{"$ref":"#/components/schemas/BTTransitionType"},"uiHint":{"type":"string"}}},"BTWorkflowAuditLogEntryInfo":{"type":"object","properties":{"approvalOverride":{"type":"boolean"},"approverIds":{"type":"array","items":{"type":"string"}},"commentId":{"type":"string"},"date":{"type":"string","format":"date-time"},"entryType":{"type":"integer","format":"int32"},"errorMessage":{"type":"string"},"featureScriptConsole":{"type":"string"},"featureScriptNotices":{"type":"array","items":{"type":"string"}},"featureScriptResponse":{"type":"object"},"id":{"type":"string"},"objectId":{"type":"string"},"propertyUpdates":{"type":"array","items":{"$ref":"#/components/schemas/BTPropertyUpdateInfo"}},"supportCode":{"type":"string"},"userId":{"type":"string"},"workflowAction":{"type":"string"},"workflowState":{"type":"string"},"workflowTransition":{"type":"string"}}},"BTWorkflowAuditLogInfo":{"type":"object","properties":{"companyId":{"type":"string"},"debugMicroversionId":{"type":"string"},"entries":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowAuditLogEntryInfo"}},"objectId":{"type":"string"},"objectType":{"type":"integer","format":"int32"},"publishedWorkflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"}}},"BTWorkflowDef":{"type":"object","properties":{"initialState":{"$ref":"#/co
mponents/schemas/BTStateDef"},"options":{"$ref":"#/components/schemas/BTWorkflowOptionsDef"},"osWorkflowVersion":{"type":"string"},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyDef"}},"states":{"type":"array","items":{"$ref":"#/components/schemas/BTStateDef"}},"transitions":{"type":"array","items":{"$ref":"#/components/schemas/BTTransitionDef"}}}},"BTWorkflowEnumValue":{"type":"object","properties":{"label":{"type":"string"},"value":{"type":"string"}}},"BTWorkflowErrorInfo":{"type":"object","properties":{"level":{"type":"integer","format":"int32"},"message":{"type":"string"},"propertyId":{"type":"string"},"stateName":{"type":"string"},"transitionName":{"type":"string"}}},"BTWorkflowMessageBody":{"type":"object","properties":{"appElementSessionId":{"type":"string"},"data":{"type":"string"},"event":{"type":"string"},"messageId":{"type":"string"},"objectId":{"type":"string"},"objectType":{"type":"string"},"timestamp":{"type":"string","format":"date-time"},"transitionName":{"type":"string"},"webhookId":{"type":"string"},"workflowId":{"type":"string"}}},"BTWorkflowObserverEntryType":{"type":"string","enum":["USER","TEAM","ROLE","ALIAS"]},"BTWorkflowObserverOptionInfo":{"type":"object","properties":{"alias":{"$ref":"#/components/schemas/BTAliasInfo"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"identityType":{"type":"integer","format":"int32"},"role":{"$ref":"#/components/schemas/BTRbacRoleInfo"},"team":{"$ref":"#/components/schemas/BTTeamSummaryInfo"},"user":{"$ref":"#/components/schemas/BTUserSummaryInfo"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}},"description":"Array of items in the current 
page."},"BTWorkflowObserverState":{"type":"string","enum":["NONE","APPROVED","REJECTED","OVERRIDDEN"]},"BTWorkflowOptionsDef":{"type":"object","properties":{"autoObsolete":{"type":"boolean"},"descriptionOverride":{"type":"string"},"disallowCreatorAsApprover":{"type":"boolean"},"errorOnAssemblyErrors":{"type":"boolean"},"errorOnAssemblyRefsOutOfDate":{"type":"boolean"},"errorOnDrawingOutOfDate":{"type":"boolean"},"errorOnFeatureListErrors":{"type":"boolean"},"errorOnObsoleteRefs":{"type":"boolean"},"errorOnPartNumberPending":{"type":"boolean"},"errorOnPendingTask":{"type":"boolean"},"errorOnRolledBack":{"type":"boolean"},"nameOverride":{"type":"string"},"requireAllApprovers":{"type":"boolean"},"requireApprover":{"type":"boolean"},"requireNote":{"type":"boolean"},"revisionSchemeId":{"type":"string"}}},"BTWorkflowPropertyDef":{"type":"object","properties":{"defaultValue":{"type":"object"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowEnumValue"}},"hideInUi":{"type":"boolean"},"name":{"type":"string"},"propertyId":{"type":"string"},"required":{"type":"boolean"},"teamsOnly":{"type":"boolean"},"usersOnly":{"type":"boolean"},"valueType":{"$ref":"#/components/schemas/BTMetadataValueType"}}},"BTWorkflowPropertyInfo":{"type":"object","properties":{"computedAssemblyProperty":{"type":"boolean"},"computedProperty":{"type":"boolean"},"computedPropertyError":{"type":"string"},"dateFormat":{"type":"string"},"defaultValue":{"type":"object"},"dirty":{"type":"boolean"},"editable":{"type":"boolean"},"editableInUi":{"type":"boolean"},"enumValues":{"type":"array","items":{"$ref":"#/components/schemas/BTMetadataEnumValueInfo"}},"hideInUi":{"type":"boolean"},"initialValue":{"type":"object"},"isApproverProperty":{"type":"boolean"},"isNotifierProperty":{"type":"boolean"},"multivalued":{"type":"boolean"},"name":{"type":"string"},"observers":{"type":"array","writeOnly":true,"items":{"$ref":"#/components/schemas/BTWorkflowableObjectObserver"}},"propertyId":{"type"
:"string"},"propertyOverrideStatus":{"type":"integer","format":"int32"},"propertySource":{"type":"integer","format":"int32"},"required":{"type":"boolean"},"schemaId":{"type":"string"},"teamsOnly":{"type":"boolean"},"uiHints":{"$ref":"#/components/schemas/BTMetadataPropertyUiHintsInfo"},"usersOnly":{"type":"boolean"},"validator":{"$ref":"#/components/schemas/BTMetadataPropertyValidatorInfo"},"value":{"type":"object"},"valueType":{"type":"string"}}},"BTWorkflowSnapshotInfo":{"type":"object","properties":{"actions":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowActionInfo"}},"approverIds":{"type":"array","items":{"type":"string"}},"canBeDiscarded":{"type":"boolean"},"debugMicroversionId":{"type":"string"},"errorMessage":{"type":"string"},"isCreator":{"type":"boolean"},"isDiscarded":{"type":"boolean"},"isFrozen":{"type":"boolean"},"isSetup":{"type":"boolean"},"metadataState":{"type":"string"},"notifierIds":{"type":"array","items":{"type":"string"}},"state":{"$ref":"#/components/schemas/BTWorkflowStateInfo"},"usesExternalPlm":{"type":"boolean"}}},"BTWorkflowStateInfo":{"type":"object","properties":{"approverSourceProperty":{"type":"string"},"displayName":{"type":"string"},"editPermissions":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"editableProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"name":{"type":"string"},"nonEditableProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"notifierSourceProperty":{"type":"string"},"requiredItemProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"requiredProperties":{"uniqueItems":true,"type":"array","items":{"type":"string"}}}},"BTWorkflowableObjectInfo":{"type":"object","properties":{"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"
URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"}}},"BTWorkflowableObjectObserver":{"type":"object","properties":{"adminOverride":{"type":"boolean"},"approvalDate":{"type":"string","format":"date-time"},"approvalState":{"$ref":"#/components/schemas/BTWorkflowObserverState"},"approverId":{"type":"string"},"approverName":{"type":"string"},"associatedStates":{"type":"string"},"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"type":"string"},"description":{"type":"string"},"entryId":{"type":"string"},"entryType":{"$ref":"#/components/schemas/BTWorkflowObserverEntryType"},"id":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"type":"string"},"name":{"type":"string"},"new":{"type":"boolean"},"objectId":{"type":"string"},"observationType":{"type":"integer","format":"int32"},"propertyId":{"type":"string"},"rejectionDate":{"type":"string","format":"date-time"},"removable":{"type":"boolean"}}},"BTWorkflowableObjectType":{"type":"string","enum":["TEST","RELEASE","CHANGE_REQUEST","TASK","CHANGE_ORDER","CHANGE_TASK","ASSIGNMENT","STUDENT_SUBMISSION","OBSOLETION"]},"BTWorkflowableTestObjectInfo":{"type":"object","properties":{"companyId":{"type":"string"},"createdAt":{"type":"string","format":"date-time"},"createdBy":{"$ref":"#/components/schemas/BTUserBasic
SummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"info":{"type":"object","additionalProperties":{"type":"string"}},"modifiedAt":{"type":"string","format":"date-time"},"modifiedBy":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"name":{"type":"string","description":"Name of the resource."},"properties":{"type":"array","items":{"$ref":"#/components/schemas/BTWorkflowPropertyInfo"}},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"},"workflow":{"$ref":"#/components/schemas/BTWorkflowSnapshotInfo"},"workflowError":{"type":"string","writeOnly":true},"workflowId":{"$ref":"#/components/schemas/BTPublishedWorkflowId"}}},"BTWorkspaceInfo":{"type":"object","properties":{"canDelete":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"},"creator":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isReadOnly":{"type":"boolean"},"lastModifier":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"microversion":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the resource."},"overrideDate":{"type":"string","format":"date-time"},"parent":{"type":"string"},"parents":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"type":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if 
applicable.","format":"uri"}}},"BTWorkspaceMessageBody":{"type":"object","allOf":[{"$ref":"#/components/schemas/BTDocumentMessageBody"},{"type":"object","properties":{"documentMicroversionId":{"type":"string","description":"The resultant document microverion if applicable created due to workspace modification."}}}]},"BTWorkspacePartParams":{"type":"object","properties":{"appearance":{"$ref":"#/components/schemas/BTPartAppearanceParams"},"applyUpdateToAllConfigurations":{"type":"boolean"},"configuration":{"type":"string"},"connectionId":{"type":"string"},"customProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTNameValuePair"}},"description":{"type":"string"},"elementId":{"type":"string"},"material":{"$ref":"#/components/schemas/BTMaterialParams"},"name":{"type":"string"},"partId":{"type":"string"},"partIdentity":{"$ref":"#/components/schemas/BTPSOIdentity-2741"},"partNumber":{"type":"string"},"productLine":{"type":"string"},"project":{"type":"string"},"revision":{"type":"string"},"title1":{"type":"string"},"title2":{"type":"string"},"title3":{"type":"string"},"vendor":{"type":"string"}}},"BTXSRFInfo":{"type":"object","properties":{"xsrfHeaderName":{"type":"string"},"xsrfTokenName":{"type":"string"}}},"BTZeroStateDocumentParams":{"type":"object","properties":{"documentId":{"type":"string"},"templateId":{"type":"string"}}},"BTZerostateDocInfo":{"type":"object","properties":{"copied":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"sourceDocumentId":{"type":"string"},"thumbnail":{"type":"string","format":"uri"},"workspace":{"type":"string"}}},"BTZipFileInfo":{"type":"object","properties":{"files":{"type":"array","items":{"type":"string"}}}},"BTZuoraCardInfo":{"type":"object","properties":{"cardHolderInfo":{"$ref":"#/components/schemas/BTZuoraContact"},"cardNumber":{"type":"string"},"cardType":{"type":"string"},"defaultPaymentMethod":{"type":"boolean"},"expirationMonth":{"type":"integer","format":"int32"},"expirationYear":{"type":"int
eger","format":"int32"},"id":{"type":"string"},"last4OfCardNumber":{"type":"string"}}},"BTZuoraContact":{"type":"object","properties":{"address1":{"type":"string"},"addressLine1":{"type":"string","writeOnly":true},"cardHolderName":{"type":"string"},"city":{"type":"string"},"country":{"type":"string"},"state":{"type":"string"},"workEmail":{"type":"string"},"zipCode":{"type":"string"}}},"BTZuoraSignature":{"type":"object","properties":{"domain":{"type":"string"},"key":{"type":"string"},"pageId":{"type":"string"},"signature":{"type":"string"},"success":{"type":"boolean"},"tenantId":{"type":"string"},"token":{"type":"string"}}},"BTZuoraWorkflowChangePlanOnSubscription":{"type":"object","properties":{"effectiveDate":{"type":"string"},"newBTBillingPlanId":{"type":"string"},"newSubscriptionId":{"type":"string"},"oldBTBillingPlanId":{"type":"string"},"oldSubscriptionId":{"type":"string"}}},"BatchFailures":{"type":"object","properties":{"failureCount":{"type":"integer","format":"int64"},"failureTypeCount":{"type":"integer","format":"int64"},"failures":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}},"id":{"type":"string"}}},"BlobItem":{"type":"object","allOf":[{"$ref":"#/components/schemas/Item"},{"type":"object","properties":{"dataTypeForResponse":{"type":"string"},"filename":{"type":"string"},"foreignDataId":{"type":"string"},"href":{"type":"string"},"prettyType":{"type":"string"},"safeToShow":{"type":"boolean"},"specifiedUnit":{"type":"string"},"unupdatable":{"type":"boolean"}}}]},"Buffer":{"type":"object","properties":{"byteLength":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"uri":{"type":"string"}}},"BufferModel":{"type":"object","properties":{"bufferData":{"type":"object","properties":{"short":{"type":"integer","format":"int32"},"char":{"type":"string"},"int":{"type":"integer","format":"
int32"},"long":{"type":"integer","format":"int64"},"float":{"type":"number","format":"float"},"double":{"type":"number","format":"double"},"direct":{"type":"boolean"},"readOnly":{"type":"boolean"}}},"byteLength":{"type":"integer","format":"int32"},"name":{"type":"string"},"uri":{"type":"string"}}},"BufferView":{"type":"object","properties":{"buffer":{"type":"integer","format":"int32"},"byteLength":{"type":"integer","format":"int32"},"byteOffset":{"type":"integer","format":"int32"},"byteStride":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"target":{"type":"integer","format":"int32"}}},"BufferViewModel":{"type":"object","properties":{"bufferModel":{"$ref":"#/components/schemas/BufferModel"},"bufferViewData":{"type":"object","properties":{"short":{"type":"integer","format":"int32"},"char":{"type":"string"},"int":{"type":"integer","format":"int32"},"long":{"type":"integer","format":"int64"},"float":{"type":"number","format":"float"},"double":{"type":"number","format":"double"},"direct":{"type":"boolean"},"readOnly":{"type":"boolean"}}},"byteLength":{"type":"integer","format":"int32"},"byteOffset":{"type":"integer","format":"int32"},"byteStride":{"type":"integer","format":"int32"},"name":{"type":"string"},"target":{"type":"integer","format":"int32"}}},"Callback":{"type":"object","properties":{"empty":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get$ref":{"type":"string"}},"additionalProperties":{"$ref":"#/components/schemas/PathItem"}},"Camera":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"orthographic":{"$ref":"#/components/schemas/CameraOrthographic"},"perspective":{"$ref":"#/components/schemas/CameraPerspective"},"type":{"type":"string"}}},"CameraModel":{"type":"object","properties":{"instanceName":{"
type":"string"},"name":{"type":"string"},"nodeModel":{"$ref":"#/components/schemas/NodeModel"}}},"CameraOrthographic":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"xmag":{"type":"number","format":"float"},"ymag":{"type":"number","format":"float"},"zfar":{"type":"number","format":"float"},"znear":{"type":"number","format":"float"}}},"CameraPerspective":{"type":"object","properties":{"aspectRatio":{"type":"number","format":"float"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"yfov":{"type":"number","format":"float"},"zfar":{"type":"number","format":"float"},"znear":{"type":"number","format":"float"}}},"Card":{"type":"object","properties":{"account":{"type":"string"},"addressCity":{"type":"string"},"addressCountry":{"type":"string"},"addressLine1":{"type":"string"},"addressLine1Check":{"type":"string"},"addressLine2":{"type":"string"},"addressState":{"type":"string"},"addressZip":{"type":"string"},"addressZipCheck":{"type":"string"},"availablePayoutMethods":{"type":"array","items":{"type":"string"}},"brand":{"type":"string"},"country":{"type":"string"},"currency":{"type":"string"},"customer":{"type":"string"},"cvcCheck":{"type":"string"},"defaultForCurrency":{"type":"boolean"},"description":{"type":"string"},"dynamicLast4":{"type":"string"},"expMonth":{"type":"integer","format":"int32"},"expYear":{"type":"integer","format":"int32"},"fingerprint":{"type":"string"},"funding":{"type":"string"},"id":{"type":"string"},"iin":{"type":"string"},"instanceURL":{"type":"string"},"issuer":{"type":"string"},"last4":{"type":"string"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"object":{"type":"string"},"recipient":{"type":"string"},"status":{"type":"string"},"threeDSecure":{"$ref":"#/components/schemas/ThreeDSecure"},"tokenizationMethod":{"type":"string"},"type":{"type":"string"}}},"Category":{
"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"plmId":{"type":"string"}}},"CategoryValue":{"type":"object","properties":{"defaultObjectType":{"type":"integer","format":"int32"},"id":{"type":"string"},"name":{"type":"string"},"objectTypes":{"type":"array","items":{"type":"integer","format":"int32"}}}},"Changed":{"type":"object","properties":{"compatible":{"type":"boolean"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"unchanged":{"type":"boolean"}}},"ChangedApiResponse":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ChangedResponse"}},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"incompatible":{"type":"boolean"},"increased":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"missing":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"newApiResponses":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"default":{"$ref":"#/components/schemas/ApiResponse"},"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"oldApiResponses":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"default":{"$ref":"#/components/schemas/ApiResponse"},"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"unchanged":{"type":"boolean"}}},"ChangedContent":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ChangedMediaType"}},"changedElements":{"type":"array","items":{"$ref":"#/components/schema
s/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"missing":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"newContent":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"oldContent":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"unchanged":{"type":"boolean"}}},"ChangedElementInfo":{"type":"object","properties":{"elementId":{"type":"string"},"elementName":{"type":"string"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"fromMicroversion":{"type":"string"},"fromThumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"},"toMicroversion":{"type":"string"},"toThumbnailInfo":{"$ref":"#/components/schemas/BTThumbnailInfo"}}},"ChangedEnumObject":{"type":"object","properties":{"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"array","items":{"type":"object"}},"missing":{"type":"array","items":{"type":"object"}},"newValue":{"type":"array","items":{"type":"object"}},"oldValue":{"type":"array","items":{"type":"object"}},"shared":{"type":"array","items":{"type":"object"}},"unchanged":{"type":"boolean"}}},"ChangedExtensions":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Changed"}},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"object","additionalProper
ties":{"$ref":"#/components/schemas/Changed"}},"missing":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Changed"}},"newExtensions":{"type":"object","additionalProperties":{"type":"object"}},"oldExtensions":{"type":"object","additionalProperties":{"type":"object"}},"unchanged":{"type":"boolean"}}},"ChangedHeader":{"required":["changedElements"],"type":"object","properties":{"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"content":{"$ref":"#/components/schemas/ChangedContent"},"context":{"$ref":"#/components/schemas/DiffContext"},"deprecated":{"type":"boolean"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"explode":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"incompatible":{"type":"boolean"},"newHeader":{"$ref":"#/components/schemas/Header"},"oldHeader":{"$ref":"#/components/schemas/Header"},"required":{"type":"boolean"},"schema":{"$ref":"#/components/schemas/ChangedSchema"},"style":{"type":"boolean"},"unchanged":{"type":"boolean"}}},"ChangedHeaders":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ChangedHeader"}},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"missing":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"newHeaders":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"oldHeaders":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"unchanged":{"type":"boolean"}}},"ChangedMaxLength":{"type":"object","properties":{"compatible":{"t
ype":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"newValue":{"type":"integer","format":"int32"},"oldValue":{"type":"integer","format":"int32"},"unchanged":{"type":"boolean"}}},"ChangedMediaType":{"required":["changedElements"],"type":"object","properties":{"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"newSchema":{"$ref":"#/components/schemas/Schema"},"oldSchema":{"$ref":"#/components/schemas/Schema"},"schema":{"$ref":"#/components/schemas/ChangedSchema"},"unchanged":{"type":"boolean"}}},"ChangedMetadata":{"type":"object","properties":{"compatible":{"type":"boolean"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"left":{"type":"string"},"right":{"type":"string"},"unchanged":{"type":"boolean"}}},"ChangedOAuthFlow":{"required":["changedElements"],"type":"object","properties":{"authorizationUrl":{"type":"boolean"},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"incompatible":{"type":"boolean"},"newOAuthFlow":{"$ref":"#/components/schemas/OAuthFlow"},"oldOAuthFlow":{"$ref":"#/components/schemas/OAuthFlow"},"refreshUrl":{"type":"boolean"},"tokenUrl":{"type":"boolean"},"unchanged":{"type":"boolean"}}},"ChangedOAuthFlows":{"required":["changedElements"],"type":"object","properties":{"authorizationCodeOAuthFlow":{"$ref":"#/components/schemas/ChangedOAuthFlow"},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"clientCredentialOAuthFlow":{"$ref":"#/components/schemas/ChangedOAuthFlow"},"compatible":{"type":"boolean"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/Change
dExtensions"},"implicitOAuthFlow":{"$ref":"#/components/schemas/ChangedOAuthFlow"},"incompatible":{"type":"boolean"},"newOAuthFlows":{"$ref":"#/components/schemas/OAuthFlows"},"oldOAuthFlows":{"$ref":"#/components/schemas/OAuthFlows"},"passwordOAuthFlow":{"$ref":"#/components/schemas/ChangedOAuthFlow"},"unchanged":{"type":"boolean"}}},"ChangedOneOfSchema":{"required":["changedElements"],"type":"object","properties":{"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"missing":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"newMapping":{"type":"object","additionalProperties":{"type":"string"}},"oldMapping":{"type":"object","additionalProperties":{"type":"string"}},"unchanged":{"type":"boolean"}}},"ChangedOpenApi":{"required":["changedElements"],"type":"object","properties":{"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"changedExtensions":{"$ref":"#/components/schemas/ChangedExtensions"},"changedOperations":{"type":"array","items":{"$ref":"#/components/schemas/ChangedOperation"}},"compatible":{"type":"boolean"},"deprecatedEndpoints":{"type":"array","items":{"$ref":"#/components/schemas/Endpoint"}},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"missingEndpoints":{"type":"array","items":{"$ref":"#/components/schemas/Endpoint"}},"newEndpoints":{"type":"array","items":{"$ref":"#/components/schemas/Endpoint"}},"newSpecOpenApi":{"$ref":"#/components/schemas/OpenAPI"},"oldSpecOpenApi":{"$ref":"#/components/schemas/OpenAPI"},"unchanged":{"type":"boolean"}}},"ChangedOperation":{"required":["changedElements"],"type":"object","properties":{"apiResponses":{"$ref":"#/components/schemas/ChangedApiResponse"},"changedElements
":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"deprecated":{"type":"boolean"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"httpMethod":{"$ref":"#/components/schemas/HttpMethod"},"incompatible":{"type":"boolean"},"newOperation":{"$ref":"#/components/schemas/Operation"},"oldOperation":{"$ref":"#/components/schemas/Operation"},"operationId":{"$ref":"#/components/schemas/ChangedMetadata"},"parameters":{"$ref":"#/components/schemas/ChangedParameters"},"pathUrl":{"type":"string"},"requestBody":{"$ref":"#/components/schemas/ChangedRequestBody"},"securityRequirements":{"$ref":"#/components/schemas/ChangedSecurityRequirements"},"summary":{"$ref":"#/components/schemas/ChangedMetadata"},"unchanged":{"type":"boolean"}}},"ChangedParameter":{"required":["changedElements"],"type":"object","properties":{"changeAllowEmptyValue":{"type":"boolean"},"changeExplode":{"type":"boolean"},"changeRequired":{"type":"boolean"},"changeStyle":{"type":"boolean"},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"content":{"$ref":"#/components/schemas/ChangedContent"},"context":{"$ref":"#/components/schemas/DiffContext"},"deprecated":{"type":"boolean"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"in":{"type":"string"},"incompatible":{"type":"boolean"},"name":{"type":"string"},"newParameter":{"$ref":"#/components/schemas/Parameter"},"oldParameter":{"$ref":"#/components/schemas/Parameter"},"schema":{"$ref":"#/components/schemas/ChangedSchema"},"unchanged":{"type":"boolean"}}},"ChangedParameters":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"array","items":{"$ref":"#/components/schemas/ChangedParameter"}},"changedElements":{"type"
:"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"array","items":{"$ref":"#/components/schemas/Parameter"}},"missing":{"type":"array","items":{"$ref":"#/components/schemas/Parameter"}},"newParameterList":{"type":"array","items":{"$ref":"#/components/schemas/Parameter"}},"oldParameterList":{"type":"array","items":{"$ref":"#/components/schemas/Parameter"}},"unchanged":{"type":"boolean"}}},"ChangedReadOnly":{"type":"object","properties":{"compatible":{"type":"boolean"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"unchanged":{"type":"boolean"}}},"ChangedRequestBody":{"required":["changedElements"],"type":"object","properties":{"changeRequired":{"type":"boolean"},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"content":{"$ref":"#/components/schemas/ChangedContent"},"context":{"$ref":"#/components/schemas/DiffContext"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"incompatible":{"type":"boolean"},"newRequestBody":{"$ref":"#/components/schemas/RequestBody"},"oldRequestBody":{"$ref":"#/components/schemas/RequestBody"},"unchanged":{"type":"boolean"}}},"ChangedRequired":{"type":"object","properties":{"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"array","items":{"type":"string"}},"missing":{"type":"array","items":{"type":"string"}},"newValue":{"type":"array","items":{"type":"string"}},"oldValue":{"type":"array","items":{"type":"string"}},"shared":{"type":"array","items":{"type":"string"}},"unchanged":{"type":"boolean"}}},"ChangedResponse":{"required":["changedElements"],"type":"ob
ject","properties":{"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"content":{"$ref":"#/components/schemas/ChangedContent"},"context":{"$ref":"#/components/schemas/DiffContext"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"headers":{"$ref":"#/components/schemas/ChangedHeaders"},"incompatible":{"type":"boolean"},"newApiResponse":{"$ref":"#/components/schemas/ApiResponse"},"oldApiResponse":{"$ref":"#/components/schemas/ApiResponse"},"unchanged":{"type":"boolean"}}},"ChangedSchema":{"required":["changedElements"],"type":"object","properties":{"addProp":{"$ref":"#/components/schemas/ChangedSchema"},"changeDefault":{"type":"boolean"},"changeDeprecated":{"type":"boolean"},"changeFormat":{"type":"boolean"},"changeTitle":{"type":"boolean"},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"changedProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ChangedSchema"}},"changedType":{"type":"boolean"},"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"discriminatorPropertyChanged":{"type":"boolean"},"enumeration":{"$ref":"#/components/schemas/ChangedEnumObject"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"incompatible":{"type":"boolean"},"increasedProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"items":{"$ref":"#/components/schemas/ChangedSchema"},"maxLength":{"$ref":"#/components/schemas/ChangedMaxLength"},"missingProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"newSchema":{"$ref":"#/components/schemas/Schema"},"oldSchema":{"$ref":"#/components/schemas/Schema"},"oneOfSchema":{"$ref":"#/components/schemas/Ch
angedOneOfSchema"},"readOnly":{"$ref":"#/components/schemas/ChangedReadOnly"},"required":{"$ref":"#/components/schemas/ChangedRequired"},"type":{"type":"string"},"unchanged":{"type":"boolean"},"writeOnly":{"$ref":"#/components/schemas/ChangedWriteOnly"}}},"ChangedSecurityRequirement":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"array","items":{"$ref":"#/components/schemas/ChangedSecurityScheme"}},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"$ref":"#/components/schemas/SecurityRequirement"},"missing":{"$ref":"#/components/schemas/SecurityRequirement"},"newSecurityRequirement":{"$ref":"#/components/schemas/SecurityRequirement"},"oldSecurityRequirement":{"$ref":"#/components/schemas/SecurityRequirement"},"unchanged":{"type":"boolean"}}},"ChangedSecurityRequirements":{"required":["changedElements"],"type":"object","properties":{"changed":{"type":"array","items":{"$ref":"#/components/schemas/ChangedSecurityRequirement"}},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"compatible":{"type":"boolean"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"array","items":{"$ref":"#/components/schemas/SecurityRequirement"}},"missing":{"type":"array","items":{"$ref":"#/components/schemas/SecurityRequirement"}},"newSecurityRequirements":{"type":"array","items":{"$ref":"#/components/schemas/SecurityRequirement"}},"oldSecurityRequirements":{"type":"array","items":{"$ref":"#/components/schemas/SecurityRequirement"}},"unchanged":{"type":"boolean"}}},"ChangedSecurityScheme":{"required":["changedElements"],"type":"object","properties":{"changedBearerFormat":{"type":"boolean"},"changedElements":{"type":"array","items":{"$ref":"#/components/schemas/Changed"}},"changedIn":{"type":"boolean"},"changedOpenIdConnectUrl":{"type":"boolean"},"cha
ngedScheme":{"type":"boolean"},"changedScopes":{"$ref":"#/components/schemas/ChangedSecuritySchemeScopes"},"changedType":{"type":"boolean"},"compatible":{"type":"boolean"},"description":{"$ref":"#/components/schemas/ChangedMetadata"},"different":{"type":"boolean"},"extensions":{"$ref":"#/components/schemas/ChangedExtensions"},"incompatible":{"type":"boolean"},"newSecurityScheme":{"$ref":"#/components/schemas/SecurityScheme"},"oauthFlows":{"$ref":"#/components/schemas/ChangedOAuthFlows"},"oldSecurityScheme":{"$ref":"#/components/schemas/SecurityScheme"},"unchanged":{"type":"boolean"}}},"ChangedSecuritySchemeScopes":{"type":"object","properties":{"compatible":{"type":"boolean"},"context":{"$ref":"#/components/schemas/DiffContext"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"increased":{"type":"array","items":{"type":"string"}},"missing":{"type":"array","items":{"type":"string"}},"newValue":{"type":"array","items":{"type":"string"}},"oldValue":{"type":"array","items":{"type":"string"}},"shared":{"type":"array","items":{"type":"string"}},"unchanged":{"type":"boolean"}}},"ChangedWriteOnly":{"type":"object","properties":{"compatible":{"type":"boolean"},"different":{"type":"boolean"},"incompatible":{"type":"boolean"},"unchanged":{"type":"boolean"}}},"Channel":{"type":"object","properties":{"nodeModel":{"$ref":"#/components/schemas/NodeModel"},"path":{"type":"string"},"sampler":{"$ref":"#/components/schemas/Sampler"}}},"ClassroomAccessInfo":{"type":"object","properties":{"companyIdsWithCreateClassroomAccess":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"hasClassroomAccess":{"type":"boolean"},"isEduAdmin":{"type":"boolean"},"isEducatorsTeamMember":{"type":"boolean"}}},"ClientLogEntry":{"type":"object","properties":{"level":{"type":"string"},"logger":{"type":"string"},"message":{"type":"string"},"timestamp":{"type":"integer","format":"int64"},"url":{"type":"string"}}},"CloudObjectPathSegment":{"type":"object","properties":{"cloudStorageA
ccountId":{"type":"string"},"cloudStorageProviderType":{"type":"integer","format":"int32"},"id":{"type":"string"},"isEnterpriseEdu":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"name":{"type":"string"},"resourceType":{"type":"string"},"subType":{"type":"integer","format":"int32"},"treeHref":{"type":"string"}}},"CompanyRole":{"type":"object","properties":{"admin":{"type":"boolean"},"companyId":{"type":"string"},"companyName":{"type":"string"},"guest":{"type":"boolean"},"light":{"type":"boolean"}}},"Components":{"type":"object","properties":{"callbacks":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Callback"}},"examples":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Example"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"headers":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"links":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Link"}},"parameters":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Parameter"}},"pathItems":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/PathItem"}},"requestBodies":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/RequestBody"}},"responses":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"schemas":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"securitySchemes":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/SecurityScheme"}}}},"ConfigInfo":{"type":"object","properties":{"displayValue":{"type":"string"},"displayValueAbbrUnit":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"type":{"type":"integer","format":"int32"},"value":{"type":"string"}}},"Configuration":{"type":"object","properties":{"batchSize":{"type":"integer","format":"int32"},"companyId":{"type":"string"},"deleteBeforeIndexing":{"type":"boolean","writeOnly":true},
"documentId":{"type":"string"},"shouldMigrateIndices":{"type":"boolean","writeOnly":true},"type":{"$ref":"#/components/schemas/Type"}}},"ConfigurationEntry":{"type":"object","properties":{"parameterId":{"type":"string"},"parameterValue":{"type":"string"}}},"ConfigurationInfoEntry":{"type":"object","properties":{"explicit":{"type":"boolean"},"parameterAbbreviatedDisplayValue":{"type":"string"},"parameterDisplayValue":{"type":"string"},"parameterId":{"type":"string"},"parameterName":{"type":"string"},"parameterType":{"type":"integer","format":"int32"},"parameterValue":{"type":"string"}}},"Contact":{"type":"object","properties":{"email":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"name":{"type":"string"},"url":{"type":"string"}}},"Content":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"ContentItem":{"type":"object","properties":{"anchor":{"type":"string"},"contentId":{"type":"string"},"height":{"type":"integer","format":"int32"},"horizontalOffset":{"type":"integer","format":"int32"},"itemTitle":{"type":"string"},"link":{"type":"string"},"pausePoints":{"type":"array","items":{"type":"number","format":"double"}},"player":{"type":"string"},"position":{"type":"string"},"template":{"type":"string"},"thumbnail":{"type":"string"},"title":{"type":"string"},"verticalOffset":{"type":"integer","format":"int32"},"width":{"type":"integer","format":"int32"}}},"Coupon":{"type":"object","properties":{"amountOff":{"type":"integer","format":"int64"},"created":{"type":"integer","format":"int64"},"currency":{"type":"string"},"duration":{"type":"string"},"durationInMonths":{"type":"integer","format":"int32"},"id":{"type":"string"},"livemode":{"type":"boolean"},"maxRedemptions":{"type":"integer","format":"int64"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"object":{"type":"string"},"percentOff":{"type":"integer","format":"int32"},"redeemBy":
{"type":"integer","format":"int64"},"timesRedeemed":{"type":"integer","format":"int32"},"valid":{"type":"boolean"}}},"Customer":{"type":"object","properties":{"accountBalance":{"type":"integer","format":"int64"},"businessVatId":{"type":"string"},"cards":{"$ref":"#/components/schemas/CustomerCardCollection"},"created":{"type":"integer","format":"int64"},"currency":{"type":"string"},"defaultCard":{"type":"string"},"defaultSource":{"type":"string"},"defaultSourceObject":{"$ref":"#/components/schemas/ExternalAccount"},"deleted":{"type":"boolean"},"delinquent":{"type":"boolean"},"description":{"type":"string"},"discount":{"$ref":"#/components/schemas/Discount"},"email":{"type":"string"},"id":{"type":"string"},"livemode":{"type":"boolean"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"nextRecurringCharge":{"$ref":"#/components/schemas/NextRecurringCharge"},"object":{"type":"string"},"shipping":{"$ref":"#/components/schemas/ShippingDetails"},"sources":{"$ref":"#/components/schemas/ExternalAccountCollection"},"subscription":{"$ref":"#/components/schemas/Subscription"},"subscriptions":{"$ref":"#/components/schemas/CustomerSubscriptionCollection"},"trialEnd":{"type":"integer","format":"int64"}}},"CustomerCardCollection":{"type":"object","properties":{"count":{"type":"integer","format":"int32"},"data":{"type":"array","items":{"$ref":"#/components/schemas/Card"}},"hasMore":{"type":"boolean"},"requestOptions":{"$ref":"#/components/schemas/RequestOptions"},"requestParams":{"type":"object","additionalProperties":{"type":"object"}},"totalCount":{"type":"integer","format":"int32"},"url":{"type":"string"}}},"CustomerSubscriptionCollection":{"type":"object","properties":{"count":{"type":"integer","format":"int32"},"data":{"type":"array","items":{"$ref":"#/components/schemas/Subscription"}},"hasMore":{"type":"boolean"},"requestOptions":{"$ref":"#/components/schemas/RequestOptions"},"requestParams":{"type":"object","additionalProperties":{"type":"object"}},"tota
lCount":{"type":"integer","format":"int32"},"url":{"type":"string"}}},"Definition":{"type":"object","properties":{"code":{"type":"integer","format":"int32"},"description":{"type":"string"},"name":{"type":"string"},"sortOrder":{"type":"integer","format":"int32"}}},"DiffContext":{"type":"object","properties":{"method":{"$ref":"#/components/schemas/HttpMethod"},"parameters":{"type":"object","additionalProperties":{"type":"string"}},"request":{"type":"boolean"},"required":{"type":"boolean"},"response":{"type":"boolean"},"url":{"type":"string"}}},"Discount":{"type":"object","properties":{"coupon":{"$ref":"#/components/schemas/Coupon"},"customer":{"type":"string"},"end":{"type":"integer","format":"int64"},"id":{"type":"string"},"object":{"type":"string"},"start":{"type":"integer","format":"int64"},"subscription":{"type":"string"}}},"Discriminator":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"mapping":{"type":"object","additionalProperties":{"type":"string"}},"propertyName":{"type":"string"}}},"Document":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"type":"object"}},"DrawingService":{"type":"object","properties":{"availability":{"type":"number","format":"double"},"drawingSessionCount":{"type":"integer","format":"int32"},"fqdn":{"type":"string"},"host":{"type":"string"},"hostId":{"type":"string"},"isAvailable":{"type":"boolean"},"maxCapacity":{"type":"number","format":"double"},"port":{"type":"integer","format":"int32"},"region":{"type":"string"},"zone":{"type":"string"}}},"DuplicateUserInfo":{"type":"object","properties":{"state":{"type":"string"},"userId":{"type":"string"},"viewRef":{"type":"string","format":"uri"}}},"DuplicateUsersDetailInfo":{"type":"object","properties":{"duplicateUsersInfo":{"type":"array","items":{"$ref":"#/components/schemas/DuplicateUserInfo"}},"email":{"type":"string"}}},"EditType":{"type":"string","enum":["NOTHING","NEW_ROOT","MOVE","CHANGE","CHANGE_F
IELD","INSERTION","DELETION","LIST"]},"ElementExternalReferenceInfo":{"type":"object","properties":{"documents":{"type":"array","items":{"$ref":"#/components/schemas/BTDocumentInfo"}},"elementExternalReferences":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfoWithStatus"}}},"elementRevisionReferences":{"type":"object","additionalProperties":{"type":"array","items":{"$ref":"#/components/schemas/BTRevisionInfoWithStatus"}}},"elementToHasWorkspaceReferences":{"type":"object","additionalProperties":{"type":"boolean"}},"elementToSyncVersion":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTVersionInfo"}},"latestRevisions":{"type":"array","items":{"$ref":"#/components/schemas/BTRevisionInfo"}},"latestVersions":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}}}},"ElementType":{"type":"string","enum":["SCALAR","VEC2","VEC3","VEC4","MAT2","MAT3","MAT4"]},"ElementVersionInfoWithStatus":{"type":"object","properties":{"createdAt":{"type":"string","format":"date-time"},"creator":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"description":{"type":"string"},"documentId":{"type":"string"},"href":{"type":"string","description":"URI to fetch complete information of the resource.","format":"uri"},"id":{"type":"string","description":"Id of the resource."},"isChildrenOutOfDate":{"type":"boolean"},"isOutOfDate":{"type":"boolean"},"isOutOfSync":{"type":"boolean"},"lastModifier":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"},"latestVersionId":{"type":"string"},"latestVersionName":{"type":"string"},"metadataWorkspaceId":{"type":"string"},"microversion":{"type":"string"},"modifiedAt":{"type":"string","format":"date-time"},"name":{"type":"string","description":"Name of the 
resource."},"overrideDate":{"type":"string","format":"date-time"},"parent":{"type":"string"},"parents":{"type":"array","items":{"$ref":"#/components/schemas/BTVersionInfo"}},"purpose":{"type":"integer","format":"int32"},"referencedElementId":{"type":"string"},"thumbnail":{"$ref":"#/components/schemas/BTThumbnailInfo"},"type":{"type":"string"},"viewRef":{"type":"string","description":"URI to visualize the resource in a webclient if applicable.","format":"uri"}}},"Encoding":{"type":"object","properties":{"allowReserved":{"type":"boolean"},"contentType":{"type":"string"},"explode":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"headers":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"style":{"$ref":"#/components/schemas/StyleEnum"}}},"Endpoint":{"type":"object","properties":{"httpMethod":{"$ref":"#/components/schemas/HttpMethod"},"path":{"type":"string"}}},"EnterpriseParams":{"type":"object","properties":{"domainPrefix":{"type":"string"},"name":{"type":"string"}}},"Entry":{"type":"object","properties":{"permissionSet":{"type":"array","items":{"type":"string"}},"role":{"$ref":"#/components/schemas/BTRbacRoleInfo"}}},"ErrorCodeCounts":{"type":"object","properties":{"code":{"type":"integer","format":"int32"},"count":{"type":"integer","format":"int32"}}},"Event":{"type":"object","properties":{"document":{"$ref":"#/components/schemas/BTResourceEventInfo"},"endMicroversion":{"type":"string"},"eventDetailsHref":{"type":"string","format":"uri"},"id":{"type":"string"},"properties":{"type":"object","additionalProperties":{"type":"object"}},"startMicroversion":{"type":"string"},"time":{"type":"string","format":"date-time"},"type":{"type":"integer","format":"int32"},"user":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"}}},"Example":{"type":"object","properties":{"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"externalValue":{"type":"string"},
"get$ref":{"type":"string"},"summary":{"type":"string"},"value":{"type":"object"},"valueSetFlag":{"type":"boolean"}}},"ExternalAccount":{"type":"object","properties":{"account":{"type":"string"},"customer":{"type":"string"},"id":{"type":"string"},"instanceURL":{"type":"string"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"object":{"type":"string"}}},"ExternalAccountCollection":{"type":"object","properties":{"count":{"type":"integer","format":"int32"},"data":{"type":"array","items":{"$ref":"#/components/schemas/ExternalAccount"}},"hasMore":{"type":"boolean"},"requestOptions":{"$ref":"#/components/schemas/RequestOptions"},"requestParams":{"type":"object","additionalProperties":{"type":"object"}},"totalCount":{"type":"integer","format":"int32"},"url":{"type":"string"}}},"ExternalDocumentation":{"type":"object","properties":{"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"url":{"type":"string"}}},"FailedUpdate":{"type":"object","properties":{"id":{"type":"string"},"reason":{"type":"string"}}},"Failures":{"type":"object","properties":{"batchFailures":{"type":"array","items":{"$ref":"#/components/schemas/BatchFailures"}},"failureCount":{"type":"integer","format":"int64"}}},"Field":{"type":"object","properties":{"field":{"type":"string"},"fieldType":{"$ref":"#/components/schemas/BTSearchFieldType"},"label":{"type":"string"},"ownerType":{"$ref":"#/components/schemas/BTOwnerType"},"source":{"$ref":"#/components/schemas/Source"},"valueType":{"$ref":"#/components/schemas/BTMetadataValueType"}}},"FormDataContentDisposition":{"type":"object","properties":{"creationDate":{"type":"string","format":"date-time"},"fileName":{"type":"string"},"modificationDate":{"type":"string","format":"date-time"},"name":{"type":"string"},"parameters":{"type":"object","additionalProperties":{"type":"string"}},"readDate":{"type":"string","format":"date-time"},"size":{"type":"integer","format":"int64"},"type":{"type":"s
tring"}}},"GBTAppElementAssociativeDataType":{"type":"string","enum":["ONSHAPE_DRAWING_VIEW","MODEL_TOPOLOGY","MODEL_DEFINITION_FEATURE","MODEL_DEFINITION_ENTITY","UNKNOWN"]},"GBTAppElementReferenceType":{"type":"string","enum":["UNKNOWN","PARTSTUDIO","ASSEMBLY","PART","FLATTENED_PART","COMPOSITE_PART","MESH_PART","SURFACE","SKETCH","CURVE"]},"GBTAppElementViewVersionNumber":{"type":"string","enum":["V0_ORIGINAL_VERSION","V1_DONT_MERGE_SECTION_FACE","V2_CHANGE_VISIBLE_SILHOUETTE_DISAMBIGUATION","V3_NO_PARTIALLY_HIDDEN_SEGMENT","V4_FIX_ASSEMBLY_SILHOUETTE_INDICES","V5_USE_LISTS_NOT_SETS_FOR_MERGING","V6_KEEP_SKETCH_SPLINES","V7_SUPPORT_SURFACES","V8_USE_VERSION_IN_SECTION_CACHE_KEY","V9_PREFER_SAME_OCCURRENCE_DISAMBIGUATION","V10_SPHERE_NEW_SILHOUETTE_DISAMBIGUATION","V11_LOOSE_BOX_IN_SECTION_FEATURES","V12_ALL_POLYLINES_AS_SPLINES","V13_USE_LATEST_SECTION_PART_FS","V14_STABLE_OFFSET_REFERENCES","V15_REMOVE_HLR_INTERSETCION_THESHOLD","V16_VERSION_OPERATION_USE","V17_VERSION_OPERATION_USE","V18_PATTERN_SECTION_CUT","V19_FIX_COMPOSITE_PART_QUERY","V20_PATTERN_SECTION_CUT_RELEASE","V21_UNPACK_COMPOSITES_AFTER_PATTERN","V22_SM_PART_DEFAULT_COLOR","V23_SUPPORT_WIRES","V24_SECTION_EDGE","V25_RATIO_TO_PART_FOR_AUTO_SIMPLIFICATION","V26_REUSE_PARENT_SECTION_DATA","V27_DISAMBIGUATE_SILHOUETTES_BY_INDICES","V28_REUSE_PARENT_SECTION_DATA_RELEASE","V29_USE_ATTRIBUTE_TO_QUERY_SECTION_FACES","V30_CONVERT_POLYLINE_TO_CIRCLE","V31_NO_QUADRANT_CHECK_FOR_HALF_CIRCLE","V32_SUPPORT_SHEET_BODY_ALIGNED_SECTION_VIEWS","V33_ENLARGE_CROP_VIEW_BBOX","V34_CREATE_ALIGNED_SECTION_BODY_MAP","V35_ADD_ROTATED_BODY_TO_COMPOSITE","V36_SUPPORT_STANDARD_CONTENT_IN_OLD_FS_VERSIONS","V37_RENDERING_USE_DYNAMIC_CURVE_CHORD_TOL","V38_SUPPORT_AUTO_CENTERLINES","V39_ADD_ROTATED_BODY_BEFORE_EXTRUDE_CUT","V40_NEW_SECTION_FACE_BOUNDARY_CONSTRUCTION","V41_INCLUDE_AUTO_CENTERLINES","V42_DRAWINGS_SECTION_HATCH_IMPROVEMENT","V43_SHOW_AUTO_CENTERLINES_AND_CENTERMARKS","V44_CONVERT_CIRCLE_ARC_TO_CIRCLE","V45_CONTROL_A
UTO_CENTERLINES_AND_CENTERMARKS_DISPLAY","V46_DRAWINGS_SECTION_HATCH_IMPROVEMENT_RELEASE","V47_NO_AUTO_CENTERLINES_FOR_FILLETS","V48_MIXED_MODELING","V49_VIEW_CACHEKEY_IMPROVEMENTS","V50_DENSE_HATCHING_FOR_COMPLEX_FACES","V51_HIDE_ALIGNED_SECTION_TOUCHING_LINE","V52_VIEW_CACHEKEY_SORT_OCCURRENCES","V53_DRAWINGS_SECTION_CACHEKEY_ROUNDOFF_DOUBLES","V54_DRAWINGS_EXPLODE_LINE_VIEW_ALLOW_OVERLAP","V55_PARTIAL_SECTION_CUT_TOOL_CORRECTION","V56_USE_TIGHTER_SUBASSEMBLY_BOX_FOR_SECTION_CUT","V57_BETTER_COSMETIC_EXTERNAL_THREADS","V58_HATCH_ANGLE_CONSISTENCY_BIAS","V59_HATCH_ANGLE_CONSISTENCY_CORRECTION","V60_REGION_POINT_DATA_IN_DWG_CACHEKEY","V61_SECTION_CUT_NON_MANIFOLD_ERROR","V62_FIX_OPEN_COMPOSITE_SECTION","V63_EXCLUDE_FROM_CUT_PER_SECTION_PROFILE","V64_IGNORE_FAULTY_PARTS","V65_EXCLUDE_FROM_CUT_PER_SECTION_PROFILE_UI"]},"GBTAppearanceType":{"type":"string","enum":["UNKNOWN","SKETCH"]},"GBTAssemblyFeatureDisplayStatus":{"type":"string","enum":["OK","ERROR","SUPPRESSED","UNKNOWN"]},"GBTAssemblySimulationType":{"type":"string","enum":["LINEAR_STATIC","MODAL","CONTACT_ANALYSIS","UNKNOWN"]},"GBTBSFeatureVisibility":{"type":"string","enum":["UNSET","HIDDEN","VISIBLE","UNKNOWN"]},"GBTBillOfMaterialsExclusionStatus":{"type":"string","enum":["NOT_EXCLUDED","PARENT_EXCLUDED","EXCLUDED","UNKNOWN"]},"GBTBillOfMaterialsExpansionStatus":{"type":"string","enum":["NOT_EXPANDABLE","EXPANDED","COLLAPSED","UNKNOWN"]},"GBTBodyType":{"type":"string","enum":["SOLID","SHEET","WIRE","POINT","MATE_CONNECTOR","COMPOSITE","UNKNOWN"]},"GBTComputeStatus":{"type":"string","enum":["COMPUTED","STALE","COMPUTING","ERROR","UNDERDEFINED","PREPARING","UNKNOWN"]},"GBTConfigurationParameterType":{"type":"string","enum":["ENUM","BOOLEAN","STRING","QUANTITY"]},"GBTConfiguredParentType":{"type":"string","enum":["FEATURE","INSTANCE","MATE","MATE_CONNECTOR","UNKNOWN"]},"GBTConstraintType":{"type":"string","enum":["NONE","COINCIDENT","PARALLEL","VERTICAL","HORIZONTAL","PERPENDICULAR","CONCENTRIC","MIRROR","MIDPO
INT","TANGENT","EQUAL","LENGTH","DISTANCE","ANGLE","RADIUS","NORMAL","FIX","PROJECTED","OFFSET","CIRCULAR_PATTERN","PIERCE","LINEAR_PATTERN","MAJOR_DIAMETER","MINOR_DIAMETER","QUADRANT","DIAMETER","SILHOUETTED","CENTERLINE_DIMENSION","INTERSECTED","RHO","EQUAL_CURVATURE","UNKNOWN"]},"GBTCurveTypeEnum":{"type":"string","enum":["OTHER","LINE","CIRCLE","ELLIPSE","BCURVE","ICURVE","UNKNOWN"]},"GBTDataItemFormat":{"type":"string","enum":["X_T","XMM","STL","ONSHAPE","ZIP","X_T_XMM_ZIP","OBJ_MTL_ZIP","X_B","UNKNOWN"]},"GBTDebugEntityColor":{"type":"string","enum":["RED","GREEN","BLUE","CYAN","YELLOW","MAGENTA","BLACK","TRANSLUCENT_PURPLE","FEATURE_ERROR","FEATURE_DEBUG","TRANSLUCENT_GREEN","TRANSLUCENT_BLUE","TRANSLUCENT_CYAN","TRANSLUCENT_YELLOW","TRANSLUCENT_BLACK","TRANSLUCENT_ORANGE","UNKNOWN"]},"GBTDebugEntityStyle":{"type":"string","enum":["DEFAULT","STAR","WITH_START","ERROR","UNKNOWN"]},"GBTDisplayDataUsage":{"type":"string","enum":["BASE","PREVIEW_BEFORE","PREVIEW_AFTER","PREVIEW_FINAL","COMPARE_TARGET","UNKNOWN"]},"GBTEdgeTopology":{"type":"string","enum":["WIRE","ONE_SIDED","TWO_SIDED","LAMINAR","UNKNOWN"]},"GBTEdgeType":{"type":"string","enum":["OTHER","LINE","SPLINE","CIRCLE","ELLIPSE","INTERSECTION","SPCURVE","POLYLINE","CONIC","UNKNOWN"]},"GBTElementBranchStatus":{"type":"string","enum":["CREATED","DELETED","EDITS","NOT_ON_THIS_BRANCH","NO_CHANGES","UNKNOWN"]},"GBTElementType":{"type":"string","enum":["PARTSTUDIO","ASSEMBLY","DRAWING","FEATURESTUDIO","BLOB","APPLICATION","TABLE","BILLOFMATERIALS","VARIABLESTUDIO","PUBLICATIONITEM","UNKNOWN"]},"GBTEntityEdgeSmoothnessStatus":{"type":"string","enum":["UNKNOWN","SMOOTH","NOT_SMOOTH","SMOOTH_V2"]},"GBTEntityInferenceType":{"type":"string","enum":["PART_ORIGIN","POINT","CENTROID","CENTER","MID_POINT","TOP_AXIS_POINT","MID_AXIS_POINT","BOTTOM_AXIS_POINT","ORIGIN_X","ORIGIN_Y","ORIGIN_Z","LOOP_CENTER","VIRTUAL_SHARP","UNKNOWN"]},"GBTEntityType":{"type":"string","enum":["VERTEX","EDGE","FACE","BODY","DEGENERATE_EDGE
","UNKNOWN"]},"GBTErrorStringEnum":{"type":"string","enum":["NO_ERROR","UNKNOWN_OPERATION","TOO_MANY_ENTITIES_SELECTED","POINTS_COINCIDENT","NO_TRANSLATION_DIRECTION","NO_ROTATION_AXIS","NO_TANGENT_PLANE","NO_TANGENT_LINE","INVALID_INPUT","CANNOT_RESOLVE_ENTITIES","CANNOT_EVALUATE_VERTEX","CANNOT_RESOLVE_PLANE","CANNOT_COMPUTE_BBOX","CANNOT_BE_EMPTY","CACHE_WRITE_FAILED","CACHE_READ_FAILED","HLR_FAILED","BAD_GEOMETRY","INVALID_RESULT","MISSING_EXT_REF","READ_FAILED","WRITE_FAILED","WRONG_TYPE","TANGENT_PROPAGATION_FAILED","REGEN_ERROR","COULD_NOT_COMPUTE_TRANSFORM","MATE_INVALID_MATE","MATECONNECTOR_INVALID_MATE","MATE_TWO_MATECONNECTORS_NEEDED","MATECONNECTORS_ON_SAME_OCCURRENCE","MATE_OVERDEFINED","MATE_INCONSISTENT","BOOLEAN_NEED_ONE_SOLID","BOOLEAN_INVALID","BOOLEAN_INTERSECT_FAIL","BOOLEAN_SAME_INPUT","BOOLEAN_BAD_INPUT","BOOLEAN_UNION_NO_OP","BOOLEAN_INTERSECT_NO_OP","BOOLEAN_SUBTRACT_NO_OP","CPLANE_INPUT_MIDPLANE","CPLANE_INPUT_OFFSET_PLANE","CPLANE_INPUT_POINT_PLANE","CPLANE_INPUT_LINE_ANGLE","CPLANE_INPUT_POINT_LINE","CPLANE_INPUT_THREE_POINT","CPLANE_FAILED","DRAFT_NO_NEUTRAL_PLANE","DRAFT_NO_DRAFT_FACE","DRAFT_FAILED","EXTRUDE_INVALID_REF_FACE","EXTRUDE_INVALID_REF_SURFACE","EXTRUDE_FAILED","EXTRUDE_NO_DIRECTION","EXTRUDE_INVALID_ENTITIES","PATTERN_INPUT_TOO_MANY_INSTANCES","PATTERN_INPUT_TOO_FEW_INSTANCES","PATTERN_FACE_FAILED","PATTERN_NOT_ON_BODY","PATTERN_BODY_FAILED","TRANSFORM_TRANSLATE_INPUT","TRANSFORM_TRANSLATE_BY_DISTANCE_INPUT","TRANSFORM_FAILED","SHELL_FAILED","EDGEBLEND_SMOOTH","EDGEBLEND_FAILED","DIRECT_EDIT_WRONG_CONCENTRIC","DIRECT_EDIT_WRONG_EQ_RADIUS","DIRECT_EDIT_NO_FILLET_FACES","DIRECT_EDIT_NO_OFFSET","DIRECT_EDIT_CONSTRAIN_FACE_FAILED","DIRECT_EDIT_REPLACE_FACE_FAILED","DIRECT_EDIT_DELETE_FACE_FAILED","DIRECT_EDIT_MODIFY_FILLET_FAILED","DIRECT_EDIT_MODIFY_FACE_FAILED","DIRECT_EDIT_MOVE_FACE_FAILED","DIRECT_EDIT_OFFSET_FACE_FAILED","IMPORT_PART_FAILED","IMPORT_ASSEMBLY_FAILED","IMPRINT_FAILED","REVOLVE_FAILED","REVOLVE_2ND_DIR_FAILED"
,"REVOLVE_NOT_PLANAR","REVOLVE_PERPENDICULAR","REVOLVE_INVALID_ENTITIES","SPLIT_FAILED","SPLIT_INVALID_INPUT","SWEEP_INVALID_PATH","SWEEP_FAILED","SWEEP_PATH_FAILED","SWEEP_PROFILE_FAILED","WIRE_CREATION_FAILED","SKETCH_NO_PLANE","SKETCH_INPUT_INVALID","SKETCH_NOT_ACTIVE","SKETCH_SOLVER_NOT_INITIALIZED","SKETCH_EVALUATION_FAILED","SKETCH_MODIFICATION_FAILED","SKETCH_UPDATE_FAILED","SKETCH_SOLVE_FAILED","SKETCH_ADD_CONSTRAINT_FAILED","SKETCH_ADD_DIMENSION_FAILED","SKETCH_POSITION_DIMENSION_FAILED","SKETCH_CONSTRAINT_NEEDS_SKETCH_ENTITY","SKETCH_CONSTRAINT_UNKNOWN","SKETCH_MISSING_ENTITY","SKETCH_FILLET_INVALID_POINT","SKETCH_FILLET_PARALLEL","SKETCH_FILLET_FAIL","SKETCH_USE_FAILED","SKETCH_USE_PARTIAL","SKETCH_SPLINE_FAILED","SKETCH_BAD_SPLINE","SKETCH_DRAG_ERROR","SKETCH_PROJ_FAILED","SKETCH_PROJ_PARTIAL","SKETCH_TANGENT_ARC_FAILED","SKETCH_TANGENT_NOT_FOUND","SKETCH_OFFSET_FAILED","SKETCH_OFFSET_DISTANCE","SKETCH_TRIM_FAILED","SKETCH_INFERENCE_FAILED","SKETCH_MODIFY_DIM_FAILED","SKETCH_DRAG_NO_SKETCH","SKETCH_INFER_DIM_FAILED","SKETCH_DELETE_PTS_FAILED","SKETCH_DELETE_FAILED","SKETCH_ARC_FAILED","SKETCH_LINE_FAILED","SKETCH_CIRCLE_FAILED","SKETCH_RECTANGLE_FAILED","SKETCH_TANGENT_ARC_INVALID_START","SKETCH_CONSTRUCTION_POINT_FAILED","SYS_INTERNAL_DESERIALIZATION","SYS_SERVER_EXCEPTION","SYS_ERROR_REGEN","SYS_ERROR_MESSAGING","CANNOT_RESOLVE_ELEMENT","NOTHING_SELECTED","SKETCH_ANGLE_TWO_LINES","SKETCH_DIMENSION_DIFF_ENTITIES","SKETCH_CONSTRAINT_DIFF_ENTITIES","SKETCH_CONSTRAINT_TWO_ENTITIES","SKETCH_DIMENSION_TWO_ENTITIES","SKETCH_COINCIDENT_FAILED","SKETCH_COINCIDENT_INPUT_ERROR","SKETCH_COINCIDENT_DIFF_POINTS","SKETCH_CONCENTRIC_INPUT_ERROR","SKETCH_CONCENTRIC_FAILED","SKETCH_EQUAL_INPUT_ERROR","SKETCH_EQUAL_NO_ENDS","SKETCH_EQUAL_FAILED","SKETCH_FIX_ONE_ENT","SKETCH_FIX_FAILED","SKETCH_DIR_INTERNAL","SKETCH_DIR_INPUT","SKETCH_HORIZONTAL_FAILED","SKETCH_VERTICAL_FAILED","SKETCH_OFFSET_CONSTRAINT_FAILED","SKETCH_PARALLEL_CONSTRAINT_FAILED","SKETCH_PARALLEL_INPUT_ER
ROR","SKETCH_DIMENSION_INPUT_ERROR","SKETCH_DIMENSION_DIST_ERROR","SKETCH_DIMENSION_FAILED","SKETCH_NORMAL_NEED_LINE","SKETCH_NORMAL_INPUT_ERROR","SKETCH_NORMAL_INPUT_NEEDED","SKETCH_CANNOT_SPLIT_INTO_GROUPS","SKETCH_OFFSET_BAD_PAIR","SKETCH_OFFSET_INPUT_ERROR","SKETCH_MIDPOINT_INPUT_ERROR","SKETCH_MIDPOINT_NEED_POINT","SKETCH_MIDPOINT_NEED_DIFF_POINT","SKETCH_MIDPOINT_MISSING_ENDS","SKETCH_MIDPOINT_MISSING_PTS","SKETCH_MIDPOINT_NO_INTERNAL_LINE","SKETCH_MIDPOINT_NO_COINCIDENT","SKETCH_MIDPOINT_FAILED","SKETCH_PERPENDICULAR_INPUT_ERROR","SKETCH_PERPENDICULAR_FAILED","SKETCH_POINT_LINE_ONLY","SKETCH_PROJECTION_UNKNOWN","SKETCH_PROJECTION_FAILED","SKETCH_SIL_PROJECTION_INPUT_ERROR","SKETCH_SIL_PROJECTION_MISSING_POINT","SKETCH_LENGTH_DIM_INPUT_ERROR","SKETCH_LENGTH_DIM_MISSING_ENDS","SKETCH_LENGTH_DIM_NOT_FOUND","SKETCH_LENGTH_DIM_FAILED","SKETCH_RADIUS_INPUT_ERROR","SKETCH_RADIUS_DIM_FAILED","SKETCH_TANGENT_INPUT_ERROR","SKETCH_TANGENT_FAILED","PART_QUERY_FAILED","PART_QUERY_MULTI","MATECONNECTOR_QUERY_FAILED","MATECONNECTOR_QUERY_ORIGIN_FAILED","MATECONNECTOR_QUERY_AXIS_FAILED","MATECONNECTOR_QUERY_CSYS_FAILED","ASSEMBLY_INSERT_WILL_CAUSE_CYCLES","SKETCH_MIRROR_NEED_VALID_MIRROR_LINE","SKETCH_MIRROR_NEED_ENTITIES_TO_MIRROR","SKETCH_MIRROR_CONSTRAINT_FAILED","SKETCH_MIRROR_FAILED","SELF_INTERSECTING_CURVE_SELECTED","SWEEP_START_NOT_ON_PROFILE","PATTERN_DIRECTIONS_PARALLEL","MATE_OCCURRENCE_NOT_VALID","MATE_WITHIN_SAME_GROUP","EXPORT_ASSEMBLY_UNKNOWN_NODE_TYPE","EXPORT_ASSEMBLY_CREATE_INSTANCE_FAILED","EXPORT_PARTS_AS_XTS_NOT_A_BODY","EXPORT_PARTS_AS_XTS_FAILED_TO_WRITE_XT","MATECONNECTOR_OWNER_PART_NOT_RESOLVED","WIRE_CREATION_PARTIAL_FAILURE","SERVER_IS_IN_INVALID_STATE","SKETCH_EXTEND_FAILED","FOLLOW_CYCLE_ERROR","SKETCH_FILLET_INVALID_RADIUS","SKETCH_CONSTRAINT_COINCIDENT_TWO_ENTITIES","SKETCH_CONSTRAINT_CONCENTRIC_TWO_ENTITIES","SKETCH_CONSTRAINT_EQUAL_TWO_ENTITIES","SKETCH_CONSTRAINT_MIDPOINT_TWO_ENTITIES","EXTRUDE_NO_SELECTED_REGION","EXTRUDE_NO_REGION_IN_SKETC
H","DELETE_SELECT_PARTS","COPY_SELECT_PARTS","SPLIT_NO_CHANGE","MIRROR_NO_PLANE","MIRROR_SELECT_PARTS","PATTERN_CIRCULAR_NO_AXIS","PATTERN_SELECT_FACES","PATTERN_SELECT_PARTS","PATTERN_LINEAR_NO_DIR","SHELL_SELECT_FACES","DRAFT_SELECT_NEUTRAL","DRAFT_SELECT_FACES","CHAMFER_SELECT_EDGES","FILLET_SELECT_EDGES","EXTRUDE_SURF_NO_CURVE","EXTRUDE_SELECT_TERMINATING_BODY","EXTRUDE_SELECT_TERMINATING_SURFACE","DIRECT_EDIT_SELECT_ANCHOR","REVOLVE_SURF_NO_CURVE","REVOLVE_SELECT_FACES","REVOLVE_SELECT_AXIS","SWEEP_SELECT_PROFILE","SWEEP_SELECT_PATH","DIRECT_EDIT_DELETE_SELECT_FACES","DIRECT_EDIT_MODIFY_FILLET_SELECT","DIRECT_EDIT_MODIFY_FACE_SELECT","DIRECT_EDIT_REPLACE_FACE_SELECT","DIRECT_EDIT_OFFSET_FACE_SELECT","DIRECT_EDIT_MOVE_FACE_SELECT","SELECT_MATECONNECTOR","OVERDEFINED_ASSEMBLY","PART_STUDIO_UPGRADE_SUCCESSFUL","PART_STUDIO_UPGRADE_FAILED","PART_STUDIO_UPGRADE_NONE","MATE_GROUP_OCCURRENCES_UNRESOLVED","SWEEP_SURF_NO_CURVE_PROFILE","MATE_RESET_HAD_NO_EFFECT","MATECONNECTOR_MULTIPLE_OCCURRENCES","MATECONNECTOR_OCCURRENCE_NOT_RESOLVED","ELEMENT_REFERENCE_CYCLE_DETECTED","MATE_OVERDEFINES_ASSEMBLY","MATE_CANNOT_RESOLVE_CONNECTORS","SKETCH_EXCEEDS_BOUNDS","SWEEP_SELF_INT","SKETCH_UNSOLVABLE_CONSTRAINT","RESTRUCTURE_INVALID_SOURCE_OR_TARGET","CPLANE_INPUT_CURVE_POINT","TRANSFORM_OCCURRENCES_HAD_NO_EFFECT","HELIX_FAILED","HELIX_INPUT_CONE","RENDERER_NOT_AVAILABLE","RENDERER_FAILED_TO_RENDER","EXPRESSION_FAILED_VALIDATION","VERSION_MISMATCH_ERROR","EXTRUDE_UPTO_NEXT_NO_DIVISION","MATE_BETWEEN_FIXED_OCCURRENCES","THICKEN_SELECT_ENTITIES","THICKEN_FAILED","WORKSPACE_UPGRADE_SUCCESSFUL","WORKSPACE_UPGRADE_FAILED","WORKSPACE_UPGRADE_NONE","SKETCH_CIRCULAR_PATTERN_FAILED","DIRECT_EDIT_ALL_FILLET_FACES_SELECTED","DIRECT_EDIT_FAILED_TO_IDENTIFY_FILLETS","PARASOLID_IMPORT_FAILED","FOLLOW_LEADER_HAS_NO_FUNCTIONALITY_ERROR","MIRROR_SELECT_FACES","RELATION_INVALID_RELATION","RELATION_INVALID_MATE","GEAR_RELATION_INVALID_MATE_TYPES","SCREW_RELATION_INVALID_MATE_TYPES","RACK_RELATION_I
NVALID_MATE_TYPES","ROLLING_RELATION_INVALID_MATE_TYPES","LINEAR_RELATION_INVALID_MATE_TYPES","RELATION_OVERDEFINED","RELATION_INCONSISTENT","RELATION_SAME_OCCURRENCES","SKETCH_SPLIT_FAILED","SKETCH_CONSTRAINT_PIERCE_TWO_ENTITIES","SKETCH_PIERCE_FAILED","MIRROR_FACE_FAILED","MIRROR_BODY_FAILED","SKETCH_CANNOT_PIERCE_WITH_PLANE","WITH_SUPPORT_CODE","FILLET_FAIL_SMOOTH","FILLET_FAILED","CHAMFER_FAIL_SMOOTH","CHAMFER_FAILED","BOOLEAN_OFFSET_NO_FACES","MATE_OCCURRENCE_SUPPRESSED","MATECONNECTOR_OCCURRENCE_SUPPRESSED","SKETCH_SPLINE_NEW_POINTS_TOO_CLOSE","SKETCH_SPLINE_CANNOT_DELETE_ENDPOINTS","SKETCH_SPLINE_POINT_TO_DELETE_NOT_FOUND","ASSEMBLY_INSERT_FAILED","SKETCH_PATTERN_UNKNOWN_FAILURE","SKETCH_PATTERN_TOO_LARGE","SKETCH_LINEAR_PATTERN_ZERO_LENGTH","SKETCH_LINEAR_PATTERN_PARALLEL_DIRECTIONS","SKETCH_CIRCULAR_PATTERN_ZERO_ANGLE","SKETCH_ELLIPSE_FAILED","SKETCH_ELLIPSE_FAILED_TOO_SMALL","DELETE_PARTS_FAILED","DELETE_PARTS_PARTIAL","SKETCH_ELLIPSE_RADIUS_INPUT_ERROR","QUADRANT_CONSTRAINT_INPUT","SKETCH_QUADRANT_FAILED","SKETCH_SPLINE_TOO_FEW_POINTS","SKETCH_SPLINE_NOT_INTERPOLATED_SPLINE","SKETCH_SPLINE_POINTS_NOT_DELETED","SKETCH_TEXT_RECTANGLE_FAILED","IMPORT_DERIVED_NO_PARTS","LOFT_SELECT_PROFILES","LOFT_PROFILE_SINGLE_FACE","LOFT_PROFILE_SOLID","LOFT_PROFILE_POINT","LOFT_PROFILE_FAILED","LOFT_SELECT_GUIDES","LOFT_GUIDE_FAILED","LOFT_PERIODIC_ERROR","LOFT_GUIDE_POINT_INTERSECTION","LOFT_GUIDE_PROFILE_INTERSECTION","LOFT_VERTEX_MATCHING","LOFT_DIRECTION_ERROR","LOFT_PROFILE_ALIGNMENT","LOFT_GUIDE_ALIGNMENT","LOFT_VERTEX_ADDITIONS","LOFT_FAILED","LOFT_INVALID","LOFT_ALIGNMENT_INFO","LOFT_VERTEX_NOT_ON_PROFILE","LOFT_PROFILE_NO_INNER_LOOPS","LOFT_TWO_PROFILES","CANNOT_OFFSET_ELLIPSE","SKETCH_MIRROR_NEEDS_LINE_AND_TWO_OTHERS","SKETCH_POLYGON_BAD_SIDE_COUNT","SKETCH_DIRECTIONAL_GROUP_INPUT","NAMED_VIEWS_DUPLICATE_NAME","SILHOUETTE_USE_FAILED","PASTE_SKETCH_METRICS_FAILURE","PASTE_SKETCH_LIBRARY_MISMATCH","PASTE_SKETCH_CLIPBOARD_EMPTY","SKETCH_MIRROR_OFFSET_SPLINE","SKETC
H_MIRROR_CURVE_POINT","LOFT_PERIODIC_GUIDE_ERROR","SHELL_SELECT_PARTS","RELATION_MATE_DOES_NOT_EXIST","RELATION_MATE_IS_SUPPRESSED","VARIABLE_NAME_INVALID","LOFT_GUIDE_INFO","HOLE_NO_POINTS","HOLE_FAIL_BBOX","HOLE_EMPTY_SCOPE","HOLE_NO_HITS","WITH_EXTRA_DATA","HOLE_DISJOINT","SKETCH_INSERT_DWG_CONVERSION_FAILURE","HOLE_CBORE_TOO_SMALL","HOLE_CBORE_TOO_DEEP","HOLE_CSINK_TOO_SMALL","HOLE_CSINK_TOO_DEEP","SWEEP_PATH_NO_CONSTRUCTION","SKETCH_IMAGE_RECTANGLE_FAILED","ASSEMBLY_REPLICATE_NO_VALID_TARGET","ASSEMBLY_REPLICATE_NO_MATCHING_TARGET","LOFT_SHAPE_CONTROL_FAILED","LOFT_START_CONDITIONS_FAILED","LOFT_END_CONDITIONS_FAILED","LOFT_NO_FACE_FOR_START_CLAMP","LOFT_NO_FACE_FOR_END_CLAMP","LOFT_NO_PLANE_FOR_START_CLAMP","LOFT_NO_PLANE_FOR_END_CLAMP","LOFT_NO_CLAMPS_ON_POINT_PROFILE","EXPORT_NOT_IMPLEMENTED","SKETCH_POLYGON_ZERO_RADIUS_FAIL","DRAWING_FAILED_TO_RESOLVE_VIEW_REFERENCE","DRAWING_PARTSTUDIO_EMPTY_AFTER_SECTION_CUT","DRAWING_ASSEMBLY_DOES_NOT_CONTAIN_VISIBLE_INSTANCES","DRAWING_ASSEMBLY_EMPTY_AFTER_SECTION_CUT","DRAWING_VIEW_GENERATION_FAILED","SKETCH_SLOT_FAILURE","SKETCH_SLOT_PARTIAL_FAILURE","NO_UNIT","RESTRUCTURE_INVALID_SOURCE","RESTRUCTURE_INVALID_TARGET","MATE_MIN_MAX_LIMIT_VIOLATION","REST_ASSEMBLY_GET_DOCUMENT_FAILED","REST_ASSEMBLY_UNKNOWN_INSERTABLE_TYPE","REST_ASSEMBLY_SETUP_EXCEPTION","REST_ASSEMBLY_BEGIN_OPERATION_FAILED","REST_ASSEMBLY_INSERT_INSTANCE_FAILED","REST_ASSEMBLY_COMMIT_OPERATION_FAILED","REST_ASSEMBLY_CLOSE_CLIENT_FAILED","REST_ASSEMBLY_NULL_OCCURRENCES","REST_ASSEMBLY_EMPTY_OCCURRENCE","REST_ASSEMBLY_TRANSFORM_WRONG_SIZE","ASSEMBLY_EMPTY_OCCURRENCE_LIST","ASSEMBLY_NULL_TRANSFORM","ASSEMBLY_TRANSFORM_NOT_RIGID","ASSEMBLY_CANNOT_TRANSFORM_FIXED_OCCURRENCE","ASSEMBLY_TRANSFORM_FAILED","ASSEMBLY_OCCURRENCE_NOT_FOUND","ASSEMBLY_REPLICATE_MULTIPLE_VALID_TARGET","ASSEMBLY_REPLICATE_NO_TARGET_SELECTED","CPLANE_INPUT_LINE_ANGLE2","CPLANE_DEGENERATE_SELECTION","CPLANE_SELECT_LINE_ANGLE_REFERENCE","ASSEMBLY_REPLICATE_INVALID_SEED_INSTANCE","CANN
OT_USE_VARIABLES_IN_SKETCH_PATTERNS","SKETCH_MIRROR_OFFSET_ELLIPSE","EXTERNAL_REFERENCE_FAILED_TO_CREATE","SPLIT_FACE_NO_CHANGE","SKETCH_INTERSECTION_FAILED","SKETCH_INTERSECTION_MULTIPLE_FAILED","SKETCH_INTERSECTION_PARTIAL_FAILED","FEATURE_ID_IN_PATH_DOES_NOT_MATCH_BODY","FEATURE_NOT_FOUND","FEATURE_DOES_NOT_MATCH","FEATURE_HAS_INVALID_TYPE","FEATURE_DOES_NOT_MATCH_ITS_FEATURE_SPEC","FEATURE_BAD_SERIALIZATION_VERSION","FEATURE_WRONG_SERIALIZATION_VERSION","FEATURE_INVALID_ROLLBACK_INDEX","FEATURE_ERROR_IN_INPUT","FEATURE_CONCURRENCY_ERROR","FEATURE_CHANGE_BREAKS_MODEL","FEATURE_NODE_IDS_INVALID","ROLLBACK_INDEX_INVALID","FEATURE_NO_SOLIDS","SKETCH_EXTERNAL_GEOMETRY_MISMATCH","HOLE_EXCEEDS_MAX_LOCATIONS","SKETCH_TEXT_IS_EMPTY","SKETCH_INSERT_DWG_MAX_ENTITIES_EXCEEDED","HOLE_TAP_DIA_TOO_LARGE","ASSEMBLY_EMPTY_BODY","SIMPLIFY_BODY_FAILED","INVALID_VIEW_NAME","PATTERN_SELECT_FEATURES","MIRROR_SELECT_FEATURES","PATTERN_FEATURE_FAILED","SKETCH_TRANSFORM_FAILED","TANGENT_MATE_TWO_ENTITIES_NEEDED","HOLE_CANNOT_DETERMINE_LAST_BODY","RESTRUCTURE_CANNOT_MODIFY_SAVED_VERSION","REST_ASSEMBLY_EXTERNAL_REFERENCE_REQUIRES_VERSION","REST_ASSEMBLY_EXTERNAL_REFERENCE_DISALLOWS_MICROVERSION","REST_ASSEMBLY_VERSION_SUPPORTED_ONLY_FOR_EXTERNAL_REFERENCES","SWEEP_BAD_LOCK_FACES","SKETCH_TEXT_CANNOT_BE_CONSTRUCTION","CUSTOM_ERROR","BEND_BAD_CONFIGURATION","BEND_WRONG_NUMBER_OF_ENTITIES","BEND_BAD_CURVES","BEND_GENERAL_ERROR","BEND_EDGE_NO_EDGES","BEND_EDGE_NO_SEED_ENTITY","EXTEND_SHEET_BODY_NO_BODY","EXTRACT_SURFACE_NO_FACES","FLATTEN_NO_EDGES","FLATTEN_NO_FACES","FOLD_NO_BODIES","BEND_PREP_NO_FACES","BEND_PREP_NO_BODIES","BEND_PREP_ERROR_FINDING_EDGE_LOCATIONS","BEND_PREP_ERROR_IMPRINTING_EDGES","ASSEMBLY_ANIMATE_MATE_START_AFTER_END","ASSEMBLY_ANIMATE_NO_MATE","ASSEMBLY_ANIMATE_MATE_SUPPRESSED","TANGENT_MATE_GEOMETRY_NOT_SUPPORTED","SKETCH_DIMENSION_INFINITY","BOLEAN_INPUTS_NOT_SOLID","FACE_IS_NOT_RECTANGLE","HOLE_DESTROY_SOLID","HELIX_INPUT_CIRCLE","IMPORT_SCALING_NON_MESH_DATA","EVAL
UATE_FACE_TANGENT_FOR_MESHES","CANNOT_COMPUTE_CENTROID","CANNOT_EVALUATE_DIMENSION","CANNOT_IMPORT_MESH","SKETCH_ELLIPSE_ZERO_AXIS","TRANSFORM_SCALE_UNIFORMLY","TRANSFORM_MATE_CONNECTORS","ASSEMBLY_WRONG_ELEMENT_TYPE","ASSEMBLY_ELEMENT_NOT_FOUND","SHEET_METAL_TABLE_UNKNOWN_ERROR","SHEET_METAL_TABLE_REGEN_ERROR","SHEET_METAL_TABLE_READ_ONLY","ASSEMBLY_PATTERN_INVALID_TYPE","ASSEMBLY_PATTERN_DIRECTION_ERROR","ASSEMBLY_PATTERN_NONPOSITIVE_LINEAR_DISTANCE","ASSEMBLY_PATTERN_NONPOSITIVE_ANGLE","ASSEMBLY_PATTERN_INVALID_SEED","ASSEMBLY_PATTERN_INVALID_REFERENCE_MATE_CONNECTOR","RESTORE_FEATURE_FAILED","FACES_NOT_OWNED_BY_PARTS","EDGES_NOT_OWNED_BY_PARTS","SHEET_METAL_REBUILD_ERROR","SHEET_METAL_INPUT_BODY_SHOULD_NOT_BE_SHEET_METAL","SHEET_METAL_CANNOT_RECOGNIZE_PARTS","SHEET_METAL_CANNOT_THICKEN","SHEET_METAL_CONVERT_PLANE","ASSEMBLY_PATTERN_AXIS_ERROR","RIB_NO_PROFILES","RIB_NO_PARTS","RIB_PROFILE_FAILED","RIB_BODY_FAILED","RIB_NO_INTERSECTIONS","RIB_MERGE_FAILED","ASSEMBLY_NAMED_POSITIONS_SAVE_FAILED","ASSEMBLY_NAMED_POSITIONS_LOAD_FAILED","ASSEMBLY_NAMED_POSITIONS_NO_MATES_TO_SAVE","ASSEMBLY_NAMED_POSITIONS_POSITION_NOT_FOUND","SPHERE_FAILED","ASSEMBLY_PATTERN_NOT_SUPPORTED","ASSEMBLY_NAMED_POSITIONS_PARTIAL_LOAD_FAILURE","ASSEMBLY_NAMED_POSITIONS_LOAD_SUCCEEDED_WITH_EXTRA_MATES","ASSEMBLY_NAMED_POSITIONS_SAVED_MATE_NOT_FOUND_ON_LOAD","SHEET_METAL_SINGLE_MODEL_NEEDED","SHEET_METAL_ACTIVE_JOIN_NEEDED","INSTANCE_QUERY_FAILED","SHEET_METAL_ACTIVE_EDGE_NEEDED","SHEET_METAL_FLANGE_NO_EDGES","MESH_NOT_SUPPORTED","SHEET_METAL_PARTS_PROHIBITED","VARIABLE_CANNOT_EVALUATE","DRAWING_ASSEMBLY_INVALID_SECTION_CUT","DRAWING_PARTSTUDIO_INVALID_SECTION_CUT","SHEET_METAL_COULD_NOT_UNFOLD","PARAMETER_OUT_OF_RANGE","SHEET_METAL_NO_0_ANGLE_BEND","SHEET_METAL_FLAT_RIP_NO_EDIT","SHEET_METAL_CANT_CHANGE_TO_FLAT","PARAMETER_PRECONDITION_FAILED","PARAMETER_SYNTAX_ERROR","SHEET_METAL_CAN_ONLY_REMOVE","SHEET_METAL_CAN_ONLY_SUBTRACT","REST_ASSEMBLY_INVALID_FEATURE","REST_ASSEMBLY_INVALID_BODY_TYP
E","PARTING_OUT_TARGET_READONLY","SHEET_METAL_MULTI_SM_DEFAULT_RADIUS","SHEET_METAL_FLANGE_FAIL_ALIGNMENT","SHEET_METAL_FLANGE_FAIL_UP_TO","SHEET_METAL_FLANGE_FAIL_UP_TO_ENTITY","SHEET_METAL_FLANGE_FAIL","SHEET_METAL_FLANGE_FAIL_LIMIT_OPP_FLANGE","CANT_SPLIT_SHEET_METAL_BEND_FACE","IN_CONTEXT_INSTANCE_INVALID_TARGET","SHEET_METAL_SELF_INTERSECTING_MODEL","SHEET_METAL_SELF_INTERSECTING_FLAT","SHEET_METAL_NON_90_BUTT","SHEET_METAL_RIP_STYLE_ERROR","CANNOT_USE_MATECONNECTORS_IN_PATTERN","CANNOT_COPY_MATECONNECTORS","SHEET_METAL_CAN_ONLY_OFFSET","MODIFIABLE_ENTITY_ONLY","IN_CONTEXT_UPDATE_DELETED_ASSEMBLY","IN_CONTEXT_UPDATE_EMPTY_INSTANCE","IN_CONTEXT_UPDATE_INVALID_SOURCE","IN_CONTEXT_UPDATE_INVALID_TARGET","SHEET_METAL_NO_FEATURE_PATTERN","CUSTOM_FEATURE_DEFINITION_NOT_FOUND","SHEET_METAL_START_SELECT_BENDS","SHEET_METAL_END_DONE","PATH_EDGES_NOT_CONTINUOUS","SHEET_METAL_RIP_FAIL_INTERNAL_EDGE","SHEET_METAL_RIP_FAIL","SHEET_METAL_RIP_MULTI_BODY","SHEET_METAL_RIP_FAIL_NON_PLANAR","PATTERN_CURVE_NO_EDGES","SHEET_METAL_RIP_NO_CORNER","SHEET_METAL_RIP_EVEN","SHEET_METAL_RIP_WALL_NOT_FOUND","SHEET_METAL_RIP_SAME_VERTEX","SHEET_METAL_RIP_NEED_MORE_VERTICES","SHEET_METAL_MAKE_JOINT_FAIL","CURVE_PATTERN_START_OFF_PATH","PART_LOAD_FAILED","SHEET_METAL_MOVE_NOT_PLANAR","SHEET_METAL_JOINT_FAIL_ADJACENT_FACES","WRONG_PARASOLID_VERSION","SHEET_METAL_SINGLE_MODEL_NEEDED_EDGES","REST_ASSEMBLY_MISSING_INSTANCE_DOCUMENT_ID","REST_ASSEMBLY_MISSING_INSTANCE_ELEMENT_ID","FACE_CLASH","CURVE_PATTERN_START_OFF_CLOSED_PATH","SHEET_METAL_CUT_JOINT","EXPORT_STL_NO_PARTS","INPUT_NAME_TOO_LONG","IMPORT_BODY_FAILED_CHECK","DERIVED_BODIES_HAVE_FAULTS","SHEET_METAL_BLOCKED_PATTERN","SHEET_METAL_FLANGE_INTERNAL","SHEET_METAL_TOO_THICK","SHEET_METAL_BEND_END_NOT_A_CORNER","SHEET_METAL_NOT_A_CLOSED_CORNER","SHEET_METAL_CORNER_NOT_A_BEND_END","RIB_ONLY_OPEN_PROFILES","TAB_NO_LONGER_EXISTS","CLINE_FAILED","ILLEGAL_MODIFICATION","ASSEMBLY_MATE_VALUE_SET_FAILED","EXTRUDE_OFFSET_TOO_DEEP","SHEET_METAL_CAN
NOT_MOVE_BEND_EDGE","UP_TO_FACE_NOT_PARALLEL","TRANSLATION_FACE_NOT_PLANAR","MOVE_FACE_NO_INTERSECTION","SWEEP_PATH_PROFILE_NO_INTERSECTION","DIRECT_EDIT_MOVE_FACE_CREATE_SELECT","SHEET_METAL_THICKEN_IN_CONTEXT_INFO","CANNOT_DELETE_RHO_DIMENSION","INVALID_RHO","SKETCH_RHO_DIM_NOT_FOUND","SKETCH_CONIC_FAILED","TAB_NAME_TOO_LONG","DIRECT_EDIT_DELETE_FACE_ALL_FACES","SHEET_METAL_CORNER_BREAK_FAILED","BOOLEAN_NO_TARGET_SURFACE","BAD_BSPLINECURVE_DEFINITION","REQUIRE_3D_BSPLINECURVE_DATA","PERIODIC_BSPLINECURVE_NOT_CLOSED","PERIODIC_BSPLINECURVE_NOT_SMOOTH","RATIONAL_BSPLINECURVE_WEIGHT_NEGATIVE","BSPLINECURVE_NOT_G1","BRIDGING_CURVE_VERTEX_BOTH_SIDES","BRIDGING_CURVE_ONE_EDGE_EACH_SIDE","BRIDGING_CURVE_VERTEX_AT_END_OF_EDGE","PROJECT_CURVES_PARALLEL_PLANES","PROJECT_CURVES_DIFFERENT_SKETCHES","SHEET_METAL_SELECT_PART","VARIABLE_NOT_FOUND","CANNOT_EDIT_FIXED_CONIC","EXTRACT_WIRES_OVERLAPPING_EDGES","EXTRACT_WIRES_NON_MANIFOLD","EXTRACT_WIRES_NEEDS_EDGES","SPLINE_TWO_POINTS","CLOSED_SPLINE_THREE_POINTS","TANGENCY_ONE_EDGE","FIT_SPLINE_CANNOT_EVALUATE_END_CONDITION","FIT_SPLINE_REPEATED_POINT","FEATURE_ID_REQUIRED","PARAMETER_NOT_FOUND","PARAMETER_DOES_NOT_MATCH_ITS_FEATURE_SPEC","SHEET_METAL_CORNER_BREAK_DISABLED","SHEET_METAL_FILLET_NO_CONIC","SHEET_METAL_CHAMFER_NO_TWO_OFFSETS","SHEET_METAL_CHAMFER_NO_OFFSET_ANGLE","SHEET_METAL_CHAMFER_MUST_BE_EQUAL_OFFSETS","SHEET_METAL_ACTIVE_ENTITY_NEEDED","SHEET_METAL_CORNER_BREAK_NOT_A_CORNER","SHEET_METAL_CORNER_BREAK_NO_WALL","SHEET_METAL_CORNER_BREAK_VERTEX_NOT_FREE","SHEET_METAL_CORNER_BREAK_ATTRIBUTE_EXISTS","FIT_SPLINE_ZERO_START_MAGNITUDE","FIT_SPLINE_ZERO_END_MAGNITUDE","SHEET_METAL_CORNER_BREAK_SELECT_ENTITIES","EXTRUDE_SELECT_TERMINATING_VERTEX","FILL_SURFACE_NO_EDGES","FILL_SURFACE_DOUBLE_SELECTION","FILL_SURFACE_MULTI_LOOP","FILL_SURFACE_OPEN_LOOP","FILL_SURFACE_FAIL","FILL_SURFACE_ATTACH_FAIL","FILL_SURFACE_G2_FAIL","FILL_SURFACE_VERTEX_INTERPOLATION_FAIL","LOFT_SPINE_DISJOINT_PATH","LOFT_SPINE_SELF_INTERSECTING_PATH",
"LOFT_SPINE_PATH_PROFILE_NO_INTERSECTION","LOFT_SPINE_FAILED_XSECTIONS","LOFT_SPINE_GUIDE_WITH_POINT_PROFILE","LOFT_SPINE_PROFILES_NOT_IN_ORDER","LOFT_SELECT_SPINE","DOCUMENT_NOT_FOUND","ELEMENT_NOT_FOUND","ENCLOSE_NO_REGION","ENCLOSE_CANNOT_MERGE_REGIONS","ENCLOSE_CANNOT_CREATE_SOLID","ENCLOSE_NOTHING_SELECTED","ENCLOSE_UNKNOWN_ERROR","ACCESS_NOT_ALLOWED","LOFT_SPINE_TOO_MANY_GUIDES","FEATURE_INVALID_NAMESPACE","FEATURE_NULL_NOT_ALLOWED","SKETCH_DIMENSION_LIMIT_ERROR","FILL_SURFACE_WIRE_CONTINUITY_MISMATCH","FILL_SURFACE_INTERNAL_CONTINUITY_MISMATCH","LOFT_START_OR_END_CONDITIONS_FAILED","LOFT_START_OR_END_CONDITIONS_MAGNITUDE_NO_EFFECT","FOLLOW_LEADER_IS_IN_UNFOLLOWABLE_TAB","LOFT_START_OR_END_CONDITIONS_WITH_GUIDES_FAILED","REST_ASSEMBLY_MISSING_TRANSFORM_GROUPS","REST_ASSEMBLY_NULL_TRANSFORM_GROUP","REST_ASSEMBLY_NULL_TRANSFORM_GROUP_INSTANCES","REST_ASSEMBLY_NULL_TRANSFORM_GROUP_INSTANCE","LOFT_NO_FACE_FOR_GUIDE_CLAMP","LOFT_NO_CONTINUITY_CONDITION_AT_INTERNAL_GUIDE","SKETCH_CONSTRAINT_NOT_FOUND","SKETCH_CONSTRAINT_PARAMETER_NOT_FOUND","SKETCH_ENTITY_NOT_FOUND","SKETCH_ENTITY_PARAMETER_NOT_FOUND","FEATURE_PARAMETER_TYPE_MISMATCH","FEATURE_CONFIGURED_PARAMETER_NO_VALUES","FEATURE_CONFIGURED_PARAMETER_INCONSISTENT_TYPES","SHEET_METAL_FLANGE_FAIL_AUTO_MITER","SHEET_METAL_FLANGE_FAIL_PARALLEL_EDGE","SHEET_METAL_FLANGE_FAIL_PARALLEL_PLANE","SHEET_METAL_FLANGE_FAIL_PARALLEL_DIRECTION","SHEET_METAL_FLANGE_FAIL_NO_BEND","SHEET_METAL_FLANGE_NO_PARALLEL_ENTITY","SHEET_METAL_FLANGE_NO_DIRECTION_ENTITY","SHEET_METAL_TAB_NO_BEND","BOOLEAN_NO_SURFACE_IN_MERGE_SCOPE","BOOLEAN_NO_SHARED_EDGE_WITH_SURFACE_IN_MERGE_SCOPE","SHEET_METAL_BEND_RELIEF_NO_CORNER","SHEET_METAL_CORNER_SELECT_ENTITIES","SHEET_METAL_BEND_RELIEF_SELECT_ENTITIES","VRFILLET_RADIUS_REQUIRED_AT_VERTEX","VRFILLET_RHO_REQUIRED_AT_VERTEX","VRFILLET_MAG_REQUIRED_AT_VERTEX","VRFILLET_SELECT_VERTICES","VRFILLET_VERTEX_NOT_ON_CHAIN","VRFILLET_INVALID_CHAIN","SHEET_METAL_TAB_NO_MERGE","SHEET_METAL_TAB_NONPLANAR","SHEE
T_METAL_TAB_NO_WALL","SHEET_METAL_TAB_NO_TAB","VRFILLET_NO_EFFECT","VRFILLET_MULTI_SELECTION","SHEET_METAL_TAB_NO_PARALLEL_WALL","SHEET_METAL_CORNER_UNDER_SIZED","FILLET_PARTIAL_FAIL","VRFILLET_INTERNAL_ZERO","SHEET_METAL_TAB_NO_EFFECT","SHEET_METAL_TAB_LOW_CLEARANCE","SHEET_METAL_TAB_FAILS_MERGE","SHEET_METAL_TAB_COLLISION","REPLACE_FACE_FACE_COUNT_CHANGED","FACE_OVERLAP","FACE_REMOVED","INTERSECTING_EDGES","CANNOT_SPLIT_FACE","FILL_SURFACE_BAD_SUPPORT","FILL_SURFACE_SUPPORT_NOT_ON_BOUNDARY","FILL_SURFACE_SUPPORT_NOT_SMOOTH","FILL_CURVE_OR_POINT_CONSTRAINTS","SHEET_METAL_ADD_WRONG_MODEL","SHEET_METAL_PATTERN_DISABLED_BOOLEANS","DRAWING_ALL_INSTANCES_HIDDEN","FILL_SUPPORT_NOT_SMOOTH_INTERNAL","SKETCH_CONSTRAINT_WRONG_SHEET_METAL_BODY","SKETCH_CONSTRAINT_FLAT_IN_3D","SKETCH_CONSTRAINT_3D_IN_FLAT","FIT_SPLINE_CURVATURE_FACE","FIT_SPLINE_CANNOT_EVALUATE_CURVATURE_END_CONDITION","FIT_SPLINE_NEED_DIRECTION_FOR_CURVATURE","CONFIGURATION_HAS_BAD_PARAMETERS","CONFIGURATION_HAS_BAD_CURRENT_CONFIGURATION","FEATURE_CONFIGURED_PARAMETER_VALUES_HAVE_IDS","WORKSPACE_NO_LONGER_EXISTS","CONTENT_STACKING_INVALID_MODE","CONTENT_STACKING_INVALID_COMPONENTS","CONTENT_STACKING_INVALID_TOP_STACK","SHEET_METAL_FACE_PATTERN_NO_JOINT","SHEET_METAL_FACE_PATTERN_FLOATING_CUT","SHEET_METAL_FACE_PATTERN_FLOATING_WALL","SM_FLAT_OP_NO_INTERSECT","SM_FLAT_OP_PARTIAL_INTERSECT","SM_FLAT_OP_ADD_CROSSES_EDGE","SM_FLAT_OP_NON_PLANAR_TOOL","SM_FLAT_OP_NON_PLANAR_TARGET","SM_FLAT_OPERATION_FAILED","SM_FLAT_OP_LEGACY_MODEL","SHEET_METAL_FLANGE_NON_LINEAR_EDGES","SHEET_METAL_CYLINDER_BEND","SHEET_METAL_INVALID_FACE","SHEET_METAL_ROLLED_CORNER_RELIF","SHEET_METAL_RELIEF_FAILURES","EDGE_CHANGE_FAILED","BOOLEAN_INPUTS_NOT_SOLID","TRANSFORM_SCALE_SELECTION","SHEET_METAL_SUBTRACT_DESTROYS_SHEET","SPLIT_KEEP_TOOLS_WITH_FACE","SPLIT_TRIM_WITH_SINGLE_FACE","SHEET_METAL_SKETCH_DETACHED_FACE","HOLE_CUT_FAIL","SHEET_METAL_FLAT_OP_ROLL_FAIL","PATTERN_EDGE_FAILED","SHEET_METAL_FACE_PATTERN_NO_VERTEX","SHEET_METAL_FACE
_PATTERN_PARTIAL_FLOATING_WALL","EXTRUDE_3D_AND_FLAT","PATTERN_SWITCH_TO_PER_INSTANCE","PATTERN_NO_GEOM_FROM_FEATURES","RM_NO_LINK_PERMISSION_TO_REVISION","DRAFT_SELECT_PARTING_EDGES","DRAFT_CONFLICTING_OPPOSITION","SPLIT_SELECT_TARGETS","SPLIT_SELECT_TOOL","SPLIT_SELECT_FACE_TARGETS","SPLIT_SELECT_FACE_TOOLS","ASSEMBLY_PATTERN_EXCEED_MAX_INSTANCE_COUNT","ASSEMBLY_PATTERN_RECURSIVE_SEED","NO_LINK_PERMISSION_TO_THIS_DOCUMENT","SM_FLAT_OP_FACES_NOT_COPLANAR","FLATTENED_SHEET_METAL_SKETCH_PROHIBTED","DRAFT_SELECT_PULL_DIRECTION_ENTITY","DRAFT_PARALLEL_PARTING_EDGE","FLATTENED_SHEET_METAL_SKETCH_ONE_FACE","SKETCH_OFFSET_CHAIN_FAIL","SKETCH_OFFSET_BASE_CURVE_CONSUMED","SKETCH_OFFSET_SPLINE_SPLIT","SKETCH_OFFSET_ELLIPSE_SPLIT","CANNOT_FIND_FLATTENED_BODY","SHEET_METAL_ACTIVE_MODEL_REQUIRED","SKETCH_REFERENCE_WRONG_FLAT_PART","SKETCH_CANNOT_REFERENCE_3D","SM_FLAT_OP_CANNOT_JOIN_DIFFERENT_TRANSFORMS","DEFINED_IN_3D_CANT_REFERENCE_SM_FLAT","DEFINED_IN_SM_FLAT_CANT_REFERENCE_3D","CANNOT_CHANGE_REFERENCE_TO_DELETED_DOCUMENT","CANNOT_CHANGE_REFERENCE_ELEMENT_NOT_FOUND","COPIED_SKETCH_NOT_FOUND","VARIABLE_NAME_TOO_LONG","NO_INSTANCE_TO_REPLACE","ASSEMBLY_REPLACE_NO_REPLACER","CANNOT_REPLACE_IN_SUBASSEMBLIES","FILL_SURFACE_G1_FAIL","ALL_CONFIGURATION_PARAMETERS_NOT_SPECIFIED","ASSEMBLY_REPLACE_INVALID_SEED_INSTANCE","ASSEMBLY_REPLACE_INVALID_SEED_TYPE","ASSEMBLY_REPLACE_SUPPRESSED_FORBIDDEN","DISPLAY_STATES_INVALID_NAME","DISPLAY_STATES_DUPLICATE_NAME","WORKSPACE_UPGRADE_NONE_ENABLE_CAPABILITY","DISPLAY_STATES_UPDATE_HAD_NO_EFFECT","DISPLAY_STATES_APPLY_HAD_NO_EFFECT","DISPLAY_STATES_DOES_NOT_EXIST","LOFT_SPINE_NONTANGENT_PATH","LOFT_SPINE_APPROXIMATED","REST_ASSEMBLY_REVISION_PART_NUMBER_BLANK","REST_ASSEMBLY_REVISION_NOT_FOUND","ROLL_FAILED","ROLL_CANNOT_ADJUST","ROLL_MISMATCHED_SOURCE","INVALID_ROLL_SURFACE","ROLL_NOT_TO_OR_FROM_PLANE","FAILED_TO_FIND_ELEMENT_FOR_TO_STATE","FAILED_TO_FIND_VERSION_FOR_TO_STATE","MISSING_REVISION_ID_FOR_TO_STATE","MISSING_VERSION_ID_FOR_TO_STATE
","INVALID_DOCUMENT_ID_FOR_TO_STATE","ASSEMBLY_CONTAINS_MISSING_PART_DATA","SHEET_METAL_HEM_NO_EDGES","SHEET_METAL_HEM_NON_LINEAR_EDGES","SHEET_METAL_HEM_FAIL_ALIGNMENT","SHEET_METAL_HEM_TOO_SHORT","SHEET_METAL_HEM_TEAR_DROP_GAP_TOO_LARGE","SHEET_METAL_HEM_INTERNAL","SHEET_METAL_HEM_FAILED","INVALID_CONFIGURATION_SPECIFIED","EDGEBLEND_PARTIAL","CHAMFER_PARTIAL_FAIL","LOFT_INCONSISTENT_EXTENT","LOFT_CANT_TRIM_PROFILES_INFO","LOFT_CANT_TRIM_GUIDES_INFO","NON_GEOMETRIC_ITEM_INSERTION_FAILED","SHEET_METAL_FLANGE_NEXT_TO_CYLINDER_BEND","SHEET_METAL_HEM_NEXT_TO_CYLINDER_BEND","SHEET_METAL_MOVE_FACE_NEXT_TO_CYLINDER_BEND","ASSEMBLY_UNKNOWN_SOLVE_ERROR","ASSEMBLY_FEATURE_FAILED_TO_RESOLVE_ALL_INSTANCES","SHEET_METAL_ORPHANED_BEND","ASSEMBLY_CONTEXT_INVALID_REFERENCE","ASSEMBLY_FEATURE_QUERY_DATA_MISSING","NON_GEOMETRIC_ITEMS_DOCUMENT_NOT_OWNED_BY_COMPANY","NON_GEOMETRIC_ITEM_NO_ITEM_FOUND_FOR_DOCUMENT_OWNER","EXTEND_SHEET_BODY_NO_TARGET","EXTEND_TARGET_MISSED","EXTEND_SELF_INTERSECTION","EXTEND_FAILED","EXTEND_TO_FACE_FAILED","TRIM_TO_MULTI_FAILED","EXTEND_NON_LAMINAR","EXTEND_TO_VERTEX_FAILED","TRIM_FAILED","SKETCH_EQUAL_CURVATURE_FAILED","SKETCH_EQUAL_CURVATURE_INPUT_ERROR","ASSEMBLY_EXPLODE_STEP_DIRECTION_QUERY_FAILED","WRAP_DESTINATION_NO_FACE","WRAP_TRIM_FAILED","WRAP_TRIM_NO_INTERSECTION","WRAP_IMPRINT_FAILED","WRAP_NEEDS_ANCHOR","WRAP_SELECT_TOOLS","WRAP_SELECT_TARGET","CREATE_COMPOSITE_PART_FAILED","NESTED_COMPOSITE_PARTS","ASSEMBLY_EXPLOSION_DOES_NOT_EXIST","FILL_SURFACE_NO_GUIDES","HOLE_INCONSISTENT_TAP_INFO","WRAP_SOURCE_DIFFERING_PLANES","WRAP_IMPRINT_SHEET_METAL","WRAP_SELECT_ANCHORS","OPERATION_CANCELLED","COMPOSITE_CLOSED_OVERLAP","COMPOSITE_OPEN_OVERLAP","COMPOSITE_SKETCH","COMPOSITE_MATE_CONNECTOR","COMPOSITE_PLANE","COMPOSITE_NON_MODIFIABLE","ASSEMBLY_REPLACE_WILL_CAUSE_CYCLES","CREATE_OUTLINE_TWO_OFFSET_FACES_PER_BODY","SHEET_METAL_TOOL_DOES_NOT_CUT_THROUGH","PERIODIC_BSPLINESURFACE_NOT_CLOSED","PERIODIC_BSPLINESURFACE_NOT_SMOOTH","CANNOT_MAKE_BSPLINESURF
ACE","BSPLINESURFACE_NOT_G1","BAD_2D_BOUNDARY_BSPLINECURVE_DEFINITION","PERIODIC_2D_BOUNDARY_BSPLINECURVE_NOT_CLOSED","PERIODIC_2D_BOUNDARY_BSPLINECURVE_NOT_SMOOTH","BSPLINESURFACE_BOUNDARY_NOT_SINGLE_CLOSED_LOOP","BSPLINESURFACE_FAILED_TO_MAKE_SOLID","BOOLEAN_NO_SHARED_EDGE_WITH_OTHER_SURFACE","BOOLEAN_NO_SURFACE_TO_MERGE_WITH","BOOLEAN_INVALID_PARAMETER_COMBINATION","MODIFY_COMPOSITE_PART_FAILED","INSTANCE_CONSUMED_BY_CLOSED_COMPOSITE","EXPLODE_STEP_INSTANCE_IS_SUPPRESSED","NO_COMPOSITE_FOR_SINGLE_SOLID","COMPOSITE_PART_ADD_AND_REMOVE_BODY","BOOLEAN_TOOL_INPUTS_NOT_SOLID","BOOLEAN_CANNOT_MIX_SOLIDS_AND_SURFACES","BSPLINESURFACE_CONTROL_POINTS_GRID_TOO_LONG","BSPLINE_TOO_MANY_CONTROL_POINTS","BSPLINE_DEGREE_TOO_HIGH","COMPOSITE_PART_SELECT_ENTITIES","DELETE_COMPOSITE_PART_FAILED","SURFACES_NOT_SUPPORTED_BY_PATTERN_REMOVE_AND_INTERSECT","SHEET_METAL_TAB_MERGE_AND_SUBTRACT_SAME_FLANGE","EXPLODED_VIEW_INVALID_STARTING_POSITION","CANNOT_EXPLODE_SKETCH","FAILED_TO_CREATE_EXPLODED_VIEW","ASSEMBLY_NAMED_POSITIONS_NEW_INSTANCES","SYS_FEATURE_EXCEPTION","CURVE_PARTIAL_FAILED","CURVE_FAILED","SPLIT_KEEP_PLANES_AND_MATE_CONNECTORS","EXPLODE_LINES_MUST_SPECIFY_STARTING_POINT","EXPLODE_LINES_FAILED_TO_RESOLVE_ENTITY","SPLINE_THROUGH_EDGES_SELECTED_EDGES_DONT_FORM_CHAIN","SPLINE_THROUGH_EDGES_TANGENT_DISCONTINUITY_AT_EDGE_ENDS","SPLINE_THROUGH_EDGES_CANNOT_FIT_SPLINE","SPLINE_THROUGH_EDGES_SELECT_EDGES","SPLINE_THROUGH_EDGES_RESULTED_IN_MORE_THAN_ONE_EDGE","SKETCH_CANNOT_DELETE_SPLINE_HANDLES","SKETCH_TRIM_NO_SPLINE_HANDLES","SKETCH_SPLIT_NO_SPLINE_HANDLES","SKETCH_EXTEND_NO_SPLINE_HANDLES","SKETCH_PATTERN_NO_SPLINE_HANDLES","SKETCH_FILLET_NO_SPLINE_HANDLES","SKETCH_MIRROR_NO_SPLINE_HANDLES","SKETCH_TRANSFORM_NO_SPLINE_HANDLES","MATE_OFFSET_INVALID_ROTATION_TYPE","SKETCH_TANGENT_CONSTRAINT_SPLINE_AND_HANDLE","SKETCH_CURVATURE_CONSTRAINT_SPLINE_AND_HANDLE","EXPLODE_LINE_NOT_ON_EXPLODED_INSTANCE","SWEEP_DISJOINT_PROFILE","SWEEP_MIXED_PROFILE","MULTI_PROFILE_SWEEP_NO_INNER_LOOPS","
SWEEP_PROFILE_DIM_MISMATCH","LOFT_CONNECTION_MATCHING","SIMULATION_LOAD_DIRECTION_QUERY_FAILED","SIMULATION_LOAD_REGION_QUERY_FAILED","SIMULATION_LOAD_REGION_QUERY_EMPTY","SIMULATION_LOAD_REGION_NOT_ON_LOAD_INSTANCE","SIMULATION_LOAD_INSTANCE_NOT_SPECIFIED","SIMULATION_LOAD_DIRECTION_NOT_SPECIFIED","SIMULATION_FUNCTIONAL_CONNECTION_QUERY_FAILED","SIMULATION_FUNCTIONAL_CONNECTION_QUERY_EMPTY","HOLE_MATCH_FAILED","RULED_SURFACE_SELECT_EDGES","RULED_SURFACE_MITER_FAILED","RULED_SURFACE_NO_TANGENT_DIR","RULED_SURFACE_SELECT_DIRECTION","RULED_SURFACE_ZERO_LENGTH","RULED_SURFACE_SELECT_UP_TO_ENTITY","RULED_SURFACE_OVERLAPPING_SKETCH_EDGES","RULED_SURFACE_EDGES_NOT_MANIFOLD","RULED_SURFACE_FAILED","RULED_SURFACE_NO_LOCK_FACE","RULED_SURFACE_VERTEX_SELECT_VERTEX","RULED_SURFACE_MULTIPLE_LOCK_FACES","RULED_SURFACE_TOP_LEVEL_BOUNDARY_ENTITY","RULED_SURFACE_SPLIT_VERTEX","FULL_ROUND_SELECT_FACES","FULL_ROUND_MINIMUM_VERSION","FULL_ROUND_ADJACENT_CENTER_FACES","FULL_ROUND_COMMON_BODY","FAILED_TO_CREATE_ASSEMBLY_SIMULATION","IN_CONTEXT_UPDATE_DELETED_WORKSPACE","HOLE_TOOL_CONSTRUCTION_FAILED","HOLE_PARTIAL_FAILURE","HOLE_EXCEEDS_MAX_LOCATIONS_500","CONSTRUCT_PATH_EDGES_OVERLAP","CONSTRUCT_PATH_NOT_MANIFOLD","CONSTRUCT_PATH_FAILED","CONSTRUCT_PATH_FACES_OPPOSITE_SIDES","RULED_SURFACE_REFERENCE_FACES_BOTH_SIDES","HOLE_TARGETS_DO_NOT_DIFFER","RULED_SURFACE_OVERRIDES_CLASH","FGS_STREAM_ERROR","NO_MATERIAL_FOR_MASS_PROPERTY","SPECIFIED_SIMULATION_DOES_NOT_EXIST","MULTIPLE_MODAL_SIMULATIONS_PROHIBITED","LOFT_POINT_PROFILE_NORMAL_TO_PROFILE_GUIDE","RULED_SURFACE_GLOBAL_NORMAL_OVERRIDE","RULED_SURFACE_EDGE_PARALLEL_REFERENCE","FIXED_PART_REQUIRED_FOR_SIMULATION","MATERIAL_ASSIGNMENT_REQUIRED_FOR_SIMULATION","LOAD_REQUIRED_FOR_LINEAR_STATIC_SIMULATION","MATERIAL_LACKS_REQUIRED_PROPERTY_FOR_SIMULATION","FILLET_EDGES_NOT_MANIFOLD","SHEET_METAL_FILLET_NO_WIDTH","FRAME_TAG_PROFILE_SELECT_SKETCH","FRAME_TAG_PROFILE_SPECIFY_COLUMNS","FRAME_TAG_PROFILE_HEADER_EMPTY","FRAME_TAG_PROFILE_VALUE_EMP
TY","FRAME_MISSING_CAP_FACES","FRAME_MISSING_SWEPT_EDGES","FRAME_MISSING_SWEPT_FACES","FRAME_CUTLIST_NO_END_FACE_EDGE_GEOMETRY_PAIR","PUBLICATION_ITEM_INSERT_FAILED","PUBLICATION_ITEM_INSERT_FAILED_NO_LINK_PERMISSION","PUBLICATION_ITEM_INSERT_FAILED_NO_DUPLICATES_ALLOWED","PUBLICATION_ITEM_UPDATE_FAILED_NO_DUPLICATES_ALLOWED","PUBLICATION_ITEM_UPDATE_FAILED","VRFILLET_RADIUS_REQUIRED_AT_POINT","VRFILLET_PARAMETER_REQUIRED_AT_POINT","VRFILLET_RHO_REQUIRED_AT_POINT","VRFILLET_MAG_REQUIRED_AT_POINT","VRFILLET_SELECT_EDGES","VRFILLET_EDGE_NOT_ON_CHAIN","BRIDGING_CURVE_POSITIONS_IDENTICAL","SPLIT_FACE_MUTUAL_IMPRINT","BRIDGING_CURVE_ZERO_SPEED_SCALE","VARIABLE_DESCRIPTION_TOO_LONG","FRAME_BAD_PATH","FRAME_SWEEP_FAILED","FRAME_TRIM_FAILED","FRAME_MALFORMED_BEAM","FRAME_BAD_CORNER_TYPE","FRAME_SELECT_PROFILE","FRAME_PROFILE_REGION","FRAME_NO_INTERNAL_TRIM","FRAME_MULTIPLE_TRIM_PLANES","FRAME_MULTIPLE_EQUAL_BEAMS_AFTER_SPLIT","FRAME_TRIM_GROUPS","FRAME_DISJOINT_GROUPS","FRAME_CANDIDATE_FACES","FRAME_LENGTHWISE_TRIM","FRAME_TRIM_SELECT_TARGETS","FRAME_TRIM_SELECT_TOOL","FRAME_SELECT_PATH","FRAME_TAG_PROFILE_HEADER_RESERVED","FRAME_CUTLIST_COLUMN_EMPTY","FRAME_TAG_PROFILE_NO_FEATURE_PATTERN","FRAME_CUTLIST_NO_FEATURE_PATTERN","SPLIT_EDGE_SELECT_EDGES","SPLIT_EDGE_SIZES_MISMATCH","SPLIT_EDGE_PARAMETER_BOUND","SPLIT_EDGE_FAILED","SPLIT_CLOSED_EDGE_ONE_POINT","SPLIT_EDGE_PROVIDE_PARAMETERS","NO_MATERIAL_FOR_COMPOSITE_PART_COMPUTED_MASS","FRAME_MULTIPLE_EQUAL_SEGMENTS_AFTER_SPLIT","FRAME_MALFORMED_SEGMENT","SIMULATION_UNSUPPORTED_INSTANCE","MIXED_MODEL_LAYOUT","ADJACENT_MESH_FACES_FOR_CAP_OR_HEAL","NOT_ALL_MESH_FACES_PATTERN","VOLUME_ACCURACY_MUST_BE_HIGH_FOR_REGEN","ASSEMBLY_REPLICATE_INVALID_SEED_MATE","ASSEMBLY_REPLICATE_MISSING_SEED_MATE","DXF_UNKNOWN_ENTITY","DXF_NONUNIFORM_SCALING","DXF_COULD_NOT_READ_FILE","DXF_COULD_NOT_CONVERT_HATCH","DXF_COULD_NOT_CONVERT_BODY","DXF_COULD_NOT_CONVERT_REGION","DXF_BAD_SPLINE_DATA","SIMULATION_LOAD_INSTANCE_SUPPRESSED","DIAMETERS_MUST_BE_
EQUAL","NOT_CONVEX","SELECT_CYLINDER_EDGES","NOT_CYLINDER_OR_CONE","UNABLE_TO_FIND_THREAD_BOUNDARY","UNDERCUT_OFF_FACE","UNDERCUT_TOO_DEEP","HOLE_CBORE_CSINK_VALUES_NON_STD","SHEET_METAL_FLANGE_PARAMETER_BOUND","SHEET_METAL_FLANGE_ZERO_WIDTH","SHEET_METAL_FLANGE_NO_BOUNDING_ENTITY","SHEET_METAL_FLANGE_BOUNDING_ENTITY_PARALLEL","SHEET_METAL_FLANGE_BOUNDING_ENTITY_NOT_SUPPORTED","FRAME_BAD_COMPOSITE_SEGMENT","SKETCH_SPLINE_POINT_HAS_HANDLE","SKETCH_TRIM_NO_SPLINE_CONTROL_POLYGON","SELECTED_NON_MATCHING_SIZE","NEAREST_MATCHING_THREAD_SIZE","SKETCH_PATTERN_NO_SPLINE_CONTROL_POLYGON","SKETCH_TRANSFORM_NO_SPLINE_CONTROL_POLYGON","SKETCH_FILLET_NO_SPLINE_CONTROL_POLYGON","SKETCH_MIRROR_NO_SPLINE_CONTROL_POLYGON","SKETCH_SPLIT_NO_SPLINE_CONTROL_POLYGON","VARIABLE_SELECT_FIRST_ENTITY","VARIABLE_SELECT_SECOND_ENTITY","VARIABLE_SELECT_CUSTOM_DIRECTION","VARIABLE_SELECT_ENTITIES_TO_MEASURE","VARIABLE_SELECT_ENTITY_TO_MEASURE","VARIABLE_NO_GEOMETRY_WITH_DIAMETER","VARIABLE_ONLY_TWO_ENTITIES_ALLOWED","VARIABLE_FLATTENED_ENTITIES_MUST_BE_SAME_BODY","CURVE_PROJECTION_FAILED","FACE_INTERSECTION_FAILED","FACE_INTERSECTION_NO_RESULT","FACE_INTERSECTION_UNIQUE_SELECTION","FACE_INTERSECTION_OVERLAPPING_SELECTION","CHAMFER_SIZE_EXCEED_GUSSET_SIZE","EMPTY_GUSSET_SELECTION","CANNOT_FIT_A_GUSSET","NON_FRAME_EDGE_SELECTED","SWEPT_EDGE_SELECTED","NO_CAP_FACE_SELECTED_ERROR","INVALID_CAP_FACE_SELECTED_ERROR","CAP_MULTI_FACE_SELECTED_ERROR","CAP_MULTI_LUMENS_SELECTED_ERROR","CAP_CURVED_FRAME_ERROR","CAP_FRAME_AXIS_ERROR","VARIABLE_CANNOT_USE_MAXIMUM_WITH_INFINITE_ENTITIES","VARIABLE_NO_AXIS_ENTITIES","CURVE_PROJECTION_NO_RESULT","BSURF_FAILED","BSURF_PROFILE_FAILED","BSURF_INCONSISTENT_BOUNDARY_CONDITIONS","FGS_SIMULATION_ERROR_SIMULATION_NON_CONVERGENT","FGS_SIMULATION_ERROR_LATERAL_BEARING_FORCE","FGS_SIMULATION_ERROR_LOADS_NONE","FGS_SIMULATION_ERROR_CONSTRAINTS_NONE","FGS_SIMULATION_ERROR_CONSTRAINTS_ONLY_KINEMATIC","FGS_SIMULATION_ERROR_INTERNAL_ERROR","DXF_COULD_NOT_CONVERT_TEXT","FGS_SIM
ULATION_ASSEMBLY_TOO_COMPLEX","SPLIT_SELECT_FACE_DIRECTION","SELECTION_IS_INVALID","CANNOT_ADD_MORE_THAN_ONE_THREAD_TO_UNSPLIT_CYLINDER","UNDERCUT_TOO_SHALLOW","CAP_INCLINED_CUT_FRAME_ERROR","SPLIT_OFF_FACE","UNDERCUT_DIAMETER_TOO_LARGE","PUBLICATION_ACTION_FAILED_NO_PLAN_ACCESS","DISPLAY_STATES_NO_REFERENCE","INVALID_ARC_LENGTH","FILLET_ADJOINING_EDGE_NOT_FILLETED","FILLET_BOUNDARY_INTERSECTS_EDGE","FILLET_BOUNDARY_OVERLAP","FILLET_EDGE_OVERLAPPED_BY_FILLET","FILLET_FACE_RANGE_TOO_LARGE","FILLET_ILLEGAL_END_BOUNDARY","FILLET_OVERLAP","FILLET_OVERLAPS_EDGE_LOOP","FILLET_PRODUCED_SELF_INT_SURFACE","FILLET_RANGE_INCONSISTENT_EDGE","FILLET_REQUIRES_SURFACE_EXTENSION","FILLET_RHO_TOO_LARGE","FILLET_VERTEX_EDGES_COMPLICATED","CHAMFER_ADJOINING_EDGE_NOT_CHAMFERED","CHAMFER_BOUNDARY_INTERSECTS_EDGE","CHAMFER_BOUNDARY_OVERLAP","CHAMFER_EDGE_OVERLAPPED_BY_CHAMFER","CHAMFER_FACE_RANGE_TOO_LARGE","CHAMFER_ILLEGAL_END_BOUNDARY","CHAMFER_OVERLAP","CHAMFER_OVERLAPS_EDGE_LOOP","CHAMFER_PRODUCED_SELF_INT_SURFACE","CHAMFER_RANGE_INCONSISTENT_EDGE","CHAMFER_REQUIRES_SURFACE_EXTENSION","CHAMFER_RHO_TOO_LARGE","CHAMFER_VERTEX_EDGES_COMPLICATED","EDGEBLEND_ADJOINING_EDGE_NOT_BLENDED","EDGEBLEND_BOUNDARY_INTERSECTS_EDGE","EDGEBLEND_BOUNDARY_OVERLAP","EDGEBLEND_EDGE_OVERLAPPED_BY_BLEND","EDGEBLEND_FACE_RANGE_TOO_LARGE","EDGEBLEND_ILLEGAL_END_BOUNDARY","EDGEBLEND_OVERLAP","EDGEBLEND_OVERLAPS_EDGE_LOOP","EDGEBLEND_PRODUCED_SELF_INT_SURFACE","EDGEBLEND_RANGE_INCONSISTENT_EDGE","EDGEBLEND_REQUIRES_SURFACE_EXTENSION","EDGEBLEND_RHO_TOO_LARGE","EDGEBLEND_VERTEX_EDGES_COMPLICATED","SIMULATION_LOAD_ON_FIXED_INSTANCE","FRAME_CUSTOM_ALIGNMENT_POINTS_NOT_IN_SKETCH","NON_MATCHING_SIZE_ERROR","FILL_CANNOT_MATCH_EDGE_ADJACENT_FACES","FILL_ADJACENT_FACE_BAD_INPUT","FRAME_BAD_OFFSET_INDEX","EXTERNAL_THREADS_UNSUPPORTED_ON_SHEET_METAL","THREAD_DEPTH_BEYOND_CYLINDER","VRFILLET_ASYMMETRIC_RADIUS_REQUIRED_AT_VERTEX","VRFILLET_ASYMMETRIC_RADIUS_REQUIRED_AT_POINT","VRFILLET_BAD_COEDGE","FILLET_LEGACY_ASYMMETRI
C_UNSUPPORTED","PARTIAL_FILLET_BAD_INPUT_ERROR","GUSSET_EMPTY_ALIGNMENT_SELECTION","GUSSET_ALIGNMENT_NO_INTERSECTION","BRIDGING_CURVE_VERTEX_OR_EDGE_ON_SIDE","CANNOT_USE_PARTIAL_FILLET_IN_SHEET_METAL","PARTIAL_FILLET_CLOSED_PATH_ERROR","WRONG_CYLINDER_EDGE_SELECTED","GUSSET_OFFSET_NOT_PARALLEL","GUSSET_ALIGNED_OFFSET_NOT_PARALLEL","BRIDGING_CURVE_VERTEX_BELONG_TO_FACE","BRIDGING_CURVE_EDGE_BELONG_TO_FACE","BRIDGING_CURVE_NO_START_SELECTION","BRIDGING_CURVE_NO_END_SELECTION","NAMED_VIEW_INVALID","MUTUAL_TRIM_SAME_SURFACE_USED","MUTUAL_TRIM_SURFACE_NOT_SELECTED","MUTUAL_TRIM_GENERIC_ERROR","SHEET_METAL_CANNOT_CUT","BSURF_2_PROFILES","BSURF_OPEN_CHAIN","BSURF_PROFILE_QUALITY","BSURF_PROFILE_MISMATCH","BSURF_INVALID_BOUNDARY_CONDITIONS","BSURF_SOLVE_FAILS","HOLE_CSINK_ANGLE_TOO_WIDE","HOLE_CSINK_ANGLE_TOO_NARROW","EXTRUDE_START_OFFSET_BOUND_NOT_PLANAR","EXTRUDE_START_OFFSET_BOUND_NOT_PARALLEL_TO_EXTRUDED_ENTITIES","EXTRUDE_DIRECTION_COPLANAR","EXTRUDE_DIRECTION_INVALID_ENTITY","BSURF_CONVERGENCE_CURVES","BSURF_CONVERGENCE_TANGENCY","EXTRUDE_SELECT_DIRECTION","EXTRUDE_SELECT_START_OFFSET_ENTITY","BSURF_INCONSISTENT_CONDITIONS_ERROR","PARTIAL_FILLET_INVALID_BOUNDS_ERROR","DOCUMENT_ELEMENT_NOT_FOUND","BSURF_PROFILE_NON_G1","SM_FLAT_OP_FACES_DONT_MATCH","HOLE_REVERSED_BOUNDS","HELIX_INPUT_AXIS","HELIX_BOTH_RADII_ZERO","HELIX_START_POINT_MISALIGNED","HELIX_END_POINT_MISALIGNED","FACE_BLEND_SELECT_FACES","FACE_BLEND_FAILED","FACE_BLEND_DIMENSION_TOO_SMALL","FACE_BLEND_DIMENSION_TOO_LARGE","FACE_BLEND_CANNOT_ATTACH","FACE_BLEND_WRONG_LEFT_WALL_SENSE","FACE_BLEND_WRONG_RIGHT_WALL_SENSE","FACE_BLEND_WRONG_SENSES","FACE_BLEND_LEFT_WALL_MULTIPLE_BODIES","FACE_BLEND_RIGHT_WALL_MULTIPLE_BODIES","FACE_BLEND_INCONSISTENT_DATA","FACE_BLEND_INVALID_TANGENT_HOLD_LINE","FACE_BLEND_INVALID_CONIC_HOLD_LINE","FACE_BLEND_BAD_SPINE","FACE_BLEND_RHO_TOO_LARGE","FACE_BLEND_RHO_INVALID","FACE_BLEND_SELF_INTERSECTION","FACE_BLEND_INVALID_CAP","FACE_BLEND_INVALID_LIMIT","FACE_BLEND_INVALID_LIMIT_DI
RECTION","FACE_BLEND_SPINE_ZERO_ANGLE_PROPAGATION","FACE_BLEND_SPINE_TANGENT_PROPAGATION","FACE_BLEND_SELECT_SPINE","FACE_BLEND_HOLD_LINE_IN_WALLS","FACE_BLEND_TANGENT_HL_ASYMMETRIC","FACE_BLEND_WIDTH_HOLD_LINES","FACE_BLEND_EDGE_LIMIT_NEEDS_SIDE","FACE_BLEND_INVALID_PLANE_LIMIT","FACE_BLEND_INVALID_PROPAGATION_ANGLE","OFFSET_WIRE_GENERIC_ERROR","OFFSET_WIRE_SELECT_WALL_PATH","OFFSET_WIRE_DIR1_FAILED","OFFSET_WIRE_DIR2_FAILED","FACE_BLEND_SOLID_LONG_ATTACH","OFFSET_WIRE_SHAPES_NON_CONSISTENT","OFFSET_WIRE_MULTIPLE_SHAPES","BOOLEAN_NON_MANIFOLD_RESULT","DRAWING_ASSEMBLY_NONMANIFOLD_SECTION_CUT","DRAWING_PARTSTUDIO_NONMANIFOLD_SECTION_CUT","MOVE_CURVE_BOUNDARY_FAILED","MOVE_CURVE_BOUNDARY_EXTENSION_NO_INTERSECTION","MOVE_CURVE_BOUNDARY_TRIM_NO_INTERSECTION","MOVE_CURVE_BOUNDARY_SELECT_CURVE","MOVE_CURVE_BOUNDARY_SELECT_TRIM_BOUNDARY","MOVE_CURVE_BOUNDARY_SELECT_EXTEND_BOUNDARY","MOVE_CURVE_BOUNDARY_NO_SKETCH_ENTITIES","MOVE_CURVE_BOUNDARY_ONLY_WIRES","MOVE_CURVE_BOUNDARY_SELECT_HELP_POINT","MOVE_CURVE_BOUNDARY_EXTEND_REQUIRES_OPEN_CURVE","MOVE_CURVE_BOUNDARY_SPLIT_CLOSED_AT_TWO_POINTS","HOLE_NO_END_BOUNDS","HOLE_TAP_TOO_DEEP","MOVE_CURVE_BOUNDARY_TOOL_IS_TARGET","DRAWING_IGNORE_FAULTY_PARTS","ISOCLINE_NO_RESULT","ISOCLINE_SELECT_FACES","ISOCLINE_SELECT_DIRECTION","ISOCLINE_FAILED","FGS_GENERATIVE_OPT_MAX_ITERATIONS","FGS_GENERATIVE_TARGET_VOLUME_LOW","FGS_GENERATIVE_TARGET_VOLUME_LARGE","FGS_GENERATIVE_THIN_GENERIC","FGS_GENERATIVE_SYMMETRY_DEF_PROBLEM","FGS_GENERATIVE_MINRADIUS_SMALL","FGS_GENERATIVE_MINRADIUS_LARGE","FGS_GENERATIVE_OPT_INVALID_SETUP","CURVE_PATTERN_DISTANCE_TOO_LARGE","BEND_REPLACEMENT_HEAL_FAILED","CANNOT_COPY_CONSTRAINTS","PARAMETER_EXPRESSION_VALIDATION_UNITS_MISMATCH_3ARGS","PARAMETER_EXPRESSION_VALIDATION_SYNTAX_ERROR_0ARGS","PARAMETER_EXPRESSION_VALIDATION_RESERVED_ID_1ARG","PARAMETER_EXPRESSION_VALIDATION_CANNOT_APPLY_OP_TO_1ARG","PARAMETER_EXPRESSION_VALIDATION_CANNOT_APPLY_OP_TO_2ARGS","PARAMETER_EXPRESSION_VALIDATION_CANNOT_APPLY_OP_TO_3AR
GS","PARAMETER_EXPRESSION_VALIDATION_INCORRECT_TYPE","PARAMETER_EXPRESSION_UNKNOWN_FUNCTION","PARAMETER_EXPRESSION_UNKNOWN_VARIABLE","REVOLVE_NOT_COPLANAR_WITH_AXIS","FRAME_ANGLE_REFERENCE_INVALID_ENTITY","AMBIGUOUS_GEOMETRY_FOR_GUSSET_DEFINITION","HOLE_START_BOUND_INVALID","HOLE_NO_START_BOUND","BODY_DRAFT_FAILED","BODY_DRAFT_NO_REFERENCES","BODY_DRAFT_NO_ANGLES","BODY_DRAFT_INVALID_ABOVE_ANGLE","BODY_DRAFT_INVALID_BELOW_ANGLE","BODY_DRAFT_INVALID_PARTING_ENTITY","BODY_DRAFT_INVALID_PULL_DIRECTION","BODY_DRAFT_MITER_NEED_BOTH_SIDES","BODY_DRAFT_EDGE_SEPARATION_FAILED","BODY_DRAFT_EDGE_SPLIT_FAILED","BODY_DRAFT_ISOCLINE_SPLIT_FAILED","BODY_DRAFT_PARTING_PLANE_SHEET_ERROR","BODY_DRAFT_INVALID_REFERENCE","BODY_DRAFT_REFERENCE_LOOP","BODY_DRAFT_TOO_STEEP","BODY_DRAFT_BAD_PULL_DIRECTION","BODY_DRAFT_MITER_FAILED","DECAL_HORIZONTAL_REFERENCE_INVALID_ENTITY","OFFSET_WIRE_SHEET_CREATION_FAILED","REPLACE_FACE_SHEET_SMALL","REPLACE_FACES_NOT_ADJACENT","SHEET_METAL_HOLE_REBUILD_FAILED","CPLANE_TANGENT_INPUT","CPLANE_TANGENT_SELECT_REFERENCE","CPLANE_TANGENT_PLANE_INVALID","CPLANE_TANGENT_POINT_INVALID","REPLACE_FACES_NOT_SAME_BODY","MUST_USE_DEFAULT_RADIUS_WITH_FACE_BEND","CANNOT_RIP_A_FACE_BEND","CANNOT_MAKE_A_FACE_BEND_TANGENT","SKETCH_HAS_PATTERN_TOO_LARGE","SKETCH_LINEAR_PATTERN_FAILED","DECAL_PROJECTED_OFF_FACE","FIT_TOLERANCE_LIMITS_NOT_FOUND","FIT_TOLERANCE_SIZE_TOO_LARGE_ISO","FIT_TOLERANCE_SIZE_TOO_LARGE_ANSI","DECAL_NO_FACE_SELECTION","DECAL_NO_IMAGE_SELECTION","DECAL_IMAGE_TOO_LARGE","FGS_SIMULATION_ASSEMBLY_HAS_NO_INSTANCES","FGS_SIMULATION_ASSEMBLY_HAS_TOO_FEW_INSTANCES","FGS_MODAL_SIMULATION_HAS_ALL_FIXED_PARTS","BODY_DRAFT_STRAY_NONMITER_EDGES","MASS_PROPERTY_FACES_NOT_COPLANAR","PARAMETER_VALUE_INVALID","SHEET_METAL_CHAMFER_NO_TANGENT_BASED","CHAMFER_DIRECTION_OVERRIDE_NO_EFFECT","FILLET_CHAMFER_UNSUPPORTED","LINEAR_PATTERN_SKETCH_REAPPLY_INFO","CIRCULAR_PATTERN_SKETCH_REAPPLY_INFO","CURVE_PATTERN_SKETCH_REAPPLY_INFO","MIRROR_SKETCH_REAPPLY_INFO","CHAMFER_HELD
_BACK","SWEEP_BAD_LOCK_DIRECTION","SHEET_METAL_COUNTER_HOLE_UNSUPPORTED","SPECIFIED_FEATURE_DOES_NOT_EXIST","UNKNOWN"]},"GBTFeatureFilterExclusion":{"type":"string","enum":["EXCLUDE_EVERYTHING_ELSE","EXCLUDE_THIS","UNKNOWN"]},"GBTFilterFlattenedGeometryOptions":{"type":"string","enum":["MODEL_ONLY","FLATTENED_ONLY","MODEL_AND_FLATTENED","UNKNOWN"]},"GBTGeometryType":{"type":"string","enum":["LINE","CIRCLE","ARC","PLANE","CYLINDER","CONE","SPHERE","TORUS","SPLINE","ELLIPSE","MESH","CONIC","REVOLVED","EXTRUDED","ALL_MESH","MIXED_MESH","SPLINE_INTERNAL_POINT","SPLINE_CONTROL_POLYGON","ELLIPTICAL_ARC","UNKNOWN"]},"GBTHLQualityOption":{"type":"string","enum":["BEST_PERFORMANCE","BEST_QUALITY","BALANCED","ADAPTIVE"]},"GBTHLSimplificationOption":{"type":"string","enum":["NONE","ABSOLUTE","RATIO_TO_MODEL","RATIO_TO_BODY","AUTOMATIC"]},"GBTInsertableType":{"type":"string","enum":["PARTS","SKETCHES","SURFACES","FLATTENED_PARTS","COMPOSITE_PARTS","PART_STUDIOS","WIRES","UNKNOWN"]},"GBTLoadType":{"type":"string","enum":["FORCE","MOMENT","BEARING_LOAD","ACCELERATION","PRESSURE","UNKNOWN"]},"GBTMGeomStatus":{"type":"string","enum":["UNKNOWN","UNDER_DEFINED","WELL_DEFINED","FIXED","OVER_DEFINED","NOT_CONSISTENT"]},"GBTMatchRegenerationHashStatus":{"type":"string","description":"Success or failure mode of the regeneration hash 
check.","enum":["MATCH","FAILED_HASH","MISMATCH_VERTICES","MISMATCH_EDGES","MISMATCH_FACES","MISMATCH_BODIES","MISMATCH_NUMBER_OPERATIONS","UNKNOWN"]},"GBTMateType":{"type":"string","enum":["SLIDER","CYLINDRICAL","REVOLUTE","PIN_SLOT","PLANAR","BALL","FASTENED","PARALLEL","UNKNOWN"]},"GBTMeshState":{"type":"string","enum":["NO_MESH","MIXED","ALL_MESH","UNKNOWN"]},"GBTMetadataOverrideStatusType":{"type":"string","enum":["UNKNOWN","PROPERTY_NOT_COMPUTED","COMPUTED_WITH_NO_OVERRIDES","COMPUTED_WITH_OVERRIDES","COMPUTED_WITH_SUBASSEMBLY_OVERRIDES","OVERRIDDEN"]},"GBTMetadataSourceType":{"type":"string","enum":["AUTOMATIC","MERGED","FEATURE","UNCONFIGURED","CONFIGURED","STANDARD_CONTENT","DEFAULT","COMPUTED","COMPUTED_CONFIGURED","IMPORT","UNKNOWN"]},"GBTNodeChange":{"type":"string","enum":["NONE","MOVED","MODIFIED","MOVED_AND_MODIFIED","ADDED","DELETED","UNKNOWN"]},"GBTNodeStatusType":{"type":"string","enum":["OK","INFO","WARNING","ERROR","UNKNOWN"]},"GBTNoticeLevel":{"type":"string","enum":["INTERNAL","ERROR","WARNING","INFO","UNKNOWN"]},"GBTNoticeType":{"type":"string","enum":["PARSE","SEMANTIC","EXECUTION","MODELING","TEST","OTHER","UNKNOWN"]},"GBTPDefinitionType":{"type":"string","enum":["FUNCTION","PREDICATE","CONSTANT","ENUM","USER_TYPE","FEATURE_DEFINITION","FILE_HEADER","UNDOCUMENTABLE","CONST_LAMBDA","UNKNOWN"]},"GBTPOperator":{"type":"string","enum":["NONE","PLUS","MINUS","TIMES","DIVIDE","MODULUS","POWER","NEGATE","OR","AND","NOT","EQUAL_TO","NOT_EQUAL_TO","GREATER","LESS","GREATER_OR_EQUAL","LESS_OR_EQUAL","CONCATENATE","CONDITIONAL"]},"GBTPType":{"type":"string","enum":["UNDEFINED","BOOLEAN","NUMBER","STRING","ARRAY","MAP","BOX","BUILTIN","FUNCTION","UNKNOWN"]},"GBTParameterVisibilityLogicalOp":{"type":"string","enum":["NOT","AND","OR","UNKNOWN"]},"GBTPartColorCycleVersion":{"type":"string","enum":["COLOR_CYCLE_0","COLOR_CYCLE_1","UNKNOWN"]},"GBTPartStudioDisplayDataVersion":{"type":"string","enum":["V0_ORIGINAL_VERSION","V1_SMOOTH_EDGES_RENDERING_OPTIONS",
"V2_SMOOTH_EDGES_TOLERANCE_CHANGED","UNKNOWN"]},"GBTPartStudioInstanceType":{"type":"string","enum":["PART","SKETCH","SURFACE","COMPOSITE","UNKNOWN"]},"GBTPartStudioItemType":{"type":"string","enum":["SOLID","SURFACE","WIRE","MESH","SKETCH","FLATTENED_SHEET_METAL","ENTIRE_PART_STUDIO","CONSTRUCTION_PLANE","COMPOSITE_PART","UNKNOWN"]},"GBTPartVisibility":{"type":"string","enum":["HIDDEN","VISIBLE","UNSPECIFIED","UNKNOWN"]},"GBTPatternType":{"type":"string","enum":["LINEAR","CIRCULAR","UNKNOWN"]},"GBTPreProcessParasolidOption":{"type":"string","enum":["NO_PRE_PROCESSING","USE_BODYSHOP_PRE_PROCESSING_ADVANCED","USE_TRANSLATOR_PRE_PROCESSING","USE_BODYSHOP_PRE_PROCESSING","UNKNOWN"]},"GBTQuantityType":{"type":"string","enum":["UNKNOWN","INTEGER","REAL","LENGTH","ANGLE","MASS","TIME","TEMPERATURE","CURRENT","ANYTHING","ANYTHING_WITH_UNITS","FORCE","PRESSURE","MOMENT","ACCELERATION","ANGULAR_VELOCITY","ENERGY","AREA","VOLUME","BOOLEAN","STRING"]},"GBTRadiusDisplay":{"type":"string","enum":["NONE","RADIAL","DIAMETRAL","UNKNOWN"]},"GBTSimulationContactBehavior":{"type":"string","enum":["MATES_ONLY","FUSE_IN_CONTACT","FUSE_IN_CONTACT_AND_USE_MATES","UNKNOWN"]},"GBTSketchCurveType":{"type":"string","enum":["UNSET","INTERPOLATED_SPLINE","BEZIER_CURVE","UNKNOWN"]},"GBTSketchObjectType":{"type":"string","enum":["NOT_SKETCH_OBJECT","ANY_SKETCH_OBJECT","USER_ENTITY","UNKNOWN"]},"GBTStandardContentValueFieldType":{"type":"string","enum":["DROPLIST","EDIT","STATIC","CHECKBOX","MATERIALLIST","UNKNOWN"]},"GBTSurfaceType":{"type":"string","enum":["PLANE","CYLINDER","CONE","SPHERE","TORUS","OTHER","REVOLVED","EXTRUDED","MESH","SPLINE","UNKNOWN"]},"GBTSurfaceTypeEnum":{"type":"string","enum":["PLANE","CYLINDER","CONE","SPHERE","TORUS","SPUN","SWEEP","OFFSET","BLEND","BSURFACE","OTHER","UNKNOWN"]},"GBTTableColumnWidthUnits":{"type":"string","enum":["PERCENT","CHARS","PIXELS","UNKNOWN"]},"GBTTableTextAlignment":{"type":"string","enum":["LEFT","CENTER","RIGHT","UNKNOWN"]},"GBTTessellationSe
ttingEnum":{"type":"string","enum":["AUTO","COARSE","MEDIUM","FINE","VERY_FINE","CURVATURE_VISUALIZATION","UNKNOWN"]},"GBTUIHint":{"type":"string","enum":["OPPOSITE_DIRECTION","ALWAYS_HIDDEN","SHOW_CREATE_SELECTION","CONTROL_VISIBILITY","NO_PREVIEW_PROVIDED","REMEMBER_PREVIOUS_VALUE","DISPLAY_SHORT","ALLOW_FEATURE_SELECTION","MATE_CONNECTOR_AXIS_TYPE","PRIMARY_AXIS","SHOW_EXPRESSION","OPPOSITE_DIRECTION_CIRCULAR","SHOW_LABEL","HORIZONTAL_ENUM","UNCONFIGURABLE","MATCH_LAST_ARRAY_ITEM","COLLAPSE_ARRAY_ITEMS","INITIAL_FOCUS_ON_EDIT","INITIAL_FOCUS","DISPLAY_CURRENT_VALUE_ONLY","READ_ONLY","PREVENT_CREATING_NEW_MATE_CONNECTORS","FIRST_IN_ROW","ALLOW_QUERY_ORDER","PREVENT_ARRAY_REORDER","VARIABLE_NAME","FOCUS_INNER_QUERY","SHOW_TOLERANCE","UNKNOWN"]},"GBTUiSelectionType":{"type":"string","enum":["ENTITY","FEATURE","BODY","OCCURRENCE","USERCODE","ROLLBACKBAR","ELEMENT","MATE","MATE_CONNECTOR","EDGE_POINT","MESH_POINT","TABLE_ITEM","SKETCH_GROUP","FOLDER","NON_GEOMETRIC_ITEM","TEMPORARY_GEOMETRY","PROPERTY","SIMULATION_LOAD","PERSISTENT_QUERY_STRING","UNKNOWN"]},"GBTValueUse":{"type":"string","enum":["STRING","INTEGER","UNITS","TYPE","LOCALIZE","UNKNOWN"]},"GBTVariableType":{"type":"string","description":"Variable type name, from FeatureScript 
VariableType","enum":["LENGTH","ANGLE","NUMBER","ANY","UNKNOWN"]},"GlTF":{"type":"object","properties":{"accessors":{"type":"array","items":{"$ref":"#/components/schemas/Accessor"}},"animations":{"type":"array","items":{"$ref":"#/components/schemas/Animation"}},"asset":{"$ref":"#/components/schemas/Asset"},"bufferViews":{"type":"array","items":{"$ref":"#/components/schemas/BufferView"}},"buffers":{"type":"array","items":{"$ref":"#/components/schemas/Buffer"}},"cameras":{"type":"array","items":{"$ref":"#/components/schemas/Camera"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extensionsRequired":{"type":"array","items":{"type":"string"}},"extensionsUsed":{"type":"array","items":{"type":"string"}},"extras":{"type":"object"},"images":{"type":"array","items":{"$ref":"#/components/schemas/Image"}},"materials":{"type":"array","items":{"$ref":"#/components/schemas/Material"}},"meshes":{"type":"array","items":{"$ref":"#/components/schemas/Mesh"}},"nodes":{"type":"array","items":{"$ref":"#/components/schemas/Node"}},"samplers":{"type":"array","items":{"$ref":"#/components/schemas/Sampler"}},"scene":{"type":"integer","format":"int32"},"scenes":{"type":"array","items":{"$ref":"#/components/schemas/Scene"}},"skins":{"type":"array","items":{"$ref":"#/components/schemas/Skin"}},"textures":{"type":"array","items":{"$ref":"#/components/schemas/Texture"}}}},"GlobalPermissionInfo":{"type":"object","properties":{"accessReports":{"type":"boolean"},"adminEnterprise":{"type":"boolean"},"allowAppStoreAccess":{"type":"boolean"},"allowPublicDocumentsAccess":{"type":"boolean"},"approveReleases":{"type":"boolean"},"createChangeOrders":{"type":"boolean"},"createChangeRequests":{"type":"boolean"},"createDocumentsInRoot":{"type":"boolean"},"createProject":{"type":"boolean"},"createReleases":{"type":"boolean"},"createTasks":{"type":"boolean"},"deletePermanently":{"type":"boolean"},"manageGuestUsers":{"type":"boolean"},"manageNonGeometricItems":{"type":"boolean"},"mana
geRbac":{"type":"boolean"},"manageStandardContentMetadata":{"type":"boolean"},"manageUsers":{"type":"boolean"},"manageWorkflows":{"type":"boolean"},"shareForAnonymousAccess":{"type":"boolean"},"transferDocumentsFromEnterprise":{"type":"boolean"},"viewChangeOrders":{"type":"boolean"},"viewChangeRequests":{"type":"boolean"}}},"GltfModel":{"type":"object","properties":{"accessorModels":{"type":"array","items":{"$ref":"#/components/schemas/AccessorModel"}},"animationModels":{"type":"array","items":{"$ref":"#/components/schemas/AnimationModel"}},"bufferModels":{"type":"array","items":{"$ref":"#/components/schemas/BufferModel"}},"bufferViewModels":{"type":"array","items":{"$ref":"#/components/schemas/BufferViewModel"}},"cameraModels":{"type":"array","items":{"$ref":"#/components/schemas/CameraModel"}},"imageModels":{"type":"array","items":{"$ref":"#/components/schemas/ImageModel"}},"materialModels":{"type":"array","items":{"$ref":"#/components/schemas/MaterialModel"}},"nodeModels":{"type":"array","items":{"$ref":"#/components/schemas/NodeModel"}},"sceneModels":{"type":"array","items":{"$ref":"#/components/schemas/SceneModel"}},"textureModels":{"type":"array","items":{"$ref":"#/components/schemas/TextureModel"}}}},"Header":{"type":"object","properties":{"deprecated":{"type":"boolean"},"description":{"type":"string"},"example":{"type":"object"},"examples":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Example"}},"explode":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get$ref":{"type":"string"},"required":{"type":"boolean"},"schema":{"$ref":"#/components/schemas/Schema"},"style":{"$ref":"#/components/schemas/StyleEnum"}}},"HttpMethod":{"type":"string","enum":["GET","HEAD","POST","PUT","PATCH","DELETE","OPTIONS","TRACE"]},"IdType":{"type":"string","enum":["USER","COMPANY"]},"Image":{"type":"object","properties":{"bufferView":{"type":"integer","format":"int32"},"extensions":{"type":"object","additionalPropert
ies":{"type":"object"}},"extras":{"type":"object"},"mimeType":{"type":"string"},"name":{"type":"string"},"uri":{"type":"string"}}},"ImageModel":{"type":"object","properties":{"bufferViewModel":{"$ref":"#/components/schemas/BufferViewModel"},"imageData":{"type":"object","properties":{"short":{"type":"integer","format":"int32"},"char":{"type":"string"},"int":{"type":"integer","format":"int32"},"long":{"type":"integer","format":"int64"},"float":{"type":"number","format":"float"},"double":{"type":"number","format":"double"},"direct":{"type":"boolean"},"readOnly":{"type":"boolean"}}},"mimeType":{"type":"string"},"name":{"type":"string"},"uri":{"type":"string"}}},"ImmutableMapStringString":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"type":"string"}},"In":{"type":"string","enum":["COOKIE","HEADER","QUERY"]},"Info":{"type":"object","properties":{"contact":{"$ref":"#/components/schemas/Contact"},"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"license":{"$ref":"#/components/schemas/License"},"summary":{"type":"string"},"termsOfService":{"type":"string"},"title":{"type":"string"},"version":{"type":"string"}}},"IntegrationsParams":{"type":"object","properties":{"accessLevel":{"type":"integer","format":"int32"},"providerIds":{"type":"array","items":{"type":"string"}},"providersType":{"type":"integer","format":"int32"},"teamIds":{"type":"array","items":{"type":"string"}},"userIds":{"type":"array","items":{"type":"string"}}}},"IntegrationsPolicyInfo":{"type":"object","properties":{"accessLevel":{"type":"integer","format":"int32"},"providerIds":{"type":"array","items":{"type":"string"}},"providersType":{"type":"integer","format":"int32"},"teams":{"type":"array","items":{"$ref":"#/components/schemas/BTTeamSummaryInfo"}},"users":{"type":"array","items":{"$ref":"#/components/schemas/BTUserBasicSummaryInfo"}}}},"Interpolation":{"type":"string","enum":["STEP","LINEAR","CATMULLROMSPLINE","CUB
ICSPLINE"]},"Item":{"required":["jsonType"],"type":"object","properties":{"applicationTarget":{"$ref":"#/components/schemas/BTApplicationTargetInfo"},"dataType":{"type":"string"},"documentId":{"type":"string"},"elementId":{"type":"string"},"elementType":{"$ref":"#/components/schemas/GBTElementType"},"encodedConfiguration":{"type":"string"},"id":{"type":"string"},"jsonType":{"type":"string"},"partId":{"type":"string"},"partName":{"type":"string"},"partNumber":{"type":"string"},"revision":{"type":"string"},"revisionId":{"type":"string"},"state":{"type":"integer","format":"int32"},"versionId":{"type":"string"},"versionName":{"type":"string"}},"discriminator":{"propertyName":"jsonType","mapping":{"publication-blob-item":"#/components/schemas/BlobItem"}}},"JsonNode":{"type":"object"},"LearningCenterActionResponse":{"type":"object","properties":{"error":{"type":"string"},"payload":{"type":"string"}}},"LevelInfo":{"type":"object","properties":{"description":{"type":"string"},"index":{"type":"integer","format":"int32"},"name":{"type":"string"}}},"License":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"identifier":{"type":"string"},"name":{"type":"string"},"url":{"type":"string"}}},"LineItem":{"type":"object","properties":{"amountCents":{"type":"integer","format":"int64"},"description":{"type":"string"}}},"Lines":{"type":"object"},"Link":{"type":"object","properties":{"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get$ref":{"type":"string"},"headers":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Header"}},"operationId":{"type":"string"},"operationRef":{"type":"string"},"parameters":{"type":"object","additionalProperties":{"type":"string"}},"requestBody":{"type":"object"},"server":{"$ref":"#/components/schemas/Server"}}},"MatchMode":{"type":"string","enum":["EXACT","PREFIX"]},"Material":{"type":"object","properties":{"alphaCutoff":{"type":
"number","format":"float"},"alphaMode":{"type":"string"},"doubleSided":{"type":"boolean"},"emissiveFactor":{"type":"array","items":{"type":"number","format":"float"}},"emissiveTexture":{"$ref":"#/components/schemas/TextureInfo"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"normalTexture":{"$ref":"#/components/schemas/MaterialNormalTextureInfo"},"occlusionTexture":{"$ref":"#/components/schemas/MaterialOcclusionTextureInfo"},"pbrMetallicRoughness":{"$ref":"#/components/schemas/MaterialPbrMetallicRoughness"}}},"MaterialModel":{"type":"object","properties":{"name":{"type":"string"},"techniqueModel":{"$ref":"#/components/schemas/TechniqueModel"},"values":{"type":"object","additionalProperties":{"type":"object"}}}},"MaterialNormalTextureInfo":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"index":{"type":"integer","format":"int32"},"scale":{"type":"number","format":"float"},"texCoord":{"type":"integer","format":"int32"}}},"MaterialOcclusionTextureInfo":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"index":{"type":"integer","format":"int32"},"strength":{"type":"number","format":"float"},"texCoord":{"type":"integer","format":"int32"}}},"MaterialPbrMetallicRoughness":{"type":"object","properties":{"baseColorFactor":{"type":"array","items":{"type":"number","format":"float"}},"baseColorTexture":{"$ref":"#/components/schemas/TextureInfo"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"metallicFactor":{"type":"number","format":"float"},"metallicRoughnessTexture":{"$ref":"#/components/schemas/TextureInfo"},"roughnessFactor":{"type":"number","format":"float"}}},"MediaType":{"type":"object","properties":{"encoding":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Enc
oding"}},"example":{"type":"object"},"exampleSetFlag":{"type":"boolean"},"examples":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Example"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"schema":{"$ref":"#/components/schemas/Schema"}}},"Mesh":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"primitives":{"type":"array","items":{"$ref":"#/components/schemas/MeshPrimitive"}},"weights":{"type":"array","items":{"type":"number","format":"float"}}}},"MeshModel":{"type":"object","properties":{"meshPrimitiveModels":{"type":"array","items":{"$ref":"#/components/schemas/MeshPrimitiveModel"}},"name":{"type":"string"},"weights":{"type":"array","items":{"type":"number","format":"float"}}}},"MeshPrimitive":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"indices":{"type":"integer","format":"int32"},"material":{"type":"integer","format":"int32"},"mode":{"type":"integer","format":"int32"},"targets":{"type":"array","items":{"type":"object","additionalProperties":{"type":"integer","format":"int32"}}}}},"MeshPrimitiveModel":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/AccessorModel"}},"indices":{"$ref":"#/components/schemas/AccessorModel"},"materialModel":{"$ref":"#/components/schemas/MaterialModel"},"mode":{"type":"integer","format":"int32"},"targets":{"type":"array","items":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/AccessorModel"}}}}},"Message":{"type":"object","properties":{"defaultTemplate":{"type":"string"},"defaultTitle":{"type":"string"},"id":{"type":"string"},"messageLevel":{"$ref":"#/components/schemas/BTNotificationLevel"}}},"MetadataFilter":{"type":"object
","properties":{"id":{"type":"string"},"values":{"type":"array","items":{"type":"string"}}}},"NextCharge":{"type":"object","properties":{"amount":{"type":"integer","format":"int64"},"currentPeriodEnd":{"type":"string","format":"date-time"},"interval":{"type":"string"},"total":{"type":"integer","format":"int64"}}},"NextRecurringCharge":{"type":"object","properties":{"amount":{"type":"integer","format":"int64"},"date":{"type":"string"}}},"Node":{"type":"object","properties":{"camera":{"type":"integer","format":"int32"},"children":{"type":"array","items":{"type":"integer","format":"int32"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"matrix":{"type":"array","items":{"type":"number","format":"float"}},"mesh":{"type":"integer","format":"int32"},"name":{"type":"string"},"rotation":{"type":"array","items":{"type":"number","format":"float"}},"scale":{"type":"array","items":{"type":"number","format":"float"}},"skin":{"type":"integer","format":"int32"},"translation":{"type":"array","items":{"type":"number","format":"float"}},"weights":{"type":"array","items":{"type":"number","format":"float"}}}},"NodeModel":{"type":"object","properties":{"children":{"type":"array","items":{"$ref":"#/components/schemas/NodeModel"}},"matrix":{"type":"array","items":{"type":"number","format":"float"}},"meshModels":{"type":"array","items":{"$ref":"#/components/schemas/MeshModel"}},"name":{"type":"string"},"parent":{"$ref":"#/components/schemas/NodeModel"},"rotation":{"type":"array","items":{"type":"number","format":"float"}},"scale":{"type":"array","items":{"type":"number","format":"float"}},"skinModel":{"$ref":"#/components/schemas/SkinModel"},"translation":{"type":"array","items":{"type":"number","format":"float"}},"weights":{"type":"array","items":{"type":"number","format":"float"}}}},"OAuthFlow":{"type":"object","properties":{"authorizationUrl":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"ref
reshUrl":{"type":"string"},"scopes":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"empty":{"type":"boolean"}},"additionalProperties":{"type":"string"}},"tokenUrl":{"type":"string"}}},"OAuthFlows":{"type":"object","properties":{"authorizationCode":{"$ref":"#/components/schemas/OAuthFlow"},"clientCredentials":{"$ref":"#/components/schemas/OAuthFlow"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"implicit":{"$ref":"#/components/schemas/OAuthFlow"},"password":{"$ref":"#/components/schemas/OAuthFlow"}}},"ObjectId":{"type":"object","properties":{"date":{"type":"string","format":"date-time"},"timestamp":{"type":"integer","format":"int32"}}},"OpenAPI":{"type":"object","properties":{"components":{"$ref":"#/components/schemas/Components"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"externalDocs":{"$ref":"#/components/schemas/ExternalDocumentation"},"info":{"$ref":"#/components/schemas/Info"},"jsonSchemaDialect":{"type":"string"},"openapi":{"type":"string"},"paths":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/PathItem"}},"security":{"type":"array","items":{"$ref":"#/components/schemas/SecurityRequirement"}},"servers":{"type":"array","items":{"$ref":"#/components/schemas/Server"}},"tags":{"type":"array","items":{"$ref":"#/components/schemas/Tag"}},"webhooks":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/PathItem"}}}},"Operation":{"type":"object","properties":{"callbacks":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Callback"}},"deprecated":{"type":"boolean"},"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"externalDocs":{"$ref":"#/components/schemas/ExternalDocumentation"},"operationId":{"type":"string"},"parameters":{"type":"a
rray","items":{"$ref":"#/components/schemas/Parameter"}},"requestBody":{"$ref":"#/components/schemas/RequestBody"},"responses":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"default":{"$ref":"#/components/schemas/ApiResponse"},"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/ApiResponse"}},"security":{"type":"array","items":{"$ref":"#/components/schemas/SecurityRequirement"}},"servers":{"type":"array","items":{"$ref":"#/components/schemas/Server"}},"summary":{"type":"string"},"tags":{"type":"array","items":{"type":"string"}}}},"Parameter":{"type":"object","properties":{"allowEmptyValue":{"type":"boolean"},"allowReserved":{"type":"boolean"},"content":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"deprecated":{"type":"boolean"},"description":{"type":"string"},"example":{"type":"object"},"examples":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Example"}},"explode":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get$ref":{"type":"string"},"in":{"type":"string"},"name":{"type":"string"},"required":{"type":"boolean"},"schema":{"$ref":"#/components/schemas/Schema"},"style":{"$ref":"#/components/schemas/StyleEnum"}}},"PartNumberPropagation":{"type":"string","enum":["NEVER","ONE_WORKSPACE","ALL_WORKSPACES"]},"Path":{"type":"object","properties":{"method":{"$ref":"#/components/schemas/HttpMethod"},"path":{"type":"string"}}},"PathItem":{"type":"object","properties":{"delete":{"$ref":"#/components/schemas/Operation"},"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get":{"$ref":"#/components/schemas/Operation"},"get$ref":{"type":"string"},"head":{"$ref":"#/components/schemas/Operation"},"options":{"$ref":"#/components/schemas/Operation"},"parameters":{"type":"array","items":{"$ref":"#/compon
ents/schemas/Parameter"}},"patch":{"$ref":"#/components/schemas/Operation"},"post":{"$ref":"#/components/schemas/Operation"},"put":{"$ref":"#/components/schemas/Operation"},"servers":{"type":"array","items":{"$ref":"#/components/schemas/Server"}},"summary":{"type":"string"},"trace":{"$ref":"#/components/schemas/Operation"}}},"PathSegment":{"type":"object","properties":{"id":{"type":"string"},"isEnterpriseEdu":{"type":"boolean"},"isEnterpriseOwned":{"type":"boolean"},"name":{"type":"string"},"resourceType":{"type":"string"},"subType":{"type":"integer","format":"int32"},"treeHref":{"type":"string"}}},"Paths":{"type":"object","properties":{"empty":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}}},"additionalProperties":{"$ref":"#/components/schemas/PathItem"}},"Plan":{"type":"object","properties":{"amount":{"type":"integer","format":"int64"},"created":{"type":"integer","format":"int64"},"currency":{"type":"string"},"id":{"type":"string"},"interval":{"type":"string"},"intervalCount":{"type":"integer","format":"int32"},"livemode":{"type":"boolean"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"object":{"type":"string"},"statementDescription":{"type":"string"},"statementDescriptor":{"type":"string"},"trialPeriodDays":{"type":"integer","format":"int32"}}},"PlanParams":{"type":"object","properties":{"lightSeatsQuantity":{"type":"integer","format":"int64"},"planId":{"type":"string"},"seatsQuantity":{"type":"integer","format":"int64"}}},"ProgramModel":{"type":"object","properties":{"fragmentShaderModel":{"$ref":"#/components/schemas/ShaderModel"},"name":{"type":"string"},"vertexShaderModel":{"$ref":"#/components/schemas/ShaderModel"}}},"Property":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"sortable":{"type":"boolean"},"type":{"type":"string"},"value":{"type":"string"}}},"PropertyDescriptorInfo":{"type":"object","properties":{"propertyId":{"type":"str
ing"},"propertySafeName":{"type":"string"},"propertyValueType":{"type":"integer","format":"int32"}}},"ProratedCharges":{"type":"object","properties":{"amount":{"type":"integer","format":"int64"},"date":{"type":"string","format":"date-time"},"description":{"type":"string"}}},"Query":{"type":"object","properties":{"empty":{"type":"boolean"},"field":{"type":"string"},"querySupplier":{"$ref":"#/components/schemas/Query"}}},"RecursiveExternalReferenceInfo":{"type":"object","properties":{"documentIdToDocumentInfo":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTDocumentSummaryInfo"}},"documentIdToPublishedVersionId":{"type":"object","additionalProperties":{"type":"string"}},"documentIdsWithLinkPermission":{"type":"array","items":{"type":"string"}},"documentIdsWithWritePermission":{"type":"array","items":{"type":"string"}},"elementIdToChildElementIds":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"elementIdToChildrenFullRevisionIdLockedOnly":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"boolean"}}},"elementIdToChildrenVersionIdAndElementIdLockedOnly":{"type":"object","additionalProperties":{"type":"object","additionalProperties":{"type":"boolean"}}},"elementIdToStatus":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTElementOutOfDateStatus"}},"fullRevisionIdToRevisionInfo":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/BTRevisionInfoWithStatus"}},"parentDocumentIdsWithChildrenOufOfDate":{"type":"array","items":{"type":"string"}},"versionIdAndElementIdToVersionInfo":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/ElementVersionInfoWithStatus"}}}},"Relation":{"type":"string","enum":["EQUAL_TO","GREATER_THAN_OR_EQUAL_TO"]},"RequestBody":{"type":"object","properties":{"content":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/MediaType"}},"descr
iption":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"get$ref":{"type":"string"},"required":{"type":"boolean"}}},"RequestOptions":{"type":"object","properties":{"apiKey":{"type":"string"},"connectTimeout":{"type":"integer","format":"int32"},"idempotencyKey":{"type":"string"},"readTimeout":{"type":"integer","format":"int32"},"stripeAccount":{"type":"string"},"stripeVersion":{"type":"string"}}},"Restrictions":{"type":"object","properties":{"from":{"type":"array","items":{"$ref":"#/components/schemas/VersionType"}},"winnowTo":{"$ref":"#/components/schemas/WinnowType"}}},"RoleMapEntry":{"type":"object","properties":{"identities":{"type":"array","items":{"$ref":"#/components/schemas/BTIdentityInfo"}},"role":{"$ref":"#/components/schemas/BTRbacRoleInfo"}}},"Sampler":{"type":"object","properties":{"input":{"$ref":"#/components/schemas/AccessorModel"},"interpolation":{"$ref":"#/components/schemas/Interpolation"},"output":{"$ref":"#/components/schemas/AccessorModel"}}},"Scene":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"nodes":{"type":"array","items":{"type":"integer","format":"int32"}}}},"SceneModel":{"type":"object","properties":{"name":{"type":"string"},"nodeModels":{"type":"array","items":{"$ref":"#/components/schemas/NodeModel"}}}},"Schema":{"type":"object","properties":{"additionalItems":{"$ref":"#/components/schemas/Schema"},"additionalProperties":{"type":"object"},"allOf":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"anyOf":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"booleanSchemaValue":{"type":"boolean"},"const":{"type":"object"},"contains":{"$ref":"#/components/schemas/Schema"},"contentEncoding":{"type":"string"},"contentMediaType":{"type":"string"},"contentSchema":{"$ref":"#/components/schemas/Schema"},"default":{"type":"object"},"dependentRequired":{"type":"object","add
itionalProperties":{"type":"array","items":{"type":"string"}}},"dependentSchemas":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"deprecated":{"type":"boolean"},"description":{"type":"string"},"discriminator":{"$ref":"#/components/schemas/Discriminator"},"else":{"$ref":"#/components/schemas/Schema"},"enum":{"type":"array","items":{"type":"object"}},"example":{"type":"object"},"exampleSetFlag":{"type":"boolean"},"examples":{"type":"array","items":{"type":"object"}},"exclusiveMaximum":{"type":"boolean"},"exclusiveMaximumValue":{"type":"number"},"exclusiveMinimum":{"type":"boolean"},"exclusiveMinimumValue":{"type":"number"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"externalDocs":{"$ref":"#/components/schemas/ExternalDocumentation"},"format":{"type":"string"},"get$anchor":{"type":"string"},"get$comment":{"type":"string"},"get$id":{"type":"string"},"get$ref":{"type":"string"},"get$schema":{"type":"string"},"if":{"$ref":"#/components/schemas/Schema"},"items":{"$ref":"#/components/schemas/SchemaObject"},"jsonSchema":{"type":"object","additionalProperties":{"type":"object"}},"jsonSchemaImpl":{"type":"object"},"maxContains":{"type":"integer","format":"int32"},"maxItems":{"type":"integer","format":"int32"},"maxLength":{"type":"integer","format":"int32"},"maxProperties":{"type":"integer","format":"int32"},"maximum":{"type":"number"},"minContains":{"type":"integer","format":"int32"},"minItems":{"type":"integer","format":"int32"},"minLength":{"type":"integer","format":"int32"},"minProperties":{"type":"integer","format":"int32"},"minimum":{"type":"number"},"multipleOf":{"type":"number"},"not":{"$ref":"#/components/schemas/Schema"},"nullable":{"type":"boolean"},"oneOf":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"pattern":{"type":"string"},"patternProperties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"prefixItems":{"type":"array","items":{"$ref":"#/components/s
chemas/Schema"}},"properties":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/Schema"}},"propertyNames":{"$ref":"#/components/schemas/Schema"},"readOnly":{"type":"boolean"},"required":{"type":"array","items":{"type":"string"}},"then":{"$ref":"#/components/schemas/Schema"},"title":{"type":"string"},"type":{"type":"string"},"types":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"unevaluatedItems":{"$ref":"#/components/schemas/Schema"},"unevaluatedProperties":{"$ref":"#/components/schemas/Schema"},"uniqueItems":{"type":"boolean"},"writeOnly":{"type":"boolean"},"xml":{"$ref":"#/components/schemas/XML"}}},"SchemaObject":{"type":"object","properties":{"additionalItems":{"$ref":"#/components/schemas/Schema"},"additionalProperties":{"type":"object"},"allOf":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"anyOf":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"booleanSchemaValue":{"type":"boolean"},"const":{"type":"object"},"contains":{"$ref":"#/components/schemas/Schema"},"contentEncoding":{"type":"string"},"contentMediaType":{"type":"string"},"contentSchema":{"$ref":"#/components/schemas/Schema"},"default":{"type":"object"},"dependentRequired":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"deprecated":{"type":"boolean"},"description":{"type":"string"},"discriminator":{"$ref":"#/components/schemas/Discriminator"},"else":{"$ref":"#/components/schemas/Schema"},"enum":{"type":"array","items":{"type":"object"}},"example":{"type":"object"},"exampleSetFlag":{"type":"boolean"},"examples":{"type":"array","items":{"type":"object"}},"exclusiveMaximum":{"type":"boolean"},"exclusiveMaximumValue":{"type":"number"},"exclusiveMinimum":{"type":"boolean"},"exclusiveMinimumValue":{"type":"number"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"externalDocs":{"$ref":"#/components/schemas/ExternalDocumentation"},"format":{"type":"string"},"get$anchor":{"type":"s
tring"},"get$comment":{"type":"string"},"get$id":{"type":"string"},"get$ref":{"type":"string"},"get$schema":{"type":"string"},"if":{"$ref":"#/components/schemas/Schema"},"items":{"$ref":"#/components/schemas/SchemaObject"},"jsonSchema":{"type":"object","additionalProperties":{"type":"object"}},"jsonSchemaImpl":{"type":"object"},"maxContains":{"type":"integer","format":"int32"},"maxItems":{"type":"integer","format":"int32"},"maxLength":{"type":"integer","format":"int32"},"maxProperties":{"type":"integer","format":"int32"},"maximum":{"type":"number"},"minContains":{"type":"integer","format":"int32"},"minItems":{"type":"integer","format":"int32"},"minLength":{"type":"integer","format":"int32"},"minProperties":{"type":"integer","format":"int32"},"minimum":{"type":"number"},"multipleOf":{"type":"number"},"not":{"$ref":"#/components/schemas/Schema"},"nullable":{"type":"boolean"},"oneOf":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"pattern":{"type":"string"},"prefixItems":{"type":"array","items":{"$ref":"#/components/schemas/Schema"}},"propertyNames":{"$ref":"#/components/schemas/Schema"},"readOnly":{"type":"boolean"},"required":{"type":"array","items":{"type":"string"}},"then":{"$ref":"#/components/schemas/Schema"},"title":{"type":"string"},"type":{"type":"string"},"types":{"uniqueItems":true,"type":"array","items":{"type":"string"}},"unevaluatedItems":{"$ref":"#/components/schemas/Schema"},"unevaluatedProperties":{"$ref":"#/components/schemas/Schema"},"uniqueItems":{"type":"boolean"},"writeOnly":{"type":"boolean"},"xml":{"$ref":"#/components/schemas/XML"}}},"Scopes":{"type":"object","properties":{"empty":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}}},"additionalProperties":{"type":"string"}},"SecurityRequirement":{"type":"object","properties":{"empty":{"type":"boolean"}},"additionalProperties":{"type":"array","items":{"type":"string"}}},"SecurityScheme":{"type":"object","properties":{"bearerFormat":{"type":
"string"},"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"flows":{"$ref":"#/components/schemas/OAuthFlows"},"get$ref":{"type":"string"},"in":{"$ref":"#/components/schemas/In"},"name":{"type":"string"},"openIdConnectUrl":{"type":"string"},"scheme":{"type":"string"},"type":{"$ref":"#/components/schemas/Type"}}},"Server":{"type":"object","properties":{"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"url":{"type":"string"},"variables":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"empty":{"type":"boolean"}},"additionalProperties":{"$ref":"#/components/schemas/ServerVariable"}}}},"ServerVariable":{"type":"object","properties":{"default":{"type":"string"},"description":{"type":"string"},"enum":{"type":"array","items":{"type":"string"}},"extensions":{"type":"object","additionalProperties":{"type":"object"}}}},"ServerVariables":{"type":"object","properties":{"empty":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}}},"additionalProperties":{"$ref":"#/components/schemas/ServerVariable"}},"ShaderModel":{"type":"object","properties":{"name":{"type":"string"},"shaderData":{"type":"object","properties":{"short":{"type":"integer","format":"int32"},"char":{"type":"string"},"int":{"type":"integer","format":"int32"},"long":{"type":"integer","format":"int64"},"float":{"type":"number","format":"float"},"double":{"type":"number","format":"double"},"direct":{"type":"boolean"},"readOnly":{"type":"boolean"}}},"shaderSource":{"type":"string"},"shaderType":{"$ref":"#/components/schemas/ShaderType"},"uri":{"type":"string"}}},"ShaderType":{"type":"string","enum":["VERTEX_SHADER","FRAGMENT_SHADER"]},"ShareFilter":{"type":"object","properties":{"company":{"type":"boolean"},"direct":{"type":"boolean"},"id":{"type":"string"},"team":{"type":"boolean"},"via":{"$ref":"#/components/schemas/Acce
ssGrantedVia"}}},"ShippingDetails":{"type":"object","properties":{"address":{"$ref":"#/components/schemas/Address"},"name":{"type":"string"},"phone":{"type":"string"}}},"Skin":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"inverseBindMatrices":{"type":"integer","format":"int32"},"joints":{"type":"array","items":{"type":"integer","format":"int32"}},"name":{"type":"string"},"skeleton":{"type":"integer","format":"int32"}}},"SkinModel":{"type":"object","properties":{"inverseBindMatrices":{"$ref":"#/components/schemas/AccessorModel"},"name":{"type":"string"},"skeleton":{"$ref":"#/components/schemas/NodeModel"}}},"Sort":{"type":"object","properties":{"field":{"type":"string"},"order":{"$ref":"#/components/schemas/SortOrder"}}},"SortOrder":{"type":"string","enum":["ASC","DESC"]},"Source":{"type":"string","enum":["STANDARD","METADATA"]},"StateCount":{"type":"object","properties":{"count":{"type":"integer","format":"int64"},"state":{"type":"integer","format":"int64"}}},"StateRegionCounts":{"type":"object","properties":{"regionCounts":{"type":"array","items":{"type":"integer","format":"int32"}},"state":{"type":"integer","format":"int32"}}},"Status":{"type":"string","enum":["DEVELOPMENT","PRODUCTION","STAGING","EVP","UNSET","INTERNAL"]},"StyleEnum":{"type":"string","enum":["FORM","SPACE_DELIMITED","PIPE_DELIMITED","DEEP_OBJECT"]},"Subscription":{"type":"object","properties":{"applicationFeePercent":{"type":"number","format":"double"},"billing":{"type":"string"},"cancelAtPeriodEnd":{"type":"boolean"},"canceledAt":{"type":"integer","format":"int64"},"created":{"type":"integer","format":"int64"},"currentPeriodEnd":{"type":"integer","format":"int64"},"currentPeriodStart":{"type":"integer","format":"int64"},"customer":{"type":"string"},"customerObject":{"$ref":"#/components/schemas/Customer"},"daysUntilDue":{"type":"integer","format":"int32"},"discount":{"$ref":"#/components/schemas/Discount"},"ende
dAt":{"type":"integer","format":"int64"},"id":{"type":"string"},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"object":{"type":"string"},"plan":{"$ref":"#/components/schemas/Plan"},"quantity":{"type":"integer","format":"int32"},"start":{"type":"integer","format":"int64"},"status":{"type":"string"},"subscriptionItems":{"$ref":"#/components/schemas/SubscriptionItemCollection"},"taxPercent":{"type":"number","format":"double"},"trialEnd":{"type":"integer","format":"int64"},"trialStart":{"type":"integer","format":"int64"}}},"SubscriptionItem":{"type":"object","properties":{"created":{"type":"integer","format":"int64"},"id":{"type":"string"},"object":{"type":"string"},"plan":{"$ref":"#/components/schemas/Plan"},"quantity":{"type":"integer","format":"int32"}}},"SubscriptionItemCollection":{"type":"object","properties":{"count":{"type":"integer","format":"int32"},"data":{"type":"array","items":{"$ref":"#/components/schemas/SubscriptionItem"}},"hasMore":{"type":"boolean"},"requestOptions":{"$ref":"#/components/schemas/RequestOptions"},"requestParams":{"type":"object","additionalProperties":{"type":"object"}},"totalCount":{"type":"integer","format":"int32"},"url":{"type":"string"}}},"Tag":{"type":"object","properties":{"description":{"type":"string"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"externalDocs":{"$ref":"#/components/schemas/ExternalDocumentation"},"name":{"type":"string"}}},"TechniqueModel":{"type":"object","properties":{"attributes":{"type":"object","additionalProperties":{"type":"string"}},"name":{"type":"string"},"parameters":{"type":"object","additionalProperties":{"$ref":"#/components/schemas/TechniqueParametersModel"}},"programModel":{"$ref":"#/components/schemas/ProgramModel"},"techniqueStatesModel":{"$ref":"#/components/schemas/TechniqueStatesModel"},"uniforms":{"type":"object","additionalProperties":{"type":"string"}}}},"TechniqueParametersModel":{"type":"object","properties":{"count":{"type":"integer"
,"format":"int32"},"nodeModel":{"$ref":"#/components/schemas/NodeModel"},"semantic":{"type":"string"},"type":{"type":"integer","format":"int32"},"value":{"type":"object"}}},"TechniqueStatesFunctionsModel":{"type":"object","properties":{"blendColor":{"type":"array","items":{"type":"number","format":"float"}},"blendEquationSeparate":{"type":"array","items":{"type":"integer","format":"int32"}},"blendFuncSeparate":{"type":"array","items":{"type":"integer","format":"int32"}},"colorMask":{"type":"array","items":{"type":"boolean"}},"cullFace":{"type":"array","items":{"type":"integer","format":"int32"}},"depthFunc":{"type":"array","items":{"type":"integer","format":"int32"}},"depthMask":{"type":"array","items":{"type":"boolean"}},"depthRange":{"type":"array","items":{"type":"number","format":"float"}},"frontFace":{"type":"array","items":{"type":"integer","format":"int32"}},"lineWidth":{"type":"array","items":{"type":"number","format":"float"}},"polygonOffset":{"type":"array","items":{"type":"number","format":"float"}}}},"TechniqueStatesModel":{"type":"object","properties":{"enable":{"type":"array","items":{"type":"integer","format":"int32"}},"techniqueStatesFunctionsModel":{"$ref":"#/components/schemas/TechniqueStatesFunctionsModel"}}},"Texture":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"name":{"type":"string"},"sampler":{"type":"integer","format":"int32"},"source":{"type":"integer","format":"int32"}}},"TextureInfo":{"type":"object","properties":{"extensions":{"type":"object","additionalProperties":{"type":"object"}},"extras":{"type":"object"},"index":{"type":"integer","format":"int32"},"texCoord":{"type":"integer","format":"int32"}}},"TextureModel":{"type":"object","properties":{"imageModel":{"$ref":"#/components/schemas/ImageModel"},"magFilter":{"type":"integer","format":"int32"},"minFilter":{"type":"integer","format":"int32"},"name":{"type":"string"},"wrapS":{"type":"integer","format"
:"int32"},"wrapT":{"type":"integer","format":"int32"}}},"ThreeDSecure":{"type":"object","properties":{"amount":{"type":"integer","format":"int64"},"authenticated":{"type":"boolean"},"card":{"$ref":"#/components/schemas/Card"},"created":{"type":"integer","format":"int64"},"currency":{"type":"string"},"id":{"type":"string"},"livemode":{"type":"boolean"},"object":{"type":"string"},"redirectURL":{"type":"string"},"status":{"type":"string"}}},"TotalHits":{"type":"object","properties":{"relation":{"$ref":"#/components/schemas/Relation"},"value":{"type":"integer","format":"int64"}}},"TransformGroup":{"type":"object","properties":{"instances":{"type":"array","items":{"$ref":"#/components/schemas/BTAssemblyInstanceDefinitionParams"}},"transform":{"type":"array","items":{"type":"number","format":"double"}}}},"Type":{"type":"string","enum":["APIKEY","HTTP","OAUTH2","OPENIDCONNECT","MUTUALTLS"]},"UpdateParams":{"type":"object","properties":{"fromReference":{"$ref":"#/components/schemas/BTUniqueDocumentItemParams"},"idsToUpdate":{"type":"array","items":{"type":"string"}},"ignoreChildren":{"type":"boolean"},"toReference":{"$ref":"#/components/schemas/BTUniqueDocumentItemParams"}}},"VersionAlias":{"type":"string","enum":["LAST_MINOR","LAST_BUILD"]},"VersionSpecs":{"type":"object","properties":{"versionId":{"type":"string"},"versionName":{"type":"string"}}},"VersionType":{"type":"string","enum":["any","workspace","version","revision"]},"Versions":{"type":"object","properties":{"availableVersions":{"type":"array","items":{"$ref":"#/components/schemas/BTApiVersion"}},"specifiedVersion":{"$ref":"#/components/schemas/BTApiVersion"}}},"WinnowType":{"type":"string","enum":["none","latest"]},"XML":{"type":"object","properties":{"attribute":{"type":"boolean"},"extensions":{"type":"object","additionalProperties":{"type":"object"}},"name":{"type":"string"},"namespace":{"type":"string"},"prefix":{"type":"string"},"wrapped":{"type":"boolean"}}}},"securitySchemes":{"OAuth2":{"type":"oauth2","de
scription":"Use OAuth 2.0 to authenticate requests.","flows":{"authorizationCode":{"authorizationUrl":"/oauth/authorize","tokenUrl":"/oauth/token","refreshUrl":"/oauth/token","scopes":{"OAuth2Internal":"Application is Onshape Internal","OAuth2ReadPII":"Application can read your profile information","OAuth2Read":"Application can read your documents","OAuth2Write":"Application can write to your documents","OAuth2Delete":"Application can delete your documents and workspaces","OAuth2Purchase":"Application can request purchases on your behalf","OAuth2Share":"Application can share and unshare documents on your behalf","document.create":"Atlas Application can create a document","document.edit":"Atlas Application can edit a document","document.delete":"Atlas Application can delete a document","document.read":"Atlas Application can read a document","enterprise.create":"Atlas Application can create an enterprise","enterprise.read":"Atlas Application can read from an enterprise","enterprise.edit":"Atlas Application can edit an enterprise","enterprise.delete":"Atlas Application can delete an enterprise","enterprise.member.create":"Atlas Application can create an enterprise member","enterprise.member.read":"Atlas Application can read the details of an enterprise member","enterprise.member.edit":"Atlas Application can edit the details of an enterprise member","enterprise.member.delete":"Atlas Application can delete a member from an enterprise","webhook.create":"Atlas Application can create a webhook on behalf of the logged-in user","webhook.edit":"Atlas Application can edit a webhook on behalf of the logged-in user","webhook.read":"Atlas Application can read a webhook on behalf of the logged-in user","webhook.delete":"Atlas Application can delete a webhook on behalf of the logged-in user","PLMIntegration":"PLM automation can invoke limited operations"}}}},"BasicAuth":{"type":"http","description":"Use Basic Authentication with API Keys (key as username and secret as password) to 
authenticate requests.","scheme":"basic"}}}} \ No newline at end of file From 56d8abaa1d9a249e0d7205685649b1c43a37ab5b Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 16 Jan 2024 10:13:01 +0000 Subject: [PATCH 368/379] update logic --- pkg/minified/minified.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/minified/minified.go b/pkg/minified/minified.go index 3f0d96a2ba5..a20e9e2497f 100644 --- a/pkg/minified/minified.go +++ b/pkg/minified/minified.go @@ -27,7 +27,9 @@ func isMinifiedJSON(content string) bool { return float64(nonWhitespaceCount)/float64(len(content)) > minifiedThreshold } +// minification is not a standard practice in yaml +// heuristic, check for newline followed by whitespace func isMinifiedYAML(content string) bool { // Check for lack of indentation - return strings.Contains(content, "\n") && !strings.Contains(content, "\n ") + return !strings.Contains(content, "\n ") } From 2f87df5343965848947d53bd4e9c1eac4851c256 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 16 Jan 2024 12:08:50 +0000 Subject: [PATCH 369/379] improve logs --- pkg/engine/inspector.go | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index ee48460107c..3be3c66057f 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go @@ -241,6 +241,7 @@ func (c *Inspector) Inspect( vuls, err := c.doRun(queryContext) if err != nil { + fmt.Println() sentryReport.ReportSentry(&sentryReport.Report{ Message: fmt.Sprintf("Inspector. query executed with error, query=%s", query.Metadata.Query), Err: err, 
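Review bot: After dropping the `strings.Contains(content, "\n")` conjunct, `isMinifiedYAML` returns true for an empty string, a whitespace-only file, and any flat document whose keys all sit at column 0 (e.g. `key: value` on a few lines), because none of those contain `"\n "`; the previous condition at least rejected single-line input. I cannot see what the caller does with the result, but if "minified" changes how a file is parsed or reported, ordinary small YAML files would be affected. A cheap guard in front of the heuristic is `if strings.TrimSpace(content) == "" { return false }`, and the added comment should say what the code actually tests, e.g. `// heuristic: treat content with no indented line ("\n ") as minified`, since "check for newline followed by whitespace" describes the negation of the return expression.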
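Review bot: The added `fmt.Println()` writes a bare newline straight to stdout from inside the engine package, bypassing the logger that emits the message right after it; if stdout carries the scan's own output in some modes (not visible here), a stray empty line can break consumers that parse it. The same call is added inside the new `if timeOut` block of the `@@ -425,6 +424,14 @@` hunk in the following patch. If the goal is visual separation on the console, prefer the logger's own formatting or `fmt.Fprintln(os.Stderr)`; removing the `fmt.Println()` line leaves the Sentry report unchanged. The enclosing `Inspect` method starts and ends outside this hunk.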
@@ -371,13 +372,11 @@ func (c *Inspector) DecodeQueryResults( vulnerabilities := make([]model.Vulnerability, 0, len(queryResultItems)) failedDetectLine := false + timeOut := false for _, queryResultItem := range queryResultItems { select { case <-ctxTimeout.Done(): - log.Err(ctxTimeout.Err()).Msgf( - "Timeout processing the results of the query: %s %s", - ctx.Query.Metadata.Platform, - ctx.Query.Metadata.Query) + timeOut = true break default: vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) @@ -425,6 +424,14 @@ func (c *Inspector) DecodeQueryResults( } } + if timeOut { + fmt.Println() + log.Err(ctxTimeout.Err()).Msgf( + "Timeout processing the results of the query: %s %s", + ctx.Query.Metadata.Platform, + ctx.Query.Metadata.Query) + } + if failedDetectLine { c.tracker.FailedDetectLine() } From 72c9a01d25187a58ed99f6e990535a3a6012550b Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 16 Jan 2024 12:36:00 +0000 Subject: [PATCH 370/379] Fix adding new line on the note in the CycloneDX documentation --- docs/results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/results.md b/docs/results.md index e8f88bfcb57..67c4de83c58 100644 --- a/docs/results.md +++ b/docs/results.md 
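Review bot: Setting `timeOut = true` does not stop the loop: the `break` below it exits only the `select`, so once the deadline has passed the `for` still visits every remaining item and takes the `<-ctxTimeout.Done()` branch each time (the `default` branch is no longer reachable when the context is done). The flag removes the repeated log line but not the wasted iterations, and a reader may assume the `break` ends processing. A labeled loop makes the early exit explicit: `items: for _, queryResultItem := range queryResultItems {` … `timeOut = true` / `break items`. `DecodeQueryResults` begins before this hunk and continues past it.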
@@ -620,7 +620,7 @@ PDF reports are sorted by severity (from high to info), the results will have qu ## CycloneDX -Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd). +Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd). **Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5. From 62f9d03161b1960f1cda41a7539378c314b59424 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 16 Jan 2024 13:58:02 +0000 Subject: [PATCH 371/379] reduce cyclomatic --- pkg/engine/inspector.go | 90 +++++++++++++++++++++++------------------ 1 file changed, 50 insertions(+), 40 deletions(-) diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index 3be3c66057f..2954f9a7c5d 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go 
@@ -379,48 +379,13 @@ func (c *Inspector) DecodeQueryResults( timeOut = true break default: - vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) - if err != nil && err.Error() == ErrNoResult.Error() { - // Ignoring bad results - continue + vulnerability, aux := getVulnerabilitiesFromQuery(ctx, c, queryResultItem) + if aux { + failedDetectLine = aux } - if err != nil { - sentryReport.ReportSentry(&sentryReport.Report{ - Message: fmt.Sprintf("Inspector can't save vulnerability, query=%s", ctx.Query.Metadata.Query), - Err: err, - Location: "func decodeQueryResults()", - Platform: ctx.Query.Metadata.Platform, - Metadata: ctx.Query.Metadata.Metadata, - Query: ctx.Query.Metadata.Query, - }, true) - - if _, ok := c.failedQueries[ctx.Query.Metadata.Query]; !ok { - c.failedQueries[ctx.Query.Metadata.Query] = err - } - - continue + if vulnerability != nil && aux == false { + vulnerabilities = append(vulnerabilities, *vulnerability) } - file := ctx.Files[vulnerability.FileID] - if ShouldSkipVulnerability(file.Commands, vulnerability.QueryID) { - log.Debug().Msgf("Skipping vulnerability in file %s for query '%s':%s", file.FilePath, vulnerability.QueryName, vulnerability.QueryID) - continue - } - - if vulnerability.Line == UndetectedVulnerabilityLine { - failedDetectLine = true - } - - if _, ok := c.excludeResults[vulnerability.SimilarityID]; ok { - log.Debug(). - Msgf("Excluding result SimilarityID: %s", vulnerability.SimilarityID) - continue - } else if checkComment(vulnerability.Line, file.LinesIgnore) { - log.Debug(). - Msgf("Excluding result Comment: %s", vulnerability.SimilarityID) - continue - } - - vulnerabilities = append(vulnerabilities, *vulnerability) } } 
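Review bot: The extraction changes behaviour for results whose line could not be detected: the removed code set `failedDetectLine = true` and still went on to the exclusion checks and the `append`, whereas the new helper in the next hunk returns `nil, true` at the `UndetectedVulnerabilityLine` check, so the caller's `if vulnerability != nil && aux == false` never appends those findings and the exclusion checks are skipped for them. A refactor labelled "reduce cyclomatic" should not silently drop findings; the fix is to carry the undetected-line flag alongside the vulnerability instead of using it as a "skip" signal, and to append whenever a vulnerability is returned. The `Location: "func decodeQueryResults()"` string in the moved Sentry report also no longer names the function it lives in, and `aux` would read better as `undetectedLine`.
```go
			vulnerability, undetectedLine := getVulnerabilitiesFromQuery(ctx, c, queryResultItem)
			if undetectedLine {
				failedDetectLine = true
			}
			if vulnerability != nil {
				vulnerabilities = append(vulnerabilities, *vulnerability)
			}

// … unchanged: rest of DecodeQueryResults …

func getVulnerabilitiesFromQuery(ctx *QueryContext, c *Inspector, queryResultItem interface{}) (*model.Vulnerability, bool) {
	// … unchanged: c.vb call, ErrNoResult and Sentry error paths, ShouldSkipVulnerability check …

	// Report the undetected line but keep the finding; the caller records the flag.
	undetectedLine := vulnerability.Line == UndetectedVulnerabilityLine

	if _, ok := c.excludeResults[vulnerability.SimilarityID]; ok {
		log.Debug().
			Msgf("Excluding result SimilarityID: %s", vulnerability.SimilarityID)
		return nil, undetectedLine
	} else if checkComment(vulnerability.Line, file.LinesIgnore) {
		log.Debug().
			Msgf("Excluding result Comment: %s", vulnerability.SimilarityID)
		return nil, undetectedLine
	}

	return vulnerability, undetectedLine
}
```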
@@ -439,6 +404,51 @@ func (c *Inspector) DecodeQueryResults( return vulnerabilities, nil } +func getVulnerabilitiesFromQuery(ctx *QueryContext, c *Inspector, queryResultItem interface{}) (*model.Vulnerability, bool) { + vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) + if err != nil && err.Error() == ErrNoResult.Error() { + // Ignoring bad results + return nil, false + } + if err != nil { + sentryReport.ReportSentry(&sentryReport.Report{ + Message: fmt.Sprintf("Inspector can't save vulnerability, query=%s", ctx.Query.Metadata.Query), + Err: err, + Location: "func decodeQueryResults()", + Platform: ctx.Query.Metadata.Platform, + Metadata: ctx.Query.Metadata.Metadata, + Query: ctx.Query.Metadata.Query, + }, true) + + if _, ok := c.failedQueries[ctx.Query.Metadata.Query]; !ok { + c.failedQueries[ctx.Query.Metadata.Query] = err + } + + return nil, false + } + file := ctx.Files[vulnerability.FileID] + if ShouldSkipVulnerability(file.Commands, vulnerability.QueryID) { + log.Debug().Msgf("Skipping vulnerability in file %s for query '%s':%s", file.FilePath, vulnerability.QueryName, vulnerability.QueryID) + return nil, false + } + + if vulnerability.Line == UndetectedVulnerabilityLine { + return nil, true + } + + if _, ok := c.excludeResults[vulnerability.SimilarityID]; ok { + log.Debug(). + Msgf("Excluding result SimilarityID: %s", vulnerability.SimilarityID) + return nil, false + } else if checkComment(vulnerability.Line, file.LinesIgnore) { + log.Debug(). + Msgf("Excluding result Comment: %s", vulnerability.SimilarityID) + return nil, false + } + + return vulnerability, false +} + // checkComment checks if the vulnerability should be skipped from comment func checkComment(line int, ignoreLines []int) bool { for _, ignoreLine := range ignoreLines { From d6fd490858693a2e8e2a08be04f917fbdde03d04 Mon Sep 17 00:00:00 2001 
From: JoaoCxMartins Date: Tue, 16 Jan 2024 15:41:22 +0000 Subject: [PATCH 372/379] simpler --- pkg/engine/inspector.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index 2954f9a7c5d..bf4ecb179a3 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go @@ -383,7 +383,7 @@ func (c *Inspector) DecodeQueryResults( if aux { failedDetectLine = aux } - if vulnerability != nil && aux == false { + if vulnerability != nil && !aux { vulnerabilities = append(vulnerabilities, *vulnerability) } } From f52def8be9dab870008ef9e506fe81f8007e6892 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 16 Jan 2024 16:32:06 +0000 Subject: [PATCH 373/379] delete unnecessary file --- stuck.json | 216 ----------------------------------------------------- 1 file changed, 216 deletions(-) delete mode 100644 stuck.json diff --git a/stuck.json b/stuck.json deleted file mode 100644 index ccbffe1910d..00000000000 --- a/stuck.json +++ /dev/null 
@@ -1,216 +0,0 @@ -{ - "document": [ - { - "swagger": "2.0", - "file": "C:/CxKics/comunidade/mini/swagger.json", - "id": "17b6ea4e-08cb-447f-8064-5f172f3aa2fc", - "definitions": {}, - "host": "apiapp-dev-lpd.azurewebsites.net", - "info": { - "title": "CCBCC.LAUNCHPAD.WebApi", - "version": "v1" - }, - "paths": { - "/api/BlobFileDownload": { - "get": { - "consumes": [], - "operationId": "BlobFileDownload_GetBlobFileDownload", - "produces": [ - "application/json", - "text/json", - "application/xml", - "text/xml" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "object" - } - } - }, - "tags": [ - "BlobFileDownload" - ] - } - }, - "/api/BlobFileDownload/{id}": { - "get": { - "consumes": [], - "operationId": "BlobFileDownload_Get", - "parameters": [ - { - "format": "int32", - "in": "path", - "name": "id", - "required": true, - "type": "integer" - } - ], - "produces": [ - "application/json", - "text/json", - "application/xml", - "text/xml" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "object" - } - } - }, - "tags": [ - "BlobFileDownload" - ] - } - } - }, - "schemes": [ - "https" - ] - }, - { - "file": "C:/CxKics/comunidade/mini/swagger_1.json", - "id": "e5f3635d-3131-47ab-8715-c671430035df", - "definitions": {}, - "host": "apiapp-cds-qa.azurewebsites.net", - "info": { - "title": "CCBCC.CDS.Server.LaunchPadApi", - "version": "v1" - }, - "paths": { - "/api/Document/GetAllLibraries": { - "get": { - "consumes": [], - "operationId": "Document_GetAllLibraries", - "parameters": [ - { - "in": "query", - "name": "SecretKey", - "required": true, - "type": "string" - }, - { - "in": "query", - "name": "exportCsv", - "required": false, - "type": "boolean" - } - ], - "produces": [ - "application/json", - "text/json", - "application/xml", - "text/xml" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "object" - } - } - }, - "tags": [ - "Document" - ] - } - }, - 
"/api/Document/GetDocumentDownload/{documentId}": { - "get": { - "consumes": [], - "operationId": "Document_GetDocumentDownload", - "parameters": [ - { - "in": "query", - "name": "SecretKey", - "required": true, - "type": "string" - }, - { - "in": "path", - "name": "documentId", - "required": true, - "type": "string" - } - ], - "produces": [ - "application/json", - "text/json", - "application/xml", - "text/xml" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "object" - } - } - }, - "tags": [ - "Document" - ] - } - }, - "/api/Document/GetDocumentsInLibrary": { - "get": { - "consumes": [], - "operationId": "Document_GetDocumentsInLibrary", - "parameters": [ - { - "in": "query", - "name": "SecretKey", - "required": true, - "type": "string" - }, - { - "in": "query", - "name": "libraryUrl", - "required": true, - "type": "string" - }, - { - "format": "int32", - "in": "query", - "name": "modifiedSinceEpoch", - "required": false, - "type": "integer" - }, - { - "format": "date-time", - "in": "query", - "name": "modifiedSince", - "required": false, - "type": "string" - } - ], - "produces": [ - "application/json", - "text/json", - "application/xml", - "text/xml" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "object" - } - } - }, - "tags": [ - "Document" - ] - } - } - }, - "schemes": [ - "https" - ], - "swagger": "2.0" - } - ] -} From 0836018ff9900433c2a7b490a9ac1fb9cc74a3f4 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Wed, 17 Jan 2024 16:49:07 +0000 Subject: [PATCH 374/379] unit test to test the behaviour on time out --- pkg/engine/inspector_test.go | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/pkg/engine/inspector_test.go b/pkg/engine/inspector_test.go index 87e9099700b..4382e108748 100644 --- a/pkg/engine/inspector_test.go +++ b/pkg/engine/inspector_test.go 
@@ -3,6 +3,8 @@ package engine
 import (
 "context"
 "fmt"
+ "github.com/open-policy-agent/opa/rego"
+ "github.com/stretchr/testify/assert"
 "io"
 "os"
 "path/filepath"
@@ -677,6 +679,65 @@ func TestShouldSkipFile(t *testing.T) { } } +func TestInspector_DecodeQueryResults_ShouldNotFail_WhenTimeout(t *testing.T) { + //build inspector + c := newInspectorInstance(t, []string{ + filepath.FromSlash("../../assets/queries/terraform/aws/alb_deletion_protection_disabled"), + }) + + //context + myContext := context.Background() + + //build result set + myResultSet := newResultset() + + //query context + myQueryContext := newQueryContext(myContext) + + //create a context with 0 second to timeout + timeoutDuration, _ := time.ParseDuration("0s") + myCtxTimeOut, _ := context.WithTimeout(myContext, timeoutDuration) + + //call method + result, erro := c.DecodeQueryResults(&myQueryContext, myCtxTimeOut, myResultSet) + assert.Nil(t, erro, "Error not as expected") + assert.Equal(t, 0, len(result), "Array size is not as expected") +} + +func newResultset() rego.ResultSet { + myValue := make(map[string]interface{}) + myValue["documentId"] = "3a3be8f7-896e-4ef8-9db3-d6c19e60510b" + myValue["issueType"] = "IncorrectValue" + myValue["keyActualValue"] = "COPY --from referencesthe current FROM alias" + myValue["keyExpectedValue"] = "COPY --from should not references the current FROM alias" + myValue["searchKey"] = "{{ADD ${JAR_FILE} app.jar}}" + + myBinding := make([]interface{}, 1) + myBinding[0] = myValue + + myresult := rego.Result{ + Bindings: map[string]interface{}{ + "result": myBinding, + }, + } + myResultSet := rego.ResultSet{myresult} + return myResultSet +} + +func newQueryContext(ctx context.Context) QueryContext { + queryMetadata := model.QueryMetadata{ + Platform: "myPlatform", + Query: "myQuery"} + myQuery := PreparedQuery{ + Metadata: queryMetadata, + } + queryContext := QueryContext{ + Ctx: ctx, + Query: &myQuery, + } + return queryContext +} + func newInspectorInstance(t *testing.T, queryPath []string) *Inspector { querySource := source.NewFilesystemSource(queryPath, []string{""}, []string{""}, filepath.FromSlash("./assets/libraries"), 
true) var vb = func(ctx *QueryContext, tracker Tracker, v interface{}, From 9711f88bf3c5ebb505417b7d7a83d8e3a6610d80 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Wed, 17 Jan 2024 21:47:57 +0000 Subject: [PATCH 375/379] improve test --- pkg/engine/inspector_test.go | 52 +++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/pkg/engine/inspector_test.go b/pkg/engine/inspector_test.go index 4382e108748..fe41bc20626 100644 --- a/pkg/engine/inspector_test.go +++ b/pkg/engine/inspector_test.go 
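Review bot: `myCtxTimeOut, _ := context.WithTimeout(myContext, timeoutDuration)` discards the cancel function, which `go vet`'s lostcancel check reports and which keeps the timeout's resources alive until the parent context ends; write `myCtxTimeOut, cancel := context.WithTimeout(myContext, timeoutDuration)` followed by `defer cancel()`. The same discarded cancel reappears in the table-driven rewrite of this test in PATCH 375, and `timeoutDuration, _ := time.ParseDuration("0s")` likewise drops an error that a test should surface with `assert.NoError(t, err)`. Since the test pins that a timed-out decode returns nil error and zero results, a comment above the two assertions such as `// a timed-out decode is expected to be swallowed: no error and no findings` would make that contract explicit, so a later change that reports the timeout as an error is a deliberate decision rather than an unexplained test failure. The `time` package is used here but not added in this commit's import hunk, presumably because the file already imports it. newInspectorInstance's body continues outside the hunk.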
@@ -679,29 +679,45 @@ func TestShouldSkipFile(t *testing.T) { } } -func TestInspector_DecodeQueryResults_ShouldNotFail_WhenTimeout(t *testing.T) { - //build inspector - c := newInspectorInstance(t, []string{ - filepath.FromSlash("../../assets/queries/terraform/aws/alb_deletion_protection_disabled"), - }) +func TestInspector_DecodeQueryResults(t *testing.T) { //context - myContext := context.Background() - - //build result set - myResultSet := newResultset() + contextToUSe := context.Background() - //query context - myQueryContext := newQueryContext(myContext) + //build inspector + c := newInspectorInstance(t, []string{}) - //create a context with 0 second to timeout - timeoutDuration, _ := time.ParseDuration("0s") - myCtxTimeOut, _ := context.WithTimeout(myContext, timeoutDuration) + type args struct { + queryContext QueryContext + regoResult rego.ResultSet + timeDuration string + } + tests := []struct { + name string + args args + expected int + }{ + { + name: "should_not_fail_when_timeout", + args: args{ + queryContext: newQueryContext(contextToUSe), + regoResult: newResultset(), + timeDuration: "0s", + }, + expected: 0, + }, + } - //call method - result, erro := c.DecodeQueryResults(&myQueryContext, myCtxTimeOut, myResultSet) - assert.Nil(t, erro, "Error not as expected") - assert.Equal(t, 0, len(result), "Array size is not as expected") + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + //create a context with 0 second to timeout + timeoutDuration, _ := time.ParseDuration(tt.args.timeDuration) + myCtxTimeOut, _ := context.WithTimeout(contextToUSe, timeoutDuration) + result, err := c.DecodeQueryResults(&tt.args.queryContext, myCtxTimeOut, tt.args.regoResult) + assert.Nil(t, err, "Error not as expected") + assert.Equal(t, 0, len(result), "Array size is not as expected") + }) + } } func newResultset() rego.ResultSet { From fa3d6c6cda6efd72c75bc8319d36a209e65b7a87 Mon Sep 17 00:00:00 2001 
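Review bot: The table declares `expected int` but the loop body still asserts the literal `0`, so any further case would be checked against a hard-coded value rather than its own field; it should read `assert.Equal(t, tt.expected, len(result), "Array size is not as expected")`. `timeoutDuration, _ := time.ParseDuration(tt.args.timeDuration)` and `myCtxTimeOut, _ := context.WithTimeout(contextToUSe, timeoutDuration)` carry over from the previous version: the parse error should be asserted with `assert.NoError` and the cancel function captured and deferred inside the subtest. `contextToUSe` reads like a typo for `contextToUse`. The newResultset helper that follows continues outside the hunk.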
From: JoaoCxMartins Date: Thu, 18 Jan 2024 09:36:03 +0000 Subject: [PATCH 376/379] remove logic for yaml minified --- pkg/minified/minified.go | 9 --------- pkg/minified/minified_test.go | 14 ++++---------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/pkg/minified/minified.go b/pkg/minified/minified.go index a20e9e2497f..c9369edab0a 100644 --- a/pkg/minified/minified.go +++ b/pkg/minified/minified.go @@ -8,8 +8,6 @@ import ( func IsMinified(filename string, content []byte) bool { if strings.HasSuffix(filename, ".json") { return isMinifiedJSON(string(content)) - } else if strings.HasSuffix(filename, ".yaml") || strings.HasSuffix(filename, ".yml") { - return isMinifiedYAML(string(content)) } return false } @@ -26,10 +24,3 @@ func isMinifiedJSON(content string) bool { return float64(nonWhitespaceCount)/float64(len(content)) > minifiedThreshold } - -// minification is not a standard practice in yaml -// heuristic, check for newline followed by whitespace -func isMinifiedYAML(content string) bool { - // Check for lack of indentation - return !strings.Contains(content, "\n ") -} diff --git a/pkg/minified/minified_test.go b/pkg/minified/minified_test.go index 2713e84cb50..e8a3e3cba80 100644 --- a/pkg/minified/minified_test.go +++ b/pkg/minified/minified_test.go 
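Review bot: After this change IsMinified inspects only files whose name ends in `.json` and returns false for everything else, but nothing in the hunk documents that narrowed contract, so a caller that still expects YAML minification to be detected (none is visible here) would silently get false. Suggest a doc comment above the function: `// IsMinified reports whether content looks minified. Only files ending in ".json" are examined (the suffix match is case-sensitive); every other file yields false.` The surviving `float64(nonWhitespaceCount)/float64(len(content)) > minifiedThreshold` divides by the content length, which for empty input is a 0/0 float division that yields NaN and compares false rather than panicking; a short comment noting that empty content is reported as not minified would save the next reader from checking. isMinifiedJSON's opening lines are outside the hunk.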
@@ -27,22 +27,16 @@ func Test_IsMinified(t *testing.T) { args: giantMinifiedJson, }, { - name: "File not json not yaml", + name: "File not json", nameFile: "test.tf", want: false, args: []byte(""), }, { - name: "Mini minified file yaml", - nameFile: "test.yml", - want: true, - args: []byte("[{name: my_elb_application, community.aws.elb_application_lb: {name: myelb, security_groups: [sg-12345678, my-sec-group], subnets: [subnet-012345678, subnet-abcdef000], listeners: [{Protocol: HTTP, Port: 80, SslPolicy: ELBSecurityPolicy-2015-05, Certificates: [{CertificateArn: 'arn:aws:iam::12345678987:server-certificate/test.domain.com'}], DefaultActions: [{Type: forward, TargetGroupName: targetname}]}], state: present}}, {name: my_elb_application2, community.aws.elb_application_lb: {name: myelb2, security_groups: [sg-12345678, my-sec-group], subnets: [subnet-012345678, subnet-abcdef000], listeners: {Port: 80, SslPolicy: ELBSecurityPolicy-2015-05, Certificates: [{CertificateArn: 'arn:aws:iam::12345678987:server-certificate/test.domain.com'}], DefaultActions: [{Type: forward, TargetGroupName: targetname}]}, state: present}}]"), - }, - { - name: "Not minified file yaml", - nameFile: "test.yml", + name: "Json not minified", + nameFile: "test.json", want: false, - args: []byte("- name: my_elb_application\n community.aws.elb_application_lb:\n name: myelb\n security_groups:\n - sg-12345678\n - my-sec-group\n subnets:\n - subnet-012345678\n - subnet-abcdef000\n listeners:\n - Protocol: HTTP\n Port: 80\n SslPolicy: ELBSecurityPolicy-2015-05\n Certificates:\n - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com\n DefaultActions:\n - Type: forward\n TargetGroupName: targetname\n state: present\n- name: my_elb_application2\n community.aws.elb_application_lb:\n name: myelb2\n security_groups:\n - sg-12345678\n - my-sec-group\n subnets:\n - subnet-012345678\n - subnet-abcdef000\n listeners:\n Port: 80\n SslPolicy: ELBSecurityPolicy-2015-05\n Certificates:\n - 
CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com\n DefaultActions:\n - Type: forward\n TargetGroupName: targetname\n state: present\n"), + args: []byte("{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n \"title\": \"S\",\n\t\t\t\"GlossList\": {\n \"GlossEntry\": {\n \"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"SGML\",\n\t\t\t\t\t\"GlossTerm\": \"Standard Generalized Markup Language\",\n\t\t\t\t\t\"Acronym\": \"SGML\",\n\t\t\t\t\t\"Abbrev\": \"ISO 8879:1986\",\n\t\t\t\t\t\"GlossDef\": {\n \"para\": \"A meta-markup language, used to create markup languages such as DocBook.\",\n\t\t\t\t\t\t\"GlossSeeAlso\": [\"GML\", \"XML\"]\n },\n\t\t\t\t\t\"GlossSee\": \"markup\"\n }\n }\n }\n }\n}"), }, } From e548b9bd51d3a1644a63179fd89b18599493068f Mon Sep 17 00:00:00 2001 From: Katrin Leinweber <9948149+katrinleinweber@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:52:39 +0100 Subject: [PATCH 377/379] Remove ZWSPs & align colum separators --- docs/performance.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/performance.md b/docs/performance.md index f1c56b40f8e..3d248ef614e 100644 --- a/docs/performance.md +++ b/docs/performance.md 
@@ -4,13 +4,13 @@ The values below were obtained after scanning 150 open source projects with KICS the supported IaC technologies (c.f., Terraform, Ansible, Kubernetes, Docker, AWS Cloudformation). -| IaC Technology | Query Accuracy1 | Query Coverage2 | Scanned IaC files​ | Number of Results​ | Average Scan Time​ (s) | Average Project Size (MB) | -| :--- | :--- | :--- | :--- | :--- | :---| :---| -| Terraform​ | 99.7%​ | 46% | 1176​ | 709 | 6.6 | 33.4​ | -| Docker​ | 98.8%​​ | 68%​ | 1017​ | 5109 | 11 | 0.7 |​ -| Kubernetes​ | 99.3%​​ | 88.7%​ | 6089​ | 21753 | 7 | 90 |​ -| CloudFormation​ | 95%​ | 73%​ | 1769​ | 5343 | 10.2 | 4.8 |​ -| Ansible ​ | 100% |​ 54%​ | 3367​ | 1320 | 23.3 | 4.1 |​ +| IaC Technology | Query Accuracy1 | Query Coverage2 | Scanned IaC files | Number of Results | Average Scan Time (s) | Average Project Size (MB) | +| :--- | :--- | :--- | :--- | :--- | :---| :--- | +| Terraform | 99.7% | 46% | 1176 | 709 | 6.6 | 33.4 | +| Docker | 98.8% | 68% | 1017 | 5109 | 11 | 0.7 | +| Kubernetes | 99.3% | 88.7% | 6089 | 21753 | 7 | 90 | +| CloudFormation | 95% | 73% | 1769 | 5343 | 10.2 | 4.8 | +| Ansible | 100% | 54% | 3367 | 1320 | 23.3 | 4.1 | --- From f1db632ac44333de9ce1476ac7d447ce7b76e1b4 Mon Sep 17 00:00:00 2001 From: Katrin Leinweber <9948149+katrinleinweber@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:52:47 +0100 Subject: [PATCH 378/379] Remove ZWSPs --- docs/configuration-file.md | 2 +- docs/running-kics.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuration-file.md b/docs/configuration-file.md index a3ed52d321a..2ae9af69a95 100644 --- a/docs/configuration-file.md +++ b/docs/configuration-file.md 
@@ -79,7 +79,7 @@ You can enclose all your configurations in a file and use it in two different wa 3. Pass the configuration file as argument: ``` -docker run -t -v {​​​​path_to_kics_config}​​​​:/kics -v {path_to_host_folder_to_scan}:/path checkmarx/kics scan -p /path --config /kics/kics-config.json +docker run -t -v {path_to_kics_config}:/kics -v {path_to_host_folder_to_scan}:/path checkmarx/kics scan -p /path --config /kics/kics-config.json ``` #### Configuration as Code diff --git a/docs/running-kics.md b/docs/running-kics.md index 39553ab598f..1acc2a6f19e 100644 --- a/docs/running-kics.md +++ b/docs/running-kics.md @@ -17,7 +17,7 @@ Files and directories that are not local will be placed in a temporarily folder ### Local Files ``` -docker run -t -v {​​​​path_to_scan}​​​​:/path checkmarx/kics scan -p /path +docker run -t -v {path_to_scan}:/path checkmarx/kics scan -p /path ``` ### Archived Files @@ -33,7 +33,7 @@ Available archive formats: - `xz` ``` -docker run -t -v {​​​​path_to_scan_zip}​​​​:/path checkmarx/kics scan -p /path +docker run -t -v {path_to_scan_zip}:/path checkmarx/kics scan -p /path ``` More information can be seen [here](https://github.com/hashicorp/go-getter#unarchiving) From 29f42e0a10185bf258c25caf76a90bdc754581d5 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Tue, 23 Jan 2024 12:45:46 +0000 Subject: [PATCH 379/379] update docs --- docs/running-kics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/running-kics.md b/docs/running-kics.md index 1acc2a6f19e..2d668fd7807 100644 --- a/docs/running-kics.md +++ b/docs/running-kics.md @@ -33,7 +33,7 @@ Available archive formats: - `xz` ``` -docker run -t -v {path_to_scan_zip}:/path checkmarx/kics scan -p /path +docker run -t -v {path_to_zip}:/path checkmarx/kics scan -p /path/{name_of_zip_file} ``` More information can be seen [here](https://github.com/hashicorp/go-getter#unarchiving)